Privacy and Confidentiality of Patient Personal Health Information
PRIVACY AND CONFIDENTIALITY
OF PATIENT PERSONAL HEALTH INFORMATION
Manual/Section: ADMINISTRATION
Key Words: personal health information, privacy, confidentiality
Policy No. 10
1. PURPOSE:
1.1 To establish a set of uniform rules for the collection, use and
disclosure of patient Personal Health Information in a manner that
recognizes the right to privacy of individuals with respect to their
Personal Health Information, and the need of the Children's Hospital of
Eastern Ontario (CHEO) to collect, use or disclose Personal Health
Information for the purposes outlined in this policy.
1.2 To ensure CHEO practices related to the collection, use or disclosure
of Personal Health Information are compliant with privacy legislation
in Ontario.
2. POLICY:
2.1 CHEO, in the course of carrying out its business, collects, uses and
discloses Personal Health Information.
CHEO is committed to protecting the privacy, confidentiality and
security of all Personal Health Information with which it is entrusted in
order to carry out its mission.
2.2 In accordance with the Personal Health Information Protection Act
(PHIPA), 2004, and other relevant legislation, CHEO has a corporate
responsibility to support and adhere to the following Ten Guiding
Principles, also known as the Canadian Standards Association’s (CSA)
Model Code for the Protection of Personal Information, published in
March 1996. CHEO will adhere to the Ten Guiding Principles as a
whole, which form the basis of CHEO’s Privacy and Confidentiality
of Patient Personal Health Information Policy (Appendix A).
- Principle 1: Accountability for Personal Health Information
- Principle 2: Identifying Purposes for the Collection of Personal
Health Information
- Principle 3: Consent for the Collection, Use or Disclosure of
Personal Health Information
- Principle 4: Limiting Collection of Personal Health Information
- Principle 5: Limiting Use, Disclosure and Retention of Personal
Health Information
- Principle 6: Accuracy
- Principle 7: Safeguards
- Principle 8: Openness
- Principle 9: Individual Access
- Principle 10: Challenging Compliance
3. SCOPE:
This policy applies to all staff, employees, physicians,
trainees/students, volunteers, consultants, vendors, agents or anyone
at CHEO that may use, collect and disclose patient Personal Health
Information stored in any format (e.g. paper, verbal and electronic
format, etc).
Approved By: Executive Team
Revision Number: 1
Date: June 15, 2010
4. DEFINITIONS:
Agent: any person that, with the authorization of CHEO, acts
for or on behalf of CHEO with respect to Personal Health Information
for the purposes of CHEO and not the agent’s own purposes (e.g.
service providers, suppliers, etc.).
Breach of privacy, confidentiality or security: unauthorized access,
collection, use, or disclosure of any Personal Health Information.
Collect: to gather, acquire, receive or obtain the information by any
means from any source. Information may be collected in a variety of
forms.
Confidentiality: CHEO’s obligation to protect the Personal Health
Information with which it has been entrusted.
Disclose: in relation to Personal Health Information in the custody or
under the control of a health information custodian or a person, means
to make the information available or to release it to another health
information custodian or to another person/organization that is not an
agent of CHEO.
Health information custodian: a person or organization that has
custody or control of Personal Health Information as a result of or in
connection with performing the person’s or organization’s powers,
duties or work.
Individual: in relation to Personal Health Information, means the
individual, whether living or deceased, with respect to whom the
information was or is being collected or created.
Identifying information: includes Personal Health Information that
could identify an individual when used alone or in conjunction with
other information.
Personal Health Information: is “identifying information” in
verbal, written or electronic form. It includes information about an
individual’s health or health care history in relation to:
- The individual’s physical or mental health, including family medical
history;
- The provision of health care to the individual, including the
identification of a person as the health care provider to the
individual;
- The individual’s health care number and other information that is
collected in the course of providing health services;
- Blood or body-part donations;
- Payments or eligibility for health care; and
- The identity of an individual’s substitute decision-maker.
