Privacy Policy

Employees, physicians, volunteers and associated personnel of Markham Stouffville Hospital Corporation are committed to upholding patient confidentiality and the protection of personal health information.

Markham Stouffville Hospital Corporation abides by its privacy policy which guides how your personal health information can be used, how it is protected, and how you can access it.  

Purpose:

All Markham Stouffville Hospital employees, physicians, volunteers and associated personnel have an obligation to ensure the privacy, integrity, and availability of personal health information that is created, collected, entered, processed, communicated, disclosed, transported, disseminated, stored or destroyed. Markham Stouffville Hospital recognizes that the individual has the right to control the collection, use and disclosure of their personal health information. The purpose of this policy is to outline the specifics of the privacy policy.

Application: 

This policy applies to all sites under the supervision and authority of Markham Stouffville Hospital and to all personnel that have a contractual relationship with the hospitals.

Definition: 

Personal health information means either in oral or recorded format about an individual:

• the address, telephone number

• information relating to the race, national or ethnic origin, colour, religion, age, sex, sexual orientation, blood type of the individual or marital or family status of the individual,

• information relating to the education or the medical, psychiatric, psychological, criminal or employment history of the individual

• medical history of the individual’s family

• provision of health care to the individual and the providers of health care

• information that is collected incidentally to the provision of health care

• payments or eligibility for health care services

• information relating to financial transactions in which the individual has been involved

• any identifying number, symbol or other particular assigned to the individual, including health number

• the personal opinions or views of the individual except where they relate to another individual

• correspondence sent to Markham Stouffville Hospital at either the Markham Site or Uxbridge Site by the individual that is implicitly or explicitly of a private or confidential nature relating to the provision of health care, and replies to that correspondence that would reveal the contents of the original correspondence

• the views or opinions of another individual about the individual. 

Individual means the individual, whether living or deceased to whom the information was or is being collected or created.Information refers to data elements (including written, electronic, audio and visual) that are organized, interpreted and used to communicate and record decisions. It includes originals, drafts, copies, notes, facsimiles, electronic mail, voice mail, electronic stored data including the display, printout or other output of that data, photographs, films, microform, sound recordings, pictoral, graphs, tracings, videotapes and any machine readable record.Health care means any observation, examination, assessment, care, service or procedure that is done for a health-related purpose.

Accountability for Personal health information 

Markham Stouffville Hospital (MSH) is responsible to ensure the privacy for personal health information under its control.

The president and chief executive officer (CEO) is accountable for compliance with the policy and has designated others within the organization for the day-to-day collection, use and disclosure of personal health information. The CEO has designated a privacy officer to act on her/his behalf to ensure compliance with its privacy policies and practices.

MSH continues to be responsible for personal health information that has been transferred to an agent for processing and shall use contractual or other means to ensure the privacy of that information.

MSH shall formulate and implement policies and practices to carry out this policy, including:

-Procedures to protect personal health information
-Procedures to receive and respond to inquiries and complaints
-Training and continued education of staff, volunteers, and agents on its policies and practices

Identifying Purposes for the Collection of Personal Information 

The primary purposes for the collection of personal health information are:

• Delivery of direct and on going patient care

• Determining eligibility and collection of payment for health services

• Administration purposes in the delivery, planning, monitoring and evaluating health care services

• Teaching and education

• Research studies

• As directed under the Public Hospitals Act, Mental Health Act, Health Care Consent Act, Substitute Decisions Act and Personal Information, Health Information Protection Act, Protection of Electronic Documents Act and other related Acts and Regulations .

• In response to court order, subpoena and summons as authorized under a statute of Ontario

• Fundraising and marketing

At or before the time personal health information is collected, MSH shall identify the purpose for its collection. This will enable the hospital to identify the information required for a specified purpose. The purpose may be included on a form that the person is asked to complete or it may be posted in the department, clinic or service that the person attends. When personal health information shall be used for a purpose not previously identified, the purpose shall be explained prior to its collection. If there is not a legislative requirement for the purpose, the consent of the person is required for its collection.
Persons collecting the personal health information shall be able to explain the purpose for which the information is being collected.

Consent for the Collection, Use and Disclosure of Personal Health Information 

The consent of the individual is required for the collection, use or disclosure of personal health information, except when it is required by legislation, or when it is not reasonable in the circumstances to get consent of the person for reasons of mental capacity, physical condition and or language barrier.

To be valid, the consent:
• Must be the consent of the individual or substitute decision-maker
• Must be knowledgeable – the individual must understand
-The purpose for the collection, use or disclosure of the information
- That the individual may provide or withhold consent
• Must relate to the information
• Must not be obtained through deception or coercion
• Must be deemed capable

Consent may be implied or expressed and will be in keeping with sensitivity of the medical and health information required. Consent shall not  be obtained prior to collection, use or disclosure for a purpose that has not been identified.
An individual may withdraw consent at any time by notifying the hospital to the full or partial withdrawal of the collection, use, or disclosure of personal information. MSH shall inform the individual of the implications of such a withdrawal.

