According to the first annual report issued by the Privacy Commissioner of Canada (1984), “Privacy is not simply a precious and often irreplaceable human resource; respect for privacy is the acknowledgement of respect for human dignity and of the individuality of [hu]man[ity].” Everyone has the legal right to have their privacy respected, and their personal health information protected, by the health practitioners from whom they are receiving healthcare services.
Therefore, the Nishnawbe Aski Mental Health and Addictions Support Access Program (“NAN Hope”) has developed strict policies to ensure clients are receiving services through the NAN Hope Program in a manner that protects their privacy, as well as their personal health information. Specifically, the NAN Hope Program policies incorporate all relevant privacy legislation set forth by Canada’s federal government, namely the Privacy Act and the Personal Information Protection and Electronic Documents Act (PIPEDA), as well as Ontario’s Personal Health Information Protection Act (PHIPA).
Privacy of personal information is a critically important principle to everyone at the NAN Hope Program. We are committed to collecting, using and disclosing personal information responsibly and only to the extent necessary for the services we provide. We also try to be open and transparent as to how we handle personal information.
Personal Information: Personal information refers to information about an identifiable individual and includes information that relates to an individual’s personal characteristics (e.g., name, date of birth, home address and telephone number), their health (e.g., presenting problem, health history, health services received by the individual, social situation) or their activities and views (e.g., opinions expressed by an individual, an opinion or evaluation of an individual). Personal information is not the same as business information (e.g., an individual’s business address and telephone number), which is not protected by privacy legislation. Personal Health Information is defined by the Personal Health Information Protection Act, 2004, as such legislation may be amended, from time to time, and, for the purposes of these policies, is one component of “personal information”.
We use a number of consultants and agencies that may, in the course of their duties, have limited access to the personal information we hold. These consultants and agencies include bookkeepers and accountants, lawyers, office maintenance, cleaners, computer consultants, credit card companies, financial institutions, marketing personnel and website managers. We restrict their access to any personal information we hold as much as reasonably possible. We also have a confidentiality agreement with them.
Use and Disclosure of Personal Information
No personal information will be communicated, directly or indirectly, to a third party without the informed and written consent of the NAN Hope Program clients. Exceptions to this policy include the legal and/or ethical obligations to:
- Inform a potential victim of violence of a client’s intention to harm them;
- Inform an appropriate family member, health care professional, or emergency services if necessary, of a client’s intention to end his or her life;
- Provide a copy of a record when there is a court order, warrant or subpoena to do so;
- Inform the Children’s Aid Society (CAS) / Family and Children’s Services (FACS) if there is suspicion of a child being at risk of, or in need of, protection due to neglect, or physical, sexual (inclusive of child pornography), or emotional abuse;
- Report a health professional who has sexually abused a client;
- Report elder abuse in long term care facilities; and,
- Share identifying information to relevant authorities (i.e., public health), if required, with respect to infectious disease control requirements for contact tracing procedures (i.e., should I, my therapist, or another client who receives services at my therapist’s office test positive for an infectious disease).
Additional exceptions to disclosure include the following:
REGULATORY COLLEGE REQUIREMENTS
The services provided by the NAN Hope Program are regulated by the College of Psychologists of Ontario, the Ontario College of Social Workers and Social Service Workers, and the College of Registered Psychotherapists of Ontario, who may inspect our records and interview our mental health practitioners and administrative staff as part of their regulatory activities in the public interest, consistent with the Ontario Regulated Health Professions Act, 1991. Regulatory colleges have their own strict privacy obligations. College reports may include personal information about our clients, or other individuals to support the concern (e.g., improper services).
Like all organizations, various government agencies (e.g., Canada Customs and Revenue Agency, Information Privacy Commissioner of Ontario, Human Rights Commission, etc.) have the authority to review our files and interview our mental health practitioners and administrative staff as part of their mandates. In these circumstances, we may consult with professionals (e.g., lawyers, accountants) who will investigate the matter and report back to us.
Client Access to Records
It is the policy of the NAN Hope Program that clients have a legal and moral right to know what information is contained about them in their record.
