Privacy Code and Policies of The Pacific Wellness Institute (PWI)
The Pacific Wellness Institute (PWI) Privacy Code
A. General Requirements
The Ontario Personal Health Information Protection Act (PHIPA) and federal Personal Information Protection and Electronic Documents Act (PIPEDA) apply to each person and business that collects and handles the personal information of patients or clients. It enables individuals to have control over how their personal information is handled in the private sector. The term “Personal information” for the purposes of the Policy includes any personal information that might identify a person such as, for example, an individual’s name, their address, gender, ethnicity, education, employment, and personal health information and health history.
Under PHIPA, a business is responsible for the protection of personal health information and under PIPEDA a business is responsible for the protection of general personal information at all times. The 10 principles that businesses must follow are:
- Identifying purposes
- Consent of the individual
- Limiting collection
- Limiting use, disclosure, and retention
- Maintaining accuracy of information
- Safeguards to disclosure
- Openness to process requests
- Individual access
Each business is required to appoint an individual to be responsible for compliance, to ensure that all personal information collected by the business or transferred to a third party is protected and for developing and implementing personal information policies and practices. The business is required to analyze its personal information handling practices and ask questions such as:
- What personal information we collect?
- Why do we collect it?
- How do we collect it?
- What do we use it for?
- Where do we keep it?
- How is it secured?
- Who has access to or uses it?
- To whom is it disclosed?
- When is it disposed of?
In addition businesses are required to develop and implement policies and procedures to protect personal information as follows:
- define the purposes of its collection
- obtain consent from staff, contract workers and volunteers
- limit its collection, use and disclosure
- ensure information is correct, complete and current
- ensure adequate security measures
- maintain a retention and destruction timetable
- process access requests, and
- respond to inquiries and complaints.
Businesses are required to include a privacy clause in third party contracts to ensure the third party provides the same level of protection as the business, inform and train staff on privacy policies and procedures and have information available explaining these policies and procedures to clients and customers.
The Ontario Privacy Information Officer acts as the ombudsman for complaints under PHIPA. The Officer investigates complaints, conducts audits, promotes awareness of and undertakes research about privacy matters. The Information Privacy Commission (IPC) has developed extensive educational tools on PHIPA, including comprehensive Frequently Asked Questions, providing a general overview of the legislation. Other key publications include a Guide to the Personal Health Information Protection Act, primarily aimed at health care providers, and The Personal Health Information Protection Act and Your Privacy, a short brochure aimed at the general public. These can be accessed on the IPC’s website, www.ipc.on.ca.
B. Under PHIPA, PWI is required to have the following:
1) Privacy Officer (PO). The PO is the public contact person for PWI, and is responsible for all questions and concerns regarding this Privacy Code. The PO is also responsible for ensuring compliance of the policies of this Code by PWI Staff, as defined below, informing and, if necessary, training the members of PWI staff on the policies and procedures to comply with the Code, and carrying out the process to deal with complaints by clients, as defined below.
2) Privacy Code. A copy of the Privacy Code is available to clients on request. At PWI, each client is asked to read, understand and consent to PWI’s collection, use and disclosure of their personal information through a consent form (Appendix 1). Each PWI staff is required to read and agree to comply with all terms of the Code. It may be necessary to amend the Code from time to time, in which case PWI staff will be informed and each will be responsible for reading and complying with the amendments.
C. Policies and Procedures for Collecting, Using and Disclosing Personal Information
1) Defined Terms:
i) Personal Information: Personal Information is any information that contributes to the identity of an individual. This may include, but is not limited to, name, gender, age, ethnicity, religion, education, marital and financial status, employment and health history.
ii) Consent: Consent is specific permission, written, verbal or implied, given by a client to PWI Staff to the PWI Staff collecting Personal Information about the Client. Examples may be as between a client and therapist or PWI Staff or between PWI Staff and an insurance company. Implied consent arises where consent may be reasonably be inferred from the action or inaction of the individual. Implied consent, for example, would arise where a client tells a therapist about her arthritis and the resulting pain during the intake. Consent may be collected in person, by phone, through mail, e-mail or any other method of communication. For consent to be valid, the client must be aware of the nature and purpose of the information being requested.