Privacy: provides an individual with the right to control the circulation
of information about him/herself within social relationships; freedom
from unreasonable interference in an individual’s private life; and an
individual’s right to protection of information regarding him/her against
misuse or unjustified publication.
Record: a record of information in any form or in any medium, whether
in written, printed, photographic or electronic form or otherwise, but
does not include a computer program or other mechanism that can
produce a record.
Security: refers to the safeguards or processes an organization
develops and implements to protect Personal Health Information under
its custody or control. New privacy legislation typically requires
organizations to implement three different types of safeguards: physical
(e.g. locked doors), technical (e.g. passwords and encryption) and
administrative (e.g. policies).
Use: in relation to Personal Health Information in the custody or under
the control of a Personal Health Information custodian or a person,
means to handle or deal with the information.
5. RESPONSIBILITY:
While responsibility for CHEO’s compliance with the Privacy Ten
Guiding Principles rests with the Chief Information and Privacy Officer,
all individuals who collect, use and disclose Patient Health Information
are responsible for maintaining the Privacy Ten Guiding Principles
(Appendix A) in their day-to-day work.
5.1 Chief Information and Privacy Officer is responsible to:
- Facilitate the custodian's compliance with legislation;
- Ensure that all agents of the custodian are appropriately informed
of their duties;
- Respond to inquiries from the public about the hospital’s
information practices;
- Respond to requests of an individual for access to or correction of
a record of Personal Health Information about the individual;
- Receive complaints from the public about the custodian's alleged
contravention of privacy legislation;
- Chair the Privacy Advisory Committee;
- Monitor privacy, confidentiality and security related activities
throughout CHEO. This includes access to Personal Health
Information by patients and their families, as well as amendments
to Personal Health Information in compliance with current and
upcoming federal and provincial laws and CHEO’s information
privacy practices;
- Ensure compliance with current Personal Health Information
privacy legislation including the privacy principles;
- Ensure that all research studies are implemented in accordance
with current legal requirements and standards for ethical
acceptability, and that they adhere to these principles of privacy,
confidentiality and security; and
- Review policies to ensure compliance with current health privacy
legislation and best data protection practices in other jurisdictions.
5.2 Directors/Managers are responsible to:
- Ensure compliance with privacy policies and procedures within
their areas of responsibility;
- Ensure all staff from both the inpatient units and Ambulatory Care
Departments adhere to the privacy, confidentiality and security of
the Personal Health Information they have access to;
- Approve Information Technology (IT) requirements for their staff
and ensure practices to secure computerized data; and
- Ensure all staff and trainees/students documenting electronically have
signed CHEO’s “Confidentiality Agreement” (Form No. 6021).
5.3 Staff, employees, physicians, volunteers, researchers,
trainees/students, consultants, vendors and contractors are
responsible to:
- Maintain the confidentiality and security of the Personal Health
Information they have access to; and
- Sign the “Confidentiality Agreement” by an effective date.
5.4 Human Resources is responsible to:
- Have all staff, employees, physicians, volunteers, researchers,
trainees/students, consultants, vendors, contractors or others sign the
“Confidentiality Agreement” (Form No. 6021).
5.5 Information Systems (IS) / Information Technology (IT) is responsible to:
- Ensure the network environment has appropriate security
commensurate with sensitivity, criticality, etc.;
- Provide a secure, managed firewall;
- Provide reasonable protection from security breaches such as virus
attacks and hackers;
- Ensure that security is cost-effective based on a cost versus risk
ratio, or that it is necessary to meet applicable mandates;
- Ensure individual accountability for the appropriate use of
information technology;
- Conduct regular audits of the network environment;
- Inform all end-users of the auditing functions and capabilities; and
- Provide a secure environment with authorized physical access to
CHEO’s data processing facilities.
