Subject: Collection, Use, Disclosure, Retention of Confidential Information
Division: Administrative Services
Procedure Number: CA.58.02.107
Effective Date: October 12, 2016
Wellington-Dufferin-Guelph Public Health (WDGPH) follows the rules set out in the Personal Health Information Protection Act (PHIPA) and the Municipal Freedom of Information and Protection of Privacy Act (MFIPPA) for the collection, use, disclosure and retention of personal and/or personal health information (confidential information).
As a custodian we must generally have the consent of the individual to collect, use or disclose a person’s confidential information. The exception is when the legislation allows us to act without consent.
An individual’s consent may be either express or implied. Express consent can be verbal or written. If verbal consent is given, it must be documented in the person’s file.
When we collect, use and share confidential information we usually rely on implied consent. If the purpose is something other than what the information was collected for (e.g. healthcare), we must obtain express consent, with the exception of specified circumstances when we can act without consent.
This is a working procedure only – for full details regarding Collection, Use and Disclosure see WDGPH Privacy Guidance Document (CA.30.01.100).
Consent is valid if it is:
- Knowledgeable – reasonable to believe that the individual understands why we are collecting, using, or sharing the information, and that he or she has the right to withhold or withdraw consent;
- Voluntary (i.e., without deception or coercion);
- Related to the information in question; and
- Given by the individual directly, or someone with legal authority to consent for the individual (substitute decision-maker).
As agents, we are acting on the Agency’s behalf and we may only collect a person’s confidential information that we are authorized to collect and that is required in the course of our duties. Notice of Collection statements outline the information we collect, its use, disclosure, and retention. These are placed in publicly accessible areas at each site where we offer services, appear on the Agency’s forms when we collect confidential information, and are posted on the Agency’s website.
We can collect the following confidential information:
- Name, address, date of birth, and Ontario Health Card number;
- Facts about health, health care and individual/family history; and
- Information about payment for health care, when required for certain public health services.
When we can collect confidential information directly:
- We can assume when a person asks for a program or service, he or she is providing implied consent to the collection of his or her personal or personal health information for the purpose of providing him or her with that program or service;
- We must tell the person why we are collecting his or her personal or personal health information and how this information will be used or shared;
- We explain this either before or at the time we collect the information. We need to use plain language and make sure the person clearly understands; and
- This information can be given face-to-face, in writing, or electronically and documented per program procedures.
When we can collect confidential information indirectly:
We can collect a person’s confidential information indirectly (i.e., not from the person who is the subject of the information) when the person consents to this manner of collection and/or when certain legal exemptions apply. For example, we can collect it indirectly when it’s needed for:
- Providing services when it’s not possible to get the information directly from the person at that time (for example, HIV testing);
- Research, provided certain conditions are met (for example, review by a research ethics committee, use of aggregate data); and
- Legal reasons.
Confidential information of WDGPH clients will not be used by, or disclosed to, third parties for purposes other than those stated when it was collected, except with the express consent of the client or as required by law. Audits of the system logs of electronic record systems will be conducted on a regularly scheduled basis to ensure all access to confidential information is authorized and appropriate.
Where a person’s personal health information is collected for the purpose of providing programs and services, the information can be shared between members of the client’s care team (‘circle of care’) for the purpose of providing or supporting the provision of WDGPH healthcare programs and services. This is considered a ‘use’ of the information.
Prior to using a person’s confidential information, we must:
- Get the person’s consent directly, unless we have authority to collect it indirectly. PHIPA allows use without consent in some instances;
- Tell the person in plain language how we will use it;
- Make sure the person clearly understands; and
- Give the person this information face-to-face, in writing, or electronically, either before or at the time we collect the information.
We can use a person’s confidential information for:
- The purpose for which it was collected and all the functions reasonably necessary for carrying out that purpose; and
- Another purpose, but we must first let the person know and get his or her express consent. The exception is if the information is required by law.
We can use a person’s confidential information without consent for the following:
- Risk management, error management, or activities to improve or maintain the quality of care or any related program or service;
- Educating agents to provide health care;
- Planning or delivering programs and services;
- Allocating resources to any programs or service provided or funded by the custodians;
- Obtaining payment or processing, monitoring, verifying, or reimbursing health care claims; and
- Research, provided Agency specific research ethics requirements and conditions are met.
When a request for personal or personal health information is made and the person’s information is not disclosed, the custodian must inform the requestor of the decision, and support the decision with reference to the appropriate section of the legislation.
When disclosing a person’s confidential information, precautions should be taken to prevent information from being disclosed inadvertently to third parties, such as:
- Ensure you have consent from the requestor with details for disclosure. This includes disclosure to another custodian, or a non-custodian. Privacy legislation does have exceptions that allow disclosure without consent;
- We can rely on a person’s implied consent to share personal health information with a custodian or agent as long as the sharing is about the person’s health care (‘circle of care’) and the person has not stated that you cannot use it;
- Ensure the information is being disclosed to the correct recipient (check using screening questions only the client can answer) and, if faxing, confirm that fax numbers are accurate;
- Ensure consent is obtained from the requestor for email disclosure;
- Express consent must be obtained to disclose personal health information to:
  - Someone other than a custodian or agent, or
  - Another custodian or agent, if the purpose is something other than providing or assisting in health care (e.g. law enforcement); and
- If the information requested is being picked up at our location, ensure the requestor provides a piece of identification to confirm that he or she is indeed the person who made the request, or the person identified to collect and receive the information.
In some cases, an individual may provide limited consent (‘lock-box’), where the individual consents to some, but not all, information being disclosed.
If WDGPH is asked to share a person’s confidential information for non-healthcare purposes, we will confirm:
- The information is used only for the purposes for which it was collected, unless another use is permitted or required by law;
- The information must be returned or securely disposed of once the purpose has been fulfilled, where permitted by law; and
- When possible, WDGPH will consider whether de-identified information can be used to serve the same purpose.
When we can disclose information without consent:
PHIPA – Personal health information can be disclosed without an individual’s consent in certain circumstances under Sections 35-50 of the PHIPA legislation.
Exemptions for disclosure of information:
MFIPPA contains three mandatory exemptions that prohibit WDGPH from disclosing requested information. WDGPH must refuse to disclose all information falling under a mandatory exemption without consent from the institution, organization or person to whom the information relates. The head of an institution can refuse to disclose a record under Sections 6-14 of the MFIPPA legislation.
A person’s confidential information may be retained for the periods mandated by the WDGPH Retention Schedule, or disposed of earlier if the person consents to its earlier disposal. When the required retention period has passed, the information must be disposed of through secure means, e.g. shredding.
WDGPH recognizes the high sensitivity of clients’ confidential information in our custody or control and the need for its safe management, and will ensure that this information is kept secure at all times. When not in use, confidential information (both hard copy and electronic) must be maintained under “lock and key.” Confidential information in hard copy will be stored in lockable filing cabinets (even in secure areas), and all electronic information will be stored in a safe and secure password-protected database.
Collect – To gather, acquire, receive, or get personal health information.
Disclose – To release, make available or share personal health information that is under our control (or that of an authorized agent) to another custodian, individual, or organization.
Use – How we handle or deal with personal health information that is in our custody or control. It includes how we access or reproduce health information.
Express Consent – Express consent can be verbal, written, or electronic. It is clear and definite.
Implied Consent – Consent is implied when you can conclude from the circumstances that a person would reasonably agree. When acting within the circle of care, you can rely on a person’s implied consent to collect, use and share personal health information. An authorized representative (such as a legal guardian or a person having power of attorney) can also give consent when it is appropriate.
REFERENCES AND RELATED FORMS, POLICIES AND PROCEDURES
Corresponding Policy: CA.58.01.100 Privacy Governance
CA.30.01.800 Privacy Guidance Document
CA.58.02.104 Access and Release of Information Procedure
CONTACT FOR INQUIRIES
Chief Privacy Officer at firstname.lastname@example.org or call at ext. 2975.
Director, Administrative Services