pt Health is committed to respecting the privacy of individuals and to recognizing the need of our patients and employees for the appropriate management and protection of any personal and personal health information that we receive. We acknowledge the responsibility in regards to personal and personal health information that is collected, used, retained or disclosed. pt Health is compliant with federally and substantially similar provincially mandated legislation, specifically Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), BC’s Personal Information Protection Act (PIPA), Alberta’s Personal Information Protection Act (PIPA), New Brunswick’s Personal Health Information Privacy and Access Act (PHIPAA) and Ontario’s Personal Health Information Protection Act (PHIPA).
Definition of personal and/or personal health information
Under PIPEDA, personal information is defined as including any factual or subjective information about an identifiable individual, recorded or otherwise. Examples include:
- Age, name, ID numbers, income, ethnic origin, or blood type;
- Opinions, evaluations, comments, social status, or disciplinary actions; and
- Employee files, credit records, loan records, medical records, existence of a dispute between a customer and a merchant and intentions (for example, to acquire goods and services).
Personal information does NOT include the name, title, business address or telephone number of an employee of an organization.
Under PHIPA in Ontario, personal health information is defined as identifying information about an individual, in oral or recorded form, if the information:
- Relates to the physical or mental health of the individual, including information that consists of the health history of the individual’s family.
- Relates to the provision of health care to the individual, including the identification of a person as a provider of health care to the individual.
- Is a plan of service within the meaning of the Home Care and Community Services Act, 1994 for the individual.
- Relates to payments or eligibility for health care, or eligibility for coverage for health care, in respect of the individual.
- Relates to the donation by the individual of any body part or bodily substance of the individual or is derived from the testing or examination of any such body part or bodily substance.
- Is the individual’s health number.
- Identifies an individual’s substitute decision maker.
Under PHIPAA in New Brunswick, personal health information is defined as identifying information about an individual regardless of form, including information that is oral, written or photographed. It applies to information recorded or stored in media such as paper, microfilm, x-rays and electronic records if the information:
- Relates to an individual’s physical or mental health, family history or health-care history, including genetic information about the individual;
- Is the individual’s registration information, including the Medicare number of an individual;
- Relates to the provision of health care to an individual;
- Relates to information about payments or eligibility for health care in respect of an individual, or eligibility for coverage for health care in respect of an individual;
- Relates to the donation by an individual of any body part or bodily substance of the individual or is derived from the testing or examination of any body part or bodily substance;
- Identifies an individual’s substitute decision maker; and
- Identifies an individual’s health care provider.
Under PIPA in Alberta, personal information is defined as information about an identifiable individual. In BC, PIPA defines personal information as information about an identifiable individual and includes employee personal information, but does NOT include contact information or work product information.
Accountability for pt Health’s compliance with the policy rests with the pt Health Privacy Officer. The Privacy Officer is responsible for monitoring company-wide adherence to privacy policies; ensuring pt Health is in compliance with applicable legislation and acting as a liaison with the Federal and Provincial Privacy Commissioner’s offices as needed. The Privacy Officer acts as a resource for employees within pt Health who are responsible for the day-to-day collection and use of personal information. The Privacy Officer manages complaints and responds on behalf of pt Health to any internal or external requests for personal and personal health information and any inquiries about pt Health’s health information management. pt Health is responsible for personal information in its possession or custody, including information that has been transferred to a third party for processing.
As an organization, pt Health:
- Implements policies and procedures to protect personal information, including information relating to patients, staff, employees, and agents.
- Has established policies and procedures to receive and respond to complaints and inquiries.
- Trains and communicates to staff and agents information about pt Health’s privacy policies and practices.
In addition, all pt Health employees sign an internal confidentiality agreement which states that they agree to comply with all applicable legislative regulations as well as pt Health’s own internal privacy codes.