6. PROCEDURE:
6.1 CHEO has a corporate responsibility to support the following data
protection strategies. The strategies include the development and
implementation of:
- Policies for the protection of all Personal Health Information;
- Policies that clearly define and limit access to Personal Health
Information;
- Data security measures that include physical, technical and
administrative safeguards;
- A Privacy Advisory Committee to coordinate and monitor privacy
related activities throughout CHEO;
- Identification of a Chief Information and Privacy Officer;
- Appropriate staff education relating to Patient Health Information
protection;
- Appropriate review processes for research through the Research
Ethics Board; and
- Regular review of policies to ensure compliance with current health
privacy legislation and best data protection practices in other
jurisdictions.
7. CROSS-REFERENCES:
- CHEO, Access to and Disclosure of Patient Health Information
Policy
- CHEO, Access Control to Information Systems Policy
- CHEO, Acceptable Use of Information Systems Policy
- CHEO, Confidentiality and Protection of Employee Personal
Information Policy
- CHEO, Consent Policy
- CHEO, Retention and Destruction of Health Records Policy
- CHEO, Security Of Personal Health Information Policy
- Authorization to Disclosure of Personal Health Information (Form No.
4010)
- Confidentiality Agreement (Form No. 6021)
- Consent to Disclosure of Personal Health Information (Form No. 4010)
- Patient Consent for Email Communication (Form No. 1234)
- Protecting the Privacy of Patient Information at CHEO (Form No.
P5520E/F)
- Withdrawal of Consent for Further Use/Disclosure of Personal
Health Information (Form No. 1139)
8. REFERENCES:
- Colleges from Ontario (Audiologist, Child Life Specialist, Child and
Youth Counsellor, Diagnostic Medical Sonographer, Dietitian,
Genetic Counsellor, Medical Radiation Technologist,
Neurophysiology, Nurses, Occupational Therapist, Pharmacist,
Physicians and Surgeons, Physiotherapist, Psychologists, Nurses,
Registered Respiratory Therapist, Speech Language Pathologist,
Social Workers/Registered Social Worker)
- Consent to Treatment Act
- CSA Model Code for the Protection of Personal Information
- Ontario Health Association (OHS) Guidelines for Managing
Privacy, Data Protection and Security
- eHealth Ontario Privacy and Data Protection Policy, Version 3
- Frequently Asked Questions: Personal Health Information
Protection Act, February 2005
- Ontario Bill 31
- Ontario Mental Health Act
- Ontario Substitute Decisions Act
- Personal Health Information Protection Act (PHIPA), 2004
- Personal Information Protection and Electronic Documents Act
(PIPEDA)
- Privacy Impact Assessment Guidelines for the Ontario Personal
Health Information Protection Act
- Public Hospital’s Act (PHA)
- The Ottawa Hospital (TOH) Privacy Policy 2004
9. ATTACHMENTS:
- Appendix A: Privacy: The Ten Guiding Principles
10. DEVELOPED BY:
- Privacy Advisory Committee
- Health Records
- Information Services
APPENDIX A
PRIVACY
The Ten Guiding Principles
Principle 1: Accountability for Personal Health Information
CHEO is responsible for Personal Health Information under its custody or control.
Accountability for CHEO’s compliance with the principles rests with the Chief Information and
Privacy Officer, even though other individuals within CHEO are also responsible for the
day-to-day collection and processing of Personal Health Information.
CHEO is responsible for Personal Health Information that has been transferred to a third
party for processing. CHEO will use contractual or other means to provide a comparable
level of protection while information is being processed by a third party.
CHEO shall use affiliation agreements or other means to provide a comparable level of
protection while Personal Health Information is being processed or accessed by a third
party.
