Introduction

Health Unit agents collect and use personal information including personal health information in the management and delivery of public health services for the following purposes:

• To conduct business and manage the daily operations of the health unit
• To assess current status in order to provide direct care, programs and services
• To respond to complaints about public health issues
• To provide public health interventions to clients
• To contribute to quality improvement processes or research; and
• To comply with legislative and professional requirements

Purpose

The purpose of this policy is to inform Simcoe Muskoka District Health Unit Board of Health members, employees, students, volunteers, contractors (collectively defined as Health Unit agents) and members of the public of:

1. the policies and procedures in place to guide the collection and use of personal information including personal health information and to protect the privacy and security of this information;
2. the policies and procedures in place to inform the public of how personal information including personal health information is protected by the Simcoe Muskoka District Health Unit.

While this policy focuses on collection and use of personal information including personal health information, it should be interpreted within the context of the PERSONAL INFORMATION INCLUDING PERSONAL HEALTH INFORMATION PRIVACY – PRINCIPLES policy and the related set of policies that collectively define the information practices of the Health Unit for the purposes of all applicable privacy legislation.

Policy Definitions & Interpretations

This policy and any specific terms used herein will be interpreted to ensure consistency with all applicable information privacy legislation, including MFIPPA, RHPA and PHIPA. This policy cannot fully describe how the legislation is to be applied in every instance by the Health Unit. As a result, there may be circumstances where the legislation itself should be referred to, or specialized advice regarding privacy should be obtained.

For the purposes of this policy statement:

“agent” means a person that, with the authorization of the Medical Officer of Health as a Health Information Custodian (HIC), acts for or on behalf of the HIC in respect of personal health information for the purposes of the HIC, and not for the agent’s own purposes, whether or not the agent has the authority to bind the HIC, whether or not the agent is employed by the HIC, and whether or not the agent is being remunerated;

“applicable privacy legislation” means MFIPPA, and PHIPA;

“health information custodian (HIC)” means a person or organization …who has custody or control of personal health information as a result of or in connection with performing the person’s or organization’s powers or duties or the work as a medical officer of health of a board of health within the meaning of the Health Protection and Promotion Act , 1990

“Health Unit” means the Simcoe Muskoka District Health Unit

“MFIPPA” – means Municipal Freedom of Information and Protection of Privacy Act, 1991

“PHIPA” – means Personal Health Information Protection Act, 2004

 “personal health information” means identifying information about an individual in oral or recorded form, if the information:

• relates to the physical or mental health of the individual, including information that consists of the health history of the individual’s family,
• relates to the providing of health care to the individual, including the identification of a person as a provider of health care to the individual,
• is a plan of service within the meaning of the Long-Term Care Act, 1994 for the individual,
• relates to payments or eligibility for health care in respect of the individual,
• relates to the donation by the individual of any body part or bodily substance of the individual or is derived from the testing or examination of any such body part or bodily substance,
• is the individual’s health number, or
• identifies an individual’s substitute decision-maker.

“personal information” means recorded information about an identifiable individual, including:

• information relating to the race, national or ethnic origin, colour, religion, age, sex, sexual orientation or marital or family status of the individual,
• information relating to the education or the medical, psychiatric, psychological, criminal or employment history of the individual or information relating to financial transactions in which the individual has been involved,
• any identifying number, symbol or other particular assigned to the individual,
• the address, telephone number, fingerprints or blood type of the individual,
• the personal opinions or views of the individual except if they relate to another individual,
• correspondence sent to an institution by the individual that is implicitly or explicitly of a private or confidential nature, and replies to that correspondence that would reveal the contents of the original correspondence,
• the views or opinions of another individual about the individual, and
• the individual’s name if it appears with other personal information including personal health information relating to the individual or where the disclosure of the name would reveal other personal information including personal health information about the individual.
  

