Importance of Privacy
Why Does CFSSC Need PHI and PI?
CFSSC provides counselling services and family life education programs, and participates in community development activities with a wide range of clients. We require PI to create and maintain client lists, and collect demographics to inform our strategic planning process. We collect PHI in order to create client treatment plans.
1.0 What PHI and PI do we collect?
(a) CFSSC only collects information that is required to provide services to clients.
(c) PHI/PI that we may collect includes, but is not necessarily limited to, the following, for service:
(i) Name, home address, and home telephone and/or cell phone numbers; E-mail address
(ii) Issues/problems, clinical observations, treatment plans, recommendations
(iii) Doctor, lawyer and community service workers;
(iv) Information contained in the following documents:
(v) Intake Form
(vi) Employee Assistance Program Forms
(vii) Closing Profiles and Summaries
(viii) Banking information.
(ix) Credit card information
2.0 How do we collect PHI/PI?
2.1 We collect information only by lawful and fair means and not in an unreasonably intrusive way. Wherever possible we collect PHI/PI directly from the client at the start of services. We may obtain additional information from other service providers with client consent.
2.2 Sometimes we are provided information about clients from other sources, for example:
(ii). Government agency or registry;
(iii). Hospital or other treatment organization;
(iv). Mental health professionals or other social service agencies;
(v). Family or other natural supporters;
(vi). Employee Assistance Programs;
(vii). Insurance Company.
3.0 Exchanges of information
All requests for an exchange of information between the Agency and any external third party shall require that a release of information form be signed by the client or the client’s legal guardian, and be witnessed. In cases where the file concerns a couple or family, the written consent of all parties is needed. If these consents are not provided, the information pertaining to the others involved in the counselling shall be omitted and only information pertaining to the client(s) who signed a release of information form shall be shared. A notice shall be attached to all written information from the Agency that the information being provided is not to be shared with anyone other than the individual named on the release form.
4.0 Requests for Information Access and/or Corrections
Individuals who have any questions, or wish to access PHI/PI, shall put requests in writing to our Privacy Officer/Health Information Custodian,
Michelle Bergin, Executive Director
Catholic Family Services of Simcoe County
20 Anne St. South
Consent obtained from the client will cover the duration period of the care and services received by the client at CFSSC.
5.1 All clients shall be provided with the Agency’s “Welcome” brochure which contains statements on client rights, including the Agency’s confidentiality policy and its limitations. In addition to this, the counsellor shall provide verbal interpretation and support for all clients, particularly those for whom there are difficulties with the English language and/or with their level of literacy and/or due to visual impairment. A “Conditions of Service” form shall be provided to the client, who is requested to sign it to indicate that the Welcome brochure was received, read and/or explained and understood.
5.2 A client may withdraw consent at any time, subject to legal or contractual restrictions and reasonable notice, by notifying his/her counsellor or our privacy officer. Any limitations that may arise as a result of withdrawing consent will be discussed with the applied as of the date consent is withdrawn (i.e. it is not retroactive).
5.3 Any youth 12 years of age or older may request counselling without a parent’s consent. If an individual is a child who is less than 16 years of age and who is capable of consenting to the collection, use or disclosure of PHI/PI, their decision to give, withdraw or withhold consent shall prevail over another substitute decision maker (e.g. parent or guardian), unless court ordered otherwise.
5.4 The term “parent” does not include a parent who has only a right of access to the child.
6.0 Use of PHI/PI Information
6.1 CFSSC uses PHI/PI to provide services and to include the client in any direct mailings of information relating to community development that may be of some interest. It is also used for marketing activities such as notification of upcoming meetings, courses, seminars, conferences and CFSSC-related information. If an individual indicates that he/she no longer wishes to receive information about services, seminars or about new community development activities, no further material will be sent. PHI/PI may also be used for supervision, quality improvement initiatives and accreditation.
6.2 CFSSC does not reveal PHI/PI to any third party without consent, except as set out in clause 7 below.
7.0 Disclosure of PHI/PI
7.1 Under certain circumstances, CFSSC will disclose PHI/PI:
(a) When the law requires or authorizes us to do so, for example, if a court issues a subpoena;
(b) When a client has consented to the disclosure;
(d) If we retain agents or consultants to help us in completing research relating to CFSSC or mental health services;
(e) If the information is already publicly available.
(f) If any agent of CFSSC reasonably believes that not to disclose the information may result in significant bodily harm to the client or another individual.
(g) If the information we collect suggests that a child is being or is at risk of being abused, then an agent of CFSSC is legally obligated to report this information to the Children’s Aid Society as per the Child and Family Services Act.
7.2 In these instances we will only disclose such PHI/PI as the circumstances require.
7.3 Notice of Theft, Loss or Unauthorized Use or Release of Information
(a) If PHI/PI is stolen, lost or has been subject to unauthorized access, CFSSC will inform the Executive Director immediately.