Commitment to privacy
i. COLLECTION – pt Health collects, uses, discloses and retains personal and personal health information in order to provide superior health care and service. pt Health makes all reasonable efforts to fully inform patients and employees about the planned use and disclosure of their personal and personal health information and will obtain explicit consent from patients in regards to their information when necessary.
The collection of personal and personal health information is limited to that which is necessary for the purposes identified by pt Health. Information is collected by fair and lawful means.
- pt Health does not collect personal or personal health information from staff or patients indiscriminately. Both the amount and the type of information collected are limited to that which is necessary to fulfill the purposes identified.
- pt Health recognizes and respects the need to collect personal and personal health information by fair and lawful means. At or before the time personal or personal health information is collected, pt Health staff identifies the purposes for which personal and personal health information is collected. For employees, the information is used for the purposes of staffing, payroll and legal requirements around human resources.
For patients, the primary purposes for collecting personal and personal health information are the delivery of direct patient care, the administration of the health care systems, research, teaching, statistics, and meeting legal and regulatory requirements.
At the time of collection, pt Health staff:
- Identifies the purposes for which personal or personal health information is collected from the individual.
- The identified purposes of the personal or personal health information are explained to the individual. Depending upon the way in which the information is collected, this explanation can be given orally or in writing: for example, an admission form or posted notice may give notice of the purposes.
- When personal information that has been collected is to be used for a purpose not previously identified, the new purpose will be disclosed prior to use. Unless the new purpose is required by law, the consent of the individual is required before information can be used for that purpose.
- Persons collecting personal information shall be able to explain to individuals the purposes for which the information is being collected.
ii. CONSENT FOR COLLECTION, USE, AND DISCLOSURE OF PERSONAL INFORMATION
pt Health will limit collection and use of personal and personal health information to that which the person has provided consent for.
The knowledge and consent of the individual is required for the collection, use or disclosure of personal or personal health information, except where inappropriate.
Note: In certain circumstances personal or personal health information can be collected, used or disclosed without the knowledge and consent of the individual. For example, legal, medical or security reasons may make it impossible or impractical to seek consent. When information is being collected for the detection and prevention of fraud or for law enforcement, seeking the consent of the individual might defeat the purpose of collecting the information. Seeking consent may be impossible or inappropriate when the individual is a minor, seriously ill, or mentally incapacitated. In these circumstances, the pt Health representative should, where possible, seek consent from a substitute decision maker. In addition, if pt Health does not have a direct relationship with the individual, it may not be possible to seek consent.
- Consent is required for the collection of personal information and the subsequent use or disclosure of this information. pt Health staff members seek consent for the use or disclosure of the information at the time of collection. In certain circumstances, consent with respect to use or disclosure may be sought after the information has been collected, but before use (for example, when pt Health staff wish to use information for a purpose not previously identified).
Consent means “knowledge and consent”. pt Health staff members make a reasonable effort to ensure that the individual is advised of the purposes for which the information will be used. To make the consent meaningful, the purposes must be stated in such a manner that the individual can reasonably understand how the information is to be used or disclosed.
- The form of the consent sought by the pt Health representative may vary, depending upon the circumstances and type of information. In determining the form of consent to use, pt Health takes into account the sensitivity of the information.
- The way in which pt Health seeks consent may vary, depending upon the circumstances and the type of information collected. For example, pt Health seeks express consent when the information is likely to be considered sensitive. pt Health seeks consent from an authorized representative such as a substitute decision maker if the patient is not capable of giving or refusing consent.
- Individuals can give consent in many ways, for example:
- An admission form may be used to seek consent, collect information and inform the individual of the use that will be made of the information. By completing and signing the form, the individual is giving consent to the collection and the specified uses.
- Individuals will have the opportunity to request that their names and addresses not be given to other organizations or transferred to a third party.
- Consent may be given orally when information is collected over the telephone. Consent may be given at the time that individuals use a health service.
