Your Personal Health Information
Providing the highest possible quality of care for our patients
We value your privacy
Ottawa Valley Family Health Team Privacy Policy
The Ottawa Valley Family Health Team is guided by the Personal Health Information Protection Act, (PHIPA).
PHIPA sets out rules for the collection, use and disclosure of personal health information. These rules will apply to all health information custodians operating within the province of Ontario and to individuals and organizations that receive personal health information from health information custodians. The rules recognize the unique character of personal health information – as one of the most sensitive types of personal information that is frequently shared for a variety of purposes, including care and treatment, health research, and managing our publicly funded health care system.
The legislation balances individuals’ right to privacy with respect to their own personal health information with the legitimate needs of persons and organizations providing health care services to access and share this information. With limited exceptions, the legislation requires health information custodians to obtain consent before they collect, use or disclose personal health information. In addition, individuals have the right to access and request correction of their own personal health information.
For more information about the Personal Health Information Protection Act, please click here.
To contact our Privacy Officer, please click here.
The Ottawa Valley Family Health Team abides by the following Principles:
Principle 1 – Accountability for Personal Health Information
The OVFHT is responsible for any personal health information we hold. We have designated our Chief Executive Officer as our Privacy Officer. This position is accountable for the OVFHT’s compliance with this Privacy Policy and compliance with PHIPA.
The OVFHT demonstrates our commitment to privacy by implementing privacy policies and procedures to protect the personal health information we hold and by educating our staff and any others who collect, use or disclose personal health information on our behalf about their privacy responsibilities.
All OVFHT staff and those who act on our behalf must abide by PHIPA, this policy and any applicable rules of professional conduct.
Principle 2 – Identifying Purposes for Collecting Personal Health Information
The OVFHT collects personal health information for purposes related to direct patient care, administration and management of our programs and services, patient billing, administration and management of the health care system, research, teaching, statistical reporting, fundraising, meeting legal obligations and as otherwise permitted or required by law.
A patient who presents for treatment gives implied consent for the use of his or her personal health information for authorized purposes, unless expressly instructing otherwise.
When personal health information that has been collected by the OVFHT is to be used for a purpose not previously identified, the new purpose will be identified prior to use. Unless the new purpose is permitted or required by law, consent will be required before the information can be used for that purpose.
Principle 3 – Consent for the Collection, Use and Disclosure of Personal Health Information
The OVFHT requires consent in order to collect, use, or disclose personal health information. However, there are some cases where the OVFHT may collect, use or disclose person health information without consent as permitted or required by law. For example, the OVFHT does not require consent for using or disclosing information for billing, risk management or quality improvement purposes or to fulfill mandatory reporting obligations.
The OVFHT assumes that a patient’s request for treatment constitutes implied consent for specific purposes, unless expressly instructed otherwise.
If consent is sought by the OVFHT, a patient may choose not to give consent. If consent is given, a patient may withdraw consent at any time, but the withdrawal cannot be retrospective. The withdrawal may also be subject to legal or contractual restrictions and reasonable notice.
Principle 4 – Limiting Collection of Personal Health Information
The OVFHT limits the amount and type of personal health information we collect to that which is necessary to fulfill the purposes identified. Information is collected directly from the patient, unless the law permits or requires collection from third parties. For example, from time to time we may need to collect information from patients’ family members or other health care providers.
Principle 5 – Limiting Use, Disclosure and Retention of Personal Health Information
Personal health information will not be used or disclosed by the OVFHT for purposes other than those for which it was collected, except with the consent of the patient or as permitted or required by law. Personal health information will be retained by the OVFHT only as long as necessary for the fulfillment of those purposes. Personal health information that is no longer required to fulfill the identified purposes will be destroyed, erased, or made anonymous.
Principle 6 – Accuracy of Personal Health Information
The OVFHT will take reasonable steps to ensure that information we hold is as accurate, complete, and up to date as is necessary to minimize the possibility that inappropriate information may be used to make a decision about a patient.
Principle 7 – Safeguards for Personal Health Information
The OVFHT has put in place safeguards for the personal health information we hold, which include:
- Physical safeguards (such as locked filing cabinets and rooms);
- Organizational safeguards (such as permitting access to personal health information by staff on a “need-to-know” basis only); and
- Technological safeguards (such as the use of passwords, encryption, and audits).
The OVFHT requires anyone who collects, uses or discloses personal health information on our behalf to be aware of the importance of maintaining the confidentiality of personal health information. This is done through the signing of confidentiality agreements, privacy training, and contractual means.
The OVFHT takes steps to ensure that the personal health information we hold is protected against theft, loss and unauthorized use or disclosure.
Care is used in the disposal or destruction of personal health information, to prevent unauthorized parties from gaining access to the information.
Principle 8 – Patient Access to Personal Health Information
Patients may make written requests to have access to their records of personal health information, in accordance with “Authorization For Disclosure of Medical Records”
The OVFHT will respond to a patient’s request for access within reasonable timelines and costs to the patient, as governed by law.The OVFHT will take reasonable steps to ensure that the requested information is made available in a format that is understandable.
Patients who successfully demonstrate the inaccuracy or incompleteness of their personal health information may request that we amend their information. In some cases instead of making a correction, patients may ask to append a statement of disagreement to their file.
Please Note: In certain situations, the OVFHT may not be able to provide access to all the personal health information we hold about a patient. Exceptions to the right of access requirement will be in accordance with law. Examples may include information that could reasonably be expected to result in a risk of serious harm or the information is subject to legal privilege.
