Privacy and Confidentiality of Patient Personal Health Information

PRIVACY AND CONFIDENTIALITY OF PATIENT PERSONAL HEALTH INFORMATION

Manual/Section: ADMINISTRATION
Key Words: personal health information, privacy, confidentiality
Policy No. 10

1. PURPOSE:

1.1 To establish a set of uniform rules for the collection, use and disclosure of patient Personal Health Information in a manner that recognizes the right to privacy of individuals with respect to their Personal Health Information, and the need of the Children's Hospital of Eastern Ontario (CHEO) to collect, use or disclose Personal Health Information for the purposes outlined in this policy.

1.2 To ensure that CHEO practices related to the collection, use or disclosure of Personal Health Information are compliant with privacy legislation in Ontario.

2. POLICY:

2.1 CHEO, in the course of carrying out its business, collects, uses and discloses Personal Health Information. CHEO is committed to protecting the privacy, confidentiality and security of all Personal Health Information with which it is entrusted in order to carry out its mission.

2.2 In accordance with the Personal Health Information Protection Act (PHIPA), 2004, and other relevant legislation, CHEO has a corporate responsibility to support and adhere to the following Ten Guiding Principles, also known as the Canadian Standards Association's (CSA) Model Code for the Protection of Personal Information, published in March 1996. CHEO will adhere to the Ten Guiding Principles as a whole, which will form the basis of CHEO's Privacy and Confidentiality of Patient Personal Health Information Policy (Appendix A).
Principle 1: Accountability for Personal Health Information
Principle 2: Identifying Purposes for the Collection of Personal Health Information
Principle 3: Consent for the Collection, Use or Disclosure of Personal Health Information
Principle 4: Limiting Collection of Personal Health Information
Principle 5: Limiting Use, Disclosure and Retention of Personal Health Information
Principle 6: Accuracy
Principle 7: Safeguards
Principle 8: Openness
Principle 9: Individual Access
Principle 10: Challenging Compliance

3. SCOPE:

This policy applies to all staff, employees, physicians, trainees/students, volunteers, consultants, vendors, agents or anyone at CHEO that may use, collect and disclose patient Personal Health Information stored in any format (e.g. paper, verbal and electronic format, etc.).

Approved By: Executive Team
Revision Number: 1
Date: June 15, 2010

4. DEFINITIONS:

Agent: any person that, with the authorization of CHEO, acts for or on behalf of CHEO with respect to Personal Health Information for the purposes of CHEO and not the agent's own purposes (e.g. service providers, suppliers, etc.).

Breach of privacy, confidentiality or security: unauthorized access, collection, use, or disclosure of any Personal Health Information.

Collect: to gather, acquire, receive or obtain the information by any means from any source. Information may be collected in a variety of forms.

Confidentiality: CHEO's obligation to protect the Personal Health Information with which it has been entrusted.

Disclose: in relation to Personal Health Information in the custody or under the control of a health information custodian or a person, means to make the information available or to release it to another health information custodian or to another person/organization that is not an agent of CHEO.
Health information custodian: a person or organization that has custody or control of Personal Health Information as a result of or in connection with performing the person's or organization's powers or duties or the work.

Individual: in relation to Personal Health Information, means the individual, whether living or deceased, with respect to whom the information was or is being collected or created.

Identifying information: includes Personal Health Information that could identify an individual when used alone or in conjunction with other information.

Personal Health Information: is "identifying information", whether in verbal, written or electronic form. It includes information about an individual's health or health care history in relation to:
- The individual's physical or mental health, including family medical history;
- The provision of health care to the individual, including the identification of a person as the health care provider to the individual;
- The individual's health care number and other information that is collected in the course of providing health services;
- Blood or body-part donations;
- Payments or eligibility for health care; and
- The identity of an individual's substitute decision-maker.

Privacy: provides an individual with the right to control the circulation of information about him/herself within social relationships; freedom from unreasonable interference in an individual's private life; an individual's right to protection of information regarding him/her against misuse or unjustified publication.

Record: a record of information in any form or in any medium, whether in written, printed, photographic or electronic form or otherwise, but does not include a computer program or other mechanism that can produce a record.
Security: refers to the safeguards or processes an organization develops and implements to protect Personal Health Information under its custody or control. New privacy legislation typically requires organizations to implement three different types of safeguards: physical (e.g. locked doors), technical (e.g. passwords and encryption) and administrative (e.g. policies).

