We are committed to patient privacy and to protecting the confidentiality of the health information we hold. The personal health information we hold about our patients is sensitive and valuable to our patients and we are obliged by ethical codes and by law to treat it carefully.
Health Information Custodian and Agents
Our doctors belong to a Family Health Organization (FHO) and are collectively health information custodians (HICs) under the Personal Health Information Protection Act, 2004 (PHIPA). The FHO is accountable and liable for compliance with PHIPA and the protection of health records. For the purposes of privacy obligations, the Central Hastings Family Health Team and our staff are agents of the FHO.
The Administrator of the FHT in consultation with the Lead Physician of the FHT has been designated as the Privacy Officer.
The Privacy Officer is accountable for compliance with our privacy policies and compliance with PHIPA.
Our commitment to privacy is demonstrated by adherence to privacy policies and procedures to protect the personal health information we hold and by educating our staff and any others who collect, use or disclose personal health information on our behalf about their privacy responsibilities.
Informing Patients about their Privacy Rights
We post privacy posters in patient areas and on our website.
Why We Collect Personal Health Information
We collect personal health information for purposes related to:
- Providing direct patient care
- Communicating with other health care providers who also provide services to our patients
- Administration and management of our programs and services
- Patient billing
- Administration and management of the health care system
- Research (with research ethics board approval)
- Statistical reporting
- Meeting legal obligations and as otherwise permitted or required by law.
When personal health information that has been collected is to be used for a purpose not previously identified, the new purpose will be identified prior to use. Unless the new purpose is permitted or required by law, consent will be required before the information can be used for that purpose.
We require consent in order to collect, use, or disclose personal health information. However, there are some cases where we may collect, use or disclose personal health information without consent as permitted or required by law.
Implied consent (Disclosures to other health care providers for health care purposes) – Circle of Care
When a patient comes for health services, it is implied we have consent to use and disclose his/her personal health information for health care purposes, unless there is an express instruction otherwise.
Patient information may be released to a patient’s other health care providers for health care purposes (within the “circle of care”) without express written or verbal consent as long as it is reasonable in the circumstances to believe that the patient wants the information shared with the other health care providers. No patient information will be released to other health care providers if a patient has stated he/she does not want the information shared (for instance, if there is a “lockbox” on his/her health records or if the patient has specifically asked that it not be shared).
Those who can be in the “circle of care” include (among others providing direct patient care, if authorized by PHIPA):
- Within the physician’s office and Family Health Team:
  - Other physicians in this practice
  - Other physicians in the after hours call group
  - Interprofessional health providers
  - Medical students and residents
  - Nursing or other allied health care students
- Outside of the Family Health Team:
  - Community Care Access Centres
  - Community Health Centres
  - Long-term care homes
  - Regulated health professionals in sole practice or group
  - Social workers and social service workers in sole practice or group
  - A centre, program or service for community health or mental health whose primary purpose is the provision of health care
  - And others
For clarity – the following groups are NOT in the circle of care and we do not share personal health information about our patients with them relying on implied consent. That does not mean we never disclose to these groups – but we may only do so if we have express consent or if we are otherwise permitted or required by law to disclose:
- Ministry of Health and Long-Term Care staff
- Insurance companies
- Workplace Safety and Insurance Board
- Children’s Aid Society
- Landlords (other than some supportive housing and residential tenancies who may be in the circle)
- Teachers and schools (however, psychologists, social workers, nurses, psychiatrists, speech-language pathologists, occupational therapists, physiotherapists, or audiologists affiliated with schools may be in the circle of care if they are providing health care)
- External unregulated care providers
- Spiritual leaders/healers
A general rule is that if we are disclosing personal health information to someone other than a health care provider for health care purposes, we need express consent. For example, if an employer, landlord, school, insurance company, or family member (who is not a substitute decision maker) would like health information about our patient, we need express consent. There are some exceptions to the general rule (see “no consent” below). Details of how we release client information to third parties are set out in our “Access, Correction and Release of Patient Information Policy”.
