Privacy, Confidentiality Policy and Pledge

SCOPE


POLICY STATEMENT

RVH is committed to safeguarding privacy and the confidentiality of information under its control. Information will be protected in accordance with the Personal Health Information Protection Act, 2004 (PHIPA), the Freedom of Information and Protection of Privacy Act (FIPPA), and other legislation as applicable from time to time.

All authorized users are required to read and acknowledge their agreement to comply with the terms and conditions of the attached Privacy/Confidentiality Pledge (“Pledge”) by signing the Pledge upon beginning their relationship with RVH, and to re-sign it annually thereafter.

RVH may amend the Pledge in response to changes in the law or findings of the Information and Privacy Commissioner of Ontario (“IPC”) or the courts. Authorized users will be notified of any changes to the Pledge.

Authorized users will be given access to Personal Information, Personal Health Information and Confidential Information (as defined below and collectively referred to hereinafter as “Confidential Information”). Access to Confidential Information is a privilege that is granted on a need-to-know basis as defined or required by the authorized users’ relationships with RVH.

Authorized users may see, hear or have access to sensitive information about RVH personnel, patients, and/or the operations of RVH. All such information is Confidential Information of RVH and must be held in strict confidence, which means that it may not be discussed or otherwise disclosed or provided to anyone other than those authorized to receive the information for the purpose of performing their work for RVH, unless authorized by the CEO or designate.

DEFINITIONS

Business Information: Information collected or created for RVH administration and operations, including but not limited to:

  • Financial information – such as information about salaries, fees, costs and expenses (e.g., of personnel, consultants, suppliers, debtors) that is not made public by RVH;
  • Human resources information – information collected or created for the purpose of creating, maintaining and/or terminating an employment or other relationship with RVH (e.g., performance-related information, compensation, benefits, WSIB, or occupational health and safety information);
  • Human rights information – information associated with an informal or formal human rights complaint, including an abuse or harassment complaint;
  • Legal information – information prepared by RVH or its lawyers in connection with a transaction, proceeding, or opinion (e.g., purchase orders, agreements, disputes, complaints, questions about the application of the law);
  • Administrative information – information used for administrative purposes (e.g., schedules, patient census, employee lists, patient lists, donor lists, etc.);
  • Business planning information – information relating to ongoing, future or proposed initiatives or strategies (e.g., organizational restructuring, mergers, outsourcing of services).

Confidential Information: All information that is not made public by RVH, and which by its nature merits protection, including collectively, Business Information, Personal Information and Personal Health Information under the control of RVH.

Confidentiality: The obligation of an individual, organization or custodian to protect the Personal Health Information (PHI), Personal Information (PI) and Business Information entrusted to it, and not to misuse or wrongfully disclose it.

Personal Health Information: Information defined in PHIPA as identifying information collected about an individual in oral or recorded form. It is information about an individual’s health or health care history in relation to:

  • The individual’s physical or mental condition/status, including family medical history;
  • The provision of health care to the individual;
  • Long-term health care services;
  • The individual’s health card number;
  • Blood or body-part donations;
  • Payment or eligibility for health care;
  • The identity of a health care provider or a substitute decision maker for the individual.

Personal Information: Information defined in FIPPA as recorded information about an identifiable individual, including:

  • Information relating to the race, national or ethnic origin, colour, religion, age, sex, sexual orientation, or marital or family status of the individual,
  • Information relating to the education or the medical, psychiatric, psychological, criminal, or employment history of the individual or information relating to financial transactions in which the individual has been involved,
  • Any identifying number, symbol or other particular assigned to the individual,
  • The address, telephone number, fingerprints, or blood type of the individual,
  • The personal opinions or views of the individual except where they relate to another individual,
  • Correspondence sent to an institution by the individual that is implicitly or explicitly of a private or confidential nature, and replies to that correspondence that would reveal the contents of the original correspondence,
  • The views or opinions of another individual about the individual, and
  • The individual’s name where it appears with other personal information relating to the individual or where the disclosure of the name would reveal other personal information about the individual.

Privacy: The right of individuals to decide how and for what purposes their Personal Information/Personal Health Information will be collected, used and disclosed.

PROCEDURE

Authorized users must read and sign the Privacy/Confidentiality Policy and Pledge before being granted access to Confidential Information and annually thereafter.

Users with access to the Learning Management System (LMS) will review and sign the Privacy/Confidentiality Policy and Pledge via the LMS on or before the day of their annual Performance Evaluation. Those without access to the LMS (students, vendors, contractors, etc.) will review and sign a hard copy of the Privacy/Confidentiality Policy and Pledge, which will then be filed with the appropriate RVH department/liaison (e.g., Interprofessional Practice, Procurement, etc.).

Authorized users will report any breach or suspected breach of this or any other RVH privacy or security-related policy, at the first reasonable opportunity, to their immediate supervisor or contact, who will then notify the RVH Privacy Office, which will initiate a confidential investigation (see Whistle Blowing Protection Policy).

RVH audits user access to Confidential Information and investigates reports of violations of its privacy and security-related policies and Pledges. Such violations may result in disciplinary action, up to and including termination of employment, privileges, affiliation and/or contract, a report to the applicable professional College, licensing body, educational institution regardless of the status of their practicum, the IPC and/or the police, prosecution and/or civil action (lawsuit), as well as the disclosure of the identity of those responsible to affected individual(s) including patient(s) and/or their representatives.

Any questions about compliance with RVH privacy and confidentiality related policies and procedures, the Pledge or applicable law should be directed to the RVH Chief Privacy Officer.

CROSS REFERENCES

RVH Discipline for a Patient Health Information Privacy Breach, 2018

RVH Whistle Blowing Protection Policy, 2018

REFERENCES

Personal Health Information Protection Act, 2004, S.O. 2004, c. 3, Sched. A. s.2-4. (2004). Retrieved from https://www.ontario.ca/laws/statute/04p03?search=personal+health#top

Personal Health Information Protection Act, 2004, S.O. 2004, c. 3, Sched. A. s.10-12. (2004). Retrieved from https://www.ontario.ca/laws/statute/04p03?search=personal+health#top

Personal Health Information Protection Act, 2004, S.O. 2004, c. 3, Sched. A. s.17. (2004). Retrieved from https://www.ontario.ca/laws/statute/04p03?search=personal+health#top

Personal Health Information Protection Act, 2004, S.O. 2004, c. 3, Sched. A. s.17.1. (2004). Retrieved from https://www.ontario.ca/laws/statute/04p03?search=personal+health#top

Personal Health Information Protection Act, 2004, S.O. 2004, c. 3, Sched. A. s.37. (2004). Retrieved from https://www.ontario.ca/laws/statute/04p03?search=personal+health#top

Personal Health Information Protection Act, 2004, S.O. 2004, c. 3, Sched. A. s.38-50. (2004). Retrieved from https://www.ontario.ca/laws/statute/04p03?search=personal+health#top

Personal Health Information Protection Act, 2004, S.O. 2004, c. 3, Sched. A. s.65. (2004). Retrieved from https://www.ontario.ca/laws/statute/04p03?search=personal+health#top

Freedom of Information and Protection of Privacy Act, R.S.O. 1990, c. F.31. s. 2. (2012). Retrieved from https://www.ontario.ca/laws/statute/90f31?search=freedom+of+information

Freedom of Information and Privacy Protection Act

Confidentiality. Horizon Health Network, 2011.

Confidentiality Agreement. St. Joseph’s Health Centre, 2004.

“Detecting and Deterring Unauthorized Access to Personal Health Information”. Information and Privacy Commissioner of Ontario, 2015.