"record" is broadly defined to include any record of information however recorded.  This includes correspondence, minutes, reports, photographs, computer tapes and disks, files, and any other recorded information regardless of medium or format.  The definition also includes a record that does not yet exist but which can be created from existing data in a computer system.

“RHPA” – means Registered Heath Professions Act, 1991

Policy

Collection:
Directors will ensure that the collection of personal information and personal health information:

• is required for the management and delivery of the programs and services for which they are accountable;
• is limited to the information that is necessary for the purposes identified; and
• is conducted through lawful means and in a manner that does not mislead or deceive the public about the purpose for collection.

Program managers will define for each program activity, the types of information required for the purposes of delivering that program.

Program managers will ensure that all forms and documents used to collect information include a privacy statement outlining the authority for collection, the purpose for collection, how the information will be used and a contact for questions or concerns regarding information privacy and practices.

Health Unit agents will identify to clients the specific purposes for which their personal information including personal health information is being collected and seek consent for the collection of the information.

Use
Health Unit agents will only access and use personal information including personal health information for authorized purposes and where there is a “need to know” in order to fulfill one’s assigned responsibilities.

Personal information including personal health information will be shared with other Health Unit agents to the extent necessary for a Health Unit agent to fulfill assigned responsibilities. “De-identified” information will be used when this will serve the purpose identified.

Personal information including personal health information may be shared with other Health Unit agents where to do so will enhance comprehensive and coordinated service provision to the client.

Procedures for Collection of Information:

A. Client interaction:

1. Health Unit agents will:
   1. Inform clients that a record of information is being maintained, and under what authority, at the time a record is established.
   2. Identify the specific purposes for which the information is being collected.
   3. Seek the individual’s consent of the collection of the information.
   4. Collect and document only that information which is necessary to serve the purpose.
   5. Restrict the collection of information to that for which they have consent, are required by law to collect or required to provide healthcare to the client.
2. When personal health information is sought from a third party or entity, it is the responsibility of the Health Unit agent to provide a signed consent form from the client to the agency/person from whom the client’s information is sought.
3. When personal health information is provided by a third party (e.g. a third party referral) the Health Unit agent in receipt of the information will ask if the potential client has consented to the referral by the third party. If not, the referral will not be accepted until documentation of client consent has been obtained by the referring party and provided to the health unit agent. 

B. Forms:

1. Forms developed for the collection of personal information and personal health information will include a privacy statement that indicates:
   1. The authority under which the information is being collected.
   2. The purpose for collecting the information – how the information will be used.
   3. The position and contact information for directing questions related to agency information practices.
2. Program managers will review all forms used by the program to ensure that:
   1. Collection of information is restricted to that required for the delivery of programs and service.
   2. That a complete privacy statement is included on each form and that the statement accurately reflects the authority and purpose for the collection of the information.

C. Information Collection Practices Audit:

1. The Associate Director of Corporate Service will audit health unit forms and information collection practices annually to ensure compliance with the legislation.
2. The Associate Director Corporate Service will report audit findings and recommendations to Executive Committee.

 
Related Policies:
Policy A1.041  Personal Information Including Personal Health Information Privacy – Principles
Policy A1.042  Personal Information Including Personal Health Information Privacy – Accountability
Policy A1.043  Personal Information Including Personal Health Information Privacy – Consent
Policy A1.044  Personal Information Including Personal Health Information Privacy – Collection & Use
Policy A1.045  Personal Information Including Personal Health Information Privacy – Disclosure
Policy A1.046  Personal Information Including Personal Health Information Privacy – Access
Policy A1.047  Personal Information Including Personal Health Information Privacy – Correction
Policy A1.048  Personal Information Including Personal Health Information Privacy – Privacy Breach

Policy
Final Approval Signature: __________________________________
                                                            Board of Health
Review/Revision History:
2006-09-20 Revised

Procedure
Final Approval Signature: __________________________________
                                                            Executive Committee
                                                           
Review/Revision History:
2006-10-02 Revised