Use: in relation to Personal Health Information in the custody or under the control of a health information custodian or a person, means to handle or deal with the information.

5. RESPONSIBILITY:

While responsibility for CHEO's compliance with the Privacy Ten Guiding Principles rests with the Chief Information and Privacy Officer, all individuals who collect, use and disclose patient health information are responsible for maintaining the Privacy Ten Guiding Principles (Appendix A) in their day-to-day work.

5.1 The Chief Information and Privacy Officer is responsible to:
- Facilitate the custodian's compliance with legislation;
- Ensure that all agents of the custodian are appropriately informed of their duties;
- Respond to inquiries from the public about the hospital's information practices;
- Respond to requests of an individual for access to or correction of a record of Personal Health Information about the individual;
- Receive complaints from the public about the custodian's alleged contravention of privacy legislation;
- Chair the Privacy Advisory Committee;
- Monitor privacy, confidentiality and security related activities throughout CHEO.
  This includes access to Personal Health Information by patients and their families, as well as amendments to Personal Health Information in compliance with current and upcoming federal and provincial laws and CHEO's information privacy practices;
- Ensure compliance with current Personal Health Information privacy legislation, including the privacy principles;
- Ensure that all research studies are implemented in accordance with current legal requirements and standards for ethical acceptability, and that they adhere to these principles of privacy, confidentiality and security; and
- Review policies to ensure compliance with current health privacy legislation and best data protection practices in other jurisdictions.

5.2 Directors/Managers are responsible to:
- Ensure compliance with privacy policies and procedures within their areas of responsibility;
- Ensure all staff from both the inpatient units and Ambulatory Care Departments adhere to the privacy, confidentiality and security of the Personal Health Information they have access to;
- Approve Information Technology (IT) requirements for their staff and ensure practices to secure computerized data; and
- Ensure all staff and trainees/students documenting electronically have signed CHEO's "Confidentiality Agreement" (Form No. 6021).

5.3 Staff, employees, physicians, volunteers, researchers, trainees/students, consultants, vendors and contractors are responsible to:
- Maintain the confidentiality and security of the Personal Health Information they have access to; and
- Sign the "Confidentiality Agreement" by an effective date.

5.4 Human Resources is responsible to:
- Have all staff, employees, physicians, volunteers, researchers, trainees/students, consultants, vendors, contractors or others sign the "Confidentiality Agreement" (Form No. 6021).
5.5 Information Systems (IS) / Information Technology (IT) is responsible to:
- Ensure the network environment has appropriate security commensurate with sensitivity, criticality, etc.;
- Provide a secure, managed firewall;
- Provide reasonable protection from security breaches such as virus attacks and hackers;
- Ensure that security is cost-effective based on a cost versus risk ratio, or that it is necessary to meet applicable mandates;
- Ensure individual accountability for the appropriate use of information technology;
- Conduct regular audits of the network environment;
- Inform all end-users of the auditing functions and capabilities; and
- Provide a secure environment with authorized physical access to CHEO's data processing facilities.

6. PROCEDURE:

6.1 CHEO has a corporate responsibility to support the following data protection strategies. The strategies include the development and implementation of:
- Policies for the protection of all Personal Health Information;
- Policies that clearly define and limit access to Personal Health Information;
- Data security measures that include physical, technical and administrative safeguards;
- A Privacy Advisory Committee to coordinate and monitor privacy related activities throughout CHEO;
- Identification of a Chief Information and Privacy Officer;
- Appropriate staff education relating to patient health information protection;
- Appropriate review processes for research through the Research Ethics Board; and
- Regular review of policies to ensure compliance with current health privacy legislation and best data protection practices in other jurisdictions.

7. CROSS-REFERENCES:
- CHEO, Access to and Disclosure of Patient Health Information Policy
- CHEO, Access Control to Information Systems Policy
- CHEO, Acceptable Use of Information Systems Policy
- CHEO, Confidentiality and Protection of Employee Personal Information Policy
- CHEO, Consent Policy
- CHEO, Retention and Destruction of Health Records Policy
- CHEO, Security of Personal Health Information Policy
- Authorization to Disclosure of Personal Health Information (Form No. 4010)
- Confidentiality Agreement (Form No. 6021)
- Consent to Disclosure of Personal Health Information (Form No. 4010)
- Patient Consent for Email Communication (Form No. 1234)
- Protecting the Privacy of Patient Information at CHEO (Form No. P5520E/F)
- Withdrawal of Consent for Further Use/Disclosure of Personal Health Information (Form No. 1139)