When CHEO retains an external agent (service providers, suppliers, etc.) to assist in
providing services, CHEO will enter into a written agreement with the agent which includes:
1. A description of the services that the agent will provide;
2. A description of the administrative, technical and physical safeguards relating to the
confidentiality and security of the information;
3. A statement restricting the use of the information only for the stated purpose and for no
other purpose except as permitted or required by law;
4. A statement that the agent is aware of, and will comply with, their duties as an agent
under the Personal Health Information Protection Act and its regulations;
5. A statement of the agent’s obligation to notify CHEO at the first reasonable opportunity if
Personal Health Information handled by the agent on CHEO’s behalf is stolen, lost or
accessed by unauthorized persons; and
6. A statement that upon termination or expiry of the agreement, all Personal Health
Information that the agent may possess as a result of the agreement, in any form, shall
be returned to CHEO or destroyed (as appropriate) and that no copies will be retained.
CHEO has policies and practices to give effect to this policy. These include:
- Procedures to protect Personal Health Information;
- Procedures to receive and respond to complaints and enquiries. Patient/family
concerns/complaints are received and responded to through the Patient and Family
Representative and the Chief Information and Privacy Officer’s office;
- Education and communication to all staff/employees about CHEO’s policies and
procedures; and
- Providing oversight and leadership with respect to privacy and protecting Personal
Health Information through the Chief Information and Privacy Officer.
All staff/employees/agents and others listed in this policy are responsible to report any breach
of this policy. If there is a known breach of confidentiality, the infraction must be reported to
CHEO’s Chief Information and Privacy Officer and to the person responsible for protecting
the Personal Health Information (e.g. manager, director, etc.). Violation of this policy is
grounds for disciplinary action up to and including dismissal. Physicians and residents
breaching their duty of privacy and confidentiality as outlined in this policy may be subject to
suspension or termination of privileges.
Principle 2: Identifying Purposes for the Collection of Personal Health Information
CHEO will collect Personal Health Information for the following purposes:
- Provide clinical care to patients;
- Assess resource utilization in the delivery of care;
- Plan for the development and delivery of care and services across the City of Ottawa
and Eastern Ontario;
- Document patterns of illness to support prevention programs and early disease
detection;
- Statistics and quality improvement (including risk management);
- Monitor and evaluate the quality of care and the outcomes resulting from that care;
- Administration and management of the hospital (including payment claims);
- Support and promote research and education;
- Support and promote fundraising for CHEO; and
- Meet legal and regulatory requirements.
CHEO shall only collect the Personal Health Information it needs to fulfill these purposes.
Persons collecting Personal Health Information on behalf of CHEO shall be able to explain
to individuals the purpose for which the information is being collected.
The identified purposes shall be specified, at or before the time of direct collection, to the
individual from whom the Personal Health Information is collected. Depending on the way in
which the Personal Health Information is collected, this will be done orally or in writing
through the use of notice signs, brochures, etc.
When Personal Health Information that has been collected is to be used for a purpose not
previously identified, the consent of the individual or substitute decision-maker will be
obtained, unless the new purpose is required by law.
Principle 3: Consent for the Collection, Use or Disclosure of Personal Health
Information
The knowledge and consent of the individual are required for the collection, use or
disclosure of Personal Health Information, except where it may be inappropriate due to
legal, medical or security reasons.
Typically, CHEO will seek consent, whether written or electronic, oral or implied, for the use
or disclosure of the information at the time of collection. Users are to use extreme caution
when communicating confidential or sensitive information via email (Acceptable Use of
Information Systems Policy and Patient Consent for Email Communication). All Health Care
Providers must follow their College scope of practice/service regarding the use of electronic
mail for communicating Personal Health Information.
CHEO will make a reasonable effort to ensure that the individual is advised orally and in
writing (through the use of notice signs and brochures) about the collection, use or
disclosure of their Personal Health Information.
Note: When Personal Health Information is being collected for the detection and prevention
of fraud or for law enforcement, seeking the consent of the individual might defeat the
purpose of collecting the information. Seeking consent may be impossible or inappropriate
when the individual is a minor, seriously ill, or mentally incapacitated. If CHEO does not
have a direct relationship with the individual, it may not be able to seek consent.
