Section Title
1. Who We Are
2. Accountability: Our Responsibilities and Commitment to Protecting your Privacy
3. What Personal Information We Collect & Why
4. Consent
4.1. Placing Conditions on or Restricting Consent
4.2. Withholding or Withdrawing Consent
4.3. When an Individual is Unable or Incapable of Providing Consent
5. Limiting the Collection, Use, Disclosure and Retention of Personal Information
5.1. Limiting the Collection of Personal Information
5.2. Limiting the Use and Disclosure of Personal Information
5.3. Retention
6. Accuracy of Your Personal Information
7. Safeguards- How We Protect Your Personal Information
8. Openness
9. Individual Access to Personal Information about Themselves
9.1. Correcting Personal Information
10. Changes to Our Privacy Policy & Privacy Officer Contact Information
The privacy of personal information is a valued and important principle to CMA Imaging, o/a Canadian Diagnostic Network. We collect, use and disclose personal information according to the regulations and guidelines established by the Personal Health Information Protection Act (PHIPA). The standards of PHIPA are included as an integral component of our organization’s policies and procedures, ensuring individuals’ rights to privacy with regard to the collection and use of personal information. In many ways PHIPA simply builds on our existing professional regulations, policies, guidelines and practices.
1. WHO WE ARE
CMA Imaging, o/a Canadian Diagnostic Network is a privately owned, independent health service facility providing a variety of medical services, examinations and procedures in order to assist in the diagnosis and treatment of the patients of referring medical physicians. Because we provide a wide range of health care services, we often deal with a number of other health care and health service providers and third parties. These include hospitals, family physician practices, walk-in medical facilities, specialists, laboratories, the Ministry of Health for Ontario, Cancer Care Ontario, and other independent health facilities. In order to provide care and treatment for the patient, these affiliates and third parties may require limited access to personal information. We restrict their access to only the personal information that is required to provide the patient with an adequate level of health care, service, diagnosis and/or treatment, with the patient’s authorization. Any affiliates or third parties we work with have assured us that they follow privacy procedures according to their own established policies under the Personal Health Information Protection Act and/or the Personal Information Protection and Electronic Documents Act.
2. ACCOUNTABILITY- Our Responsibilities and Commitment to Protecting Your Privacy
We accept responsibility for collecting and handling any personal information of an individual. A specific Privacy Officer has been appointed, in charge of ensuring our adherence to PHIPA and handling any questions or concerns raised by the public. The Privacy Officer has the support of other staff members and has been given the authority to intervene in privacy issues. The Privacy Officer is responsible for analyzing existing procedures and making sure they coincide with PHIPA at both the written stages of the policy and the execution and implementation of the policy. Our Privacy Officer’s name as well as their contact information is provided below. Our staff have been informed and trained regarding our privacy and policy procedures. They know how to respond to public inquiries, are able to explain the concept of consent, are able to provide information on how an individual may go about requesting access to their personal information, understand that concerns regarding privacy are to be dealt with by the Privacy Officer and are aware of the security measures taken to protect personal information. Policies and procedures for our organization have been created and implemented to protect personal information. Firstly, individuals are made aware of what personal information is required and why we require that personal information by accessing our entire Privacy Policy, which is readily available on our website. We limit the collection, use and disclosure of personal information by only providing it to the referring physician and other health care providers according to our professional standards of practice and/or as authorized by the individual (the patient). We do our best to ensure that the personal information collected is complete, accurate and up-to-date. Security measures have been implemented to protect personal information from any potential external threats.
We also try to be as open and transparent as possible with regard to how we collect, handle, use and disclose personal information. All these measures will be explained in greater detail throughout our Privacy Policy.
3. WHAT PERSONAL INFORMATION we COLLECT and WHY
Personal health information refers to identifiable personal information, which may be factual or subjective. It is information about an individual’s health or healthcare history regarding an individual’s physical or mental condition, including family medical history; the provision of healthcare to an individual; long-term healthcare services; payment or eligibility for healthcare; and the identity of a healthcare provider or substitute decision-maker for an individual. In accordance with Regulations made under the Independent Health Facilities Act, our organization is required to create and/or keep a health record relating to the health services provided in our facility for each individual who is or was a patient. Upon arrival at the clinic, the patient will be asked to complete the information on the requisition, or if they have had a previous visit, they will be asked to confirm their personal information. If an individual is not comfortable disclosing this information, they should inform the front desk and we will do our best to make other arrangements; however, if the patient does not provide certain personal information, the provision of health services may be interrupted or denied. We only collect personal information that is important to the creation of a health file and to the function and operation of our facility. The personal information that is collected is meant to enhance the efficiency and quality of care we provide. Personal health information includes the following:
Generally, the personal health information is collected, used and disclosed in order to provide the individual with an adequate level of health service and to ensure accurate medical diagnosis.
