In anticipation of Ontario health privacy legislation, Bill 31, the Personal Health Information Protection Act (PHIPA) and the Quality of Care Information Protection Act (QCIPA), Trellis Mental Health and Developmental Services (hereafter referred to as Trellis) intends to self-regulate, to the fullest extent possible, on the model of the Canadian Standards Association Model Code because it is the de facto national privacy standard for Canada and is currently considered a best practice that health care facilities should adopt. The Ontario Legislature has legislated a comparable standard effective October 2004.
Staff/Volunteer/Student Personal Health Information.
Trellis will apply the CSA Model Code to all information it collects, uses and discloses as it applies to staff, volunteers and students. The contact person for all staff, volunteer and student personnel files will be the Manager of Human Resources and Finance.
The Ten Privacy Principles (CSA) will be used by Trellis to guide our self-regulatory effort.
These will not replace any statutory, common law, ethical or contractual obligations that are in place with respect to how Trellis collects, uses and discloses personal information.
Procedures and training sessions are available to enable implementation and education to explain to staff and the public what these rules mean in practice.
Principle 1 – Accountability for Personal Information
Trellis is responsible for personal information under its control and has designated the Executive Director as the responsible official. The Executive Director (Health Information Custodian) delegated responsibility to the Trellis Privacy Officer (HIS Service Manager) who acts as an “agent” for the custodian and works with the privacy team, the Trellis Program Policy and Priorities Committee, and Operations Committee who are accountable for Trellis’ compliance with the following principles.
Accountability for Trellis’ compliance with the principles rests with the designated individuals, even though individuals within Trellis may be responsible for the day-to-day collection and processing of personal information.
The identity of the individual(s) designated by Trellis to oversee its compliance with the principles will be made known.
Trellis is responsible for personal information in its possession or custody, including information that has been transferred to a third-party for processing. It will use contractual or other means to provide a comparable level of protection while the information is being processed by a third-party.
Trellis will implement policies and practices to give effect to the principles, including:
- Implementing procedures to protect personal information;
- Establishing procedures to receive and respond to complaints and inquiries;
- Training staff and communicating to staff information with respect to Trellis’ policies and practices;
- Developing information to explain its policies and procedures.
Principle 2 – Identifying Purposes for Collecting Personal Information
Trellis will identify the purposes for which personal information is collected at or before the time the information is collected.
Trellis collects personal information for the purposes of:
- Direct Client Care;
- Administration and management of the health care system (mental health, development services, preschool services);
- Research, teaching and statistics;
- Complying with legal and regulatory requirements.
Identifying the purposes for which personal information is collected at or before the time of collection allows Trellis to determine the information it needs to collect to fulfill these purposes. The Limiting Collection principle (Clause 4) requires Trellis to collect only the information that is necessary for the purposes that have been identified.
Trellis will specify the identified purposes at or before the time of collection to the individual from whom personal information is collected. Depending upon the way the information is collected, this can be done orally or in writing. An admission or appointment form, for example, may give notice of the purposes.
When personal information that has been collected is to be used for a purpose not previously identified, the new purpose will be identified prior to use. Unless the new purpose is required by law, the consent of the individual is required before information can be used for that purpose.
Persons collecting personal information will be able to explain to individuals the purposes for which the information is collected. A pamphlet or information sheet can serve this purpose.
Principle 3 – Consent for Collection, Use, and Disclosure of Personal Information
The knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate.
Note: In certain circumstances personal information can be collected, used or disclosed without the knowledge and consent of the individual. For example, legal, medical, or security reasons may make it impossible or impractical to seek consent. Seeking consent may be impossible or inappropriate when the individual is a minor, seriously ill or mentally incapacitated. Therefore, it is prudent to review exceptions with the designated supervisor and/or back up.
Consent is required for the collection of personal information and the subsequent use or disclosure of this information. Typically, Trellis will seek consent for the use or disclosure of the information at the time of collection. In certain circumstances, consent with respect to use or disclosure may be sought after the information has been collected but before use (for example, when Trellis wants to use information for a purpose not previously identified).