iii) Client: A client is any person who has provided any Personal Information to PWI Staff. It will include any client that has established a professional healthcare relationship with a PWI therapist, a client who provides personal information that is recorded into a file, the computer and/or financial records, and one who pays money in exchange for health services or advice at PWI. A client may also be PWI Staff, who receive the same rights and protection regarding privacy of personal information.
iv) PWI Staff: PWI Staff includes reception staff, therapists, volunteers and anyone who enters into a contract with PWI for the purpose of providing services or goods and who potentially would have access to client personal information. Excluded from this are clients, patients, sales representatives, previous PWI staff members whose employment period or contract has expired or been terminated, family and friends of current PWI Staff or anyone who has not entered into a work related contract with PWI, and anyone who is restricted from the premises due to legal reasons or as determined by PWI or the owners of the building.
D. How PWI Collects, Uses and Discloses Personal Patient Information
PWI will collect, use and disclose information about a client for the following purposes:
1) For the purposes of delivering healthcare and health services:
- Each therapist is governed by his or her professional board, which may have policies regarding collecting and maintaining client information. Therapists and clinical assistants collect and record information as part of their health assessment and maintenance of client files. Included in these records may be, but is not limited to client contact information, administrative and assessment forms, information gathered by the therapist during an appointment, treatment given during an appointment, results of laboratory and diagnostic tests, notes made by the therapist that contribute to his or her overall clinical impression, diagnosis and care for the client. All this information may be required in order to properly assess that client’s health needs, deliver safe and effective patient care, advise clients of treatment options, for follow-up for treatment, care and billing.
- In order to deliver complete care to the client, it may be necessary to communicate with other relevant health-care providers.
- In the event of an emergency or death, client information may be disclosed to notify or assist in notifying a family member or emergency contact person as specified by the client.
- Medical knowledge and advancement is built on clinical experience. PWI may carry out activities for teaching, demonstration and research purposes. Certain information may, from time to time, be extracted from client files and presented in an anonymous format. Steps will be taken to preserve privacy of client identity.
- PWI may need to contact, establish and maintain communication with clients for the purpose of following up treatment, prescription product pick-up or booking and confirming appointments, and may distribute healthcare information and patient education via the PWI’s newsletter. PWI may contact the client by telephone or e-mail using the phone number(s) and e-mail address as provided by the client.
Any personal information submitted through the website, such as your name, address, phone number, e-mail address and details of your health will be kept confidential. Any information provided in through this website will not be released, rented, sold nor be available to any parties other than The Pacific Wellness Institute, unless we are required to do so by law or we are authorized to do so by you or your authorized representative. In the future, The Pacific Wellness Institute may send you information regarding our service and offerings. You may opt out of receiving such communications.
We are continuously reviewing and updating our services and policies while striving to deliver a high standard of service to you. PWI provides a secure means of exchanging information via the Internet. However, when sending information using the current patient forms, it is technically possible for the information to be intercepted by a third party. This may be remote, but it is important for you to know that it is a possibility. If you would prefer to submit your personal information by some other means, please contact us at 416-929-6958.
In addition, communications through the PWI website and PWI e-mails may be available to PWI Staff other than a client’s therapist and therefore may not be confidential to a particular person of the PWI Staff.
Appointment reminders: PWI may call a client’s home or office prior to his or her scheduled appointment. If the client is not home, a reminder message may be left on the answering machine or with the person answering the telephone. No other personal health information is to be disclosed during this message other than the date, time and therapist of the scheduled appointment along with a request to call the clinic if the client needs to cancel or reschedule his/her appointment.
Open treatment areas: There are some open treatment areas at PWI in order to take advantage of space and natural light, and to enhance the effect of the therapeutic environment. It is possible that personal health information may be inadvertently disclosed during a client’s clinic visit if he or she is treated in these open areas. A client wishing to have privacy when discussing personal information may make such request prior to the scheduled appointment. Certain types of appointments that involve lengthy discussions, test results or other personal health information are conducted in a private room.
