PRIVACY AND CONFIDENTIALITY POLICY

PURPOSE
To outline the policy for protecting the personal, organizational, and health information of individuals receiving services at Hospice Vaughan, staff, volunteers, donors, and other stakeholders as well as handling cases of suspected or confirmed breach of privacy.

DEFINITIONS

Clients
• Inclusive of individuals participating in any Hospice Vaughan programs and services.

Express Consent
• Consent that is given either verbally or in writing, to a custodian to collect, use, and/or disclose an individual’s personal health information¹

Implied Consent
• Consent that one concludes has been given based on what an individual does or does not do in the circumstances.²

Personal Information
• Information about an identifiable individual that is recorded in any form including, but not limited to:

    • The physical or mental health of the individual, including information that consists of the health history of the individual’s family
    • The provision of healthcare to the individual, including the identification of a person as a provider of healthcare to the individual
    • An individual’s plan of care and service within the meaning of the Home Care and Community Services Act, 1994 for the individual
    • Payments or eligibility for healthcare, or eligibility for coverage for healthcare, in respect of the individual information
    • The donation of any body part or bodily substance of the individual or is derived from the testing or examination of such body part or bodily substance
    • An individual’s health number
    • An individual’s substitute decision maker.⁴

Organizational Information
Information that includes, but is not limited to:

    • Financial information that is not contained in a public budget or in a public report
    • Non-public information about Hospice Vaughan’s operation, its staff, its plans, aspects of the relationship between Hospice Vaughan and other agencies, etc.
    • Reports or information received or discussed in a closed meeting.

Privacy Breach or Breach of Confidentiality
A privacy breach occurs when personal information is collected, retained, used, disclosed, or disposed of in ways that do not comply with Ontario’s privacy laws.

POLICY

Hospice Vaughan is committed to maintaining the privacy and confidentiality of the personal, organizational, and health information of our clients, staff, volunteers, donors, and other stakeholders regardless of the medium (verbal, written, or electronic) in accordance with our mission, Ontario’s Personal Health Information Protection Act (PHIPA Bill 31), public expectations for privacy, and internationally accepted information principles. This is inclusive of the collection, use, and disclosure of personal health information and the storage, retention, transfer, and disposal of client and organizational records.

Section 12(1) of PHIPA requires health information custodians to take steps that are reasonable in the circumstances to ensure personal health information in their custody or control is protected against theft, loss, and unauthorized use or disclosure and to ensure that records containing personal health information are protected against unauthorized copying, modification, or disposal.

During the course of our various programs and services, we frequently gather and use personal and health information. This information will be carefully protected. Utilization or sharing of this information will be limited to relevant healthcare providers and individuals the client identifies through express or implied consent.

PRIVACY PRACTICES

Hospice Vaughan takes measures to ensure the integrity of personal and health information is maintained. Hospice Vaughan retains personal and health information for the time period required to fulfil the purposes for which the information was collected or as authorized or required by PHIPA and as defined in the Storage, Retention, Transfer, and Disposal of Client and Organizational Records Policy.

Privacy policies are reviewed every two years unless there are legislated or significant practice changes. Privacy training is provided to all staff, volunteers, and students in accordance with legislative and professional practice standards. All staff, volunteers, and students sign an agreement annually that they will uphold Hospice Vaughan’s privacy and confidentiality policies and for the containment, resolution, and investigation of privacy and security incidents within the organization.

With regard to its privacy and confidentiality practices, Hospice Vaughan will respond in a timely manner to potential breaches, inquiries, and complaints (as defined in 2.38 Concerns, Complaints, and Compliments Policy).

PROCEDURE

All Hospice Vaughan staff, volunteers, and students will participate in privacy and confidentiality training and indicate comprehension and agreement by signing the Confidentiality Agreement Form of Acknowledgement upon commencement of work and on an annual basis.

With regard to its privacy and confidentiality practices, all staff, volunteers, and students will respond in an appropriate manner to potential breaches, inquiries, and complaints (as defined in 2.38 Concerns, Complaints, and Compliments Policy).