In certain circumstances, this consent may be sought after the Personal Health Information
has been collected but before use (for example, when CHEO wants to use Personal Health
Information for a purpose not previously identified). The purposes for the collection, how the
Personal Health Information will be used and disclosed will be stated in such a manner that
the individual can reasonably understand.
CHEO will not, as a condition of the supply of a product or service, require an individual to
consent to the collection, use, or disclosure of Personal Health Information beyond that
required to fulfill the explicitly specified and legitimate purposes. To make the consent
meaningful, the purposes must be stated in such a manner that the individual can
reasonably understand how the Personal Health Information will be used or disclosed.
An individual may withdraw consent (Form No. 1139) at any time, subject to legal or
contractual restrictions and reasonable notice. Withdrawal of consent has no retroactive
effect. CHEO will inform the individual of the implications of such withdrawal. An individual
may also place certain conditions on their consent for the collection, use or disclosure of
their Personal Health Information. The conditions may not prohibit or restrict any recording
of Personal Health Information that is required by law or by established standards of
professional practice or CHEO policy.
Persons who may consent
According to the Personal Health Information Protection Act, 2004, the following may consent to
the collection, use or disclosure of Personal Health Information:
- If the individual is at least 16 years of age and capable, the individual or any person who
the individual has authorized in writing to act on his/her behalf;
- If the individual is a child less than 16 years of age, a parent or other person who has
lawful custody ("parent" does not include a parent who has only a right of access to the
child) unless the information relates to treatment about which the child has made a
decision on his or her own. NOTE: If there is a conflict between the substitute decision-maker
and the capable child less than 16 years of age related to consenting to the
collection, use or disclosure of the Personal Health Information, the decision of the child
prevails;
- If the individual is incapable, a substitute decision-maker; and
- If the individual is deceased, the deceased’s estate trustee.
Principle 4: Limiting Collection of Personal Health Information
CHEO will:
- Limit both the amount and the type of Personal Health Information collected to that which
is necessary for the purposes identified. The Personal Health Information will be
collected by fair and lawful means;
- Not collect Personal Health Information indiscriminately or in a misleading manner; and
- Not collect, use or disclose Personal Health Information if other information will serve the
purpose of the collection, use or disclosure.
Principle 5: Limiting Use, Disclosure and Retention of Personal Health Information
Limiting Use and Disclosure:
CHEO will not use or disclose Personal Health Information for purposes other than those for
which it was collected, except with the consent of the individual or as required by law.
The Personal Health Information Protection Act permits the use of Personal Health Information:
- for the purpose for which the information was collected;
- for planning or delivering programs or services;
- for the purpose of risk, error or quality of care management;
- for educating agents to provide health care;
- for the purpose of disposing of the information or modifying the information in order to
conceal the identity of the individual;
- for the purpose of seeking the individual's consent, when limited to the individual's name
and contact information;
- for the purpose of a proceeding or contemplated proceeding;
- for the purpose of obtaining payment or processing claims for payment; and
- for research conducted by the custodian.
Personal Health Information Protection Act permits certain disclosures of Personal Health
Information (Access to and Disclosure of Patient Health Information Policy).
Personal Health Information is to be maintained in the strictest of confidence and is not to be
shared with unauthorized persons. For example, employees/agents must avoid engaging in
discussions about Personal Health Information in public areas such as hallways, elevators,
cafeterias, etc.
Access to confidential information will be limited to only those employees authorized to hold,
view or handle such information for their current job duties. The information an employee
requires access to is determined by the employee’s Director (Access Control to Information
Systems Policy). Audits will be conducted on CHEO’s electronic records. Limitations are placed
on users to ensure that they only have access to the information they require for their current
job duties.
Authorized access to a computer system requires user sign-on, User Identification (ID) and
Password. There are different layers of access, each requiring a unique User ID and
Password.
