Policy Section: Customer Service Policy No: Subject: Policy Regarding Privacy and Protection of Personal Health Information Effective Date: June 5, 2006 Approved by: Board of Directors Revision Date: CENTRE FOR INDEPENDENT LIVING IN TORONTO (C.I.L.T.), INC. POLICY REGARDING PRIVACY AND PROTECTION OF PERSONAL HEALTH INFORMATION Purpose The purpose of this policy is to ensure that the Centre for Independent Living in Toronto (C.I.L.T.), Inc. (referred to in this policy as CILT) complies with its obligation to protect the confidentiality of personal health information that is in its custody and control. In particular, this policy is intended to ensure that anyone who collects, uses or discloses personal health information on behalf of CILT conforms to the procedures outlined or referred to in this Policy. 1.Definitions and Responsibility for Personal Health Information a.CILT is committed to protecting the confidentiality of the personal health information in its custody and control, and recognizes its responsibility to do so. b.In this Policy : (i)“personal health information” means identifying information about an individual in oral or recorded form, if the information, A.relates to the physical or mental health of the individual, including information that consists of the health history of the individual’s family, B.relates to the providing of health care to the individual, including the identification of a person as a provider of health care to the individual, C.is a plan of service within the meaning of the Long- Term Care Act, 1994 for the individual, D.relates to payments or eligibility for health care in respect of the individual, E.relates to the donation by the individual of any body part or bodily substance, F.is the individual’s health number, or G.identifies an individual’s substitute decision-maker; (ii)“identifying information” means information that identifies an individual or for which it is reasonably foreseeable in the circumstances that it could be utilized, either alone or with other information, to identify an individual; and (iii) “personal health information” does not include does not include identifying information contained in a record that is in the custody or under the control of CILT if A.the identifying information contained in the record relates primarily to one or more employees or other agents of the custodian; and B.the record is maintained primarily for a purpose other than the provision of health care or assistance in providing health care to the employees or other agents. c.CILT has designated the Manger of the Direct Funding Program as its chief privacy co-ordinator, who is responsible for ensuring CILT’s compliance with this Policy and related legislation. d.This Policy applies to all staff, volunteers, partner agencies or contracted agents of CILT. 2.Collection of Personal Health Information: Purposes for Collection and Limitations on Collection a.CILT will identify, and explain as necessary, for the individual from whom it is collecting personal health information why CILT is collecting such information. The identification will be given either to the individual about whom the personal health information relates or the person authorized to act on behalf of that individual. b.CILT collects personal health information for purposes related to establishing and verifying the ongoing need for attendant services, or other disability-related needs, of its clients in order to identify the appropriate services, financial support and/or appropriate referrals for the individual about whom the personal health information relates. As well, personal health information is also collected for purposes related to CILT’s administration and management of its services in the Direct Funding Program and the Project Information Centre, statistical reporting to its government funder, and as permitted or required by law. c.There may be circumstances in which CILT will want to use personal health information for a purpose not previously identified to the individual from whom it was collected. If that is the case, then CILT will identify the new purpose to such individual. d.Consent will be required before personal health information can be used for a new purpose not previously identified to the individual from whom it was collected, except if the new purpose is permitted or required by law. e.CILT will limit the amount and type of personal health information it collects to what is required to accomplish the purposes identified when the personal health information is collected. Personal health information will be collected directly from the individual about whom it pertains, except if such individual has authorized another person to give such information to CILT or if the law permits or requires collection from a third party. 3.Collection, Use, and Disclosure of Personal Health Information: Consent and Withdrawal of Consent a.CILT generally will rely on implied consent from an individual or his or her legally authorized representative for the collection, use, or disclosure of personal health information. In some circumstances, as CILT may determine from time to time, CILT will obtain express consent to collect, use or disclose personal health information as required by CILT policies. b.Before any personal health information is handled on behalf of CILT, the person handling such information will receive instruction on the requirements to be met under the Act by the chief privacy co-ordinator or another person designated by the chief privacy co- ordinator. c.As permitted or required by law, CILT may disclose personal health information without the consent of the individual about whom the personal health information relates. d.An individual may withdraw consent for the collection, use, or disclosure of personal health information at any time, but the withdrawal will not have retroactive effect. 