Introduction

Under the PERSONAL INFORMATION INCLUDING PERSONAL HEALTH INFORMATION PRIVACY - PRINCIPLES, the Board of Health and Medical Officer of Health will designate (an) individual(s) to be accountable for compliance with the obligations of all applicable privacy legislation.

Purpose

The purpose of this policy is to inform Simcoe Muskoka District Health Unit Board of Health members, employees, students, volunteers, contractors (collectively defined as Health Unit agents) and members of the public of the Health Unit framework and expectations for accountability in relation to compliance with applicable privacy legislation.

While this policy focuses on accountability, it should be interpreted within the context of the PERSONAL INFORMATION INCLUDING PERSONAL HEALTH INFORMATION PRIVACY – PRINCIPLES policy and the related set of policies that collectively define the information practices of the Health Unit for the purposes of all applicable privacy legislation.

Policy Definitions & Interpretation:

This policy and any specific terms used herein will be interpreted to ensure consistency with all applicable information privacy legislation, including MFIPPA, RHPA and PHIPA. This policy cannot fully describe how the legislation is to be applied in every instance by the Health Unit. As a result, there may be circumstances where the legislation itself should be referred to, or specialized advice regarding privacy should be obtained.

For the purposes of this policy statement:

“agent” means a person that, with the authorization of the Medical Officer of Health as a Health Information Custodian (HIC), acts for or on behalf of the HIC in respect of personal health information for the purposes of the HIC, and not for the agent’s own purposes, whether or not the agent has the authority to bind the HIC, whether or not the agent is employed by the HIC, and whether or not the agent is being remunerated;

“applicable privacy legislation” means MFIPPA, and PHIPA;

“health information custodian (HIC)” means a person or organization …who has custody or control of personal health information as a result of or in connection with performing the person’s or organization’s powers or duties or the work as a medical officer of health of a board of health within the meaning of the Health Protection and Promotion Act , 1990

“Health Unit” means the Simcoe Muskoka District Health Unit

“MFIPPA” – means Municipal Freedom of Information and Protection of Privacy Act, 1991

“PHIPA” – means Personal Health Information Protection Act, 2004

“personal health information” means identifying information about an individual in oral or recorded form, if the information:

• relates to the physical or mental health of the individual, including information that consists of the health history of the individual’s family,
• relates to the providing of health care to the individual, including the identification of a person as a provider of health care to the individual,
• is a plan of service within the meaning of the Long-Term Care Act, 1994 for the individual,
• relates to payments or eligibility for health care in respect of the individual,
• relates to the donation by the individual of any body part or bodily substance of the individual or is derived from the testing or examination of any such body part or bodily substance,
• is the individual’s health number, or
• identifies an individual’s substitute decision-maker.

“personal information” means recorded information about an identifiable individual, including:

• information relating to the race, national or ethnic origin, colour, religion, age, sex, sexual orientation or marital or family status of the individual,
• information relating to the education or the medical, psychiatric, psychological, criminal or employment history of the individual or information relating to financial transactions in which the individual has been involved,
• any identifying number, symbol or other particular assigned to the individual,
• the address, telephone number, fingerprints or blood type of the individual,
• the personal opinions or views of the individual except if they relate to another individual,
• correspondence sent to an institution by the individual that is implicitly or explicitly of a private or confidential nature, and replies to that correspondence that would reveal the contents of the original correspondence,
• the views or opinions of another individual about the individual, and
• the individual’s name if it appears with other personal information including personal health information relating to the individual or where the disclosure of the name would reveal other personal information including personal health information about the individual.
  

"record" is broadly defined to include any record of information however recorded.  This includes correspondence, minutes, reports, photographs, computer tapes and disks, files, and any other recorded information regardless of medium or format.  The definition also includes a record that does not yet exist but which can be created from existing data in a computer system.

“RHPA” – means Registered Heath Professions Act, 1991

Policy

Personal Information Protection and Access (MFIPPA)
The Board of Health for the Simcoe Muskoka District Health Unit, as the designated “Head” under MFIPPA, is accountable for ensuring the Health Unit’s overall compliance with MFIPPA.   The Board of Health has delegated the administration duties under MIFIPPA through the Medical Officer of Health to the Associate Director of Corporate Service (ADCS). 

The Associate Director of Corporate Service is the main contact for all inquiries regarding access to personal information under the legislation, responding to inquiries about the Health Unit’s information practices, educating Health Unit staff about their duties under the legislation, and receiving and responding to privacy complaints about the Health Unit’s alleged contravention of the legislation.  The Associate Director of Corporate Service is responsible for the Annual Report to the Information and Privacy Commission.

