Norfolk General Hospital
At Norfolk General Hospital privacy is governed by the Personal Health Information Protection Act (PHIPA), a law that establishes rules concerning the collection, use and disclosure of personal health information. As a health information custodian, Norfolk General Hospital and its agents (including staff, physicians, students and volunteers) are responsible for ensuring that the personal health information of our patients is treated with respect and sensitivity.
Accountability for Personal Health Information
Norfolk General Hospital is responsible for personal health information under its control in compliance with the Personal Health Information Protection Act (PHIPA), 2004.
Accountability for compliance of the Norfolk General Hospital with the policy rests with the President and Chief Executive Officer, although other individuals within Norfolk General Hospital are responsible for the day-to-day collection and processing of personal health information. In addition, other individuals within Norfolk General Hospital are delegated to act on behalf of the Chief Executive Officer, such as the designated privacy contact person, the Director of Patient Information. Norfolk General Hospital is responsible for personal health information in its possession or custody, including information that has been transferred to an agent of Norfolk General Hospital. Norfolk General Hospital will use contractual or other means to provide a comparable level of protection while the information is being processed by a third party. Norfolk General Hospital has implemented policies and practices to give effect to this policy, including:
a. Procedures to protect personal health information.
b. Signing of a Confidentiality Agreement by all agents of Norfolk General Hospital prior to commencement of employment or affiliation with Norfolk General Hospital.
c. Procedures to receive and respond to complaints and inquiries about Norfolk General Hospital's information practices.
d. Orientating and training staff and communicating to staff and other agents on information about PHIPA policies and practices.
e. Responding to requests for access to, or corrections of, personal health information in the custody of Norfolk General Hospital.
In compliance with the Personal Health Information Protection Act, Norfolk General Hospital will inform patients of the loss, theft or inappropriate access of their personal health information as soon as reasonably possible. Breaches of this policy and related privacy policies may be subject to disciplinary action. Norfolk General Hospital and its agents are also subject to the fines and penalties set out in the Personal Health Information Protection Act.
Identifying Purposes for the Collection of Personal Health Information
Norfolk General Hospital shall identify the purposes for which personal health information is collected. This has been done by our Statement of Information Practices and is available to patients. Permitted purposes are the delivery of direct patient care, the administration of the health care system, research, teaching, statistics, fundraising, and meeting legal and regulatory requirements as directed in the Personal Health Information Protection Act.
Identifying the purposes for which personal health information is collected at or before the time of collection allows Norfolk General Hospital to determine the information it needs to collect to fulfill these purposes.
The identified purposes are specified at or before the time of collection to the individual from whom the personal health information is collected. Depending upon the way in which the information is collected, this can be done verbally or in writing. A patient who presents for treatment is also giving implied consent for the use of his or her personal health information for authorized purposes.
Notices identifying the purposes for the collection of personal health information are readily available to patients. When personal health information that has been collected is to be used for a purpose not previously identified, the new purpose will be identified prior to use. Unless law requires the new purpose, the consent of the individual is required before information can be used for that purpose.
Persons collecting personal health information will be able to explain to individuals the purposes for which the information is being collected.
Consent for the Collection, Use & Disclosure of Personal Health Information
The knowledge and consent of the individual are required for the collection, use, or disclosure of personal health information, except where inappropriate.
Note: In certain circumstances, personal health information can be collected, used, or disclosed without the knowledge and consent of the individual. For example, legal, medical, or security reasons may make it impossible or impractical to seek consent. Seeking consent may be impossible or inappropriate, for example when the individual is seriously ill or mentally incapacitated. In these circumstances, consent of the individual's substitute decision maker will be sought, where feasible.
Consent is required for the collection of personal health information and the subsequent use or disclosure of this information. Typically, Norfolk General Hospital will seek consent for the use or disclosure of the information at the time of collection. In certain circumstances, consent with respect to use or disclosure may be sought after the information has been collected but before use (for example, when Norfolk General Hospital wants to use information for a purpose not previously identified). Norfolk General Hospital will make a reasonable effort to ensure that the individual is advised of the purposes for which the information will be used. To make the consent meaningful, the purposes must be stated in such a manner that the individual can reasonably understand how the information will be used or disclosed. Norfolk General Hospital will not, as a condition of providing care, require an individual to consent to the collection, use, or disclosure of information beyond that required to fulfill the specified and legitimate purposes. In obtaining consent, the reasonable expectations of the individual are also relevant. Norfolk General Hospital can assume that an individual's request for treatment constitutes implied consent for specific purposes. The way in which Norfolk General Hospital seeks consent may vary, depending on the circumstances and the type of information collected.