- An individual may withdraw consent at any time, subject to legal or contractual restrictions, applicable college regulations and reasonable notice. The pt Health representative informs the individual of the implications of such withdrawal.
iii. ACCURACY OF PERSONAL OR PERSONAL HEALTH INFORMATION
pt Health will make every reasonable effort to ensure that personal and personal health information collected and used is accurate. Patients providing personal information will have the opportunity to review and correct their personal information.
If pt Health discloses personal or personal health information about an individual, pt Health will take reasonable steps to ensure that the information is accurate, complete and up-to-date for the purposes that are known to pt Health at the time of the disclosure. Otherwise, pt Health will clearly set out any limitations or qualifications relating to the accuracy of the disclosure.
iv. LIMITING USE, DISCLOSURE, AND RETENTION OF PERSONAL INFORMATION
pt Health will store personal and personal health information using hard copy and/or electronic means in such a way as to prevent unauthorized collection, access, use, disclosure or disposal of the personal information. pt Health will not disclose any personal or personal health information unnecessarily to employees or any third party unless the affected patient consents or unless required by law.
Personal or personal health information is not used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Personal or personal health information is retained only as long as necessary for the fulfillment of those purposes and/or as required by an applicable regulatory body.
- If using personal information for a new purpose, pt Health documents this purpose.
- pt Health has guidelines and implements procedures with respect to the retention of personal information. These guidelines include retention periods for personal health information as required by college regulations. Personal information that has been used to make a decision about an individual is retained long enough to allow the individual access to the information after the decision has been made.
- Personal or personal health information that is no longer required to fulfill the identified purposes and/or has passed the required retention period as set out in college regulations is destroyed, erased, or made anonymous. pt Health has guidelines and implements procedures to govern the destruction of personal and personal health information in accordance with applicable legislative requirements.
v. ENABLING SAFEGUARDS FOR PERSONAL INFORMATION
Security safeguards appropriate to the sensitivity of the information protect personal information. Security safeguards protect personal information against loss, theft, unauthorized access, disclosure, copying, use or modification or destruction. pt Health protects personal information regardless of the format in which it is held. The nature of the safeguards varies depending on the sensitivity of the information that has been collected, the amount of information collected, the extent of the distribution of information, the format of the information and the method of storage. A higher level of protection safeguards more sensitive information, such as personal health information records. Extreme care is taken when disposing of or destroying personal information in order to prevent unauthorized parties from gaining access to the information.
The methods of protection include:
- Physical measures, for example, locked filing cabinets and restricted access to offices;
- Organizational measures, for example, limiting access on a “need-to-know” basis; and
- Technological measures, for example, the use of passwords, encryption, password protection on email attachments and audits.
pt Health makes its staff and agents aware of the importance of maintaining the confidentiality of personal information. As a condition of employment, appointment, or agency, all pt Health staff and agents must sign the pt Health Confidentiality Agreement. In addition, those with access to electronic health records must sign individual User Agreements.
pt Health uses third party service providers to process and store the personal information we collect from our patients. This personal information may be stored on servers located outside of Canada. As such, this information may be available to the government or agencies of that country under a lawful order made in that country. pt Health remains accountable for all information we collect. We ensure that personal information sent to or shared with any foreign jurisdiction for processing or storage will be safeguarded, used, disclosed, and disposed of in a way that is compliant with Canadian federal and provincial privacy laws as well as with pt Health internal privacy policies. Personal information will only be used for purposes in keeping with the original reason for its initial collection.
vi. ACCESS TO PERSONAL OR PERSONAL HEALTH INFORMATION
pt Health promotes an employee’s or patient’s right of access to his/her personal or personal health information and will provide this information in an understandable format. pt Health will provide access to information upon request within 30 days as required under federal law, although the Privacy Officer may request an extension of another 30 days.