The principle requires “knowledge and consent”. Trellis will make a reasonable effort to ensure that the individual is advised of the purposes for which information will be used. To make the consent meaningful, the purposes must be stated in such a manner that the individual can reasonably understand how the information will be used or disclosed.
Trellis will not, as a condition of the supply of a service, require an individual to consent to the collection, use or disclosure of information beyond that required to fulfill the explicitly specified and legitimate purposes.
The form of the consent sought by Trellis may vary, depending upon the circumstances and the type of information. In determining the form of consent to use, Trellis will take into account the sensitivity of the information. Any information can be sensitive, depending upon the context.
In obtaining consent, the reasonable expectations of the individual are also relevant. For example, Trellis can assume that the individual’s request for services constitutes consent for specific treatment purposes, including contact with the referring physician to report results or placing an individual on a wait list. On the other hand, an individual would not reasonably expect that personal information shared with Trellis would be given to a company selling products unless consent was obtained.
The way in which Trellis seeks consent may vary, depending on the circumstances and the type of information collected. Trellis will generally seek express consent when information is likely to be considered sensitive. Implied consent would generally be appropriate when the information is less sensitive (e.g., appointment time to GP; demographic information for purposes of referral to). An authorized representative (such as a legal guardian or a person having Power of Attorney) can also give consent.
Individuals can give consent in the following ways:
- An admission or appointment form may be used to seek consent, collect information, and inform the individual of the use that will be made of the information. By completing and signing the form, the individual is giving consent to the collection and specified uses;
- Consent may be given orally when information is collected over the telephone and followed up with consent in writing; or
- Consent may be given at the time that individuals receive a service or treatment.
An individual may withdraw consent at any time, subject to legal or contractual restrictions and reasonable notice. Trellis will inform the individual of the implications of such withdrawal.
Principle 4 – Limiting Collection of Personal Information
Trellis will limit the collection of personal information to that which is necessary for the purposes identified. Information will be collected by lawful means.
Trellis will not collect personal information indiscriminately. Both the amount and the type of information collected will be limited to that which is necessary to fulfill the purposes identified. Trellis will specify the type of information collected as part of its information-handling policies and practices in accordance with the Openness principle (Clause 8).
The requirement that personal information be collected by fair and lawful means is intended to prevent Trellis from collecting information by misleading or deceiving individuals about the purpose for which information is being collected. This requirement implies that consent with respect to collection must not be obtained through deception.
Principle 5 – Limiting Use, Disclosure, and Retention of Personal Information
Personal information will not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Personal information will be retained only as long as necessary for the fulfillment of those purposes.
Organizations using personal information for a new purpose will document this purpose (Clause 2.1).
Trellis will develop guidelines and implement procedures with respect to the retention of personal information. These guidelines will include minimum and maximum retention periods. Personal information that has been used to make a decision about an individual will be retained long enough to allow the individual access to the information after the decision has been made. Trellis may be subject to legislative requirements with respect to retention periods.
Personal information that is no longer required to fulfill the identified purposes will be destroyed, erased, or made anonymous. Trellis will develop guidelines and implement procedures to govern the destruction of personal information.
Principle 6 – Accuracy of Personal Information
Personal information will be accurate, complete and up-to-date as is necessary for the purposes for which it is to be used.
The extent to which personal information will be accurate, complete and up-to-date will depend upon the use of the information, taking into account the interests of the individual. Information will be sufficiently accurate, complete and up-to-date to minimize the possibility that inappropriate information may be used to make a decision about the individual.
Trellis will not routinely update personal information, unless such a process is necessary to fulfill the purposes for which the information was collected.
Personal information that is used on an ongoing basis, including information that is disclosed to third parties, will generally be accurate and up-to-date, unless limits to the requirement for accuracy are clearly set out.
Principle 7 – Safeguards for Personal Information
Security safeguards appropriate to the sensitivity of the information will protect personal information.
The security safeguards will protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use or modification. Trellis will protect personal information regardless of the format in which it is held.