Individuals can give consent in many ways. For example:
a. A form may be used to seek consent, collect information, and inform the individual of the use that will be made of the information. By completing and signing the form, the individual is giving consent to the collection and specified uses and/or disclosures.
b. Consent may be given verbally or in writing at the time that individuals use a health service.
c. Consent may be given verbally when information is collected over the telephone.
In cases where express consent is required and it is provided verbally, this exchange is documented in the patient's record of personal health information.
An individual may withdraw consent at any time, subject to legal restrictions and reasonable notice. Withdrawal of the consent will not have a retroactive effect. Norfolk General Hospital will inform the individual of the implications of such withdrawal.
Limiting Collection of Personal Health Information
The collection of personal health information will be limited to that which is necessary for the purposes identified by Norfolk General Hospital. Information will be collected by fair and lawful means. Norfolk General Hospital will not collect personal health information indiscriminately. Information collected will be limited to that which is necessary to fulfill the purposes identified. This requirement implies that consent with respect to collection must not be obtained through deception.
Limiting Use, Disclosure & Retention of Personal Health Information
Personal health information will not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Personal health information will be retained only as long as necessary for the fulfillment of those purposes. If using personal health information for a new purpose, Norfolk General Hospital will document this purpose. Personal health information that is no longer required to fulfill the identified purposes will be destroyed, erased, or made anonymous in accordance with applicable legislation.
Ensuring Accuracy of Personal Health Information
Norfolk General Hospital will take reasonable steps to ensure that information is as accurate, complete, and up to date as is necessary to minimize the possibility that inappropriate information may be used to make a decision about the individual. Limitations on the accuracy and completeness of personal health information disclosed will be clearly set out to the recipient where possible. When an individual successfully demonstrates the inaccuracy or incompleteness of personal health information, Norfolk General Hospital will amend the information as required. Depending upon the nature of the information challenged, amendment involves the correction, deletion, or addition of information. Where appropriate, the amended information will be transmitted to third parties having access to the information in question.
When a challenge is not resolved to the satisfaction of the individual, Norfolk General Hospital will record the substance of the unresolved challenge in the form of a letter from the patient stored in the patient's medical record. When appropriate, the existence of the unresolved challenge will be transmitted to third parties having access to the information in question.
Ensuring Safeguards for Personal Health Information
Security safeguards appropriate to the sensitivity of the information will protect personal health information. Security safeguards are used to protect personal health information against loss or theft, as well as unauthorized access, disclosure, copying, use, or modification. Norfolk General Hospital protects personal health information regardless of the format in which it is held. The nature of safeguards will vary depending on the sensitivity of the information that has been collected, the amount, distribution, and format of the information, and the method of storage.
The methods of protection will include:
a. physical measures, for example, locked filing cabinets and restricted access to offices
b. organizational measures, for example, policies, training, limiting access on a "need-to-know" basis
c. technological measures, for example, the use of passwords, secure computer networks, encryption, and audits
Norfolk General Hospital will make its employees aware of the importance of maintaining the confidentiality of personal health information. As a condition of employment, all new Norfolk General Hospital employees/agents (e.g., employee, clinician, allied health, volunteer, researcher, student, consultant, or contractor) must sign a Confidentiality Agreement with Norfolk General Hospital. All employees are required to review a Confidentiality Agreement on an annual basis. This safeguard may also be facilitated through contractual provisions. Personal health information transported outside of NGH will be transported in a secure manner.
Care will be used in the disposal or destruction of personal health information, to prevent unauthorized parties from gaining access to the information.
Openness About Personal Health Information Policies & Practices
Norfolk General Hospital makes readily available to individuals specific information about its policies and practices relating to the management of personal health information. A written public statement is made available to the public. This notice:
a. provides a general description of Norfolk General Hospital's information practices
b. describes how to contact the designated privacy person
c. describes how an individual may obtain access to or request correction of a record of personal health information
d. describes how an individual may make a complaint to Norfolk General Hospital or to the Information and Privacy Commissioner of Ontario
Norfolk General Hospital makes information on its policies and practices available in a variety of ways. For example, Norfolk General Hospital may choose to make brochures available, post signs, or provide information online via its public web site.
Individual Access to Own Personal Health Information
Upon request, an individual will be informed of the existence, use, and disclosure of his or her personal health information and will be given access to that information. A written request may be required by Norfolk General Hospital to adequately identify you. An individual will be able to challenge the accuracy and completeness of the information and have it amended as appropriate.
