ADMINISTRATIVE MANUAL Policy and Procedure

Transcription

1 ADMINISTRATIVE MANUAL Policy and Procedure TITLE: Privacy NUMBER: CH Date Issued: April 2010 Page 1 of 7 Applies To: Holders of CDHA Administrative Manual POLICY 1. In managing personal information, Capital Health recognizes the importance of privacy and the sensitivity of personal information and has a responsibility: 1.1. To protect the privacy of each individual whose personal information it holds; 1.2. To afford the individual an opportunity to access that personal information; 1.3. To use and share personal information effectively to support the provision of health care, research and planning. 2. The right of individuals to privacy and to control use of their personal information, within the limits of the law, is essential to client care and the service provider relationship. 3. SCOPE 3.1. This policy applies, along with other relevant Capital Health policies, to any access to personal information in the custody of Capital Health including, but not necessarily limited to: All programs and services of the Capital Health, and all employees of those programs and services; All medical, dental and scientific staff with privileges at Capital Health; Researchers, research assistants, fellowships and all other employees, learners and contractors conducting research on the premises of Capital Health or using personal health information related to individual of Capital Health that is collected or in the custody of Capital Health; All learners completing internships, practicums, or work terms at Capital Health; All volunteers of Capital Health including but not limited to all persons appointed or invited to fulfill advisory, consultation or decision-making roles on Capital Health committees, panels, etc All agents and contractors of the Capital Health;

2 Privacy Page 2 of All consultants hired or engaged by the Capital Health; The members of the Board of Directors of Capital Health and of Capital Health Community Health Boards. 4. Capital Health only collects personal information from and about an individual: 4.1. To provide care and treatment; 4.2. For any purposes associated with the administration and management of Capital Health; 4.3. To plan, administer and manage quality of care provided by Capital Health; 4.4. To meet any legislative and regulatory requirements (e.g. Vital Statistics); 4.5. To support and promote research and education. 5. COMPLIANCE 5.1. Any breach of this Policy may result in significant disciplinary action up to and including termination or revocation of privileges, and termination of access to information Personal information may only be used as permitted by Capital Health and under the same legislation legal limitations that apply to Capital Health The Capital Health Privacy Officer is to be notified at the first reasonable opportunity if personal information is lost, stolen or accessed without authorization. DEFINITIONS Personal Information: Information in any form, including personal health information, that identifies an individual or could enable the individual to be identified, including but not necessarily limited to information about an individual, including: The individual s name, address or telephone number; The individual s race, national or ethnic origin, colour, or religious or political beliefs or associations The individual s age, sex, sexual orientation, marital status or family status; An identifying number, symbol or other particular assigned to the individual; The individual s fingerprints, blood type or inheritable characteristics; Information about the individual s physical or mental health which may include family history as reflected in the individual s health record; Information about the individual s educational, financial, criminal or employment history; Anyone else s opinions about the individual; and The individual s personal views or opinions, except if they are about someone else and the person who generated the opinion did so in the course of employment with Capital Health.