The nature of the safeguards will vary depending on the sensitivity of the information that has been collected, the amount, distribution, and format of the information, and the method of storage. A higher level of protection will safeguard more sensitive information.
The methods of protection will include:
- Physical measures, for example, locked filing cabinets and restricted access to offices;
- Organizational measures, for example, confidentiality agreements and limiting access on a “need-to-know” basis; and
- Technological measures, for example, the use of passwords and access controls.
Trellis will make its employees aware of the importance of maintaining the confidentiality of personal information.
Care will be used in the disposal or destruction of personal information, to prevent unauthorized parties from gaining access to the information (Clause 5.3).
Trellis will make readily available to individuals specific information about its policies and practices relating to the management of personal information.
Trellis will be open about its policies and practices with respect to the management of personal information. Individuals will be able to acquire information about its policies and procedures without unreasonable effort. The information will be made available in a form that is generally understandable.
The information made available will include:
- The name or title, and the address of the person who is accountable for Trellis’ policies and procedures and to whom complaints or inquiries can be forwarded;
- The means of gaining access to personal information held by Trellis;
- A description of the types of personal information held by Trellis, including a general account of its use;
- A copy of any brochures or other information that explain Trellis’ policies, standards, or codes; and
- What personal information is made available to related organizations (e.g., the foundation).
Trellis may make information on its policies and practices available in a variety of ways, such as Privacy and Client Rights notices at first appointment interviews.
Principle 9 – Individual Access To Personal Information
Upon request, an individual will be informed of the existence, use, and disclosure of his or her personal information and will be given access to that information. An individual will be able to challenge the accuracy and completeness of the information and have it amended as appropriate.
Note: In certain situations, Trellis may not be able to provide access to all the personal information it holds about an individual. Exceptions to the access requirement will be limited and specific. The reasons for denying access will be provided to the individual upon request. Exceptions may include information prohibitively costly to provide, information that contains references to other individuals, information that cannot be disclosed for legal, security, or commercial proprietary reasons, and information that is subject to solicitor-client or litigation privilege.
Upon request, Trellis will inform an individual whether or not it holds personal information about the individual. Trellis is encouraged to indicate the source of this information. Trellis will allow the individual access to this information. Clinical interpretation will be offered as required. Trellis will provide an account of the use that has been made or is being made of this information and an account of third parties to which it has been disclosed.
An individual may be required to provide sufficient information to permit Trellis to provide an account of the existence, use, and disclosure of his or her personal information. The information provided will only be used for this purpose.
In providing an account of third parties to which it has disclosed personal information about an individual, Trellis will attempt to be as specific as possible.
Trellis will respond to an individual’s request within a reasonable time and at a minimal or no cost to the individual. The requested information will be provided or made available in a form that is generally understandable. For example, if Trellis uses abbreviations or codes to record information, an explanation will be provided.
When an individual successfully demonstrates the inaccuracy or incompleteness of personal information, Trellis will amend the information as required. Depending upon the nature of the information challenged, amendment involves the correction, deletion, or addition of information.
Where appropriate, the amended information will be transmitted to third parties having access to the information in question.
When a challenge is not resolved to the satisfaction of the individual, Trellis will record the substance of the unresolved challenge. When appropriate, the existence of the unresolved challenge will be transmitted to third parties having access to the information in question.
An individual will be able to address a challenge concerning compliance with the above principles to the designated individual or individuals accountable for Trellis’ compliance.
The individual accountable for Trellis’ compliance is discussed in Clause 1.1.
Trellis will put procedures in place to receive and respond to complaints or inquiries about their policies and practices relating to the handling of personal information. The complaints procedures will be easily accessible and simple to use.
Trellis will inform individuals who make inquiries or lodge complaints of the existence of relevant complaint procedures. A range of these procedures exists.
Trellis will investigate all complaints. If a complaint is found to be justified, Trellis will take appropriate measures, including, if necessary, amending its policies and practices.
Executive Director: Fred Wagner, Executive Director
HIS Service Manager: Anna Tersigni Phelan