There are certain activities for which consent is not required to use or disclose personal health information. These activities are permitted or required by law. For example, we do not need consent from patients to (this is not an exhaustive list):
- Plan, administer and manage our internal operations, programs and services
- Get paid
- Engage in quality improvement, error management, and risk management activities
- Participate in the analysis, administration and management of the health care system
- Engage in research (subject to certain rules)
- Teach, train and educate our Team Members and others
- Compile statistics for internal or mandatory external reporting
- Respond to legal proceedings
- Comply with mandatory reporting obligations
- Anonymize health information
A list of mandatory reporting obligations is found in our “Access and Correction – Release of Patient Information Policy”.
If Team Members have questions about using and disclosing personal health information without consent, they can ask one of the Privacy Officers.
Consent by Authorized Persons: Who May Consent on Behalf of a Client
- The patient, if the patient is capable.
  - There is no specific age of consent to make information decisions. The test is whether the individual is capable. A clinician determines capacity, and it is usually connected with whether the patient is capable of making decisions about the specific treatment or counseling. Patients are presumed to be capable unless it is unreasonable in the circumstances to presume so. Patients may be capable of some information decisions and not all.
  - Please note for capable patients under the age of 16: If a patient is capable and also under the age of 16, the patient may consent AND the patient’s parent or person who has lawful custody may also consent. BUT the parent or person with lawful custody may not consent if the information to be disclosed relates to “treatment” (as defined under the Health Care Consent Act, 1996) about which the patient has made his/her own decision, or to “counseling” (as defined under the Child and Family Services Act) in which the patient, being over the age of 12, participated on his or her own. (That means if a patient consented to the treatment or counseling on his/her own, a parent or legal guardian cannot consent to the release of that information on behalf of the patient.) And if there is a disagreement between a capable patient under the age of 16 and the parent or legal guardian about the release of information, the capable patient’s wishes prevail.
- A substitute decision-maker, if the patient is incapable.
  - Please refer to section 26 of PHIPA, which lists the hierarchy of individuals/agencies that can act as substitute decision-makers:
    - The individual’s guardian of the person or guardian of property, if the consent relates to the guardian’s authority to make a decision on behalf of the individual.
    - The individual’s attorney for personal care or attorney for property, if the consent relates to the attorney’s authority to make a decision on behalf of the individual.
    - The individual’s representative appointed by the Consent and Capacity Board, if the representative has authority to give the consent.
    - The individual’s spouse or partner.
    - A child or parent of the individual, or a children’s aid society or other person who is lawfully entitled to give or refuse consent in the place of the parent. [Note: This paragraph does not include a parent who has only a right of access to the individual. If a children’s aid society or other person is lawfully entitled to consent in the place of the parent, this paragraph does not include the parent.]
    - A parent of the individual with only a right of access to the individual.
    - A brother or sister of the individual.
    - Any other relative of the individual.
- The estate trustee or person who has assumed responsibility for the deceased person’s estate if documented in writing, in the case of a deceased client.
Withholding or Withdrawal of Consent
If consent is sought, a patient may choose not to give consent (“withholding consent”). If consent is given, a patient may withdraw consent at any time, but the withdrawal cannot be retrospective. The withdrawal may also be subject to legal or contractual restrictions and reasonable notice.
PHIPA gives patients the opportunity to restrict access to any personal health information or their entire health record by their health care providers within the Family Health Team or by external health care providers. Although the term “lockbox” is not found in PHIPA, lockbox is commonly used to refer to a patient’s ability to withdraw or withhold consent for the use or disclosure of their personal health information for health care purposes. See our “Lockbox Policy” for details of how the lockbox works.
If a physician leaves the Family Health Organization, his/her patients will be notified and will have a choice whether to transfer their health records in accordance with the rules/guidelines set forth by the College of Physicians and Surgeons of Ontario.
Limiting Collection, Use and Disclosure of Personal Health Information
We limit the amount and type of personal health information we collect to that which is necessary to fulfill the purposes identified. Information is collected directly from the patient, unless the law permits or requires collection from third parties. For example, from time to time we may need to collect information from patients’ family members or other health care providers.
Personal health information may only be collected, used by or disclosed within the limits of each Team Member’s role. Team Members should not initiate their own projects to collect new personal health information from any source, or use it or disclose it without being authorized by a physician or the Family Health Team or the Privacy Officer.
Health records are retained as required by law and professional regulations and to fulfill our own purposes for collecting personal health information.
