The Shelter Health Network (“SHN”) is a group of healthcare professionals who offer medical services at locations (or “clinics”) provided by partner agencies. This Privacy Statement outlines what personal health information SHN collects from our patients, what we use it for, patients’ rights, and how we safeguard our patients’ privacy.
1. Our Commitment to Privacy
SHN is committed to complying with the Ontario Personal Health Information Protection Act, 2004 (“PHIPA”). This law governs the collection, use, and disclosure of personal health information in Ontario. Personal health information (“PHI”) is any information regarding a person’s physical or mental health, oral or written, that alone or together with other information can be used to identify them.
SHN typically needs the express or implied consent of a patient to collect, use, and disclose their PHI. Patients have the right to withhold and/or withdraw their consent to the collection, use, and disclosure of their PHI at any time.
If a patient is not capable of making decisions about their own information, SHN will consult the patient’s substitute decision-maker (“SDM”), as determined by law. A parent or guardian may also consent to the collection, use, or disclosure of a child’s PHI, unless the information relates to treatment or counselling sought by the child on their own.
Patients may withdraw or limit their consent at any time, unless doing so prevents SHN agents from recording information required by law or under professional standards. In those situations, SHN agents may not be able to provide services. Patients may also give SHN instructions that specific information may only be used by or disclosed to certain individuals or for certain purposes (sometimes called a “lock box”). The Privacy Officer or a health care provider who is working with a patient can help with this process.
SHN may collect, use, or disclose patient information without consent in certain limited circumstances that are expressly permitted by PHIPA. For example, some laws provide for mandatory disclosure of information in certain circumstances, such as the Child, Youth and Family Services Act, 2017, the Health Protection and Promotion Act and the Workplace Safety and Insurance Act, 1997.
3. The Information We Collect
SHN will collect PHI directly from patients, or from a person authorized to act on their behalf. SHN will not collect PHI if other information will serve the same purpose and will not collect more PHI than is reasonably necessary to meet the purpose it is collected for. Examples of PHI that SHN collects may include:
- date of birth;
- contact information;
- health history and family health history;
- records of visits with SHN professionals; and
- the treatments or investigations that were provided during those visits.
Occasionally, SHN may also collect PHI from other sources like health care providers, laboratories, insurers, or legal representatives, where it has obtained patient consent to do so or as otherwise permitted by law.
4. How We Use the Information We Collect
SHN may share PHI with SHN agencies, health professionals, and other agents in order to provide medical services. SHN may share patient information with other health professionals involved in the patient’s care, such as their family doctor, unless asked not to (i.e. there is a lock box in place).
SHN uses and discloses PHI to:
- facilitate and provide medical services;
- obtain payment for health care services, including payment from insurance providers;
- plan, administer and manage its internal operations;
- conduct risk management and quality improvement activities;
- conduct research (as permitted by PHIPA);
- comply with legal and regulatory requirements; and
- fulfill other purposes permitted or required by law.
5. Safeguarding PHI
SHN recognizes the importance of safeguarding PHI and takes all reasonable steps to ensure that physical and electronic PHI records are protected against loss, theft, or unauthorized access, use, or disclosure. SHN also protects PHI from unauthorized copying, modification, or disposal. In order to protect patient information, SHN has taken steps to meet the need for physical security, technological security, and administrative controls.
SHN uses a program called OSCAR to maintain electronic medical records (“EMR”). The program is very secure and allows for better, more coordinated care across SHN agencies. SHN also uses a virtual private network (“VPN”) that can only be accessed by authorized individuals with an account and password who are using an authorized SHN device. Other technological security measures that SHN uses include:
- restricting office and device access to authorized individuals;
- password controls and search controls;
- firewalls and anti-virus software;
- logging, auditing, and monitoring of all access to electronic records of PHI; and
- encryption of all mobile electronic devices that contain PHI.
All SHN clinics use the same EMR. This means that you can go to any SHN clinic and SHN healthcare professionals and administrative staff will be able to use and add to your SHN medical record. Your medical records are confidential within SHN and will not be shared with non-SHN staff or our partner agencies.
SHN also uses administrative controls to protect the PHI records we maintain, including:
- requiring all SHN agents to sign a confidentiality agreement;
- prohibiting SHN agents from printing, copying, or downloading electronic records except where necessary for the provision of care;
- conducting regular audits of the EMR and our privacy practices; and
- appointing a Privacy Officer to oversee privacy compliance at SHN.
