Introduction

Health Unit agents collect, use and maintain records of personal information including personal health information in the management and delivery of public health services for the following purposes:

• To conduct business and manage the daily operations of the health unit
• To assess current status in order to provide direct care, programs and services
• To respond to complaints about public health issues
• To provide public health interventions to clients
• To contribute to quality improvement processes or research; and
• To comply with legislative and professional requirements

The Municipal Freedom of Information and Protection of Privacy Act, 1991 and The Personal Health Information Protection Act, 2004 establish an individual’s right of access to records with their personal information including personal health information held by the agency and their right to request corrections to those records.

Purpose

The purpose of this policy is inform Simcoe Muskoka District Health Unit Board of Health members, employees, students, volunteers, contractors (collectively defined as Health Unit agents) and members of the public of their rights and obligations regarding access to records containing personal information including personal health information and requests for correction.

While this policy focuses on how to make or respond to requests to correct personal information including personal health information, it should be interpreted within the context of the PERSONAL INFORMATION INCLUDING PERSONAL HEALTH INFORMATION PRIVACY-PRINCIPLES policy and the related set of policies that collectively define the information practices of the Health Unit for the purposes of all applicable privacy legislation.

Policy Definitions & Interpretations

This policy and any specific terms used herein will be interpreted to ensure consistency with all applicable information privacy legislation, including MFIPPA, RHPA and PHIPA. This policy cannot fully describe how the legislation is to be applied in every instance by the Health Unit. As a result, there may be circumstances where the legislation itself should be referred to, or specialized advice regarding privacy should be obtained.

For the purposes of this policy statement:

“agent” means a person that, with the authorization of the Medical Officer of Health as a Health Information Custodian (HIC), acts for or on behalf of the HIC in respect of personal health information for the purposes of the HIC, and not for the agent’s own purposes, whether or not the agent has the authority to bind the HIC, whether or not the agent is employed by the HIC, and whether or not the agent is being remunerated;

“applicable privacy legislation” means MFIPPA, and PHIPA;

“health information custodian (HIC)” means a person or organization …who has custody or control of personal health information as a result of or in connection with performing the person’s or organization’s powers or duties or the work as a medical officer of health of a board of health within the meaning of the Health Protection and Promotion Act , 1990

“Health Unit” means the Simcoe Muskoka District Health Unit

“MFIPPA” – means Municipal Freedom of Information and Protection of Privacy Act, 1991

“PHIPA” – means Personal Health Information Protection Act, 2004

 “personal health information” means identifying information about an individual in oral or recorded form, if the information:

• relates to the physical or mental health of the individual, including information that consists of the health history of the individual’s family,
• relates to the providing of health care to the individual, including the identification of a person as a provider of health care to the individual,
• is a plan of service within the meaning of the Long-Term Care Act, 1994 for the individual,
• relates to payments or eligibility for health care in respect of the individual,
• relates to the donation by the individual of any body part or bodily substance of the individual or is derived from the testing or examination of any such body part or bodily substance,
• is the individual’s health number, or
• identifies an individual’s substitute decision-maker.

“personal information” means recorded information about an identifiable individual, including:

• information relating to the race, national or ethnic origin, colour, religion, age, sex, sexual orientation or marital or family status of the individual,
• information relating to the education or the medical, psychiatric, psychological, criminal or employment history of the individual or information relating to financial transactions in which the individual has been involved,
• any identifying number, symbol or other particular assigned to the individual,
• the address, telephone number, fingerprints or blood type of the individual,
• the personal opinions or views of the individual except if they relate to another individual,
• correspondence sent to an institution by the individual that is implicitly or explicitly of a private or confidential nature, and replies to that correspondence that would reveal the contents of the original correspondence,
• the views or opinions of another individual about the individual, and
• the individual’s name if it appears with other personal information including personal health information relating to the individual or where the disclosure of the name would reveal other personal information including personal health information about the individual.
  

"record" is broadly defined to include any record of information however recorded.  This includes correspondence, minutes, reports, photographs, computer tapes and disks, files, and any other recorded information regardless of medium or format.  The definition also includes a record that does not yet exist but which can be created from existing data in a computer system.

“RHPA” – means Registered Heath Professions Act, 1991

Policy

To the extent reasonably possible, Health Unit agents will ensure personal information including personal health information collected, used and disclosed by the Health Unit is accurate, complete and up to date as is necessary for the purposes for which it is to be used.

Health Unit agents will not routinely update personal information including personal health information unless this is necessary to fulfill the purposes for which the information was collected.

Where personal information including personal health information is disclosed by the Health Unit for authorized purposes, any limitation on the accuracy of the information will also be disclosed.

Requests for corrections to personal information including personal health information records must be in writing.  Health Unit agents will make the requested correction if the client provides sufficient evidence to prove that the record is not correct or complete for the purposes for which the information was collected.

