Privacy Policy

NAME:  Privacy Policy
MANUAL:  General Policy Manual
CODE #:  WE-MI-01
EFFECTIVE DATE:  June 11, 2014
LAST REVISION DATE:  December 2, 2013

1.  PURPOSE
To outline the policies and procedures that will be used by WECHC to protect the privacy and confidentiality of personal information.

2.  SCOPE
This policy applies to all employees, contractors, sub-contractors, students and volunteers.

3.  POLICY
3.1.  WECHC is committed to protecting the privacy of the community, clients and individuals with respect to the confidentiality of personal information held by the Centre and to ensuring that employees, students and volunteers abide by the requirements of legislation and the standards of practice for the respective professional colleges.

3.2.  WECHC policies, practices and procedures comply with the Personal Health Information Protection Act (PHIPA), 2004 and reflect the ten (10) privacy principles derived from the Canadian Standards Association’s (CSA) Model Code for the Protection of Personal Information.

3.3.  Refer to the Resource Guide – Privacy and Confidentiality for detailed information.

3.4.  Privacy Principles
3.4.1.  Accountability for Personal Information

  • Every individual is responsible for the day to day collection and processing of personal information.
  • The Executive Director (ED) has designated a Privacy Officer who is accountable for compliance with the privacy principles. Other individuals within WECHC may be delegated to act on behalf of the Privacy Officer.
  • The Privacy Officer facilitates:
    • the development and implementation of policies, practices and procedures to protect personal information and respond to privacy complaints or inquiries;
    • the development of information to explain policies, practices and procedures;
    • training and education of employees, students and volunteers.

3.4.2.  Identifying Purposes for Collecting Personal Information

  • WECHC will specify the purpose(s) for collecting personal information at or before the time of collection to the individual from whom the personal information is collected.

3.4.3.  Consent for Collection, Use, and Disclosure of Personal Information

  • The knowledge and consent of the individual are required for the collection, use, or disclosure of personal information. WECHC will not, as a condition of the supply of a service, require an individual to consent to the collection, use, or disclosure of information beyond that required to fulfill the explicitly specified and legitimate purposes.
  • The form of the consent sought by WECHC may vary, depending upon the circumstances and the type of information.
  • An individual may withdraw consent at any time and will be informed of the implications of such withdrawal.

3.4.4.  Limiting Collection of Personal Information

  • Both the amount and type of personal information collected will be limited to that which is necessary for the purposes identified.

3.4.5.  Limiting Use, Disclosure, and Retention of Personal Information

  • Personal information will not be used or disclosed for purposes other than for those which it was collected, except with the consent of the individual or as required by law.
  • Guidelines have been developed and procedures implemented with respect to the retention and destruction of personal information, including minimum and maximum retention periods subject to legislative requirements.

3.4.6.  Accuracy of Personal Information

  • Personal information will be as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used.
  • An individual will be able to challenge the accuracy and completeness of the information and have it amended as appropriate.
  • When a challenge is not resolved to the satisfaction of the individual, WECHC will record the substance of the unresolved challenge.

3.4.7.  Safeguards for Personal Information

  • The security safeguards will protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use, or modification regardless of the format in which it is held. Methods of protection will include physical, organizational and technological measures.
  • EMR (electronic medical record) should only be accessed on WECHC issued hardware
  • EMR should only be accessed via “a wired connection or a wireless connection that is either WPA (Wi-Fi Protected Access) or WPA 2 (secure) enabled.  Unsecured, open or WEP (Wired Equivalent Privacy) secured wireless networks may not be used under any circumstances.” (for example, Starbucks is not a secure network and can not be used and WEP security does not provide a sufficient level of security).
  • Any laptops that are used off site should be connected to the WECHC network on a weekly basis
  • No PHI (personal health information) should be stored locally on any computer (do not save to your hard drive).

3.4.8.  Openness about Privacy Policy

  • WECHC will be open about its policies, practices and procedures with respect to the management of personal information. Individuals will be able to acquire information without unreasonable effort in a form that is generally understandable.
  • The information made available will include:
    • The name or title, of the person who is accountable for WECHC’s policies and practices, the Privacy Officer, and to whom complaints or inquiries can be forwarded;
    • The means of gaining access to personal information held by the Centre;
    • A description of the types of personal information held by the Centre, including a general account of its use;
    • A copy of any brochures or other information that explain the Centre’s policies, standards, or codes; and
    • The personal information that is made available to related organizations.

3.4.9.  Individual Access to Personal Information

  • The receipt of an individual’s request for information from the health record will be acknowledged within one (1) business day of the request and processed within 30 days (60 days for complex searches) at minimal or no cost to the individual. The requested information will be provided or made available in a form that is generally understandable.
  • Upon request, an individual will be informed of the existence, use, and disclosure of his or her personal information and will be given access to that information. In addition, the Centre will provide an account of the use that has been made or is being made of this information and an account of the third-parties to which it has been disclosed.

3.4.10.  Challenging Compliance with the Privacy Policy

  • An individual will be able to address a challenge concerning compliance with the above principles to the Privacy Officer or designate.
  • A review of all complaints will be initiated within one (1) business day. If a complaint is found to be justified, WECHC will take appropriate measures, including, if necessary, amending its policies, practices and procedures.

4.  RELATED DOCUMENTS

  • Confidentiality Agreement - Form# - WE-MI-05-001
  • Consent to Disclose Personal Health Information - Form # - WE-MI-07-001
  • Information Practices (English and French) - WE-MI-03-001
  • Resource Guide – Privacy and Confidentiality
  • Statement of Personal Health Information Practices for Clients (English - Form# - WE-MI-01-002 and French - Form# - WE-MI-01-002FR)
  • WECHC policy WE-MI-07 - Collection, Use and Disclosure of Personal Health Information
  • WECHC policy WE-MI-05 - Confidentiality
  • WECHC policy WE-MI-15 - Record Management – Storage, Retention and Destruction
  • WECHC policy WE-MI-08 – Transporting Sensitive Documents

Original Policy Approval Date:  June 26, 2011

Policy Revisions Subsequent to Original Approval

Number Initiator Reason Who Date Approver
1 ED Revision of policy format Consultant Dec 2, 2013 Privacy Officer
2 Dir Clinical Practice EMR Update Dir HR June 11, 2014 Privacy Officer