Limiting Use, Collection, Disclosure and Retention of Personal Information 

-MSH shall not collect, use or disclosure more personal health information than is reasonably necessary to meet the purpose of the collection, use or disclosure; or its use or disclosure is authorized by legislation.

-MSH shall not collect, use or disclose personal health information if other information will serve the purpose of the collection, use or disclosure.

-MSH shall not collect, use or disclose personal health information for a purpose that has not been identified without the consent of the individual.

-MSH shall retain personal health information only as long as necessary for the fulfillment of the expressed purpose of its collection and in accordance with the Public Hospitals Act and other applicable legislation.

Ensuring Accuracy of Personal Health Information 

-MSH shall take reasonable steps to ensure that the personal health information is as accurate, complete and up-to-date as necessary for the purposes for which it was collected.

-MSH shall notify the recipient of health information of any known limitations, on the accuracy, completeness or up-to-date character of the information.

Ensuring Safeguards of Personal Health Information 

MSH shall protect personal health information against loss or theft, against unauthorized access, disclosure, copying, use or modification regardless of the format in which it is held. The safeguards used shall depend upon the sensitivity of the information and the format of the information.  

The methods of protection will include:
• Physical means such as locked filing cabinets, locked filing rooms and restricted access to the physical location
• Access to the information by those that have a “need to know” and only that information that is required in the fulfillment of that person’s responsibilities
• Technological measures such as use the passwords, encryption, screen savers, virus protection, access to specified personal health information and audits on the access, entry and modification of personal health information
All employees, volunteers and all agents must sign a Confidentiality Agreement at the beginning of employment or relationship with MSH.

The same safeguards used in the collection, use and disclosure of the information shall be used in the destruction of the information to ensure its continued confidentiality.

Openness about Personal Health Information 

Upon request MSH shall make readily available information on its policies and practices relating to the management of personal health information.

This information will include:

• The name of the Privacy Officer who is responsible for the privacy policies and practices at MSH

• A general description of MSH’s information practices

• How to access the personal health information held by MSH

• How to request correction of personal health information

• How to make a complaint to the Privacy Officer and to the Information and Privacy Commissioner

Individual Access to Personal Health Information 

Upon written request an individual shall be provided access to his/her personal health information that is in the custody and control of MSH unless:

• Granting the access could reasonably be expected to result in a risk of serious harm to the treatment or recovery of the individual or risk of seriously bodily harm to the individual or another person

• Lead to the identification of a person who provided information in confidence

• Lead to the identification of a person who was required by law to provide information

• The information was collected or created in the course of an inspection, investigation or similar procedure authorized by law or undertaken for the purpose of the detection, monitoring or prevention of a person receiving a service or benefit to which the person is not entitled

• Information that was collected in anticipation of or use in a legal proceeding and is subject to legal privilege

• Information that was collected in the monitoring of quality of care

The individual shall have access to that part of the record of personal health information that can be severed and shall be informed of the reason why the record has been severed. If access is denied the individual shall be informed of the reason for the denial. If access to the record is refused in whole or in part, MSH shall advise that the individual is entitled to make a complaint about the refusal to the Privacy Officer.

MSH shall respond to the request for access as soon as possible but within thirty days. MSH may extend the time limit for a further thirty days when it is not feasible to meet the initial time period. MSH shall notify the individual of the extension of the time, the reasons for the extension and the right to make a complaint to the Privacy Officer in respect to the extension.
MSH shall charge a reasonable fee for the printing and copying of the information in keeping with the statutory regulations and shall notify the individual of the approximate cost prior to the access.

If the individual believes that the information is inaccurate or incomplete, the individual may request in writing that a correction be made to the record. MSH shall notify the individual within thirty days of making the request as to the action taken on the request.

If the request for correction is refused, MSH shall set out the reasons for the refusal and indicate that the individual has the right to make a complaint about the refusal to the Privacy Officer and the right to make a statement of disagreement that sets out the correction that was refused. MSH shall not make corrections if MSH did not create the original record or the information is a professional opinion or observation that was made in good faith about the individual at the time the record was made.

At the request of the individual and when possible MSH shall notify any third parties of the requested correction if the correction is expected to impact on the ongoing provision of health care.

Challenging Compliance with MSH’s Privacy Policies and Practices 

An individual shall be able to challenge MSH compliance to its policies and practices directly to the Privacy Officer or the Chief Executive Officer. MSH shall investigate all complaints and shall take appropriate measures to amend policies and practices to comply with information and privacy legislation and practices.

EXPECTED OUTCOME OF THIS POLICY:

The privacy, integrity and availability of personal health information shall be maintained by all hospital employees, volunteers, and associated personnel and that they shall understand and practice the principles for the collection, use and disclosure of personal health information.

04/05/19