Procedure 20-9

Handling Personal Health Information

Adoption
Date : 2022-04-20
Instance of approval : University Secretary-General
Originating/Responsible Department : Office of the Secretary-General

PURPOSE

  1. The purpose of this Procedure is to set out the responsibilities of the University’s Health Information Custodians and their respective Agents regarding the proper handling of Personal Health Information in accordance with the Personal Health Information Protection Act, 2004 (“PHIPA”).

INTERPRETATION

  1. This Procedure shall be read in a manner that is consistent with the University’s obligations under PHIPA as well as Policy 90 – Access to Information and Protection of Privacy.
  2. Capitalized words or expressions used in this Procedure are defined in Policy 90 or in this Procedure.

SCOPE

  1. This Procedure applies to all Health Information Custodians or Agents of Health Information Custodians working at the University of Ottawa when handling Personal Health Information for a Health Care purpose.
  2. This Procedure does not apply to the handling of Health Care or medical information collected for any purpose other than for the purpose of providing Health Care (e.g., academic accommodations) see Policy 90.

DEFINITIONS

  1. The definitions below may be non-exhaustive as there may be a full legislative definition found in PHIPA or other applicable Personal Health Information legislation:

Agent” means an agent of a Health Information Custodian including anyone who is authorized by the Health Information Custodian to collect, use and disclose Personal Health Information on behalf of the custodian for the purposes defined by the custodian.

Collect", in relation to Personal Health Information, means to gather, acquire, receive or obtain the information by any means from any source. "Collection" has a corresponding meaning.

Consent” means written or verbal permission for the provision of healthcare to an individual and for the collection, use and disclosure of PHI of the individual. Consent can be express or implied. Valid consent must relate to treatment, be informed, be given voluntarily and must not be obtained through misrepresentation or fraud.

Health Care” means any observation, examination, assessment, care, service or procedure that is done for a health related purpose and that is carried out or provided: to diagnose, treat or maintain an individual’s physical or mental condition; to prevent disease or injury or to promote health; or as part of palliative care.

Health Information Custodian (HIC)” is defined in PHIPA and includes an individual employed or engaged by the University who has custody or control of PHI, is a health care practitioner, is a member of a regulated health profession and by virtue of their University job functions, provides health care. Whether an individual qualifies as a HIC will depend on whether the individual meets the definition of HIC and whether their University job duties amount to providing health care within the meaning of PHIPA.

Operational Authority” is the individual who is a HIC, who is the highest managerial level of authority within a unit and who is responsible for compliance with this Procedure. See the appendix for a non-exhaustive list of examples of units at the University in which there are employees who are considered Operational Authority for compliance with this Procedure.

Personal Health Information (PHI)” means any information relating to a person’s health that identifies the person, including for example, information about their physical or mental health, family health history, information relating to payments or eligibility for health care and health care numbers.

Protection of Personal Health Information Act” or “PHIPA” means the Personal Health Information Act, 2004, Statutes of Ontario, Chapter 3, Schedule A, including the regulations made pursuant to it, and any statute or regulations that may be substituted therefor, as amended or replaced from time to time.