Corrections are not required if:

• the record was not created by the Health Unit or where there is not sufficient knowledge, expertise and authority to correct the record including the inability to  validate the new information being provided,
• there is reason to believe that the request for correction is frivolous, vexatious or made in bad faith (requests should only be refused for these reasons in the rarest of cases),
• the client has failed to demonstrate that the record is not correct or complete, or
• the patient has not given you the information you need to make the correction.

Health Unit agents are not required to change professional opinions or observation made in good faith about a client.

Where an individual is unsuccessful at having a record of their personal information corrected, they may prepare a statement outlining their objection to its accuracy.  This statement will be appended to the record held by the Health Unit.

Procedures

A. Receiving Requests

1. A form is available for use by the public in requesting a correction to a record of personal information From A1.045 (F1) Access/Correction Request. A request however, can also be in the form of a letter provided that the letter specifically cites the applicable Act and includes the information required to identify the records.
2. Requests will be received by reception at all health unit offices.
3. Questions regarding the Health Unit’s personal information practices will be directed to the Associate Director of Corporate Service (ADCS).

B. Processing Requests

1. The employee receiving the request will create a record of the request in the appropriate log indicating the date of receipt, the requester, and the disposition.
2. Within one business day, the request is placed in a sealed envelope marked Information Privacy Request and forwarded to the ADCS.
3. Upon receipt of the request ADCS will record the request and assign it a number.
4. Within three business days, the ADCS will pass the request on to the appropriate Service Director.
5. Within ten business days, the record requested will be procured and reviewed by the appropriate Service Director or designate in consultation with ADCS.
6. Within 30 days, the ADCS will provide a response to the request.
7. If replying to the request within 30 days would reasonably interfere with Health Unit activities because locating the personal health record requires a complex search, or the time required to undertake the necessary consultations would make it reasonably impractical to reply within 30 days, the ADCS will provide a written notice of extension with explanation and anticipated timelines for response to the requestor.  The maximum extension is 30 days.

C. Reviewing Requests

1. Verify the patient’s identity or substitute decision-maker’s authority.
2. Verify that the patient or substitute decision-maker has a right of access to the personal record.
3. Ensure the request for correction relates to a personal record created by a health unit staff member or agent of the health unit.
4. Determine who will validate the request and correct the personal record. Confirm that this person has the knowledge, expertise and authority to validate and make the correction.
5. If there is disagreement between the Service Director and the ADCS as to the exemptions or correction of the information this will be passed to the Medical Officer of Health for decision.

D. Making Corrections to A Record of Personal Information
The Service Director or Designate will:

1. Record the correct information in the record.
2. Place a notation on the file flagging the previous information and labeling this information as incorrect or updated.
3. Date and sign corrections and notations.
4. Notify anyone who is currently using the personal information of the correction.
5. The Associate Director Corporate Services will provide the client with a letter detailing how the correction was made.
6. If the client requests, the ADCS will, to the extent reasonably possible, provide letters to others to whom the personal information has been disclosed notifying them of the correction, unless the correction cannot reasonably be expected to affect the ongoing provision of health care or otherwise benefit the patient.
7. If it is not possible to record the correct information in the record, the ADCS will ensure that a system is put in place to inform anyone who uses the record that the information in the record is incorrect, and direct that person to the correct information.

E. Refusing Requests for Correction

1. If the request is deemed to be covered by the statute exceptions provided for under legislation, the ADCS will provide a written response to the requestor summarizing the reasons.
2. Upon receiving the refusal, the requestor can:
   1. prepare a brief written description of the correction that you refuse to make,
   2. require the Health Unit to attach this document to the client’s record, and disclose the document whenever the information to which it relates is disclosed,
   3. require the Health Unit to make all reasonable efforts to disclose this document to anyone to whom the patient’s personal health record had been disclosed, unless the correction cannot reasonably be expected to affect the ongoing provision of health care or otherwise benefit the patient, and
   4. complain about the refusal to the Privacy Commissioner.

Related Policies:
Policy A1.041  Personal Information Including Personal Health Information Privacy – Principles
Policy A1.042  Personal Information Including Personal Health Information Privacy – Accountability
Policy A1.043  Personal Information Including Personal Health Information Privacy – Consent
Policy A1.044  Personal Information Including Personal Health Information Privacy – Collection & Use
Policy A1.045  Personal Information Including Personal Health Information Privacy – Disclosure
Policy A1.046  Personal Information Including Personal Health Information Privacy – Access
Policy A1.047  Personal Information Including Personal Health Information Privacy – Correction
Policy A1.048  Personal Information Including Personal Health Information Privacy – Privacy Breach

Policy
Final Approval Signature: __________________________________
                                                            Board of Health

Review/Revision History:
2006-09-20 Revised

Procedure
Final Approval Signature: __________________________________
                                                            Executive Committee
                                                           
Review/Revision History:
2006-10-02 Revised