It is the responsibility of each User to ensure that his/her password is secure. Users are
prohibited from sharing (lending or borrowing) their password on any system (Acceptable
Use of Information Systems Policy). If there is reason to believe a password has been
compromised, it is to be changed immediately, followed by immediate notification of one’s
Director.
If an employee/agent is in doubt as to whether or not to disclose Personal Health
Information, the employee shall consult with his or her immediate supervisor, or contact the
Chief Information and Privacy Officer.
Employees/agents may not disclose Personal Health Information to legal authorities such as
police officers or lawyers without the consent of the data subject (e.g. patient, his or her
substitute decision-maker, or employee) unless there is a valid search warrant or subpoena
issued. The search warrant or subpoena should specify the type of information requested.
All proposed research uses of Personal Health Information are subject to review by the
Research Ethics Board prior to consideration by CHEO.
Limiting Retention:
Personal Health Information will be retained only for as long as necessary to fulfill the
identified purposes or as governed by legislation. Personal Health Information that is no longer
required to fulfill the identified purposes will be destroyed, cleared, or de-identified
(Retention and Destruction of Patient Health Records Policy).
Personal Health Information used for research purposes will be handled in accordance with
CHEO’s requirements for clinical research. CHEO is subject to legislative requirements with
respect to retention periods.
Principle 6: Accuracy
Personal Health Information will be as accurate, complete, and up-to-date as is necessary
for the purposes for which it is to be used and to minimize the possibility that inappropriate
information may be used to make a decision about the individual.
CHEO shall not routinely update Personal Health Information, unless such a process is
necessary to fulfill the purposes for which the information was collected.
CHEO will update Personal Health Information (including demographic information) when
the appropriate documentation has been received verifying the change. Demographic
information will be verified and updated at time of registration. Changes should not be made
from information received over the telephone, except in the case of notification of death from
a reliable source.
Personal Health Information that is used on an ongoing basis, including information that is
disclosed to third parties, shall generally be accurate and up-to-date, unless limits to the
requirement for accuracy are clearly set out.
Principle 7: Safeguards
CHEO will use security safeguards, appropriate to the sensitivity of the Personal Health
Information, to protect it against loss or theft, as well as unauthorized access, disclosure,
copying, use or modification. CHEO will protect the Personal Health Information regardless
of the format in which it is held.
CHEO shall notify the individual at the first reasonable opportunity if the Personal Health
Information is stolen, lost or accessed by unauthorized persons.
The methods of protection will include:
- Physical measures, for example, secure locked filing cabinets and restricted access to
offices. The keys to these cabinets must also be kept in a secure area away from the
cabinets themselves;
- Administrative measures, for example, limiting access on a "need-to-know" basis; and
- Technical measures, for example, the use of passwords, encryption, and audits.
Users are strongly discouraged from saving any identifiable patient information outside of
CHEO’s Information Systems to portable IT equipment and removable media. Users must
take appropriate steps to protect the privacy and confidentiality of Personal Health
Information if this information leaves CHEO’s premises on portable IT equipment, removable
media or as electronic mail or file transfer. Refer to these policies for more information:
Security of Health Records Policy, Access Control to Information Systems Policy,
Acceptable Use of Information Systems Policy.
CHEO will make its employees, physicians, volunteers and agents aware of the importance
of maintaining the confidentiality of Personal Health Information. As a condition of
employment, all new staff, employees, consultants, contractors, physicians, students, volunteers,
researchers, vendors and others are required to sign a “Confidentiality Agreement” (Form No. 6021).
Confidential Information:
- Is not to be left in written form or displayed on computer terminals in areas or locations
where unauthorized individuals may access it;
- Is not to be left unattended where there is no one to receive the information (e.g. fax
machines);
- Is to be transported in a secure manner. Any information that is lost and found, which is
deemed to be confidential, should be returned immediately to the appropriate area to
which it belongs; and
- Is to be destroyed, cleared and de-identified with care, to prevent unauthorized parties
from gaining access to the information (Retention and Destruction of Patient Health
Records Policy).