RESPONSIBILITIES

  1. Everyone who has access to PHI is responsible for taking reasonable steps to protect the privacy of PHI.
  2. The Chief Privacy Officer (CPO) shall:
    • determine what is adequate privacy training and ensuring that the training material is appropriate, accurate and up to date;
    • develop and review guidance material and other user-friendly tools which relates to the handling of PHI for alignment with and to support implementation of this Procedure;
    • prepare and submit the annual statistical reports as required under PHIPA;
    • notify the Chief Information Security Officer of any privacy breach that breaches the university’s information security policies and procedures in order to ensure appropriate investigative measures can be taken; and
    • when the collection of records containing PHI creates significant risks of privacy invasion, require the HIC to conduct a privacy impact assessment concerning that collection.
    • notify affected individuals per PHIPA requirements in the event of a privacy breach involving PHI.
    • notify the Information Privacy Commissioner of Ontario in the event of a privacy breach involving PHI where there is:
      1. Willful use or disclosure without authority;
      2. Stolen information;
      3. Further use or disclosure without authority after an initial breach;
      4. Patterns of similar breaches;
      5. Disciplinary action against a college member;
      6. Disciplinary action against a non-college member; or
      7. Significant breach
  3. The Operational Authority shall comply with the following and shall also ensure compliance by the HICs and Agents within their unit:
    • Collect only such PHI that is reasonably necessary for the Health Care being provided;
    • take reasonable steps to ensure PHI collected is accurate, complete and up to date for its anticipated purposes;
    • use their professional judgement when deciding the level of accuracy which is required and in cases where the individual is receiving treatment, a higher level of accuracy and completeness of the PHI is required;
    • develop, document and implement policies, procedures and guidelines specific to the department or unit as appropriate in alignment with this Procedure in consultation with the Chief Privacy Officer;
    • take reasonable measures to ensure that records containing PHI collected or received in accordance with this Procedure are protected from theft, loss, unauthorized access or modification, and inappropriate use or disclosure, whether intentional or unintentional;
    • report privacy breaches of PHI to the Chief Privacy Officer as soon as possible;
    • report security breaches relating to PHI to the Information Security Officer;
    • conduct a privacy impact assessment as directed by the Chief Privacy Officer;
    • ensure all other individuals who are engaged by, or work with, their department or unit are aware of the requirements of this Procedure and appropriately trained.
    • periodically review individual users’ physical or electronic access to PHI to evaluate who has access and whether access is still required and appropriate for their role or status at the University.
    • monitor the following types of events within the organization to determine if individual user access to PHI needs to be modified or revoked:
      1. Termination of employment;
      2. Extended leave of absence; or
      3. Change in status or in duties.
    • make its employees and agents aware of the Procedure Privacy and confidentiality of personal information.
  4. HICs and Agents shall:
    • Collect only such PHI that is reasonably necessary for the Health Care being provided;
    • only access, use or disclose PHI required to perform their duties, unless specifically authorized to do so by the Operational Authority for compliance with this Procedure;
    • take reasonable steps to ensure PHI collected is accurate, complete and up to date for its anticipated purposes;
    • ensure that PHI which has come into their custody or control is used only to perform duties on behalf of the HIC and is handled according to this Procedure;
    • undertake privacy training as recommended by the Chief Privacy Officer;
    • contain privacy breaches and immediately report to the HIC as well as the Chief Privacy Officer; and
    • comply with PHIPA, this Procedure and any further instructions or directives issued in accordance with it.

CONSENT CONCERNING PHI

  1. Consent to Collect, use or disclose PHI can be express or implied. Each HIC can assume that an individual’s request and/or receipt of Health Care constitutes implied Consent for corresponding purposes, unless the individual explicitly states otherwise.
  2. Use or disclosure without consent may occur if permitted or required by law.
  3. Consent must be express where a HIC discloses PHI to a unit or department or person that is not a HIC, an agent of a HIC, or where the disclosure is not for the purposes of providing Health Care.
  4. Consent may be sought in a variety of ways, depending on the circumstances, the type of information being collected and may be given verbally or in writing. Where verbal Consent is provided, the exchange is to be documented. In the event of certified incapacity of the individual, their authorized substitute decision-maker may Consent on behalf of the individual.
  5. An individual may withdraw Consent at any time, subject to legal restrictions and reasonable notice. Withdrawal of the Consent will not be retroactive. Each HIC will inform the individual of the implications of such a withdrawal.

LIMITS TO CONFIDENTIALITY

  1. Although rare in their occurrence, there are situations in which it may be necessary to disclose your PHI without your Consent. These situations are described below:
    1. Where, in the reasonable judgment of the HIC or an Agent authorized to act on the HIC’s behalf, there is a serious risk to the health and safety of yourself, other members of the university community or the community at large, some of your personal information may be shared with appropriate parties (such as Protection Services, Persons of concern committee, the Police, etc.) in order to ensure your safety or that of others. In such instances, the nature and detail of the information shared would depend on the specific circumstances and only disclose the least amount of information necessary;
    2. In the event of an order of a court or tribunal to release student information, the University will be required to comply; and
    3. As otherwise permitted or required by law. This list is not exhaustive and is subject to change, for example:
      1. if the disclosure of PHI is reasonably necessary for providing Health care and Consent cannot be obtained in a timely manner, unless there is an express request from the individual instructing otherwise;
      2. In order for the Minister of Health and Long-Term Care to provide funding to the custodian for the provision of Health Care;
      3. For the purpose of contacting a relative or friend or potential substitute decision-maker of an individual who is injured, incapacitated or ill and unable to give Consent personally;
      4. When transferring records to storage for conservation purposes.
      5. For quality improvement purposes;