Upon request, an individual is informed of the existence, use, and disclosure of his or her personal information and is given access to that information. pt Health may ask the individual to supply enough information in order to confirm the existence, use and disclosure of the personal or personal health information. pt Health will inform the individual how the information is or has been used and will provide a list of any organization to which it has been disclosed (if any). An individual is able to challenge the accuracy and completeness of the information and have it corrected or amended as appropriate.
When a challenge is not resolved to the satisfaction of the individual, pt Health records the nature of the unresolved challenge. When appropriate, the existence of the unresolved challenge is transmitted to third parties having access to the information in question (if any).
Note: In certain situations, pt Health may not be able to provide access to all the personal information they hold about an individual. Exceptions to the access requirement are limited and specific. The reasons for denying access are provided to the individual upon request. Exceptions may include information that is prohibitively costly to provide, information that contains references to other individuals, information that cannot be disclosed for legal, security, or proprietary reasons, and information that is subject to solicitor-client or litigation privilege.
vii. OPENNESS ABOUT PERSONAL INFORMATION POLICIES AND PRACTICES
pt Health makes readily available to individuals specific information about its policies and practices relating to the management of personal information. Individuals are able to acquire information about pt Health policies and practices without unreasonable effort. This information is made available in a form that is generally understandable.
The information made available includes:
- The contact information to reach the Privacy Officer who is accountable for the pt Health privacy policies and practices, and to whom complaints or inquiries can be forwarded;
- The means of gaining access to personal information held by pt Health;
- A description of the type of personal information held by pt Health, including a general account of its use;
- A copy of any brochures or other information that explains the pt Health policies, standards, or codes.
pt Health makes information on its policies and practices available in a variety of ways to address varied information needs and to ensure accessibility to information: for example, pt Health may choose to make brochures available in its places of business, mail information to its clients, post signs, or provide online access through the Internet and Intranet.
viii. CHALLENGING COMPLIANCE
pt Health has established procedures in place to receive and respond to complaints or inquiries about its policies and practices relating to the handling of personal information. In case of a complaint, the complainants will be informed about how to proceed. On its website and consent forms, pt Health provides contact information for the pt Health Privacy Officer. The Privacy Officer tracks and investigates all complaints made about pt Health’s personal and personal health information management and will take appropriate action to correct any inaccurate personal information or modify policies and procedures if needed.
ix. Website Privacy
This section is designed to ensure you are aware of how your data is being used while you are visiting our website and to provide you with choices about that use. Your continued use of the pt Health website after any modification indicates your agreement to the new terms.
We use Google Analytics, Remarketing with Google Analytics, Google AdWords Conversion tracker, and other Google services such as display advertising that place cookies on a browser across the website. These cookies help us increase our website’s effectiveness for our visitors. These cookies are set and read by Google. To opt out of Google tracking, please visit this page: http://www.google.com/policies/technologies/ads/.
x. CASL (Canada’s Anti-Spam Law)
CASL is a law that sets the rules for Commercial Electronic Messages, establishes requirements for commercial messages, gives recipients the right to have emails stopped from being sent to them, and spells out penalties for violations.
We collect your email address in order to:
- Send information, respond to inquiries, and/or other requests or questions.
- Process online bookings and to send information, updates, and reminders pertaining to online bookings.
- We may also send you additional information related to your product and/or service.
- Send periodic commercial electronic messages to clients with whom we have a pre-existing business relationship (i.e. the recipient purchased or leased goods or services within the previous two years).
In accordance with CASL, we agree to the following:
- We will only send messages for up to 2 years after the business relationship began.
- CEMs will contain the following:
- Information identifying the person who sent the message and/or the person on whose behalf it was sent;
- Information enabling the recipient to contact the sender of the message; and
- A valid unsubscribe mechanism allowing the recipient to stop receiving CEMs from the sender.
The unsubscribe mechanism will enable the recipient to remove themselves from the mailing list and will be effective not more than 10 days after the request is made.
Links to Other non pt Health Web Sites
The privacy officer can be reached at our toll-free number, (866) 749-7461, or at [email protected].