3 Privacy Confidentiality Security Privacy Page 3 of 7 Includes an individual s right to determine when, how, and to what extent they share information about themselves with others. The right of privacy and consent are essential to the trust of the client care or service provider relationship. Means the obligation of an individual, organization or custodian to protect the information entrusted to it and not misuse or wrongfully disclose it. [Source: Preliminary Draft of the Pan-Canadian Health Information Privacy and Confidentiality Framework]. Includes the measures taken to protect personal health information from unauthorized or unintentional loss, theft, access, use, modification or disclosure. GUIDING PRINCIPLES 1. This Privacy Policy outlines how Capital Health manages personal information and safeguards privacy. 2. Management and protection of health information at Capital Health is governed by the Hospitals Act, Section 71, all other personal information is governed by the Freedom of Information and Protection of Privacy Act (the FOIPOP Act). The Personal Information International Disclosure Protection Act (PIIDPA) governs the access, storage, disclosure and transportation of personal information outside of Canada. Capital District Health Authority is responsible to comply with this and any other relevant legislation PROCEDURE 1. Accountability for Personal Information 1.1. All Capital District Health Authority staff and individuals outlined in the policy Scope are accountable to protect the privacy of personal information under the control of Capital District Health Authority The Chief Executive Officer of Capital Health delegates responsibility for the management of privacy issues to the Privacy Officer including, but not limited to: Privacy policy and guideline development; Privacy education and training; Privacy inquires and complaints; 1.3. The Privacy Officer, on an on-going basis, monitors the Privacy policy and makes recommendations related to the protection of personal information. 2. Identifying Purposes for the Collection of Personal Information 2.1. All persons collecting personal information on behalf of Capital Health explains, to the extent necessary and as requested by the individual, the purpose for which the information is being collected or direct the individual to a person who can provide that information Explain verbally or by using an admission or appointment form, poster or brochure Capital Health makes available to individuals written information on the general uses and disclosures of personal information.

4 Privacy Page 4 of This information may be contained in posters, brochures or forms available to all individuals and should make reference to administration of health care services, research and statistics, legal and regulatory requirements, and education of health care providers At the request of the individual, Capital Health provides as much information as is available on the specific uses and disclosures of their personal information. 3. Limiting Collection of Personal Information 3.1. Capital Health: limits the collection of personal information to that which is necessary to fulfill the purposes identified collects the information by fair and lawful means. 4. CONSENT for the Use and Disclosure of Personal Health Information As per Section 71 of the Hospitals Act, individual consent is not required for the use or disclosure of personal health information for care and treatment of the individual if the use or disclosure is by a person on staff at the hospital, or by the qualified medical practitioner of the person concerned designated by the person as his physician. Consent to use and disclose personal health information is not required for the following purposes: Payment by the individual for any non-insured hospital services; Administration and management of Capital Health (e.g. wait list management); Compliance with any legislative/legal and regulatory requirements (e.g. providing birth and death information to NS Vital Statistics; compliance with Ministerial Authorizations compliance with a valid search warrant or subpoena) Ensure that the individual knows of and consents to the use and disclosure of the individual s personal information for all purposes, except as required or authorized by law. (See Capital Health s Release of Information from the Health Record, CH , for further information.) Note: Disclosures required by law include but are not necessarily limited to communicable diseases, child and adult protection matters and compliance with court orders. Disclosures authorized by law include disclosures pursuant to a Ministerial Authorization. As per Section 71(5) (e) of the Hospitals Act, the Minister of Health may authorize access to individuals records without the individuals consent. Only the information specified in the Ministerial Authorization may be provided to the individuals named in the Authorization. 5. Limiting Use and Disclosure and Retention of Personal Information 5.1. Capital Health limits the use and disclosure of personal information to the identified purposes, except with the consent of the individual or as required or authorized by law. (Refer to Capital Health s Interacting With Law Enforcement Agencies CH and Capital Health Release of Information from the Health Record CH )