Clients or their legal designates shall have access to all information which can be identified as pertaining to them and which is stored in the client record, with the exception of information that is believed to be harmful or that is confidential about, or from, third parties. We will need to confirm a client’s identity and legal right to have access to the information prior to release of information from their record. In some cases, this may include producing identification and/or proof that another individual (e.g., substitute decision maker) has legal authority to make decisions on behalf of the client if the client is unable to do so themselves. We reserve the right to charge a nominal fee for such requests.
We may ask that all requests for records are made in writing to the NAN Hope Program. If we cannot provide access to a record, we will inform the requesting individual/client within 30 days and provide a reason as to why we cannot provide access.
If a client believes there to be a mistake in the information contained in their record, they have the right to ask for it to be corrected. This applies to factual information and not to any professional opinions we may have formed. We may ask clients to provide documentation that supports the notion that our files are incorrect. If changed, a statement of changed information is included in the record. If the request for a change is declined, the client may file a notice of disagreement in the record.
Storage and Transmission of Data
Personal information collected during the course of services with the NAN Hope Program will be stored and transmitted in the following ways, consistent with regulatory college and legislative requirements:
- Electronic Clinical Record: A record of each client’s clinical services (e.g., counselling) will be stored on a secure server, located in Canada, and owned by OWL. This is not a shared server and complies with PHIPA requirements. There are various protocols in place (e.g., back-up server, bank-level SSL encryption) to ensure the safety and security of the data.
- OWL: This platform provides PHIPA compliant communication of client information. All data is encrypted as it moves between the OWL secure and dedicated servers and the device and browser on which a clinician accesses their OWL Practice account.
- Communication via email: Transmission of personal information via email is only permitted when using password-encrypted PDF documents.
- Communication via mail: Transmission of personal information via mail is only permitted when sent via trusted post or courier service (e.g., Canada Post, Purolator, UPS), is registered for tracking with the service, and is only delivered once a signature of the intended recipient is received by the service.
- Communication via fax: Transmission of personal information via fax is only permitted if the fax is not a shared service (such as those at a Staples or another public/shared fax machine), and if the intended recipient has been notified via telephone prior to the fax being sent, and confirms via telephone once it has been received.
Protecting Personal Information
We understand the importance of protecting personal information. For that reason, we have taken the following steps in the storage and maintenance of our clients’ personal information and personal health information, consistent with PHIPA and PIPEDA requirements:
- Paper information is stored either under supervision or secured in a locked or restricted area.
- Electronic hardware is either under supervision or secured in a locked or restricted area at all times.
- Passwords are used on computers accessing personal health information.
- Paper information is transmitted through sealed, addressed envelopes or boxes by reputable companies (e.g., Canada Post, Purolator, UPS, etc.). All paper information that is transmitted through mail or courier is to be expedited and registered for tracking, with a signature required by the recipient upon delivery.
- Information is transmitted electronically (e.g., email) if it is completely anonymized/de-identified, and/or contained in a password-encrypted PDF document attached to the electronic/email transmission.
- Any files or electronic hardware being transported are required to be stored in a double-locked area (e.g., car trunk, carrying case with a locking mechanism).
- External consultants and agencies with access to personal information must enter into privacy agreements with the NAN Hope Program.
Retention and Destruction of Personal Information
We are required to retain personal information for a period of time to ensure that we can answer any questions clients might have about the services provided and for our own accountability to regulatory colleges.
As required by our regulatory colleges, the NAN Hope Program retains personal information for 10 years following the client’s last contact or, if the client was less than 18 years of age at the time of last contact, for 10 years following the day the client would have turned 18.
Under our general correspondence, we keep any personal information relating to people who are not clients contained in newsletters, seminars and marketing activities for six months after the newsletter ceases publication or a seminar or marketing activity is over.
Once a file has been retained for the time outlined above, we destroy it consistent with PHIPA guidelines. To safeguard the privacy of the NAN Hope Program clients, we cross-shred paper files containing personal information. We destroy electronic information by securely deleting or over-writing it (whichever is more secure), and when the hardware is discarded, we ensure the hard-drive is physically destroyed.