8. REFERENCES:
- Colleges from Ontario (Audiologist, Child Life Specialist, Child and Youth Counsellor, Diagnostic Medical Sonographer, Dietitian, Genetic Counsellor, Medical Radiation Technologist, Neurophysiology, Nurses, Occupational Therapist, Pharmacist, Physicians and Surgeons, Physiotherapist, Psychologists, Registered Respiratory Therapist, Speech Language Pathologist, Social Workers/Registered Social Worker)
- Consent to Treatment Act
- CSA Model Code for the Protection of Personal Information
- Ontario Health Association (OHS) Guidelines for Managing Privacy, Data Protection and Security
- eHealth Ontario Privacy and Data Protection Policy, Version 3
- Frequently Asked Questions: Personal Health Information Protection Act, February 2005
- Ontario Bill 31
- Ontario Mental Health Act
- Ontario Substitute Decisions Act
- Personal Health Information Protection Act (PHIPA), 2004
- Personal Information Protection and Electronic Documents Act (PIPEDA)
- Privacy Impact Assessment Guidelines for the Ontario Personal Health Information Protection Act
- Public Hospitals Act (PHA)
- The Ottawa Hospital (TOH) Privacy Policy 2004

9. ATTACHMENTS:
- Appendix A: Privacy: The Ten Guiding Principles

10. DEVELOPED BY:
- Privacy Advisory Committee
- Health Records Information Services

APPENDIX A
PRIVACY: The Ten Guiding Principles

Principle 1: Accountability for Personal Health Information

CHEO is responsible for Personal Health Information under its custody or control. Accountability for CHEO's compliance with the principles rests with the Chief Information and Privacy Officer, even though other individuals within CHEO are also responsible for the day-to-day collection and processing of Personal Health Information.

CHEO is responsible for Personal Health Information that has been transferred to a third party for processing. CHEO will use contractual or other means to provide a comparable level of protection while information is being processed by a third party. CHEO shall use affiliation agreements or other means to provide a comparable level of protection while Personal Health Information is being processed or accessed by a third party.

When CHEO retains an external agent (service providers, suppliers, etc.) to assist in providing services, CHEO will enter into a written agreement with the agent which includes:
1. A description of the services that the agent will provide;
2. A description of the administrative, technical and physical safeguards relating to the confidentiality and security of the information;
3. A statement restricting the use of the information only for the stated purpose and for no other purpose except as permitted or required by law;
4. A statement that the agent is aware of, and will comply with, their duties as an agent under the Personal Health Information Protection Act and its regulations;
5. A statement of the agent's obligation to notify CHEO at the first reasonable opportunity if Personal Health Information handled by the agent on CHEO's behalf is stolen, lost or accessed by unauthorized persons; and
6. A statement that upon termination or expiry of the agreement, all Personal Health Information that the agent may possess as a result of the agreement, in any form, shall be returned to CHEO or destroyed (as appropriate) and that no copies will be retained.

CHEO has policies and practices to give effect to this policy. These include:
- Procedures to protect Personal Health Information;
- Procedures to receive and respond to complaints and enquiries. Patient/family concerns/complaints would be received and responded to through the Patient and Family Representative and the Chief Information and Privacy Officer's office;
- Education and communication to all staff/employees about CHEO's policies and procedures; and
- Providing oversight and leadership with respect to privacy and protecting Personal Health Information through the Chief Information and Privacy Officer.

All staff/employees/agents and others listed in this policy are responsible to report any breach of this policy. If there is a known breach of confidentiality, the infraction must be reported to CHEO's Chief Information and Privacy Officer and to the person responsible for protecting the Personal Health Information (e.g. manager, director, etc.). Violation of this policy is grounds for disciplinary action up to and including dismissal. Physicians and residents breaching their duty of privacy and confidentiality as outlined in this policy may be subject to suspension or termination of privileges.
Principle 2: Identifying Purposes for the Collection of Personal Health Information

CHEO will collect Personal Health Information for the following purposes:
- Provide clinical care to patients;
- Assess resource utilization in the delivery of care;
- Plan for the development and delivery of care and services across the City of Ottawa and Eastern Ontario;
- Document patterns of illness to support prevention programs and early disease detection;
- Statistics and quality improvement (including risk management);
- Monitor and evaluate the quality of care and the outcomes resulting from that care;
- Administration and management of the hospital (including payment claims);
- Support and promote research and education;
- Support and promote fundraising for CHEO; and
- Meet legal and regulatory requirements.