Principle 9 – Challenging Compliance with OVFHT Privacy Policies and Practices
Any person may ask questions or challenge our compliance with this policy or with PHIPA by contacting our Privacy Officer.
The OVFHT will receive and respond to complaints or inquiries about our policies and practices relating to the handling of personal health information. We will inform patients who make inquiries or lodge complaints of other available complaint procedures.
The OVFHT will investigate all complaints. If a complaint is found to be justified, the OVFHT will take appropriate measures to respond.
The Information and Privacy Commissioner of Ontario oversees our compliance with privacy rules and PHIPA. Any individual can make an inquiry or complaint directly to the Information and Privacy Commissioner of Ontario by writing to or calling:
2 Bloor Street East, Suite 1400
Toronto, Ontario M4W 1A8
Phone: 1 (800) 387-0073
Principle 1 – Accountability for Personal Health Information
The OVFHT is responsible for any personal health information we hold. We have designated our Chief Executive Officer as our Privacy Officer. This position is accountable for the OVFHT’s compliance with this Privacy Policy and compliance with PHIPA.
The OVFHT demonstrates our commitment to privacy by implementing privacy policies and procedures to protect the personal health information we hold and by educating our staff and any others who collect, use or disclose personal health information on our behalf about their privacy responsibilities.
All OVFHT staff and those who act on our behalf must abide by PHIPA, this policy and any applicable rules of professional conduct.
Privacy Definitions
Capacity to consent
Capacity is not determined by a person’s age. Individuals must be capable of providing consent for the collection, use or disclosure of personal information. Capable means they are able to:
- understand the information that is relevant to deciding whether to consent and
- appreciate the reasonably foreseeable consequences of giving, withholding, or withdrawing the consent.
When determining someone’s capacity to consent, you can presume that an individual of any age is capable, unless you have reasonable grounds to believe they are not. For example, while Part X does not link capacity to age or provide a minimum age for consent, it would be reasonable to conclude that an infant is incapable of providing consent.
Note that a person can be capable of consenting at one time, but incapable at another.
For example, a traumatic event or a new medication might temporarily affect an individual’s capacity to provide consent.
Individuals can also be capable of providing consent for some parts of their personal information, but not others. For example, a child may be capable of consenting to the disclosure of most of her record to another service provider, but incapable of appreciating the consequences of disclosing or not disclosing a particularly sensitive part of the record.
When assessing if an individual is capable:
- provide them with all the relevant information, including the purpose for the proposed collection, use or disclosure. When you are collecting the information directly, advise them that it may be used or disclosed in accordance with Part X
- consider asking the individual to repeat the relevant information back to you — it may help you to assess their level of understanding.
- ensure that language barriers, speech impairments or cultural differences do not influence your assessment of capacity.
Power of Attorney
A power of attorney is a legal document that gives someone you trust the right to make financial or health care decisions for you. This trusted person does not have to be a lawyer to be your attorney.
Types of powers of attorney
There are two types of powers of attorney:
- personal care
- property
Personal care
An attorney for personal care can make decisions about your:
- health care
- housing
- other aspects of your personal life such as meals and clothing
If you do not have an attorney for personal care, your family can make some decisions, but not all.
Property
An attorney for property can make decisions about your financial affairs including:
- paying your bills
- collecting money owed to you.
- maintaining or selling your house
- managing your investments
Without an attorney for property, your family, including your spouse, cannot automatically step in to make financial decisions for you. They might have to go to court to become your court-appointed guardian.
Circle of Care
The term “Circle of Care” describes the ability of certain custodians to assume your implied consent to collect, use or disclose personal health information for the purpose of providing health care.
The “Circle of Care” may include the doctors, nurses, pharmacists, physiotherapists, clinical clerks and employees assigned to your health care. Custodians who are not part of your direct or follow-up treatment are not included within the “Circle of Care.”
Implied Consent
mplied consent is not defined in PHIPA; however, it is understood to be consent that one concludes has been given based on what an individual does or does not do in the circumstances.
For example, a custodian is not required to obtain your written or verbal consent every time your personal health information is collected or used in the course of receiving medical care. It may be reasonable for the custodian to conclude that consent has been given to the collection or use of personal health information because of certain things you do in the context of a physician’s office, such as consenting to an examination or a medical test.
It may also be reasonable for a custodian to conclude that you have consented to the disclosure of your personal health information to another custodian for the purposes of providing or assisting in providing health care. For example, when you consent to a physician issuing a prescription, it may be reasonable for the physician to conclude that you have given implied consent to the disclosure of your personal health information for the purposes of filling a prescription. Similarly, by receiving the prescription from you or your physician, the pharmacist can reasonably conclude that you consented to the collection of this information for the same purposes.
Express Consent
Express consent is given either verbally or in writing, to a custodian to collect, use or disclose your personal health information. Except in circumstances where PHIPA permits the collection, use or disclosure without consent, express consent is required if:
- personal health information is disclosed to a person or an organization, such as an insurance company, that is not a custodian
- personal health information is disclosed by one custodian to another for a purpose other than providing or assisting in providing health care
- a custodian collects, uses or discloses personal health information for the purpose of marketing or market research
- a custodian collects, uses or discloses personal health information for the purpose of fundraising activities if the information consists of more than your name and certain contact information (implied consent is all that is required for a name and contact information.)
Just like it is possible to provide express consent, it is also possible to expressly withhold or refuse to give consent to the collection, use or disclosure of personal health information. If consent is withheld or not given, then the custodian cannot collect, use or disclose your personal health information unless PHIPA otherwise allows the practice without consent.