2) In processing financial transactions:
- Information to complete and submit insurance claims for third party adjudication and payment may be disclosed to the insurance provider as required. This information may include itemized billing statements, medical information and diagnosis, date of condition and appointment, and description of health care services received and therapist(s) who administered the services.
- PWI produces invoices and receipts for goods and services, processes credit card payments, and collects unpaid accounts.
- In the even PWI is sold or merges with another company, all health information, records and files of the clinic will become the property of the new owner. Any new owner would be required to maintain the privacy of client personal information, by law.
3) In complying with the law and regulatory standards:
- The personal information of PWI clients may be accessed when necessary by the legal and regulatory requirements of the board that governs each therapist. The purpose of such disclosure or audit is to ensure that the therapist is in compliance with his or her professional regulatory requirements in collecting, keeping and maintaining client information, appointment records and files.
- Client information may also be accessed to assist this clinic in complying with all legal and regulatory requirements, including but not limited to reporting child abuse or neglect, problems with products and reactions to medications, identifying or locating a suspect, material witness or missing person, complying with a court order or subpoena, and other law enforcement purposes.
- Public health: As required by law, a therapist of PWI may be required to disclose health information to public health authorities in the case of reporting communicable disease or infection exposure. Health Canada has a list of reportable diseases that health care providers are required to report. If you wish to be tested for any of the reportable diseases on an anonymous basis, the clinic may be able to provide you with the name of a clinic that provides such a service.
E. Procedures for ensuring privacy of Personal Information
- Only PWI Staff who have read, understand and signed a Privacy Agreement are entitled to collect, use and disclose the personal information of clients.
- Storage of files and records: Files are kept in a separate storage space that is inaccessible to the public. The space is accessible only by designated PWI Staff and is locked after clinic business hours. Electronic records are protected by password. Records containing personal information (such as files, invoices and schedule book) remain within PWI at all times. No PWI Staff is permitted to remove any records, including patient files, from the PWI premises. PWI Staff are required to prevent files and records from being accessed or inadvertently read by other clients.
- No personal information, health or financial records (copies, written or verbal forms) from PWI released to any third parties without first obtaining consent from the client. The only exception to this may be personal information released to an emergency contact person specified by the client in the case of emergency or death of that client. “Emergency” is defined as an event that requires immediate ambulance, hospitalization, or legal action.
- Appointment book: Only PWI Staff may access, record and change entries in the appointment book. Information regarding any scheduled appointments cannot be released to anyone other than the client (for example, appointment information cannot be released to family members or co-workers inquiring about a client).
- Messages: If the clinic needs to contact a client at his or her home or office, the phone number provided by the client is used. Telephone messages recorded on a machine or left with another person will provide minimal information regarding scheduled appointments and the name of PWI therapist. No other personal information will be given out.
- Other correspondence: PWI establishes and maintains correspondence via e-mail and fax. E-mail and faxes of a personal nature (such as assessment forms and treatment information) will be sent only after consent from the client is obtained. PWI periodically sends e-mail newsletters and updates to the e-mail address provided by the client. The client at any time can request that his or her e-mail address be removed from the newsletter mailing list.
- PWI does not sell any client information to third parties.
F. Exceptions to Consent
1) PWI may collect, use and disclose personal information without the individual’s knowledge or consent only if:
- it is clearly in the individual’s interest and consent is not available in a timely way
- knowledge and consent would compromise the availability or accuracy of the information and collection is required to investigate a breach of an agreement or contravention of a federal or provincial law and/or the PWI has reasonable grounds to believe the information could be useful when investigating a contravention of a federal, provincial or foreign law and the information is used for that investigation
- the information is publicly available
- requested by a lawyer representing PWI
- to collect a debt the individual owes to PWI
- to comply with any law, subpoena, a warrant or an order made by a court or other body with appropriate jurisdiction
- to a government institution that has requested the information, identified its lawful authority, and indicates that disclosure is for the purpose of enforcing, carrying out an investigation, or gathering intelligence relating to any federal, provincial or foreign law; or suspects that the information relates to national security or the conduct of international affairs; or is for the purpose of administering any federal or provincial law
- to an investigative body named in the Regulations of PIPEDA or PHIPA or government institution on the organization’s initiative when PWI believes the information concerns a breach of an agreement, or a contravention of a federal, provincial, or foreign law, or suspects the information relates to national security or the conduct of international affairs
- 20 years after the individual’s death or 100 years after the record was created
G. The Personal Information Rights of the Client
All clients and PWI Staff have the right to:
- Request restrictions on certain uses and disclosures of your health information
- Access copies of his or her personal health information. The client must first sign a release form authorizing the copies and release of information and records from PWI and the account balance of the patient must be zero before a copy of his or her files and records will be made.