CHEO shall only collect the Personal Health Information it needs to fulfill these purposes. Persons collecting Personal Health Information on behalf of CHEO shall be able to explain to individuals the purpose for which the information is being collected.

The identified purposes shall be specified, at or before the time of direct collection, to the individual from whom the Personal Health Information is collected. Depending on the way in which the Personal Health Information is collected, this will be done orally or in writing through the use of notice signs, brochures, etc.

When Personal Health Information that has been collected is to be used for a purpose not previously identified, the consent of the individual or substitute decision-maker will be obtained, unless the new purpose is required by law.

Principle 3: Consent for the Collection, Use or Disclosure of Personal Health Information

The knowledge and consent of the individual are required for the collection, use or disclosure of Personal Health Information, except where it may be inappropriate due to legal, medical or security reasons.
Typically, CHEO will seek consent, whether written or electronic, oral or implied, for the use or disclosure of the information at the time of collection. Users are to use extreme caution when communicating confidential or sensitive information via email (see the Acceptable Use of Information Systems Policy and the Patient Consent for Email Communication form). All Health Care Providers must follow their College scope of practice/service regarding the use of electronic mail for communicating Personal Health Information.

CHEO will make a reasonable effort to ensure that the individual is advised orally and in writing (through the use of notice signs and brochures) about the collection, use or disclosure of their Personal Health Information.

Note: When Personal Health Information is being collected for the detection and prevention of fraud or for law enforcement, seeking the consent of the individual might defeat the purpose of collecting the information. Seeking consent may be impossible or inappropriate when the individual is a minor, seriously ill, or mentally incapacitated. If CHEO does not have a direct relationship with the individual, it may not be able to seek consent.

In certain circumstances, this consent may be sought after the Personal Health Information has been collected but before use (for example, when CHEO wants to use Personal Health Information for a purpose not previously identified).

The purposes for the collection, and how the Personal Health Information will be used and disclosed, will be stated in such a manner that the individual can reasonably understand. CHEO will not, as a condition of the supply of a product or service, require an individual to consent to the collection, use, or disclosure of Personal Health Information beyond that required to fulfill the explicitly specified and legitimate purposes.
To make the consent meaningful, the purposes must be stated in such a manner that the individual can reasonably understand how the Personal Health Information will be used or disclosed.

An individual may withdraw consent (Form No. 1139) at any time, subject to legal or contractual restrictions and reasonable notice. Withdrawal of consent has no retroactive effect. CHEO will inform the individual of the implications of such withdrawal.

An individual may also place certain conditions on their consent for the collection, use or disclosure of their Personal Health Information. The conditions may not prohibit or restrict any recording of Personal Health Information that is required by law, by established standards of professional practice or by CHEO policy.

Persons who may consent

According to the Personal Health Information Protection Act, 2004, the following may consent to the collection, use or disclosure of Personal Health Information:
- If the individual is at least 16 years of age and capable, the individual or any person whom the individual has authorized in writing to act on his/her behalf;
- If the individual is a child less than 16 years of age, a parent or other person who has lawful custody ("parent" does not include a parent who has only a right of access to the child), unless the information relates to treatment about which the child has made a decision on his or her own. NOTE: If there is a conflict between the substitute decision-maker and the capable child less than 16 years of age related to consenting to the collection, use or disclosure of the Personal Health Information, the decision of the child prevails;
- If the individual is incapable, a substitute decision-maker; and
- If the individual is deceased, the deceased's estate trustee.

Principle 4: Limiting Collection of Personal Health Information

CHEO will:
- Limit both the amount and the type of Personal Health Information collected to that which is necessary for the purposes identified;
- Collect Personal Health Information by fair and lawful means;
- Not collect Personal Health Information indiscriminately or in a misleading manner; and
- Not collect, use or disclose Personal Health Information if other information will serve the purpose of the collection, use or disclosure.

Principle 5: Limiting Use, Disclosure and Retention of Personal Health Information

Limiting Use and Disclosure:

CHEO will not use or disclose Personal Health Information for purposes other than those for which it was collected, except with the consent of the individual or as required by law.