COLLECTION, USE AND DISCLOSURE OF PHI

  1. Each HIC shall identify the purposes for which PHI is collected within their service. The purpose for the collection shall be conveyed to the individual by means of a written public statement. The written public statement shall include:
    • a general description of the HIC’s information practices;
    • information on how an individual may obtain access to or correct a record of PHI;
    • a reference to Policy 90 and this Procedure;
    • whether the PHI is stored on an Electronic Medical Record (EMR)
    • a description of how to contact the HIC; and
    • information on how to make a complaint to the HIC and to the Information and Privacy Commissioner under PHIPA.
  2. PHI that has been collected shall not be used for a previously unidentified purpose. The new purpose shall be identified prior to use. Unless law requires the new purpose, the Consent of the individual is required before information can be used for that purpose.
  3. PHI shall be retained only as long as necessary for the fulfillment of its purpose as documented in the University’s Records Retention Schedule or as required by relevant Health Care professional regulatory and/or licensing bodies.
  4. Each HIC may indirectly Collect PHI where, for example:
    1. The individual Consents;
    2. The collection is necessary for providing Health Care and it is not possible to Collect PHI on directly from the individual that can be relied on as accurate and complete;
    3. The collection is necessary for providing Health Care and it is not possible to Collect PHI directly from the individual in a timely manner;
    4. The custodian Collects PHI for the purposes of research from a person who is not a custodian, with approval of the appropriate Research Ethics Board; and
    5. The indirect collection is required or permitted by law;

ACCESSING AND CORRECTING RECORDS OF PHI

  1. HICs may provide access to individuals seeking their own PHI on an informal basis, at their discretion.
  2. Individuals seeking formal access to their own PHI may make such a request to the University’s Access to Information and Privacy Office central privacy office for processing in accordance with PHIPA or FIPPA and Procedure 20-5 – Handling Access to Information Requests.
  3. Individuals seeking to formally correct their own record of PHI will make such a request to the university’s Access to Information and Privacy Office for processing in accordance with PHIPA or FIPPA.
  4. HICs may refuse to provide access to records of PHI in whole or in part to individuals seeking their own PHI if:
    1. The record contains raw data from standardized psychological tests or assessments.
    2. The identity or authority of the requestor cannot be proven.
    3. The information in the record was collected or created in anticipation of or use in an inspection, investigation, proceeding or similar procedure that has not concluded.
    4. Granting access could reasonably be expected to result in a risk of serious bodily harm to the patient or to others. Where this is suspected, it is authorized to consult a physician or psychologist before deciding to refuse access.
    5. The request for access is frivolous, vexatious or made in bad faith.
  5. HICs may refuse to make a correction of a record of PHI after it has been provided to the individual:
    1. That was not created by uOttawa’s HICs or Agents.
    2. If there is insufficient knowledge, expertise or authority to correct the record.
    3. If the patient has failed to demonstrate that the record is not correct or complete.
    4. If the patient has not given out the information or has not had access to the information needed to make the correction.
    5. If the information in question is a professional opinion or observation made in good faith about a patient.
    6. The request for correction is frivolous, vexatious or made in bad faith.

SAFEGUARDING PHI

  1. PHI in all its forms (electronic, paper, verbal, or other) shall be safeguarded throughout its lifecycle (collection, use, disclosure, retention and disposal) through reasonable measures of protection as determined by Policy 117 – Information Classification and Handling, by legislation and regulation, and other authorities.
  2. Each HIC shall dispose or destroy PHI in accordance with IT Schedule J - IT Asset Disposal and Procedure 20-4, to prevent unauthorized access to the information, and to ensure that it is destroyed in such a way that it cannot be reconstructed or retrieved. 
  3. If PHI is lost, stolen, or used or disclosed without authority, the responsible HIC shall report the Privacy Breach (whether confirmed or suspected) to AIPO and the Privacy Breach shall be handled in accordance with Procedure 20-8 – Privacy Breach Response Protocol.

CHALLENGING COMPLIANCE

  1. The University’s Chief Privacy Officer will investigate any complaints regarding the handling of PHI within the custody or control of a HIC or Agent of a HIC in accordance with its Procedure 20-7 – Handling Privacy Complaints. If the complaint is judged to be valid, the Chief Privacy Officer will take and/or recommend to the relevant authority at the University corrective measures were warranted and as appropriate to the circumstances.

AMENDMENTS

  1. The Secretary-General of the University may approve exceptions or make amendments to this Procedure.

APPENDIX: Operational Authority for compliance with this Procedure

Unit

Operational Authority for compliance with this Procedure

Student Health and Wellness Centre

Health Services

Counselling Services

Medical Director

HR Health and Wellness

Director, Health & Wellness

Centre for Psychological Services and Research (CPSR)

Director, Centre for Psychological Services and Research (CPSR)