A1.041 - PERSONAL INFORMATION INCLUDING PERSONAL HEALTH INFORMATION PRIVACY

Simcoe Muskoka District Health Unit
Policy and Procedure Manual

Title:	PERSONAL INFORMATION INCLUDING PERSONAL HEALTH INFORMATION PRIVACY - PRINCIPLES
Reviewed Date:		Number:	A1.041
Revised Date:	September 20, 2006	Approved Date	September 20, 2006

Introduction

The Simcoe Muskoka District Health Unit’s practices related to personal information including personal health information are governed by:

the Municipal Freedom of Information and Protection of Privacy Act, 1991 and its regulations (MFIPPA),
the Regulated Health Professions Act, 1991 (RHPA) and itsregulations,
the practice standards of each profession as defined by the professional colleges which guide their practices, and
the Personal Health Information Protection Act, 2004 (PHIPA) and its regulations.

While MFIPPA, RHPA, professional standards of practice and PHIPA all apply in different contexts to the personal information including personal health information handled by the Health Unit, they each share a common list of ten (10) principles set out in the Canadian Standards Association Model Code for the Protection of Personal Information:

Accountability
Identifying Purposes
Consent
Limiting Collection
Limiting Use, Disclosure and Retention
Accuracy
Safeguards
Openness
Access
Challenging Compliance

These 10 principles form the basis for agency policy and practice.

Purpose

The purpose of this policy is to inform Simcoe Muskoka District Health Unit Board of Health members, employees, students, volunteers, contractors (collectively defined as Health Unit agents) and members of the public of the rights and obligations of the Simcoe Muskoka District Health Unit and the public in relation to the collection, use and disclosure of personal information including personal health information. This includes the administrative, technical and physical safeguards and practices that the Health Unit maintains with respect to this information.

The policy also describes the when, how and the purposes for which the Board of Health as the designated Head of the corporation and the Medical Officer of Health of a Board of Health as a Health Information Custodian (HIC) routinely collects, uses, modifies, discloses, retains or disposes of personal information including personal health information.
As a result, this policy provides a framework for the set of policies and procedures that collectively define the information practices of the Health Unit for the purposes of all applicable privacy legislation.

Policy Definitions & Interpretation:

This policy and any specific terms used herein will be interpreted to ensure consistency with all applicable information privacy legislation, including MFIPPA, RHPA and PHIPA. This policy cannot fully describe how the legislation is to be applied in every instance by the Health Unit. As a result, there may be circumstances where the legislation itself should be referred to, or specialized advice regarding privacy should be obtained.

For the purposes of this policy statement:

“agent” means a person that, with the authorization of the Medical Officer of Health as a Health Information Custodian (HIC), acts for or on behalf of the HIC in respect of personal health information for the purposes of the HIC, and not for the agent’s own purposes, whether or not the agent has the authority to bind the HIC, whether or not the agent is employed by the HIC, and whether or not the agent is being remunerated;

“applicable privacy legislation” means MFIPPA, and PHIPA;

“health information custodian (HIC)” means a person or organization …who has custody or control of personal health information as a result of or in connection with performing the person’s or organization’s powers or duties or the work as a medical officer of health of a board of health within the meaning of the Health Protection and Promotion Act , 1990

“Health Unit” means the Simcoe Muskoka District Health Unit

“MFIPPA” – means Municipal Freedom of Information and Protection of Privacy Act, 1991

“PHIPA” – means Personal Health Information Protection Act, 2004

“personal health information” means identifying information about an individual in oral or recorded form, if the information:

relates to the physical or mental health of the individual, including information that consists of the health history of the individual’s family,
relates to the providing of health care to the individual, including the identification of a person as a provider of health care to the individual,
is a plan of service within the meaning of the Long-Term Care Act, 1994 for the individual,
relates to payments or eligibility for health care in respect of the individual,
relates to the donation by the individual of any body part or bodily substance of the individual or is derived from the testing or examination of any such body part or bodily substance,
is the individual’s health number, or
identifies an individual’s substitute decision-maker.

“personal information” means recorded information about an identifiable individual, including:

information relating to the race, national or ethnic origin, colour, religion, age, sex, sexual orientation or marital or family status of the individual,
information relating to the education or the medical, psychiatric, psychological, criminal or employment history of the individual or information relating to financial transactions in which the individual has been involved,
any identifying number, symbol or other particular assigned to the individual,
the address, telephone number, fingerprints or blood type of the individual,
the personal opinions or views of the individual except if they relate to another individual,
correspondence sent to an institution by the individual that is implicitly or explicitly of a private or confidential nature, and replies to that correspondence that would reveal the contents of the original correspondence,
the views or opinions of another individual about the individual, and
the individual’s name if it appears with other personal information including personal health information relating to the individual or where the disclosure of the name would reveal other personal information including personal health information about the individual.

"record" is broadly defined to include any record of information however recorded. This includes correspondence, minutes, reports, photographs, computer tapes and disks, files, and any other recorded information regardless of medium or format. The definition also includes a record that does not yet exist but which can be created from existing data in a computer system.

“RHPA” – means Registered Heath Professions Act, 1991

Policy

The Board of Health as the Head of the agency and the Medical Officer of Health as the Health Information Custodian will designate (an) individual(s) to be accountable for compliance with the privacy obligations of all applicable privacy legislation.
The Board of Health and Medical Officer of Health will ensure policies and practices are in place to protect the privacy of personal information including personal health information collected by the Simcoe Muskoka District Health Unit.
The Board of Health and Medical Officer of Health will establish clear rules for the collection, use and management of personal information including personal health information and inform staff of those rules and their responsibilities.
The Board of Health and Medical Officer of Health will ensure policies and practices are in place to inform the public how personal information including personal health information is protected by the Simcoe Muskoka District Health Unit.
The Board of Health and Medical Officer of Health will ensure policies and practices are in place to inform the public of their right of access to existing records containing their personal information including personal health information in the custody or control of the Health Unit.
The Board of Health and Medical Officer of Health will ensure policies and practices are in place to inform the public on how they may make and submit complaints respecting the Health Unit’s management of personal information including personal health information.
The Board of Health and Medical Officer of Health will ensure that privacy policies and practices are consistent with all applicable information privacy legislation, including MFIPPA, RHPA and PHIPA.
The Board of Health and Medical Officer of Health will ensure that policies and practices put in place to comply with relevant legislation do not replace the normal process of providing information. The Health Unit routinely responds, within defined parameters, to oral and written requests for information and this approach to provision of information will continue.

Related Policies:

Policy A1.041 Personal Information Including Personal Health Information Privacy – Principles
Policy A1.042 Personal Information Including Personal Health Information Privacy – Accountability
Policy A1.043 Personal Information Including Personal Health Information Privacy – Consent
Policy A1.044 Personal Information Including Personal Health Information Privacy – Collection & Use
Policy A1.045 Personal Information Including Personal Health Information Privacy – Disclosure
Policy A1.046 Personal Information Including Personal Health Information Privacy – Access
Policy A1.047 Personal Information Including Personal Health Information Privacy – Correction
Policy A1.048 Personal Information Including Personal Health Information Privacy – Privacy Breach

Final Approval Signature: __________________________________
Board of Health
Review/Revision History:
2006-09-20 Revised