Reproduction of any Personal Health Information should be limited and in accordance with
Bill 31 and should not interfere with the integrity of the information. Any employees/agents
reproducing documents are responsible for ensuring that the documents are not left behind
and that any discarded copies are to be disposed of according to the procedures and
processes.
Principle 8: Openness
CHEO will make readily available to individuals specific information about its policies and
practices relating to the management of Personal Health Information under its custody or
control, including:
- the name or title and the address of the person(s) who is accountable for CHEO's
policies and practices and to whom complaints or inquiries can be forwarded;
- the means of gaining access to Personal Health Information held by CHEO;
- a description of the type of Personal Health Information held by CHEO, including a
general account of its use;
- a copy of any brochures or other information that explain CHEO's policies, standards, or
codes; and
- a list of Personal Health Information that may be made available to other related
agencies and health care professionals, Medical Officers of Health, researchers and
CHEO’s Foundation.
CHEO will make information on its policies and procedures available in a variety of ways
such as notice signs, brochures, on-line information, etc.
Principle 9: Individual Access
Upon request, an individual will be informed of the existence, use, and disclosure of his or
her Personal Health Information and will be given access to that information.
Note: In certain situations, CHEO may not be able to provide access to all the Personal
Health Information it holds about an individual. Exceptions to the access requirement will be
limited and specific. The reasons for denying access will be provided to the individual upon
request. Exceptions may include information that is prohibitively costly to provide,
information that contains references to other individuals, information that cannot be
disclosed for legal, security, or commercial proprietary reasons, and information that is
subject to solicitor-client or litigation privilege.
Upon request, CHEO will respond within a reasonable time, no longer than 30 days, and
at minimal or no cost to the individual. CHEO will seek to indicate the source of this
Personal Health Information and will allow the individual access to this information.
However, CHEO may choose to make sensitive medical information available through a
medical practitioner. (Access to and Disclosure of Patient Health Information Policy).
An individual will be able to challenge the accuracy and completeness of the information
and have it amended as appropriate. When an individual successfully demonstrates the
inaccuracy or incompleteness of Personal Health Information, CHEO will amend the
information as required. Depending upon the nature of the information challenged,
amendment may involve the correction, deletion, or addition of information. Where
appropriate, the amended information will be transmitted to third parties having access to
the information in question.
Individuals may be required to provide sufficient information to permit CHEO to provide an
account of the existence, use, and disclosure of their Personal Health Information. The Personal
Health Information provided for this purpose will only be used for this purpose.
CHEO will provide an account of the use that has been made or is being made of this
information and an account of the third parties to which it has been disclosed. In providing
an account of third parties to which it has disclosed Personal Health Information about an
individual, CHEO will attempt to be as specific as possible. When it is not possible to provide
a list of the organizations to which it has actually disclosed Personal Health Information
about an individual, CHEO will provide a list of the organizations to which it may have
disclosed information about the individual.
The requested information will be provided or made available in a form that is generally
understandable. For example, if CHEO uses abbreviations or codes to record information,
an explanation will be provided.
When a challenge is not resolved to the satisfaction of the individual, the substance of the
unresolved challenge will be recorded by CHEO. When appropriate, the existence of the
unresolved challenge will be transmitted to third parties having access to the information in
question. The challenge will be filed with the Chief Information and Privacy Officer.
Principle 10: Challenging Compliance
CHEO will investigate all complaints. If a complaint is found to be justified, CHEO will take
appropriate measures, including, if necessary, amending its policies and procedures.
An individual will be able to address a challenge concerning compliance with this policy to
the Chief Information and Privacy Officer at CHEO.
CHEO will put procedures in place to receive and respond to complaints or inquiries about
its policies and procedures relating to the handling of Personal Health Information. The
complaint procedures will be easily accessible and simple to use.
CHEO will inform individuals who make inquiries or lodge complaints of the existence of
relevant complaint procedures. A range of these procedures may exist.