COMMITMENT TO PRIVACY
We, at Melissa Cutler Therapy (“MCT”) are committed to maintaining the privacy and confidentiality of all personal health information that we collect, use and disclose. We strive to protect the privacy rights of our clients at MCT by meeting or exceeding the standards established by law, including the Personal Health Information Protection Act, 2004 (“PHIPA”).
PERSONAL HEALTH INFORMATION
THE INFORMATION WE COLLECT FROM OUR CLIENTS
The types of PHI that MCT collects, uses and stores may vary depending upon the individuals involved and the nature of their relationship with MCT. The information we collect may include, for example:
- • a client’s name, address, date of birth, health history, family health history; and
- • information related to medical or counseling assessments, diagnosis, medication, and treatment.
With limited exceptions, we obtain PHI directly from our clients or their authorized representative(s). Occasionally, we may collect information about our clients from other sources, including other health care providers, where we have obtained their consent to do so or if the law permits.
We will not collect PHI if other information we have will serve the purpose of the collection. In addition, we will not collect more PHI than is reasonably necessary to meet the purpose of the collection.
HOW WE USE THE INFORMATION WE COLLECT
MCT will identify the purposes for which PHI is being collected, in advance, and will inform clients of these purposes. We will only collect, use and store information that is necessary for these purposes.
- • A client’s personal health information may be used, for example:
- • to provide assessment, treatment and other social work services;
- • to obtain payment for healthcare services, including payment from a third party insurer;
- • for quality assurance purposes;
- • to comply with legal and regulatory requirements; and
- • to fulfil other purposes permitted or required by law to plan, administer and manage our internal operations.
If we intend to use our clients’ information for any other purposes, we will ask for their consent before doing so, unless otherwise permitted to do so by law without their consent.
MCT will not collect, use or disclose PHI without the consent of a client or, if the client is not capable of giving or refusing consent, without the consent of his or her substitute decision-maker, unless otherwise required or permitted by law. Consent to the collection, use or disclosure of PHI may be express or implied.
- • Express Consent means permission that we have specifically obtained from the client.
- • Implied Consent means we have concluded from surrounding circumstances that the client or their substitute decision-maker would agree to the collection, use or disclosure of their information, and we need not ask for their express consent.
For most healthcare purposes, consent is implied as a result of consent to treatment. However, in some circumstances, express and sometimes written consent may be required.
Unless the law requires such disclosure, we will always ask for a client’s express consent before:
- • disclosing their information to someone who is not a health information custodian (e.g., to an insurance company, employer, school board, WSIB, lawyer, etc.); or
- • disclosing their information to a health information custodian for purposes other than providing them with health care (e.g. for research).
A client may withdraw or limit their consent at any time, unless doing so prevents us from recording the information required by law or under professional standards. A client may also give express (written) instruction that specific information is only to be used or disclosed by certain individuals or to certain individuals or for certain purposes. The Privacy Officer will assist them with this process.
We may collect, use or disclose a client’s information without their consent in certain limited circumstances that are expressly permitted by PHIPA. For example, some laws require disclosure of their information in certain circumstances, such as the Child and Family Services Act, the Health Protection and Promotion Act and the Workplace Safety and Insurance Act, 1997.
In order for consent to be valid, it must be knowledgeable and obtained voluntarily (i.e., without deception or coercion) from an individual with the capacity to consent. Knowledgeable consent means that it is reasonable in the circumstances to believe that the individual knows the purposes for which MCT is collecting, using or disclosing the information and knows that they have the right to give or withhold their consent.
If a client is found to be incapable of making decisions about their information, we will consult their substitute decision maker, as determined by law. There is no age of consent in Ontario. As such, all children may provide consent to the collection, use and disclosure of their own PHI if they are capable of doing so.
A person is capable to consent to the collection, use or disclosure of their PHI if the person is:
- (a) able to understand information relevant to deciding whether to consent to the collection, use, or disclosure of the information; and
- (b) able to appreciate the reasonably foreseeable consequences of giving, not giving, or withholding or withdrawing consent.
Where a child is under 16 years of age, a parent or guardian may consent to the collection, use or disclosure of a capable child’s personal health information, unless the information relates to treatment sought by the child on their own. However, where a child is capable of consenting to the collection, use or disclosure of their personal health information, the child’s consent will be sought wherever practicable.