All staff, volunteers, and students who facilitate groups at Hospice Vaughan will remind participants to respect the privacy and confidentiality of fellow participants. In addition, group facilitators will:

  • Establish guidelines for each group which includes privacy and confidentiality amongst group members
  • Stress that “what is said in the group, stays in the group”
  • Inform participants how to proceed should they have concerns about privacy and confidentiality
  • Ensure that group participants indicate comprehension and agreement by signing their client service agreement.

BREACH OF PRIVACY OR CONFIDENTIALITY PROCEDURE

1. Contain the breach and notify affected individuals

  • Alert all relevant staff of the breach, including Hospice Vaughan’s Privacy Officer, and determine who else within the organization should be involved in addressing the breach
  • Identify the nature and scope of the breach and the action needed to contain it
  • Determine what personal information is involved
  • Take corrective action:
    • Ensure that no personal information has been retained by an unauthorized recipient
    • Obtain their contact information in case follow up is required
    • Ensure that the breach does not allow unauthorized access to any other personal information by taking appropriate action (for example, changing passwords or identification numbers, temporarily shutting down a system, etc.)
    • In a case of unauthorized access by staff, consider suspending their access rights
    • Retrieve hard copies of any personal information that has been disclosed
    • Ensure soft copies of any personal information are permanently deleted

2. Notify those affected by the breach

  • Notify those affected as soon as reasonably possible if Hospice Vaughan determines that the breach poses a real risk of significant harm to the individual, taking into consideration the sensitivity of the information and whether it is likely to be misused
  • If law enforcement is involved, ensure that notification will not interfere with any investigations
  • Notification should be direct, such as by telephone, letter, e-mail, or in person. Indirect notification can be used in situations where direct notification is not possible or reasonably practical, for instance, when contact information is unknown or the breach affects a large number of people
  • Notification to affected individuals should include details of the extent of the breach and the specifics of the breach

3. Investigate

  • Identify and analyze the events that led to the breach
  • Review Hospice Vaughan policies and practices in protecting personal information, privacy breach response plans, and staff training to determine whether changes are needed
  • Determine whether the breach was a result of a systemic issue and if so, review Hospice Vaughan program-wide or organization-wide procedures
  • Take corrective action to prevent similar breaches in the future and ensure Hospice Vaughan staff are adequately trained
  • If the Information and Privacy Commissioner (IPC) is contacted, advise them of the findings and remedial measures and cooperate with any further investigation IPC may undertake into the incident

4. Notify the Information and Privacy Commissioner (IPC)

  • The IPC will be notified of significant breaches, such as those that may involve sensitive personal information or large numbers of individuals, or when you are having difficulties containing the breach. In these situations, you should notify the IPC as soon as reasonably possible
  • In situations where Hospice Vaughan will be notifying a large number of individuals, it is important to contact the IPC before beginning the notification process. The IPC can assist Hospice Vaughan with your breach response plan

5. Reduce the risk of future breaches

  • Educate Hospice Vaughan staff, volunteers, and students about Ontario’s privacy laws and the organization’s policies and practices governing the collection, retention, use, security, disclosure, and disposal of personal information.
  • Conduct privacy impact assessments before introducing or changing technologies, information systems, and processes to ensure privacy risks are identified and addressed.
  • Seek input from appropriate parties, such as Hospice Vaughan’s legal counsel and security units, freedom of information and privacy coordinator, the Ontario ministry responsible for information and privacy matters, and IPC as necessary.

POLICY COMMUNICATION PLAN

This policy is included in orientation for all staff, volunteers, and students in an annual refresher training and signing of the Confidentiality Agreement Form of Acknowledgement.

This policy and contact information for the Privacy Officer are posted on the Hospice Vaughan website and available in other accessible formats as needed.

POLICY REVIEW DETAILS

To ensure compliance and to identify any needed revisions, the policy will be reviewed when legislation or significant practice changes make it necessary.

REFERENCES

  • Information and Privacy Commissioner of Ontario
  • Information and Privacy Commissioner of Ontario’s “Privacy Breaches: Guidelines for Public Sector Organizations”
  • Personal Health Information Protection Act, 2004
  • Privacy Act, 2013
  • Summary of Privacy Laws in Canada
  • Hospice Peterborough’s Privacy and Confidentiality Policy

To contact the Privacy Officer please send an email to: exec@hospicevaughan.com