The Personal Health Information Protection Act permits the use of Personal Health Information:
- for the purpose for which the information was collected;
- for planning or delivering programs or services;
- for the purpose of risk, error or quality of care management;
- for educating agents to provide health care;
- for the purpose of disposing of the information or modifying the information in order to conceal the identity of the individual;
- for the purpose of seeking the individual's consent, when limited to the individual's name and contact information;
- for the purpose of a proceeding or contemplated proceeding;
- for the purpose of obtaining payment or processing claims for payment; and
- for research conducted by the custodian.

The Personal Health Information Protection Act permits certain disclosures of Personal Health Information (Access to and Disclosure of Patient Health Information Policy).

Personal Health Information is to be maintained in the strictest of confidence and is not to be shared with unauthorized persons. For example, employees/agents must avoid engaging in discussions about Personal Health Information in public areas such as hallways, elevators, cafeterias, etc.
Access to confidential information will be limited to only those employees authorized to hold, view or handle such information for their current job duties. The information to which an employee requires access is to be determined by the employee's Director (Access Control to Information Systems Policy). Audits will be conducted on CHEO's electronic records. Limitations are placed on users to ensure that they only have access to the information they require for their current job duties.

Authorized access to a computer system requires user sign-on with a User Identification (ID) and Password. There are different layers of access, each requiring a unique User ID and Password. It is the responsibility of each User to ensure that his/her password is secure. Users are prohibited from sharing (lending or borrowing) their password on any system (Acceptable Use of Information Systems Policy). If there is reason to believe a password has been compromised, it is to be changed immediately, followed by immediate notification to one's Director.

If an employee/agent is in doubt as to whether or not to disclose Personal Health Information, the employee shall consult with his or her immediate supervisor, or contact the Chief Information and Privacy Officer.

Employees/agents may not disclose Personal Health Information to legal authorities such as police officers or lawyers without the consent of the data subject (e.g. patient, his or her substitute decision-maker, or employee) unless a valid search warrant or subpoena has been issued. The search warrant or subpoena should specify the type of information requested.

All proposed research uses of Personal Health Information are subject to review by the Research Ethics Board prior to consideration by CHEO.
Limiting Retention:

Personal Health Information will be retained only for as long as necessary to fulfill those purposes or as governed by legislation. Personal Health Information that is no longer required to fulfill the identified purposes will be destroyed, cleared, or de-identified (Retention and Destruction of Patient Health Records Policy). Personal Health Information used for research purposes will be handled in accordance with CHEO's requirements for clinical research. CHEO is subject to legislative requirements with respect to retention periods.

Principle 6: Accuracy

Personal Health Information will be as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used, and to minimize the possibility that inappropriate information may be used to make a decision about the individual.

CHEO shall not routinely update Personal Health Information, unless such a process is necessary to fulfill the purposes for which the information was collected. CHEO will update Personal Health Information (including demographic information) when the appropriate documentation has been received verifying the change. Demographic information will be verified and updated at the time of registration. Changes should not be made from information received over the telephone, except in the case of notification of death from a reliable source.

Personal Health Information that is used on an ongoing basis, including information that is disclosed to third parties, shall generally be accurate and up-to-date, unless limits to the requirement for accuracy are clearly set out.

Principle 7: Safeguards

CHEO will use security safeguards, appropriate to the sensitivity of the Personal Health Information, to protect it against loss or theft, as well as unauthorized access, disclosure, copying, use or modification. CHEO will protect the Personal Health Information regardless of the format in which it is held.
CHEO shall notify the individual at the first reasonable opportunity if the Personal Health Information is stolen, lost or accessed by unauthorized persons.

The methods of protection will include:
- Physical measures, for example, secure locked filing cabinets and restricted access to offices. The keys to these cabinets must also be kept in a secure area away from the cabinets themselves;
- Administrative measures, for example, limiting access on a "need-to-know" basis; and
- Technical measures, for example, the use of passwords, encryption, and audits.

Users are strongly discouraged from saving any identifiable patient information outside of CHEO's Information Systems to portable IT equipment and removable media. Users must take appropriate steps to protect the privacy and confidentiality of Personal Health Information if this information leaves CHEO's premises on portable IT equipment, removable media or as electronic mail or file transfer. Refer to these policies for more information: Security of Health Records Policy, Access Control to Information Systems Policy, Acceptable Use of Information Systems Policy.

CHEO will make its employees, physicians, volunteers and agents aware of the importance of maintaining the confidentiality of Personal Health Information. As a condition of employment, all new staff, employees, consultants, contractors, physicians, students, volunteers, researchers, vendors and others are required to sign a "Confidentiality Agreement" (Form No. 6021).