5 Privacy Page 5 of If a person or agent is in doubt as to whether or not to disclose personal information, consult with the immediate supervisor, and/or contact the Privacy Officer Retain individual records as per the Capital Health s record retention schedule. (Refer to Capital Health Retention of Records CH ) 5.4. Prior to the use of personal information in the course of research, obtain approval, in advance, by the Capital Health Ethics Review Board and in accordance Capital Health Research Ethics policies and Capital Health Release of Information from the Health Record Policy. 6. Accuracy of Personal Information 6.1. Ensure that personal information is as accurate, complete, and up-to-date as is necessary for the purpose of which it is to be used As per Section 25 of the FOIPOP Act, an individual who believes there is an error or omission in his/her personal information may make a request to Capital Health to correct the information Direct requests for changes of personal information in writing to the Privacy Officer Direct any concerns with regards to the individual s ability to place their request in writing to the Privacy Officer as well Capital Health is not required to correct the information if the Privacy Officer determines that a correction is not appropriate. Include the request for correction with the individual s record. 7. Safeguards for Personal Health Information 7.1. Capital Health protects personal information in its custody or control regardless of the format in which it is held The nature of safeguards varies depending on the sensitivity of the information These security safeguards are in keeping with industry standards and are designed to protect personal information against loss or theft as well as unauthorized access, disclosure, copying, use or modification The safeguards include, but are not limited to, the following: Appropriate storage of hospital records in secure cabinets and/or rooms; Password protection and restricted access for any information held electronically; Appropriate location of personal information, including placement of terminal screens, printers and paper records; Access to personal information permitted on a need-to-know basis; that is, if the information is required for an authorized person to perform his/her functions within Capital Health; Confidentiality Agreements for all employees and any other persons who may access personal information; and Technological safeguards such as security software and firewalls to prevent hacking or unauthorized computer access.

6 Privacy Page 6 of Capital Health provides all new staff and volunteers with appropriate training on the importance of maintaining the privacy and confidentiality of personal information. This may include: staff training orientation information signing and discussion of Capital Health s Confidentiality Agreement at time of hire or placement periodic re-signing of the Confidentiality Agreement. 8. Openness about Personal Information Policies and Practices 8.1. Capital Health provides copies of its Privacy Policy and associated policies/guidelines to any person who requests them Information made available includes: The name or title, and the contact information of the Privacy Officer; The process of gaining access to personal information held by Capital Health; A copy of the Privacy Policy and/or brochures or other information explaining the Privacy Policy. 9. Individual Access to One s Own Personal Information 9.1. Any individual can request a copy or to view his/her own personal information As per Section 71 of the Hospitals Act, if requested, any individual may receive or view personal health information (see Capital Health s Release of Information from the Health Record, #CH , for further information.) Advise the individual that fees for access may be charged as per the Hospitals Act Fees Regulations Any individual may receive personal information held by Capital Health by making an application to the Privacy Officer under the Nova Scotia Freedom of Information & Protection of Privacy Act If unable to provide access to all of the information held about an individual, explain the reason for denying the access. Note: Exceptions to the access requirement will be limited and specific and may include information that cannot be disclosed for legal, security, or commercial proprietary reasons, information that is deemed to be a physician s private office record, and information that is subject to solicitor-client privilege or other litigation purposes. 10. Challenging Compliance with the Privacy Policy The individual may challenge Capital Health s compliance with the principles set out in this Policy by submitting their concerns in writing to the Privacy Officer: Privacy Officer Capital District Health Authority Phone: Capital Health s Privacy Officer oversees the procedures taken to receive and respond to complaints or inquires about its handling of personal health information.

7 Privacy Page 7 of Capital Health investigates all complaints and takes appropriate measures to ensure compliance with this Policy. RELATED CDHA DOCUMENTS: Policies Release of Information from the Health Record CH Retention of Records CH Release of Information Restriction-Verbal (Communications Blackout) CH Release of Information: Fee Schedule CH Restricted Areas, Access to CH Interacting with Law Enforcement Agencies CH Web Policy - Internet and Intranet CH Computer end-user acceptable use CH Electronic Service CH Virtual Private Network CH Remote Access CH Password CH Internet Access/Use CH Information Technology Audit Ch Departmental and Enterprise Applications CH REFERENCES Nova Scotia Department of Health: Best Practices Privacy Committee The Ottawa Hospital Privacy Policy Nova Scotia Freedom of Information & Protection of Privacy Act Nova Scotia Hospitals Act Personal Information International Disclosure Protection Act (PIIDPA) Timmins and District Privacy Policy Vancouver Island Health Authority Privacy Policy The Hospital for Sick Children, Privacy of Personal Information University Health Network Privacy Policy CAN/CSA-Q Model Code for the Protection of Personal Information, CSA * * *