SHARING PERSONAL HEALTH INFORMATION
Generally, we will not share a client’s personal health information with anyone else without their consent.
The only exception to this is that we may be required or permitted by law in certain instances to disclose personal health information without consent.
In addition, unless instructed otherwise, we may disclose a client’s personal health information without express consent to other health care providers in the “Circle of Care” who need to know this information in order to help provide care to the person. We rely on assumed implied consent for these disclosures.
SAFEGUARDS AND SECURITY
MCT recognizes the importance of safeguarding PHI and will take all steps that are reasonable in the circumstances to ensure that PHI in our custody is protected against theft, loss or unauthorized access, use, or disclosure. We will also ensure that the records containing this information are protected against unauthorized copying, modification or disposal.
The personal health information records we maintain are kept in electronic format. In order to protect our clients’ information, we have taken steps to meet the need for physical security, technological security and administrative controls.
The measures we have taken for the physical security of personal health information include:
- • storing hard copies of all PHI records in locked filing cabinets in secure areas or in a secure offsite storage facility which has a security system installed; and
- • restricting office access to authorized individuals.
MCT’s PHI records which are maintained in electronic form are protected through technological security measures we have taken, including the use of:
- • password controls and search controls;
- • firewalls and anti-virus software;
- • logging, auditing and monitoring of all access to electronic records of personal health information; and
- • encryption of all mobile electronic devices that contain PHI.
We have also implemented administrative controls to safeguard the personal health information records we maintain, including:
- • providing mandatory initial and ongoing privacy training to all agents;
- • prohibiting MCT staff or agents from removing hard copy records from MCT’s office for any purposes other than the provision of care;
- • prohibiting MCT staff or agents from printing, copying or downloading electronic records except where necessary for the provision of care;
- • conducting regular audits of MCT’s records to ensure compliance with our policies;
- • requiring agents to sign confidentiality agreements and end-user agreements on a regular basis; and
- • maintaining a log of all privacy breaches, which will be audited and monitored in order to identify patterns or trends in privacy breaches and to ensure that appropriate administrative, physical or technical safeguards are implemented to remediate the privacy breaches and to prevent or minimize privacy breaches in the future.
Electronic Communication of Personal Health Information
Due to the significant risks to the protection of clients’ privacy and confidentiality that are associated with the use of e-mail and text messaging, MCT does not collect or disclose personal health information through these means of electronic communication except through the use of a secure email server or in very limited circumstances.
Clients will be informed of the risks associated with electronic communication of their personal health information at the outset of their interaction with MCT. Consent will be obtained from clients in advance if there is a need to communicate in this manner other than as described above.
Where personal health information is provided to MCT through e-mail or text, a copy of the e-mail or the text message will kept as part of the client’s record.
RETENTION OF PERSONAL HEALTH INFORMATION
Our policy is to retain personal health information records for the later of: at least ten (10) years from the date of the last entry in the record; ten (10) years following the eighteenth (18th) birthday of the client to whom the record relates; or in accordance with any minimum retention period that is established by law.
DISPOSAL OF PERSONAL HEALTH INFORMATION
When PHI is disposed of, MCT will take reasonable steps to ensure secure and permanent destruction of these records, whether physical or electronic. Where a third party is retained to dispose of PHI, we will enter into a written agreement with the third party that sets out the requirements for secure disposal and require the third party to confirm in writing that secure disposal has occurred. MCT keeps a record of all PHI that has been destroyed, including the date and manner in which the PHI was disposed of.
In the event that a client’s PHI has been stolen, lost or subject to unauthorized use, access, disclosure, copying or modification, our first priority will be to identify and contain the breach, and then to take steps to correct it and to minimize the chance of similar breaches in the future. We will notify any client whose PHI may have been stolen, lost or accessed in an unauthorized manner, at the first reasonable opportunity. We will also advise clients of their right to contact the Information and Privacy Commissioner.
In the event a privacy breach occurs, MCT will take the following steps:
- Step 1: Report breach to Privacy Officer and Implement Privacy Breach Protocol
- Sept 2: Stop and contain the breach
- Step 3: Investigate the breach
- Step 4: Notify those affected by the breach
- Step 5: Conduct a review and remediation of the breach
- Step 6: Consideration of reporting to the Privacy Commissioner
These steps may need to be carried out simultaneously and in quick succession.