The Canadian Medical Protective Association (CMPA) and College of Physicians and Surgeons of Ontario (CPSO) advise their members to retain health records for at least 10 years from the date of last entry or, in the case of minors, 10 years from the time the patient would have reached the age of majority (age 18). There may be reasons to keep records for longer than this minimum period.
Personal health information that is no longer required to fulfill the identified purposes is destroyed, erased, or made anonymous safely and securely. Please see our “Safeguards for Patient Information Guidelines”.
Accuracy of Personal Health Information
We will take reasonable steps to ensure that information we hold is as accurate, complete, and up to date as is necessary to minimize the possibility that inappropriate information may be used to make a decision about a patient.
Safeguards for Personal Health Information
We have put in place safeguards for the personal health information we hold, which include:
- Physical safeguards (such as restricted office access, using alarm systems, locked filing cabinets and rooms where health information is stored, keeping portable devices in a secure location such as a locked drawer or cabinet when unattended);
- Organizational safeguards (such as permitting access to personal health information by staff on a “need-to-know” basis only, and confirming patient contact information on a regular basis); and
- Technological safeguards (such as the use of passwords, encryption, firewalls, anti-malware scanners and audits).
We take steps to ensure that the personal health information we hold is protected against theft, loss and unauthorized use or disclosure. The details of these safeguards are set out in our “Safeguards for Patient Information Guidelines”.
We require anyone who collects, uses or discloses personal health information on our behalf to be aware of the importance of maintaining the confidentiality of personal health information. This is done through the signing of confidentiality agreements, privacy training, and contractual means.
Care is used in the disposal or destruction of personal health information, to prevent unauthorized parties from gaining access to the information.
Patients Have a Right to Access Their Personal Health Information
Patients may make written requests to have access to their records of personal health information, in accordance with our “Access and Correction Policy – Release of Patient Information” policy.
We will respond to a patient’s request for access within reasonable timelines and costs to the patient, as governed by law. We will take reasonable steps to ensure that the requested information is made available in a format that is understandable.
Patients who successfully demonstrate the inaccuracy or incompleteness of their personal health information may request that we amend their information. In some cases, instead of making a correction, patients may ask to append a statement of disagreement to their file.
Please Note: In certain situations, we may not be able to provide access to all the personal health information we hold about a patient. Exceptions to the right of access will be in accordance with law. Examples include information whose disclosure could reasonably be expected to result in a risk of serious harm, or information that is subject to legal privilege.
For details about how we deal with a privacy breach, please see our “Privacy Breach Protocol”.
Concerns, Complaints, Public Information and Questions about our Privacy Practices
Any person may ask questions or challenge our compliance with this policy or with PHIPA by contacting our Privacy Officer.
Central Hastings Family Health Team
52 St. Lawrence St. E.
Madoc, ON K0K 2K0
613-472-1167 ext 216
Attention: Mary Stuart, Administrator
We will receive and respond to complaints or inquiries about our policies and practices relating to the handling of personal health information. We will inform patients who make inquiries or lodge complaints of other available complaint procedures.
We will investigate all complaints. If a complaint is found to be justified, we will take appropriate measures to respond.
The Information and Privacy Commissioner of Ontario oversees our compliance with privacy rules and PHIPA. Any individual can make an inquiry or complaint directly to the Information and Privacy Commissioner of Ontario by writing to or calling:
Information and Privacy Commissioner of Ontario
2 Bloor Street East, Suite 1400
Toronto, Ontario M4W 1A8 Canada
Phone: 1 (800) 387-0073 (or 416-326-3333 in Toronto)
Consequences for Breach of Privacy
Failure by Team Members to adhere to this policy or other privacy policies may result in disciplinary measures up to and including termination of employment or contract.
We are obligated to notify any affected patient(s) of a privacy breach and their rights and will do so in accordance with the requirements of PHIPA and our “Privacy Breach Protocol”.
Appendix A – Supporting Privacy Policies
- Access and Correction Policy – Release of Patient Information (2017)
- Lockbox Policy (2018)
- Lockbox Information Sheet for Patients (2018)
- Patient Lockbox Request Form (2018)
- Privacy Breach Protocol (2018)
- Public-Friendly Privacy Notice (2017)
- Safeguards for Patient Information Guidelines (2017)
- EMR Access Audit (2014)