4. CONSENT
Our organization believes that consent is extremely important when collecting, handling and disclosing personal information of an individual. According to the guidelines established by PHIPA, we must obtain an individual’s “knowledgeable consent” to collect, use and disclose personal information. Knowledgeable consent means that an effort must be made to make an individual aware of what personal information is being collected by our organization, how we plan to use it, and how it will be disclosed. An individual must be informed of their rights to withhold and withdraw consent. Under PHIPA, consent is considered valid if it is knowledgeable, voluntary, related to the information in question, and is given by the individual or an authorized decision-maker. Consent can be implied for the collection, use or disclosure of personal health information in order to provide healthcare or to assist in providing care. A patient’s circle of care refers to individuals, activities and services provided, which are related to the care and treatment of a particular patient. Subsequently, it includes health care providers such as doctors, as well as other related activities, such as diagnostic imaging. More simply, it refers to all health-related people, procedures and services provided to adequately diagnose and treat a particular patient. This means personal health information might need to be shared with other healthcare providers for the purpose of providing care. Other healthcare providers may include, but are not limited to, hospitals, specialists, surgeons, and other diagnostic imaging facilities. Consent can be implied through a patient’s conduct and behavior with our facility. For example, consent is implied for the collection, use and disclosure of personal health information for purposes related to an individual’s healthcare (as mentioned above), if you attend our facility for any health-related services.
PHIPA also outlines various circumstances where express consent of an individual is required. Express consent is explicit and direct and may be given verbally, in writing or electronically. Circumstances where express consent is required:
4.1 PLACING CONDITIONS ON or RESTRICTING CONSENT
An individual has the right to restrict our organization from sharing all or any part of his/her personal information. This means the individual has the right to tell our organization not to disclose certain personal health information to another custodian. It should be noted that if an individual instructs our organization not to disclose part of their personal health information to another health information custodian, we are required to inform the receiving health information custodian that some personal health information is unobtainable. More simply, a patient has the right to exercise the restriction of sharing or disclosing personal information at any time, albeit pre or post. However, when a patient exercises this, it is our legal obligation to tell the third party that information has been “locked” by the patient. Moreover, there is a significant chance that the medical report of the patient will be incomplete. According to our Privacy Policy, the report will include the clause, “The information contained in this report is incomplete. It was affected by the patient’s right to withhold information from other parties. The information that is being withheld is only available from the patient.” Our policy requires a patient wishing to restrict/limit access to his/her personal health information to complete, sign and date a form, which instructs them of their specific rights, and outlines the limitations of this right in this particular area. We are permitted to disclose any information to a recipient custodian when, in our professional opinion, the disclosure is needed to eliminate or reduce the risk of bodily harm to an individual or group of people.
Also, an individual’s conditions or restrictions may not impede the collection, use or disclosure of personal health information that is required by other laws such as the Canada Health Act, the Independent Health Facilities Act and/or professional or institutional practices as outlined by the College of Physicians and Surgeons of Ontario.
4.2 WITHHOLDING or WITHDRAWING CONSENT
An individual can withdraw his/her consent at any time for the collection, use or disclosure of his/her personal health information by providing notice to our organization. Withdrawal of consent applies to both implied and express consent. It should be noted that withdrawing consent is not retroactive. More simply, if information has been disclosed based on implied or express consent, we are not required to recover the information that has already been disclosed. In the case of an individual refusing or withholding or withdrawing consent, our organization’s protocol is determined by professional standards of practice. Our policy is to refuse health services if a patient withholds and refuses to disclose personal health information that we require in the function and operation of our facility. This means, in some situations, depending on the information the patient withholds or withdraws, the provision of the health service may be denied. If a patient withdraws consent, the patient will be informed of the consequences. In some situations, this could result in the interruption or denial of certain health services. The existing records of the patient in question will be retained as required by the regulations and standards of practice established under the Independent Health Facilities Act. This maintains patient safety and ensures that audit and regulatory requirements have been met. We will record the withdrawal of consent as part of the patient’s existing file and will inform those to whom the personal information had been disclosed.