ACCESS TO PERSONAL HEALTH INFORMATION
Clients and their authorized representatives have a general right to access all of their PHI in MCT’s custody or control. Where a client is not capable to consent to the collection, use or disclosure of their PHI, the client’s substitute decision-maker may access information on the client’s behalf. Clients may also request a copy of this information.
If a client would like to request access to or a copy of his or her PHI, he or she must make a written request to any staff member, who will forward the request to the Privacy Officer. The Privacy Officer will make arrangements to provide the client or their substitute decision-maker with a copy of records requested or will make an appointment to review the records with the client or substitute decision-maker. A staff person will always be present when original records are reviewed by a client or substitute decision-maker.
A client’s right to access his or her personal information is not absolute. MCT may deny an access request where:
- • the information does not exist or cannot be found;
- • denial of access is required or authorized by law; or
- • the request is frivolous, vexatious, or made in bad faith.
All requests for access to PHI will be addressed as soon as possible, but no later than 30 days from the date of the request. If the Privacy Officer refuses a client access to their records, there will be a reason provided to the client as to why we are not able to do so. The client will also be notified of their right to make a complaint about the refusal to the Information and Privacy Commissioner of Ontario.
MCT will ask for verification of the individual’s identity before providing access. MCT may charge a reasonable cost recovery fee for making information available and/or providing copies of PHI records. If we choose to do so, we will provide notice of the fee in advance of processing the request.
ACCURACY OF PERSONAL HEALTH INFORMATION
We take all reasonable steps to ensure all PHI is as accurate, complete and up to date as necessary for the purpose the information is being used.
We will not routinely conduct updates on information in our control unless routine updates are necessary to fulfil the purposes for which the information was collected.
We use advanced technology and well-defined practices to ensure PHI is processed promptly, accurately, and completely. We ask that our clients advise us of any changes to their PHI in a timely manner so that we may ensure our information is accurate.
CORRECTION TO PERSONAL HEALTH INFORMATION
If a client believes that his or her PHI is not accurate or complete, he or she may make a written request to the Privacy Officer to have the information corrected.
MCT will correct PHI where it is demonstrated that the information in the client’s record is, in fact, inaccurate or incomplete and necessary information is provided to correct the record. Where a correction is made, the original information will still be maintained in the client’s record.
However, MCT may refuse to correct PHI where:
- • we are not satisfied that the record is incomplete or inaccurate for the purposes for which we collected, use or have used the information;
- • the record containing the PHI was not originally created by us and we do not have sufficient knowledge, expertise and authority to correct the record;
- • the request consists of a professional opinion or observation that a health care provider has made in good faith; or
- • the request is frivolous, vexatious, or made in bad faith.
All requests for correction of PHI will be addressed as soon as possible, but no later than 30 days after receiving the request. Where a correction request is denied, clients will be notified of the reasons for the refusal and will be informed that they are entitled to prepare a short statement of disagreement to have appended to their PHI record. In addition, clients are entitled to make a complaint about the refusal to the Information and Privacy Commissioner of Ontario.
COMPLIANCE WITH THIS POLICY
Any breach of this Policy or the confidentiality agreements by our agents may result in disciplinary action, including:
- • suspension, demotion, and termination;
- • termination of contractual relationship; or
- • termination of affiliation.
All agents must notify the Privacy Officer at the first reasonable opportunity if a client’s personal health information is lost, stolen or accessed without authorization.
If clients have any questions or concerns about the collection, use, disclosure or protection of their PHI at MCT, they should speak with our Privacy Officer @ (647) 933-5506
MCT takes the privacy of its clients seriously and will investigate all written privacy concerns. If a concern is found to have merit, we will take appropriate measures, including, if necessary, taking disciplinary action against our agents and/or amending our policies and practices relating to the collection, use and disclosure of the client’s PHI.
If we are not able to address a client’s concerns, or if a client requires further information regarding privacy in Ontario, they may contact the Information and Privacy Commissioner of Ontario:
- Information and Privacy Commissioner of Ontario
2 Bloor Street East, Suite 1400
Toronto, ON M4W 1A8
POLICY REVIEW AND CHANGES
MCT reviews our privacy policies and procedures on an annual or as-needed basis and may revise these from time to time. If these revisions significantly change how we collect, use or disclose previously collected PHI, we will inform our clients and obtain consents where required.