6. Retention and Disposal of PHI
SHN will retain PHI records for the later of: ten (10) years from the date of the last entry in the record; or ten (10) years following the eighteenth birthday of the patient to whom the record relates; or in accordance with any minimum retention period that is established by law.
SHN will take reasonable steps to ensure secure and permanent destruction and disposal of PHI, whether physical or electronic. If a third party is retained to dispose of PHI, SHN will enter into a written agreement with them that sets out the requirements for secure disposal and require the third party to confirm in writing that secure disposal has occurred. SHN keeps a record of all PHI that has been destroyed, including the date and how the PHI was disposed of.
7. Privacy Breaches
If an SHN agent becomes aware of PHI being stolen, lost, or subject to unauthorized use, access, disclosure, copying, or modification, they will immediately notify the Privacy Officer and anyone else from within and outside SHN who should be involved in addressing the breach (i.e. involved staff, outside experts, and legal counsel). SHN’s first priority will be to identify and contain the breach, and then to take steps to correct it and to prevent similar breaches in the future.
SHN will notify any patient whose PHI may have been stolen, lost, or accessed in an unauthorized manner, at the first reasonable opportunity. SHN will also advise patients of their right to contact the Information and Privacy Commissioner. SHN will then investigate the breach and take any reasonable steps to remediate it. Finally, SHN will consider whether a report to the Information and Privacy Commissioner or any regulatory college is required.
8. Access to Record of PHI
Patients and their authorized representatives have a general right to access their PHI. If a patient is not capable of consenting to the collection, use, or disclosure of their PHI, the patient’s SDM may request access to information on the patient’s behalf. If a patient is deceased, their SDM will be the trustee, executor, or administrator of their estate.
A patient’s right to access their PHI is not absolute. SHN may deny an access request where:
- the information does not exist or cannot be found;
- the information is not in the custody and control of SHN;
- denial of access is required or authorized by law; or
- the request is frivolous, vexatious, or made in bad faith.
All requests for access to PHI will be responded to as soon as possible, but no later than 30 days from the date of the request. Patients may be asked to put their request in writing. If the Privacy Officer refuses access to records, written reasons will be provided to the patient as to why this decision was made. The patient will also be notified of their right to make a complaint about the refusal to the Information and Privacy Commissioner.
SHN may ask for verification of the individual’s identity before providing access to PHI. SHN may charge a reasonable cost recovery fee for making information available and/or providing copies of PHI records. If we choose to do so, we will provide notice of the fee in advance of processing the request.
9. Correction of Record of PHI
SHN takes all reasonable steps to ensure all PHI is as accurate, complete, and up to date as necessary for the purpose for which the information is being used.
If a patient believes that their PHI is not accurate or complete, they may make a written request to the Privacy Officer to have the information corrected. SHN will correct PHI where it is demonstrated that the information in the patient record is, in fact, inaccurate or incomplete and the necessary information is provided to correct the record. If a correction is made, the original information will be kept in the patient record to maintain a complete record.
SHN may refuse to correct a record of PHI where:
- it is not satisfied that the record is incomplete or inaccurate for the purposes for which the information was collected or used;
- the record containing the PHI was not originally created by SHN or SHN does not have enough knowledge, expertise, and authority to correct the record;
- the request consists of a professional opinion or observation that a health care provider has made in good faith; or
- the request is frivolous, vexatious, or made in bad faith.
All requests for correction of PHI will be responded to as soon as possible, but no later than 30 days after receiving the request. Where a correction request is denied, patients will be notified of the reasons for the refusal and will be informed that they are entitled to prepare a short statement of disagreement to have appended to their PHI record. In addition, patients are entitled to make a complaint about the refusal to the Information and Privacy Commissioner using the information provided at the end of this policy.
10. How to Contact Us
If you have any questions or concerns about the collection, use, disclosure, or protection of your PHI, please contact our Privacy Officer, who can be reached at email@example.com.
11. Information and Privacy Commissioner
If we are not able to address your privacy concerns, or if you require further information regarding privacy in Ontario, you may contact the Information and Privacy Commissioner of Ontario at 1-800-387-0073 or firstname.lastname@example.org.
Last Updated – August 2023