4.3 WHEN an INDIVIDUAL IS UNABLE or INCAPABLE of PROVIDING CONSENT
In general, PHIPA assumes that individuals are capable of making decisions pertaining to the collection, use and disclosure of their own personal health information, if they are able to comprehend the consequences of providing, withholding or withdrawing their consent. If we believe an individual is incapable of providing consent, PHIPA allows a substitute decision-maker like a relative, spouse, child’s parent, or Public Guardian and Trustee.
5. LIMITING the COLLECTION, USE, DISCLOSURE and RETENTION of PERSONAL INFORMATION
5.1 LIMITING the COLLECTION of PERSONAL INFORMATION
The personal information collected is necessary for the function and day-to-day operations of our organization. Personal information is collected with discretion and confidentiality. The collection of personal health information is limited to that which is necessary for the purposes outlined in section 3 of our Privacy Policy. The Ministry of Health for the province of Ontario, under the Independent Health Facilities Act, has established regulations with regard to what personal information can be and needs to be collected to compile a health record within the facility. Personal information collected is typically used for administrative and billing purposes, to perform the examination, and to ensure accurate diagnosis and communication among the health care providers for the particular patient. More specific and detailed purposes for collecting personal information can be found in section 3 of our Privacy Policy. Personal information that is not essential to the purposes of collection, use or disclosure need not be provided and will not be collected as part of the patient’s health record at our facility. Although PHIPA requires the collection of personal health information to be directly from the patient, there are certain circumstances where our facility may be able to collect personal information indirectly. Exceptions to the direct collection of personal health information are as follows:
5.2 LIMITING the USE and DISCLOSURE of PERSONAL INFORMATION
Personal information collected will not be used or disclosed for any purposes other than those for which it was originally collected. More specifically, personal information will only be used or disclosed for the purposes outlined in section 3 of our Privacy Policy. If personal information needs to be used or disclosed for any reason other than the purposes outlined in section 3, the individual in question must consent to the use or disclosure of their personal information, or the use or disclosure must be authorized under the Personal Health Information Protection Act. Consent for the use and disclosure of an individual’s personal information is not necessary when/if:
5.3 RETENTION
Our retention policies for patient records coincide with the guidelines established under the Independent Health Facilities Act. Maximum and minimum retention periods have been established based on these guidelines. When a patient’s health record is purged, imaging media is destroyed, paper records or documents are shredded and electronic computer files containing information are erased from the computer’s hard drive. Information that does not have a specific purpose or no longer fulfills its intended purpose will be destroyed or disposed of accordingly. Instructions for the retention of personal information in the patient’s health record, as well as the proper way to dispose of or discard the personal information, are included in our policy and procedures manual for employees. Following these guidelines and regulations ensures that an individual’s personal information is not stored or kept unnecessarily, and protects the patient’s privacy rights.
6. ACCURACY of YOUR PERSONAL INFORMATION
We will do our best to ensure that personal information is as accurate, complete and up-to-date as possible. This will reduce the chances of incorrect personal information being used or disclosed to third parties. However, personal information will only be updated based on necessity and only to fulfill the required purposes. Certain personal information such as the patient’s name, address, phone number and OHIP or other billing information (commonly referred to as “factual information”) will be updated directly on our secured patient database when the patient comes in for an examination. Because our patient database is separate and for our facility’s use only, certain personal information is not automatically updated when an individual updates their information with OHIP. Also, when we receive personal information from third parties, we will make sure that the information is complete. The patient cannot demand that their record be changed instantly; instead, they can seek correction and change, which will then be taken into consideration and reviewed by the Privacy Officer who will determine whether or not the change should be made.
