Introduction: Privacy of personal information is an important principle and something we take very seriously. This policy applies to all services we provide in office or online and pertains to personal information as well as personal health information. Wherever we use the term “personal information” in this policy it implies personal health information. We provide various types of services and in the course of our work we collect personal information as well as personal health information. We are committed to collecting, using and disclosing personal information responsibly and only to the extent necessary for the services we provide. We strive to be open and transparent about how we handle personal information. This policy describes our practice with respect to personal and personal health information.
Policy Statement
What is Personal Health Information?
Personal health information is information about an identifiable individual. Personal health information includes information that relates to:
• the physical, nutritional or mental health of the individual (including family health history); • the provision of health care to the individual (including identifying the individual’s health care provider(s)); • a plan of service under the Home Care and Community Services Act, 1994; • payments or eligibility for health care or coverage for health care; • the donation or testing of an individual’s body part or bodily substance; • the individual’s health number; or • the identification of the individual’s substitute decision-maker.
The Registered Dietitian Practice- includes at the time of writing of this policy three Registered Dietitians and up to 2 office assistants. We do use a number of consultants and agencies that may, in the course of their duties, have limited access to personal health information and personal information we keep. These include computer consultants, bookkeepers and accountants, lawyers, credit card companies and website managers. We restrict their access to any personal information we hold as much as is reasonably possible. We also ask that they sign a confidentiality agreement or ask for and keep a copy of their privacy policy. The purpose is to ensure they follow principles that are in agreement with this policy.
2 2
Why Collect Personal Health Information and Personal Information
We collect, use and disclose personal information in order to serve our clients. For my clients, the primary purpose for collecting personal health information is to provide personalized medical nutrition therapy (which includes assessment, treatment and recommendations or interventions). For example, we collect information about a client’s health history, including their family medical history, physical condition and function and social situation in order to help us assess what their nutrition care needs are, to advise them of their options and then to provide the nutrition care we mutually decide upon. A second primary purpose is to obtain a baseline of health and social information so that in providing ongoing health services we can identify changes that are occurring over time.
We also collect, use and disclose personal health information for purposes related to or secondary to our primary purposes. Reasons include:
• To obtain payment for services or goods provided. Payment may be obtained from the individual, or private insurers or others.
• To promote our services, new services, special events and opportunities (e.g., a seminar or conference) that we offer. We can only do this with express consent from my client prior to collecting or handling personal health information for this purpose.
• To comply with external regulators. My professional is regulated in Ontario by the College of Dietitians of Ontario. This organizations may inspect my client records and interview me as a part of their regulatory activities in the public interest. The College of Dietitians of Ontario has its own strict confidentiality and privacy obligations. In addition, as a health professional, we are required to report serious misconduct, incompetence or incapacity of other health practitioners, whether they belong to other organizations or my own. We are obligated to report information suggesting illegal behaviour to the authorities. In addition, we may be required by law to disclose personal health information to various government agencies (e.g., the Ministry of Health, and Long-Term Care, children’s aid societies, Canada Customs and Revenue Agency, Information and Privacy Commissioner, Ontario, etc.).
• Insurance companies who cover have paid for your care in this clinic may request an audit of records to see that patients were seen on the dates they were billed. They may do this by phone or an onsite audit. Some insurance companies are Blue Cross, Manulife, Empire Life, SunLife and Green Shield, Shepell.fgi. , Aspiria, Nicole Doucet Communications and K3C.
• To facilitate the sale of my practice. If my practice or its assets were to be sold, the potential purchaser would want to conduct a “due diligence” review of my records to ensure that it is a viable business that has been honestly portrayed. The potential
3 3
purchaser must first enter into an agreement with me to keep the information confidential and secure and not to retain any of the information longer than necessary to conduct the due diligence. Once a sale has been finalized, we may transfer records to the purchaser, but we will make reasonable efforts to provide notice to my clients before doing so.
Protecting Personal Information
We understand the importance of protecting personal information. For that reason, we have taken the following steps:
Procedure NAS & Clinic will follow:
• Paper information is either under supervision or secured in a locked or restricted area in my office. • Electronic hardware is either under supervision or secured in a locked or restricted area at all times. In addition, strong passwords are used on all computers and mobile devices. • Personal health information is only stored on mobile devices if necessary. All personal health information stored on mobile devices is protected by strong encryption. • When paper personal information is being transported in my car the information is kept in a locked box in my car. • Paper information is transferred through sealed, addressed envelopes or boxes by reputable companies with strong privacy policies. • Electronic information is either anonymized or encrypted before being transmitted. • We are informed about my obligations to collect, use and disclose personal information only as necessary to fulfill mine and the duties of others and in accordance with our own privacy policy. • We do not post any personal information about my clients on social media sites and we are informed on the appropriate use of social media. • External consultants and agencies with access to any personal information we hold must enter into a privacy agreement with us.
Openness about the Personal Information Process Policy Statement: We are aware of our obligation to make our Privacy Policy available to the public and our Privacy Statement is given to all our clients. Individuals wanting a copy of our privacy policy can easily obtain it from our website at www.nutritionassessment.com or from our clinic staff.
Procedure NAS Clinic will follow: 1. We are responsible for providing our Privacy Policy document to anyone who requests it. 2. A short privacy policy statement is given to all clients and it clearly states where to obtain the more detailed privacy policy.
4 4
3. Our Privacy Policy is posted on our website at www.nutritionassessment.com 4. A privacy statement summarizing the Privacy Policy document is provided to each new client at the time the consent form is signed.
Right to Access Personal Information Policy Statement:
Individuals have the right (with some exceptions) to access personal information about themselves held by us and to know what we have done with it. This ensures that the personal information is adequate, correct and up to date.