Confidential Information:
- Is not to be left in written form or displayed on computer terminals in areas or locations where unauthorized individuals may access it;
- Is not to be left unattended where there is no one to receive the information (e.g. fax machines);
- Transportation of Personal Health Information is to be done in a secure manner;
- Any information that is lost and found, which is deemed to be confidential, should be returned immediately to the appropriate area to which it belongs; and
- Care will be used in the destruction, clearance and de-identification of Personal Health Information, to prevent unauthorized parties from gaining access to the information (Retention and Destruction of Patient Health Records Policy).

Reproduction of any Personal Health Information should be limited and in accordance with Bill 31, and should not interfere with the integrity of the information. Any employees/agents reproducing documents are responsible for ensuring that the documents are not left behind and that any discarded copies are disposed of according to the procedures and processes.

Principle 8: Openness

CHEO will make readily available to individuals specific information about its policies and practices relating to the management of Personal Health Information under its custody or control, including:
- the name or title and the address of the person(s) who is accountable for CHEO's policies and practices and to whom complaints or inquiries can be forwarded;
- the means of gaining access to Personal Health Information held by CHEO;
- a description of the type of Personal Health Information held by CHEO, including a general account of its use;
- a copy of any brochures or other information that explain CHEO's policies, standards, or codes; and
- a list of Personal Health Information that may be made available to other related agencies and health care professionals, Medical Officers of Health, researchers and CHEO's Foundation.

CHEO will make information on its policies and procedures available in a variety of ways, such as notice signs, brochures, on-line information, etc.
Principle 9: Individual Access

Upon request, an individual will be informed of the existence, use, and disclosure of his or her Personal Health Information and will be given access to that information.

Note: In certain situations, CHEO may not be able to provide access to all the Personal Health Information it holds about an individual. Exceptions to the access requirement will be limited and specific. The reasons for denying access will be provided to the individual upon request. Exceptions may include information that is prohibitively costly to provide, information that contains references to other individuals, information that cannot be disclosed for legal, security, or commercial proprietary reasons, and information that is subject to solicitor-client or litigation privilege.

Upon request, CHEO will respond within a reasonable time, no longer than 30 days, and at minimal or no cost to the individual. CHEO will seek to indicate the source of this Personal Health Information and will allow the individual access to this information. However, CHEO may choose to make sensitive medical information available through a medical practitioner (Access to and Disclosure of Patient Health Information Policy).

An individual will be able to challenge the accuracy and completeness of the information and have it amended as appropriate. When an individual successfully demonstrates the inaccuracy or incompleteness of Personal Health Information, CHEO will amend the information as required. Depending upon the nature of the information challenged, amendment may involve the correction, deletion, or addition of information. Where appropriate, the amended information will be transmitted to third parties having access to the information in question.

Individuals may be required to provide sufficient information to permit CHEO to provide an account of the existence, use, and disclosure of Personal Health Information. The Personal Health Information provided will only be used for this purpose.
CHEO will provide an account of the use that has been made or is being made of this information and an account of the third parties to which it has been disclosed. In providing an account of third parties to which it has disclosed Personal Health Information about an individual, CHEO will attempt to be as specific as possible. When it is not possible to provide a list of the organizations to which it has actually disclosed Personal Health Information about an individual, CHEO will provide a list of the organizations to which it may have disclosed information about the individual.

The requested information will be provided or made available in a form that is generally understandable. For example, if CHEO uses abbreviations or codes to record information, an explanation will be provided.

When a challenge is not resolved to the satisfaction of the individual, the substance of the unresolved challenge will be recorded by CHEO. When appropriate, the existence of the unresolved challenge will be transmitted to third parties having access to the information in question. The challenge will be filed with the Chief Information and Privacy Officer.

Principle 10: Challenging Compliance

CHEO will investigate all complaints. If a complaint is found to be justified, CHEO will take appropriate measures, including, if necessary, amending its policies and procedures.

An individual will be able to address a challenge concerning compliance with this policy to the Chief Information and Privacy Officer at CHEO.

CHEO will put procedures in place to receive and respond to complaints or inquiries about its policies and procedures relating to the handling of Personal Health Information. The complaint procedures will be easily accessible and simple to use.
CHEO will inform individuals who make inquiries or lodge complaints of the existence of relevant complaint procedures. A range of these procedures may exist.