All Service Directors are further delegated the responsibility within their respective Services for the disclosure of service records that involve grave environmental, health or safety issues.

All Service Directors may also disclose records containing personal information within established parameters, to the person to whom the information relates.

All Service Directors are responsible for ensuring that a proper notice of collection of personal information is provided in relation to any collection of personal information carried out by their service, and to ensure that any such records are accurately maintained.

Personal Health Information Protection and Access (PHIPA)
Under Ontario Regulation 329-04 the medical officer of health of a board of health within the meaning of the Health Protection and Promotion Act, 1991 is prescribed as a single health information custodian (HIC) in regards to information collected for the following purposes:

• providing consumer health information/advice;
• planning and delivering health services;
• maintaining health records, case and contact management and administration;
• treatment, intervention and assessment with consent;
• investigating and managing health hazards and incidents;
• epidemiological, research and surveillance; and
• enforcement of legislation.

 
The Medical Officer of Health as Health Information Custodian:

• is accountable for mandatory disclosure of personal health information involving grave environmental, health or safety issues and for discretionary disclosures where he/she believes on reasonable grounds that the disclosure is necessary for the purpose of eliminating or reducing a significant risk of serious bodily harm to a person or group of persons.
• may authorize the disclosure of personal health information to the individual to whom the information relates.
• is responsible for ensuring that a proper notice of collection of personal health information is provided in relation to any collection of personal health information and to ensure that any such records are accurately maintained.

The Associate Director of Corporate Service is designated as the contact person for the purpose of fulfilling the following functions:

• facilitates compliance with this policy;
• ensures that all agents of the Health Unit are appropriately informed of their duties under all applicable privacy legislation and this policy;
• responds to inquiries from the public about the information practices contained in this policy;
• responds to requests of an individual for access to or correction of a record of personal health information about the individual that is in the custody or under the control of the Health Unit; and
• receives complaints from the public about any alleged contravention of any applicable privacy legislation or this policy.

Orientation and Compliance
Directors, managers and supervisors will orient employees, students, volunteers, and contractors to the agency’s privacy, confidentiality and security policies and procedures.

All agents of the Simcoe Muskoka District Health Unit will comply with this policy and all applicable privacy legislation as it relates to their particular responsibilities and further all board of health members, employees, students, and volunteers, will sign a confidentiality agreement.

All contractors will sign an information sharing agreement or contract with obligations regarding security and confidentiality clearly delineated.

Misuse of personal information including personal health information will be considered grounds for disciplinary action.

Procedures

Employees, students, volunteers

1. Managers will ensure that an orientation is scheduled with the Human Resources Generalist (HR Generalist) for each new employee, student or volunteer.
2. As part of the human resources orientation, the HR Generalist will review the confidentiality agreement with the individuals and ensure that the agreement is signed and dated by the individual.  See form A1.042 (F1).
3. The HR Generalist will provide the individual with a signed copy of the agreement and maintain the original in the official personnel file.
4. Directors, managers and supervisors will review the confidentiality agreement with every employee, student and volunteer annually.
5. Human Resources will maintain a log of completed confidentiality agreements and follow up where required.

Contractors

1. The Associate Director of Corporate Service will maintain templates for Request for Tenders (RFT) and Request for Proposals (RFP) and contracts that includes obligations for information security and confidentiality.
2. Directors and managers seeking external consulting services will use the templates to draft proposals or contracts.
3. Proposals or contracts will be drafted in consultation with the Associate Director Corporate Service.
4. Original documentation (RFT,RFO,tender, proposal or contract) is retained on file within the corporate files of the agency.
5. A copy of the documentation is retained by the service area for the purpose of managing the contract.

Related Policies:
Policy A1.041  Personal Information Including Personal Health Information Privacy – Principles
Policy A1.042  Personal Information Including Personal Health Information Privacy – Accountability
Policy A1.043  Personal Information Including Personal Health Information Privacy – Consent
Policy A1.044  Personal Information Including Personal Health Information Privacy – Collection & Use
Policy A1.045  Personal Information Including Personal Health Information Privacy – Disclosure
Policy A1.046  Personal Information Including Personal Health Information Privacy – Access
Policy A1.047  Personal Information Including Personal Health Information Privacy – Correction
Policy A1.048  Personal Information Including Personal Health Information Privacy – Privacy Breach

Policy
Final Approval Signature: __________________________________
                                                            Board of Health
Review/Revision History:
2006-09-20, Revised replaces A1.030 Confidentiality

Procedure
Final Approval Signature: __________________________________
                                                            Executive Committee                                                       
Review/Revision History: