2.1 In most cases the physician is accountable for the protection of the health records. Because this is an out-patient setting, however, patients are also responsible for protecting the documents they hold; we trust our patients to maintain their records for follow-up reviews and future use.
2.3 All persons in this office who have access to personal information must adhere to the following information management practices:
- Access is on a need to know basis
- Access is restricted to authorized users
- Contractual privacy clauses/agreements with third parties including cleaning, security personnel, building maintenance personnel, and network technicians.
- We protect the confidentiality of any personal information we access in the course of providing patient care.
- We collect, use and disclose personal information only for the purposes of providing care and treatment or the administration of that care, or for other purposes expressly consented to by the patient.
- We adhere to the privacy and security policies and procedures of this office.
- We educate and train staff on the importance of protecting personal information.
3. Collection of personal information
3.1 We collect the following personal information
- Identification and contact information including name and date of birth
- Billing information including state/district health insurance plan (health card) number and private medical insurance details, if applicable
- Health information, which may include medical history and presenting symptoms
3.2 Limits on collection
We will only collect the information that is required to provide care, administer the care that is provided and communicate with patients. We will not collect any other information or allow information to be used for other purposes without the patient’s express consent, except where authorized to do so by law. These limits on collection ensure that we do not collect unnecessary information.
4. Use of personal information
4.1 Personal information collected from patients is used by this office for the purposes of
- Identification and contact, including emergency contact
- Continuity of care: historical record, health promotion and prevention
- Administration of the care provided: prioritization of appointment scheduling and billing the provincial health plan
- Professional requirements: risk or error management and quality assurance (peer review)
- Research studies and trials
5. Disclosure of personal information – I
5.1 Implied consent (Disclosures to other providers)
- Unless otherwise indicated, it is assumed that patients have consented to the use of their information for the purposes of providing them with care, including sharing the information with other health providers involved in their care. By virtue of seeking care from us, the patient’s consent is implied for the provision of that care.
- Relevant health information is shared with other providers involved in the patient’s care, including, but not limited to, other physicians involved in providing care.
5.2 Without consent (disclosures mandated or authorized by law). There are limited situations where the physician is legally required to disclose personal information without the patient’s consent. Examples of these situations include, but are not limited to,
- billing state health plans
- reporting specific diseases
- reporting abuse (child, elder, spouse, etc.)
- reporting fitness (to drive, fly, etc.)
- by court order (when subpoenaed in a court case)
- in regulatory investigations
- for quality assessment (peer review)
- for risk and error management, e.g., medical-legal advice
5. Disclosure of personal information – II
5.3 Express Consent (Disclosures to all other third parties)
- The patient’s express consent, oral or written, is required before we will disclose personal information to third parties for any purpose other than providing care, unless we are authorized to do so by law.
- Examples of situations that involve disclosures to third parties include, but are not limited to, third-party medical examinations and the provision of charts or chart summaries to insurance companies or lawyers who have obtained the necessary permission from the responsible authorities.
- Disclosure log: before a disclosure is made to a third party, a notation is made in the file that the patient has provided express consent, or a signed patient consent form is appended to the file.
5.4 Withdrawal of consent
- Patients may withdraw consent to share their information with other health providers at any time.
- Patients may also withdraw consent to have their information shared with third parties.
- If a patient chooses to withdraw consent, the physician discusses with the patient any significant consequences that might result with respect to their care and treatment.
6. Security measures
6.2 Personal information is protected by a combination of physical, technological and administrative safeguards.
6.2.1 The following physical safeguards are used:
- limited access to the office: monitored alarm system and deadbolt entry lock or keypad entry system
- limited access to records: need-to-know basis and locked cabinets
- office layout and features: front desk privacy screens and soundproofing to ensure confidentiality
6.2.2 The following technological safeguards are used:
- protected computer access to patient health information, including passwords and user authentication
- system protection, including firewall software and virus scanning software
- protected external electronic communications, using a separate Internet connection
- secure electronic record disposal: computer hard drives are safely disposed of and all other removable media are destroyed
- wireless connections kept separate from the network connections that carry patient data
7. Administrative Safeguards
- office information management practices: access is on a need-to-know basis and is restricted to authorized users
- contractual privacy clauses/agreements with third parties, including cleaning, security personnel, building maintenance personnel, and network technicians
- staff sign a confidentiality agreement as part of their employment contract, and this confidentiality agreement or clause extends beyond the term of employment
7.2 Personal information is protected regardless of the format.
7.3 Specific procedures are followed when communicating personal information by phone, fax, email and mail:
- Phone: patient preferences regarding phone messages are taken into consideration
- Unless otherwise authorized by the patient, we leave only our name and phone number in messages for patients
- Fax: we receive only digital faxes, accessible by secure sign-on
- Pre-programmed fax numbers are used to ensure that faxes reach the intended recipient
- Email: we do not use email for confidential messages unless the patient has consented. When a patient initiates a confidential message by email, we treat this as implied consent for us to reply by email
- Firewall and virus scanning software is in place to mitigate unauthorized modification, loss, access or disclosure
- Mail: letters are sent in a sealed envelope marked confidential
8. Record retention
8.2 We use secure offsite record storage.
9. Procedures for secure disposal/destruction of personal information
- Paper records are destroyed by shredding
- Computer hard drives are physically destroyed
- Electronic storage media are shredded
9.2 Disposal log
When a health record is securely disposed of, a log entry is made recording the patient’s name, the time period covered by the destroyed record, the method of destruction and the person responsible for supervising the destruction.
10. Access to information
10.1 Patients have the right to access their record in a timely manner.
10.2 If a patient requests a copy of their records, it will be provided at a reasonable cost.
10.3 Access is provided with the approval of the treating physician.
10.4 If the patient wishes to view the original record, a member of our staff shall be present so that the integrity of the record is maintained; a reasonable fee may be charged for this access.
10.6 Specific procedures are followed to respond to access requests:
- Acknowledge receipt of the request
- Respond in a timely fashion, not exceeding 30 days
11. Limitations on access
11.1 In extremely limited circumstances, access to the patient record may be denied. This happens only if providing access would create a risk to the patient or to another person.
11.1.1 For example, when the information could reasonably be expected to seriously endanger the mental or physical health or safety of the individual making the request or of another person.
11.1.2 Or when disclosure would reveal personal information about another person who has not consented to the disclosure. In this case, the information relevant to the requesting patient is separated out and the remaining material is redacted.
12. Accuracy of information
12.1 We make every effort to ensure that all patient information is recorded accurately, in accordance with this privacy policy.
12.2 If an inaccuracy is noted, the patient may request a correction to their own record; the request is documented by an annotation in the record.
12.3 No annotation shall be made without the approval or authorization of the physician.