(b) The staff member directly involved will complete an incident report concerning the event and send it to their direct supervisor and the Executive Director. The Executive Director will notify the Board of Directors and the Insurance Company.
(c) The Executive Director and direct supervisor will use the Information and Privacy Commissioner/Ontario guidelines for the health sector, “What to do when faced with a privacy breach”, available from the website www.ipc.on.ca/images/Resources/up-hprivbreach.pdf
(d) The client(s) whose information was stolen, lost or accessed without authorization will be notified by the program supervisor.
8.0 Accuracy of Information
As the agency uses PHI/PI to provide our services, it is important that the information be accurate and up-to-date. If any PHI/PI changes while clients are involved in agency services, CFSSC requests that individuals inform us so that we can make any necessary changes.
9.0 Access to PHI/PI
9.1 A client may request access to any PHI/PI that is on record at CFSSC by writing to our Privacy Officer. Typically CFSSC will request that the client or individual review his/her PHI contained in a case file at our office in the presence of our Privacy Officer or delegate. In the case of files about couples and families, an individual shall only have access to that part of the file that is specific to that individual or to the couple/family as a whole. Any part of the file relating specifically to the other individual will not be released without his/her express written consent.
9.2 An individual may request a copy of any PHI/PI on record at CFSSC specific to themselves. The Privacy Officer has 30 days to respond to the request and may in extenuating circumstances request an extension. In such situations the Privacy Officer shall inform the individual why the extension has been requested.
9.3 Summary information is available on request. More detailed requests that require archive or other retrieval costs may be subject to a reasonable fee.
9.4 CFSSC reserves the right to confirm the identity of the person seeking access to PHI/PI before complying with any access requests. Clients must submit access requests in writing or via e-mail to our Privacy Officer.
10.0 Correcting Errors
10.1 If CFSSC holds information about a client and he/she can establish that it is not accurate, complete and up-to-date, CFSSC will take reasonable steps to correct it. In the case of PHI, the Privacy Officer shall respond in writing as soon as possible but no later than 30 days after written submission of correct information, indicating what steps have been taken to correct the information and, with the individual’s consent, to share the correction with other parties which may have received the previous erroneous information.
10.2 A Privacy Officer is not required to correct a record of personal health information if it consists of a record that was not originally created by the Officer; or if it consists of a professional opinion or observation that a custodian has made in good faith about the individual.
11.0 Access Denied to PHI/PI
11.1 Clients of CFSSC will have access to the PHI/PI we store. However, there may be rare occasions when we deny access to your PHI/PI. For example, both PHIPA and PIPEDA permit the refusal of access based on the following:
(i). Access rights to PHI/PI are not absolute, e.g. if safety is at risk;
(ii). Law has required or authorized denial of access;
(iii). When granting access would have an unreasonable impact on other people’s privacy;
(iv). Where the request is frivolous or vexatious.
11.2 If we deny a request for access to, or refuse a request to correct information, the Privacy Officer will explain why in writing.
12.0 Requests for Anonymity
Whenever it is legal and practicable, CFSSC may offer the opportunity to deal with general inquiries without providing an individual’s name (for example, by using general information on our website).
13.0 Credit Bureaus
On occasion CFSSC may request information about a client from the files of consumer agencies or file complaints with those agencies, such as where a client has failed to pay a debt owed to CFSSC.
14.0 Email or Facsimile Communication
Individuals should be aware that e-mail and fax are not 100% secure media, and should keep this in mind when contacting CFSSC to send personal or confidential information or when requesting that CFSSC respond by e-mail or fax.
16.1 An individual wishing to make a formal complaint about our privacy practices shall make it in writing to our Privacy Officer. She/he will acknowledge receipt of the complaint, ensure that it is investigated promptly, and ensure that the individual making the complaint is provided with a formal decision and reasons in writing.
16.2 For more general inquiries or if not satisfied with our response, with regard to PI an individual can contact the
Information and Privacy Commissioner of Canada
112 Kent Street
Ottawa, Ontario K1A 1H3
1-800-282-1376
www.privcom.gc.ca
16.3 For more general inquiries or if not satisfied with our response, with regard to PHI an individual can contact the
Information and Privacy Commissioner of Ontario
2 Bloor Street East, Suite 1400
Toronto, ON M4W 1A8
Telephone: 416.326.3333 or 1.800.387.0073
16.4 We may seek external advice, where appropriate, before providing a final response to individual complaints.
17.0 Employment Inquiries
When an individual applies for a job at CFSSC, PI will be considered as part of the hiring process. PI from candidates is normally retained after we decide, unless a candidate requests that the information not be retained. If CFSSC makes a job offer which is accepted, PI will be retained according to our privacy procedures for employee records.
18.0 Web Site
18.2 On our website, like many commercial websites, we may monitor traffic patterns, site usage and related site information to optimize our web service. We may provide aggregated information to third parties, but these statistics do not include any identifiable PI.