CATC is committed to protecting the privacy, confidentiality, and security of all personal health information with which it is entrusted and to ensuring that staff and agents of the organization uphold this obligation.
Purpose: This policy details the regulatory requirements related to the collection, use, and disclosure of Personal Health Information (PHI).
Policy: CATC collects, uses, and may disclose personal health information and is, therefore, a health information custodian (HIC) as defined by the relevant provincial Personal Health Information Protection Act. A Health Information Custodian (HIC) is defined as an individual or organization that as a result of its power or duties has custody or control of Personal Health Information (PHI).
“A health information custodian is not free to disclose personal health information about an individual without the express consent of the individual, or incapable individual’s substitute decision maker, or as required or permitted by law, for example, pursuant to a warrant or court order (PHIPPA [s.43(1)]).”
Accountability for overseeing compliance with this policy rests with each person that works for CATC. While the designated Privacy Officer for CATC has ultimate accountability, each team member will need to work together to ensure our patients’ information is kept confidential and secure.
All staff and care providers that work in our clinics are responsible for maintaining the privacy, confidentiality, and security of a patient’s PHI at all times and are asked to sign a Confidentially Agreement that details our expectations when they start working with us.
A care team member should only access a patients’ medical record if they are directly providing care to that patient or asked to consult on the care of a patient. In other words, it would be inappropriate to view a patient’s medical file because you are interested in how they are doing at another clinic or because you used to know them in high school. If you are not sure if you should be accessing the patient’s EMR, you can always ask your manager for guidance.
A care team member should not disclose information about a patient to another patient, a family member, or any other third party without written consent from the patient. In other words, the information that you learn about a patient by caring for them should never be shared outside of the circle of care. The circle of care is defined as those individuals who are permitted to rely on the patient’s implied consent for collecting, using, or disclosing personal health information for the purpose of providing health care or assisting in providing health care.
If you feel that you may have inadvertently breached a patient’s privacy, you must report it to your manager as soon as possible to mitigate any impacts of the potential breach.
It is important that our patients know and understand why we collect their PHI and are confident that we will keep their information safe and secure. CATC has designed a Privacy Practices Summary that is available to be provided to all patients upon request. The Privacy Practices Summary details the purposes for which the personal health information may be collected, used, and disclosed, the steps we take to safeguard patients’ privacy.
At CATC, we protect Personal health information by utilizing:
PHIPA permits CATC to rely on patients’ implied consent for the collection, use, or disclosure of PHI for the delivery of health services within a patient’s circle of care. This means that the CATC will assume that the patient consents to the disclosure of information to, and receipt of information from, all members of the patient’s circle of care (i.e. all of the providers of health care services to the patient), unless a patient tells explicitly removes his/her consent.
CATC staff are considered part of the circle of care of a patient, if they are actively involved in providing care for that patient, or if they are asked to consult on the care of a patient being treated in one of our clinics by another care team member.
CATC MUST obtain the patient’s expressed consent before disclosing PHI to any third party. In certain rare circumstances, legal and regulatory requirements may compel the CATC to disclose PHI without a patient’s consent, for example, disclosures to the relevant provincial Ministry of Health for billing purposes or disclosures to support a legal investigation/proceeding. If you have a request for information and you are unsure, please contact your manager.
All steps outlined in the Release of Personal Health Information SOP must be adhered to prior to the release of ANY patient information.