Procedure NAS & Clinic will follow: 1. A verbal request is all that is needed, however we may require the request to be in writing; 2. Theresa Schneider RD is available to assist anyone who wants to access their information for which we are the Health Information Custodian; 3. We will provide access upon request within 30 days unless grounds for refusal exist; 4. We will provide access not only to personal information on record, but also on how we have used and disclosed it; 5. We will keep records of any unusual uses or disclosure of personal information (e.g., systematically filing a cover letter, fax sheet or email in the relevant file); 6. We will confirm the identity of the individual requesting the information before disclosing it; 7. We will take reasonable and necessary steps to ensure that the individual requesting information can understand it (e.g., explain short forms or codes, provide it in an alternative format where the requester has a sensory disability); 8. We will provide access, despite a ground for refusal (except law enforcement) where the individual’s life, health or security is threatened. We are aware that grounds for refusal to access personal information could include: • It is quality of care information or information generated for the College’s quality assurance program; • Raw data from standardized psychological tests or assessments; • There is a risk of serious harm to the treatment or recovery of the individual or of serious bodily harm to another person; or • Access would reveal the identity of a confidential source of information
9. Even if we refuse the request, we are aware that we cannot destroy the information until the individual has had a chance to challenge the refusal.
10. Additional procedures for handling access requests: • We will notify the individual of his or her right to complain to the Information and Privacy Commissioner of Ontario if the request for access is refused (along with the reasons for the refusal) and that the burden of justifying the refusal is on me;
5 5
• We are aware that we can refuse frivolous, vexatious and bad faith requests for access; and • We are aware that we can only charge a reasonable cost recovery fee for access and must provide an estimate of the fee in advance. • Note: The Information & Privacy Commissioner’s Office of Ontario suggests a charge of $30.00 for the first twenty pages of records and 25 cents for each additional page.
Correction Requests Policy Statement Clients have the right to request a correction of erroneous information held by the organization. The purpose is to maintain appropriate and accurate information on clients.
Procedure NAS & Clinic will follow:
1. We strive to be fair to our clients.
2. Correction requests are restricted to factual information. Professional observations and opinions are not generally subject to correction requests.
3. Corrections are made without obliterating the original entry.
4. A notice of the disagreement is filed with the record where we do not agree that the information is incorrect. We will also provide an individual how we have notified of refusal to correct information of his or her right to complain to the Information and Privacy Commissioner about the refusal.
5. Corrections or notice of the disagreement are sent to third parties who have received the erroneous information unless doing so is not appropriate. However, there are limits that may include the following: • The individual must request it; • The notification need only be made where reasonably possible; and • The HIC can refuse to give the notification if the correction cannot reasonably be expected to have an effect on the ongoing provision of health care or some other benefit to the individual.
6. The individual will be given a timely response (usually within 30 days) to a request to correct, along with reasons for any refusal to do so and notice of any recourse.
7. Grounds to refuse correction may include requests where: • The request is frivolous, vexatious or made in bad faith; or • We did not create the record and we do not have sufficient knowledge, expertise or authority to make the correction.
6 6
Retention and Destruction of Personal Information
We need to retain personal information for some time to ensure that we can answer any questions you might have about the services provided and for our own accountability to external regulatory bodies.
We keep our client files for at least ten years from the date of the last client interaction or ten years from the date the client would have turns 18.
We destroy paper files containing personal health information by using an external confidential shredding company. We destroy electronic information by deleting it in a manner that it cannot be restored. When hardware is discarded, we ensure that the hardware is physically destroyed, or the data is erased or overwritten in a manner that the information cannot be recovered.
Complaints System
Procedure NAS & Clinic will follow:
1. Theresa Schneider is the designate to investigate complaints. She will: a) receive and promptly acknowledge receipt of a complaint; b) investigate the complaint; c) decide on the complaint; and d) She will consult with another private practice Registered Dietitian in Ontario to ensure fairness.
2. She will inform the Complainant of their recourse to external bodies as follows: a) the regulatory body(ies) for the organization or members of the organization (e.g., College of Dietitian of Ontario); b) the Office of the Privacy Commissioner of Canada; c) the Information and Privacy Commissioner of Ontario to the extent that the Personal Health Information Protection Act, 2004 applies.
7 7
If there is a Privacy Breach
While we will take precautions to avoid any breach of your privacy, if there is a loss, theft or unauthorized access of your personal health information Theresa Schneider will notify you.
Upon learning of a possible or known breach, we will take the following steps, as applicable:
• Consider whether the Commissioner must or should be notified • Assess what and how much information was breached and in what manner (e.g., paper format, electronic format). • Determine whether copies were made. • Implement any necessary action to contain further unauthorized access (e.g., change passwords, identification numbers and/or temporarily shut down a system). • Notify all individuals whose personal health information has been compromised in the most appropriate way possible in light of the sensitivity of the information (e.g., by phone, in writing, at your next appointment, etc.). • Inform all individuals of the steps that have or will be taken to address the privacy breach and that the Information and Privacy Commissioner’s Office, Ontario has been informed. • Provide the individuals with the Information and Privacy Commissioner’s Office of Ontario contact information in case individuals have further questions. • Advise the individual of their right to make a complaint to the Commissioner • Conduct an internal investigation into the matter to identify how and why the privacy breach occurred. • Take the necessary steps to implement a plan that strives to avoid a similar privacy breach from occurring in the future. • We will advise the Information and Privacy Commissioner’s Office of Ontario of the investigation findings and proposed future prevention plan and work together to make any necessary changes. • Report the results of investigation to the relevant regulatory College if appropriate or required.
This policy is made under the Personal Health Information Protection Act, 2004, S.O. 2004, c. 3.