CANADIAN ADDICTION TREATMENT CENTRES
Human Resource Policy & Procedures Manual
Section: Patient Services
CATC is committed to protecting the privacy, confidentiality, and security of all personal health information with which it is entrusted and to ensuring that staff and agents of the organization uphold this obligation.
Purpose: This policy details the regulatory requirements related to the collection, use, and disclosure of Personal Health Information (PHI).
Policy: CATC collects, uses, and may disclose personal health information and is, therefore, a health information custodian (HIC) as defined by the relevant provincial Personal Health Information Protection Act. A Health Information Custodian (HIC) is defined as an individual or organization that, as a result of its powers or duties, has custody or control of Personal Health Information (PHI).
“A health information custodian is not free to disclose personal health information about an individual without the express consent of the individual, or an incapable individual’s substitute decision maker, or as required or permitted by law, for example, pursuant to a warrant or court order (PHIPA [s.43(1)]).”
Accountability for Personal Health Information:
Accountability for overseeing compliance with this policy rests with each person that works for CATC. While the designated Privacy Officer for CATC has ultimate accountability, each team member will need to work together to ensure our patients’ information is kept confidential and secure.
All staff and care providers that work in our clinics are responsible for maintaining the privacy, confidentiality, and security of a patient’s PHI at all times and are asked to sign a Confidentiality Agreement that details our expectations when they start working with us.
A care team member should only access a patient’s medical record if they are directly providing care to that patient or have been asked to consult on the care of that patient. In other words, it would be inappropriate to view a patient’s medical file because you are interested in how they are doing at another clinic or because you used to know them in high school. If you are not sure whether you should be accessing a patient’s EMR, you can always ask your manager for guidance.
A care team member should not disclose information about a patient to another patient, a family member, or any other third party without written consent from the patient. In other words, the information that you learn about a patient by caring for them should never be shared outside of the circle of care. The circle of care is defined as those individuals who are permitted to rely on the patient’s implied consent for collecting, using, or disclosing personal health information for the purpose of providing health care or assisting in providing health care.
If you feel that you may have inadvertently breached a patient’s privacy, you must report it to your manager as soon as possible to mitigate any impacts of the potential breach.
Protecting our Patients
It is important that our patients know and understand why we collect their PHI and are confident that we will keep their information safe and secure. CATC has designed a Privacy Practices Summary that is available to all patients upon request. The Privacy Practices Summary details the purposes for which personal health information may be collected, used, and disclosed, and the steps we take to safeguard patients’ privacy.
At CATC, we protect personal health information by utilizing:
- Physical measures – including keeping personal health information in locked filing cabinets, restricting office access to authorized people, and installing a security system in every clinic.
- Administrative measures – limiting access to records on a need-to-know basis; staff training and education on privacy and security issues; regular audits of our practices to ensure compliance with our policies; and confidentiality agreements.
- Technological measures – including the requirement for user IDs and passwords to access all computers, encryption, firewalls, anti-virus software, and similar controls.
Consent for the collection, use, and disclosure of personal health information:
PHIPA permits CATC to rely on patients’ implied consent for the collection, use, or disclosure of PHI for the delivery of health services within a patient’s circle of care. This means that CATC will assume that the patient consents to the disclosure of information to, and receipt of information from, all members of the patient’s circle of care (i.e. all of the providers of health care services to the patient), unless the patient explicitly withdraws his/her consent.
CATC staff are considered part of the circle of care of a patient, if they are actively involved in providing care for that patient, or if they are asked to consult on the care of a patient being treated in one of our clinics by another care team member.
CATC MUST obtain the patient’s express consent before disclosing PHI to any third party. In certain rare circumstances, legal and regulatory requirements may compel CATC to disclose PHI without a patient’s consent, for example, disclosures to the relevant provincial Ministry of Health for billing purposes or disclosures to support a legal investigation or proceeding. If you receive a request for information and you are unsure, please contact your manager.
All steps outlined in the Release of Personal Health Information SOP must be adhered to prior to the release of ANY patient information.
Response in the Event of a Privacy Breach
In the event that a patient’s PHI has been stolen, lost, or accessed by an unauthorized person, the following steps will be taken by the Privacy Officer or their delegate, in accordance with the Privacy Breach Protocol, to contain and correct the privacy breach:
STEP 1: IMMEDIATELY IMPLEMENT PRIVACY BREACH PROTOCOL
- Notify all relevant staff of the breach, including the Chief Privacy Officer or PHIPA contact person, and determine who else from within the organization should be involved in addressing the breach.
- Develop and execute a plan designed to contain the breach and notify those affected.
- It is also highly recommended that you contact the relevant provincial privacy office and provide that office with details of what happened.
STEP 2: STOP AND CONTAIN THE BREACH
Identify the scope of the breach and take the necessary steps to contain it, including:
- Retrieve and secure any personal health information that has been disclosed.