Privacy Breach Policy
If there is a suspected or actual breach of a client’s private and confidential information, the NAN Hope Program must:
- Implement the privacy breach protocol;
- Contain the breach;
- Notify the clients affected by the breach;
- Investigate and remediate the breach; and,
- If applicable, report the breach to the Information and Privacy Commissioner of Ontario (IPC) and/or the appropriate regulatory/governing
The NAN Hope Program Privacy Officer will implement the following Privacy Breach Protocol in the case that a privacy breach has been reported and/or suspected:
Note: It is the role of the NAN Hope Program team to cooperate with the Privacy Officer during the privacy breach protocol process, per direct instruction from the Privacy Officer.
1. As soon as possible, convene a team meeting including the NAN Hope Program staff member involved (if applicable), clinician (if applicable), Chief Executive Officer, Chief Clinical Officer, and Quality Assurance Officer to document the details of the breach, and determine a plan of action;
2. Open a file on the NAN Hope Program secure server, in which to compile, organize, and save all relevant information pertaining to the breach;
3. Review “Reporting a Privacy Breach to the Commissioner” (if unclear as to whether the suspected breach constitutes an actual breach, contact the IPC at 1-800-387-0073);
   - If the suspected breach does not constitute an actual breach, save the information and close the case;
   - If the suspected breach constitutes an actual breach, contact the IPC and make a verbal report based on the information gleaned from discussions with the team (1-800-387-0073);
4. In the case of a confirmed breach of privacy:
   - Communicate with the clients affected by the breach, including detailed specifics of what information was breached, within one (1) week of verbally reporting the breach to the IPC;
   - If the breach was due to an oversight by the administrative staff team at the NAN Hope Program or Dalton Associates, the Privacy Officer will draft detailed, dated, and signed letters to the affected clients, reporting the breach;
      - The letter(s) must be approved by the NAN Hope Program team member, clinician (if applicable), Chief Executive Officer, Chief Clinical Officer, and Director of Quality Assurance prior to being sent to the affected clients;
      - The letter(s) must be sent via registered post or secure email transmission to the clients;
      - Should any letter be returned to Dalton Associates due to an outdated client address, the Privacy Officer will contact the client via telephone to report the breach and obtain a corrected address to which the registered letter will be sent.
   - If the breach was due to an oversight by a clinician, the clinician is responsible for drafting a detailed, dated, and signed letter to the affected clients, reporting the breach;
      - The letter(s) must be approved by the clinician, Supervising Psychologist (if applicable), Chief Executive Officer, Chief Clinical Officer, and Quality Assurance Officer prior to being sent to the affected clients;
      - The letter(s) must be sent via registered post or secure email transmission to the clients;
      - Should any letter be returned to the clinician due to an outdated client address, the clinician will contact the client via telephone to report the breach and obtain a corrected address to which the registered letter will be sent;
      - The clinician will keep the Privacy Officer informed of the clinician’s progress in communicating the breach to clients.
   - The Privacy Officer must compose a report for the IPC detailing the breach (a template of said report is available on the Dalton Associates secure server);
      - After the report is drafted, the report (along with any relevant supporting documentation) must be reviewed by the NAN Hope Program team member (as necessary) and approved by the clinician (if applicable), Chief Executive Officer, Chief Clinical Officer, and Director of Quality Assurance prior to being sent to the IPC;
      - The report, and all relevant/supporting documentation, must be sent to the IPC (via email, fax, or mail) by the deadline they set;
5. Await the response from the IPC;
6. Make any necessary changes to the NAN Hope Program’s policies and procedures to avoid future breaches of a similar nature from occurring;
7. Report the breach and any lessons learned (excluding all identifying information of the NAN Hope Program team member(s) and the clients involved) via a memo to all staff at the NAN Hope Program and Dalton Associates within one (1) month of receiving a response from the IPC;
8. In some situations, the breach will need to be reported to the regulatory college of a clinician involved (should the clinician have caused the breach).