7. SAFEGUARDS- How We Protect Your Personal Information
Given the sensitive nature of the personal information we collect and use, confidentiality has always been a strong pillar of our organization’s set of values. Privacy and confidentiality have always been an important value in the provision of health services and our organization is no exception. We believe in protecting and securing an individual’s personal information from unauthorized and inappropriate access. Information will be safeguarded from unauthorized access, use, disclosure, copying or modification. Personal information, regardless of the format will be protected. We have implemented a variety of security safeguards to protect personal information. These security measures seek to ensure no unauthorized parties dispose, obtain access to, modify or destroy an individual’s personal information. This is a brief summary of the security measures we have taken:
Personal information is retained only for the time period required by the regulations made under the Independent Health Facilities Act; this ensures that personal information is not kept unnecessarily. When discarding personal information, we are guaranteed that it is done responsibly. For example, personal information recorded on paper is shredded so personal information of a patient is no longer comprehensible. Our security measures have been developed and implemented based on the nature and sensitivity of the personal information we collect, use and disclose, the amount of information we collect and retain, to whom we disclose the information, the form of the information (electronic, imaging media, paper, files, etc.) and how we store the information. Our Privacy Officer and senior levels of management will periodically review our security measures and update and modify them if necessary.
8. OPENNESS
We want patients, referring physicians, third parties and employees to be informed of our policies and practices for the management and use of personal information. We try our best to make our privacy policies and procedures as transparent as possible. There are a number of ways we ensure openness and transparency in regards to our privacy policy and practices:
Our policies regarding how we collect, use and disclose personal information are understandable, consistent and readily available to the public. We strongly believe that our patients should know about their privacy rights. Therefore, we try to be as open and as transparent as possible with regard to our privacy practices.
9. Individual Access to their Personal Information
Under PHIPA, patients have the general right to access their personal health information. Laws explicitly state that the original documents are to be retained by us; however, having copies is your right. A patient can request access to their personal health information by putting their request in writing. A patient’s right to personal information is not unconditional (see below). According to PHIPA, we as health information custodians have 30 days to respond to the written request. Extensions beyond 30 days are allowed if fulfilling the request in 30 days obstructs the operation of our facility or when consultations with outside sources are required in order to meet the terms of the patient’s request. If this is the case, it is our policy to inform the patient, in writing, that we have received their request, but there will be a delay and outline the reasons for the delay. Our policy also requires that the patient requesting access fill out two access forms within our facility. These forms are needed for administrative purposes and so requests for access to and release of personal health information are properly recorded and documented as part of the patient’s health record. It should also be noted that requesting access to personal health information and the release of such information is not covered under the Ontario Health Insurance Program (OHIP). A patient’s rights to access their personal information are not unconditional. We can refuse access in limited situations, such as:
If we deny your request for access to personal information, we will explain why.
9.1 Corrections to Personal Health Information
If a patient believes that their personal health information is incomplete or erroneous, the individual has the right to request that we correct their file. A patient who wants to correct his/her personal health information must submit a written request to us. We will look into the request and respond within 30 days of receiving any such request. If replying within 30 days interferes with our daily operation, or if we need time to investigate the request and consult with third parties regarding the request we will inform the patient that we need more time and why we need more time. We will change and correct personal information after the individual has demonstrated to our satisfaction that the record is inaccurate or incomplete and provides us with the relevant information needed to correct the record. We will correct information responsibly and based on our existing standards of professional practice. Requests to correct personal information are limited to factual personal information and do not apply to professional opinions developed by our healthcare professionals. If correction is refused on such a basis, we will inform the patient of the refusal and the reasons for the refusal.
10. Changes to our Privacy Policy and Our Privacy Officer’s Contact Information
We will periodically review our privacy policies and procedures. We reserve the right to make amendments to our Privacy Policy in the future. Any specific inquiries and concerns can be directed to our appointed Privacy Officer. Written inquiries, concerns or requests can be in the form of a mailed letter, an e-mail or fax. Please direct the written request to our Privacy Officer. Our Privacy Officer can be contacted at:
Attention: Mrs. Lisa Simpson
Email: [email protected]
CDN Imaging
1 Centrepointe Dr
Nepean, ON K2G 6E2
We take your privacy inquiries, concerns and requests very seriously. We will respond to you in a timely manner and to the best of our ability. If you are not satisfied with our response, the Information and Privacy Commissioner of Ontario can be reached at:
2 Bloor Street East, Suite 1400
Toronto, Ontario, M4W1A8
(416) 326-3333 1-800-387-0073
Website: www.ipc.on.ca