Note: In certain situations, Norfolk General Hospital may not be able to provide access to all the personal health information it holds about an individual. Exceptions to the access requirement will be in accordance with the law. The reasons for denying access will be provided to the individual. Examples may include information that could reasonably be expected to result in a risk of serious harm or the information is subject to legal privilege.
Upon request, Norfolk General Hospital will inform an individual whether or not it holds personal health information about that individual. Norfolk General Hospital will seek to indicate the source of this information and will allow the individual access to this information. However, it may choose to make sensitive medical information available through a medical practitioner.
An individual will be required to provide sufficient information to permit Norfolk General Hospital to provide an account of the existence, use, and disclosure of personal health information. The information provided will only be used for this purpose. In providing an account of third parties to which it has disclosed personal health information about an individual, Norfolk General Hospital will attempt to be as specific as possible. When it is not possible to provide a list of the organizations to which it has actually disclosed information about an individual, Norfolk General Hospital will provide a list of the organizations to which it may have disclosed information.
Norfolk General Hospital will respond to an individual's request within the period specified in the Personal Health Information Protection Act (30 days or, with notice to the patient, 60 days for more complex requests) and at reasonable cost to the individual. Norfolk General Hospital uses the fee structure recommended by the Information and Privacy Commissioner of Ontario.
Challenging Compliance with Norfolk General Hospital's Privacy Policies & Practices
An individual will be able to address a challenge concerning compliance with this policy. Norfolk General Hospital has procedures in place to receive and respond to complaints or inquiries about its policies and practices relating to the handling of personal health information. Norfolk General Hospital will inform individuals who make inquiries or lodge complaints of the existence of relevant complaint procedures. Norfolk General Hospital will investigate all complaints. If a complaint is found to be justified, Norfolk General Hospital will take appropriate measures, including, if necessary, amending its policies and practices.
Complaints can be directed to the Director of Patient Information at:
(519) 426-0130 extension 1475
Individuals may also make a complaint to the Ontario Information and Privacy Commissioner.
Agent - A person that, with the authorization of Norfolk General Hospital, acts for or on behalf of the organization in respect of personal health information for the purposes of Norfolk General Hospital and not the agent's own purposes, whether or not the agent has the authority to bind the custodian, whether or not the agent is employed by Norfolk General Hospital and whether or not the agent is being remunerated. Examples of agents of Norfolk General Hospital include, but are not limited to: employees, volunteers, students, physicians, residents, consultants, researchers, vendors.
Health Information Custodian - Listed persons or organizations under the Personal Health Information Protection Act such as hospitals, who have custody or control of personal health information as a result of the work they do. As a public hospital, Norfolk General Hospital is considered to be a Health Information Custodian (Personal Health Information Protection Act, 2004, Schedule A).
Personal Health Information - Information about an individual whether living or deceased and whether in oral or recorded form. It is information that can identify an individual and that relates to matters such as the individual's physical or mental health, the providing of health care to the individual, payments or eligibility for health care in respect of the individual, the donation by the individual of a body part or bodily substance and the individual's health number. (Personal Health Information Protection Act, 2004, section 4.1) Personal health information can be information about a physician or other care provider, a hospital staff person, a patient, or a patient's family member. Examples of personal health information include a name, medical record number, health insurance number, address, telephone number, and personal health information related to a patient's care such as blood type, X-rays, consultation notes, etc.
Record of Personal Health Information - The Personal Health Information Protection Act defines a record as personal health information in any form or in any medium whether in written, printed, photographic or electronic form or otherwise. Furthermore, any information in a health record under the custody or control of the Norfolk General Hospital Health Records Department, Norfolk General Hospital physician offices and departmental clinics (as per the Public Hospitals Act, Regulation 965, Sec. 20.3), includes, but is not limited to:
- patient name, medical record number, health insurance number, address, telephone number
- all the names of clinical staff involved in the patient's care, films, slides, diagnoses, discharge summaries, progress notes, transcribed reports, orders, consents, electronic images and photographs
- any information that has been scanned; the electronic copy (scanned version) is the official copy or source documentation for patient care and research purposes
- any information and/or medical images in E-film or the Picture Archiving and Communication System (PACS)
- any information in the Norfolk General Hospital Clinical Desktop, including information from other systems
- any information in other Norfolk General Hospital clinical systems that are integrated into the Norfolk General Hospital clinical desktop