- Correct or amend current information
- Access a copy of PWI’s Privacy Code
PWI is not required to agree to requests made to amend or restrict the use of personal health information if it is in conflict with legal and professional board regulation requirements of each therapist or it is in conflict with the therapist’s ability to deliver safe healthcare.
H. Procedures for Retaining and Destroying Information
- PWI is required to keep client information and records for a period as required by regulation. Currently the period is ten (10) years from the recorded date of the last appointment with a therapist or until age 28 for minors.
- Destruction of client information: When the required period has ended, PWI destroys files by shredding the information and deleting electronic records so that is no longer accessible or identifiable.
An individual may complain to the Privacy Officer (PO) of PWI. PWI has designated Claudia Tanaka as the PO. She has the authority to intervene on privacy issues of clients of PWI. PWI has implemented personal information handling practices, including ongoing activities and new initiatives, to ensure that client confidential information is protected.
1) Procedures for recourse for complaints made to PWI’s PO:
- Record the date a complaint is received and the nature of the complaint. The complainant is to acknowledge the receipt of his or her complaint.
- The PO investigates the complaint by accessing all relevant records and PWI Staff who handled the information.
- If the misconduct is the result of a violation of this Code, PWI will deal with that with the person responsible. If the misconduct is the result of following this Code or is the result of not having an existing procedure or policy, the appropriate amendments will be made to this Code and all PWI Staff will be notified of such an amendment.
- The complainant will be notified of the outcome of the investigation, and informed of any relevant steps taken. A report of the complaint, investigation and outcome will be included in the individual’s records.
2) An individual may also complain to the federal Privacy Commissioner for general breaches of personal information or the Ontario Information Privacy Officer about any alleged breaches privacy of personal health information. Either office may also initiate a complaint if there are reasonable grounds to believe that an investigation of a matter under PIPEDA or PHIPA is warranted.
3) Types of complaints may include misconduct of privacy of personal information as outlined in this Code, such as for example allegations that PWI:
- denied an individual access to personal information
- improperly collects, uses or discloses personal information
- refuses to correct inaccurate or incomplete information
- fails to provide access to personal information in an alternative format to an individual with a sensory disability
- does not use appropriate safeguards to protect personal information
J. Time limits
- There are no time limits for filing most types of complaints.
- The only exception may be a complaint that access to personal information has been denied. In this case, the complaint must be made within six months after PWI’s refusal to provide the information, or after the expiry of the time limit for responding to the request. However, the federal Commissioner or Ontario Information Privacy Officer may extend the time limit for an access complaint.
- The Commissioner or Information Privacy Officer is required prepare a report within a designated time-frame. Please consult the websites for details.
1) It is an offence to:
- destroy personal information that an individual has requested
- retaliate against an employee who has complained to the Ontario Privacy Information Officer, or who refuses to contravene PHIPA.
- obstruct a complaint investigation or an audit by the Ontario Privacy Information Officer or his delegate.
2) A person who is guilty of an offense under these laws may be liable to a fine, as determined by federal Information and Privacy Commissioner or Ontario Privacy Information Officer.
L. To File a Complaint or for General Inquiries
Under PIPEDA: Privacy Commissioner of Canada Phone: (613) 995-8210 Toll-free: 1-800-282-1376 TTY: (613) 992-9190
Under PHIPA: Ontario Ministry of Health and Long Term Care INFOline: 1-800-268-1154 In Toronto: 416-314-5518 TTY 1-800-387-5559 www.ipc.on.ca