- Ensure that no copies of the personal health information have been made or retained by the individual who was not authorized to receive the information. Their contact information should be obtained, in the event that follow-up is required.
- Determine whether the privacy breach would allow unauthorized access to any other personal health information (e.g. an electronic information system) and take necessary steps, such as changing passwords, identification numbers, and/or temporarily shutting your system down.
STEP 3: NOTIFY THOSE AFFECTED BY THE BREACH
You must take the necessary steps to notify those individuals whose privacy was breached, including:
- Identify all affected individuals and notify them of the breach at the first reasonable opportunity. Notification can be by telephone, in writing, or depending on the circumstances, a notation made in the individual’s file to be discussed at his/her next appointment. There are numerous factors that may need to be taken into consideration when deciding on the best form of notification, such as the sensitivity of the personal health information.
- When notifying individuals affected by a breach:
  - Provide details of the breach to affected individuals, including the extent of the breach and what personal health information was involved.
  - Advise all affected individuals of the steps that you are taking to address the breach, and that they are entitled to make a complaint to the IPC. If you have reported the breach to the relevant provincial privacy office, advise them of this fact.
  - Provide contact information for someone within your organization who can provide additional information, assistance, and answer questions.
STEP 4: INVESTIGATION AND REMEDIATION
We will be expected to conduct an internal investigation, including:
- Ensure that the immediate requirements of containment and notification have been met.
- Review the circumstances surrounding the breach.
- Review the adequacy of your existing policies and procedures in protecting personal health information.
- Ensure all staff are appropriately educated and trained with respect to compliance with the privacy protection provisions of PHIPA.
CATC will ensure that all staff are appropriately educated and trained with respect to compliance with the privacy protection provisions of PHIPA.
Limiting retention of personal health information
CATC will maintain PHI records for a period of ten years following a patient’s last attendance at or contact with the CATC, following which CATC will ensure the secure destruction of all personal health information no longer required. Paper records will be shredded, and electronic records will be securely destroyed.
Patient Access to their Medical Record
Patients of CATC have a right to access their personal health information and upon written request to the Privacy Officer, may receive a copy of their information within thirty (30) days of making the request. An access request may be denied where:
- the information does not exist or cannot be found;
- the denial of access is required or authorized by law; or
- the request is frivolous, vexatious, or made in bad faith.
CATC is committed to ensuring the accuracy of patient health information. If a patient believes that his or her PHI is not accurate or complete, he or she may make a written request to the Privacy Officer to have the information corrected. CATC will correct personal health information where it is demonstrated that the information in the patient’s record is, in fact, inaccurate or incomplete, and necessary information is provided to correct the record. However, we may refuse to correct personal health information if the information is a professional opinion or an observation of a health care provider. In these circumstances, where a correction request is denied, patients may append a short statement of disagreement to their record.
All requests for access to PHI, or for correction of inaccurate PHI, will be responded to within thirty (30) days of the request being made.
Day-to-Day Privacy Considerations
- It is important to remember that email is NOT considered to be a secure means of transferring Personal Health Information (PHI). Whether it is a work email or a personal email, PHI is not permitted to be shared via email.
- If you need to communicate about a patient over email, you must use only the patient’s first name, first initial of their last name, and record number to identify the patient. Please do not use a patient’s full name in email correspondence or share any PHI.
- All personal health information is to be stored exclusively in the EMR and paper chart where applicable. Documents containing PHI should not be attached to emails. When there is a need to share a document among the care team, simply let others know where to locate the document in the EMR rather than attaching it to an email.
Removal of names – Where a patient’s full first and last names are present on medication containers that are awaiting disposal, this information will be blacked out with a black China marker prior to disposal. Garbage bins will not be placed in an area where a patient is able to dispose of those containers themselves without removing PHI.
Telephone calls – When answering calls from patients, staff may only discuss a patient’s information over the phone once the patient’s identity has been confirmed. Identity is confirmed only if the patient can provide their health card number (checked against the file) and a unique password. The password MUST be recorded in the patient demographic comment section at the bottom of the demographic tab, and both must be verified prior to any discussion over the phone. All conversations must be documented in the patient file.
Computers – Personal health information should not be stored directly on a computer’s local hard drive. Scanned documents to be uploaded to the EMR must be deleted from the computer’s local hard drive on a daily basis.
Video security surveillance is highly confidential
For purposes of security and quality assurance, all CATC clinics have in place surveillance cameras that record (without audio) activities that take place in the public areas of the clinic including all entrances and exits. Images on surveillance cameras do not form part of the personal health information record. Patients of CATC will not have access to the recorded video images. Video images are maintained for a minimum of two (2) weeks at which time they will be deleted and overwritten by newer images.
CATC’s Privacy Officer:
All staff and care providers should immediately bring questions or concerns related to privacy to their Manager and/or the Privacy Officer.