4.Use and Disclosure of Personal Health Information: Limitations a.CILT will limit the use and disclosure of personal health information to purposes related to: (i)establishing and verifying the ongoing need for attendant services, or other disability-related needs, of its clients in order to identify the appropriate services, financial support and/or appropriate referrals for the individual about whom the personal health information relates; (ii)analysing trends, forecasting future needs, or developing new strategies to address unmet needs of its members / participants; (ii)CILT’s administration and management of its services in the Direct Funding Program and the Project Information Centre, research, statistical reporting to its government funder; and (iii)what is permitted or required by law. b.No personal health information that CILT has control or custody of will be used for any research purposes, except if the individual about whom the personal health information relates expressly consents to such use. 5.Retention and Destruction of Personal Health Information a.CILT will retain personal health information for so long as it is necessary to accomplish the purpose for which such information was collected or as required by law. CILT will not retain personal health information after the purpose for which it was collected has been accomplished unless required by law to do so. b.If CILT no longer requires the retention of personal health information, then CILT will destroy, erase, or make anonymous such information. c.Before personal health information is destroyed, the chief privacy co-ordinator or his/her designate will be consulted to ensure that the destruction is appropriate. d.Instead of destruction, the information may be altered to remove identifying information if appropriate. e.CILT will ensure that appropriate pre-cautions will be taken when destroying personal health information, in order to prevent unauthorized parties from gaining access to such information. f.The chief privacy co-ordinator will organize regular reviews to ensure that personal health information in the custody and control of CILT is not retained unnecessarily. 6.Accuracy of Personal Health Information a.CILT will take such steps as are reasonably possible to ensure that personal health information is as accurate, complete, and current as is necessary for the purposes for which such information is to be used. b.CILT will not regularly update personal health information, except if doing so is required to accomplish or fulfill the purposes for which such information has been collected. 7.Security Measures for Personal Health Information a.CILT will implement, maintain and update, as necessary, security measures necessary to safeguard the personal health information it holds, such measures to include, but not be limited to: (i)Office measures, including: A.the locking of filing cabinets in which personal health information is held; B.the requirement that all CILT staff will not leave any file, document or note identified with an individual on desks, tabletops, bookshelves, filing cabinets out upon any surface where it is possible for personal health information to be viewed by an unauthorized person; and C.any documentation containing any personal health information, such as a discarded mailing list or mailing labels, is to be shredded. In the case of documents containing personal health information that are to be collected for shredding by a professional shredding company, while the documents are waiting for collection they will be held by a locked container in an office to be locked after hours. (ii)Technological measures, including: A.the use of passwords and/or encryption for all personal health information held electronically; and B.the requirement that all data are to be backed up on a daily basis and the back-up tapes or disks (which themselves will be password protected) are to be stored off premises in a locked bank vault. (iii)Organizational measures, including: A.prohibiting access by any person to personal health information except on a need-to-know basis; B.requiring anyone who collects, uses or discloses personal health information on behalf of CILT to be aware of the importance of maintaining the confidentiality of personal health information, and, if necessary to enter into confidentiality agreements with CILT; and C.implementing a system of training in privacy and confidentiality for CILT’s staff and volunteers and any other person who collects, uses or discloses personal health information on behalf of CILT. b.All measures implemented to safeguard personal health information will be reasonably strict and will be reviewed on a regular basis by the chief privacy co-ordinator. 8.Access to Personal Health Information and Transparency About CILT’s Practices and Procedures a.Individuals may make written requests to CILT to have access to the records containing personal health information that relates to them and that are held by CILT. b.CILT will respond to an individual's request within reasonable timelines and costs to the individual, as set out in the Act. c.CILT will take reasonable steps to ensure that the requested information is made available to the individual in a form that the individual is able to understand. d.In certain circumstances, it may not be possible to provide access to all the personal health information that CILT holds about an individual. The reasons for denying access will be provided to the individual upon request. Exceptions may include information that contains references to other individuals, information that cannot be disclosed for legal or commercial proprietary reasons, and information that is subject to solicitor-client or litigation privilege. e.Individuals who show the inaccuracy or incompleteness of records containing personal health information about them may request that CILT amend the records and the personal health information about such individuals that CILT holds. f.If the chief privacy co-ordinator is not satisfied that there is any inaccuracy, and if the individual who has challenged the accuracy of his or her personal health information held by CILT maintains the challenge, then the substance of the unresolved challenge will be recorded in the individual’s file, including the chief privacy co- ordinator’s basis for refusing the challenge. When appropriate, the existence of the unresolved challenge may be transmitted to third parties having access to the information in question. g.As part of its commitment to transparency in its collection, use and disclosure of personal health information, CILT will make available to the public: (i)a description of the type of personal health information that CILT holds, including a general account of CILT’s use and disclosure of such information; (ii)a copy of any brochures or other information that explains CILT’s privacy policies, standards, or codes related to personal health information; (iii)the process for obtaining access to the records containing the personal health information that CILT holds and for making requests for the correction of such records; and (iv)the contact information of CILT’s chief privacy co-ordinator. 9.Complaints and Contacting the Chief Privacy Co-ordinator a.An individual may address a complaint about with this policy to the chief privacy co-ordinator, at (416) 599-2458, or by e-mail at: privacy@cilt.ca. b.CILT will respond to complaints or inquiries about its policies and practices relating to personal health information. c.CILT will inform individuals who make inquiries or lodge complaints of other available complaint procedures. d.CILT will investigate all complaints. If a complaint is found to have merit, then CILT will take measures to remedy the situation. The following definitions are from the Personal Health Protection Act, 2004, section 3 (in this Policy referred to as the Act).