Privacy of personal information is an important principle to Lawlor Therapy Support Services Inc. We are committed to collecting, using and disclosing personal information responsibly and only to the extent necessary for the goods and services we provide. We also try to be open and transparent as to how we handle personal information. This document describes our privacy policies and practices.
WHO WE ARE
Our organization, Lawlor Therapy Support Services Inc, includes at the time of writing 56 rehabilitation support workers and four support staff. We use a number of consultants and agencies that may, in the course of their duties, have limited access to personal health information we hold. These include computer consultants, bookkeepers and accountants, and lawyers. We restrict their access to any personal information we hold as much as is reasonably possible. We also have their assurance that they follow appropriate privacy principles.
WHAT IS PERSONAL INFORMATION?
Personal information is information about an identifiable individual. Personal information includes information that relates to their personal characteristics (i.e., gender, age, home address or phone number, ethnic background, family status, language, identifying features, insurance benefit coverage), their health (i.e., health history, health conditions, health services received by them, prognosis or other opinions formed during assessments or treatments, health diagnosis and assessment), or their activities and views (i.e., religion, politics, opinions expressed by an individual, an opinion or evaluation of an individual, criminal history, involvement with the agency). Personal information is to be contrasted with business information (i.e., an individual’s business address and telephone number), which is not protected by privacy legislation.
WE COLLECT PERSONAL INFORMATION: PRIMARY PURPOSES
We collect, use and disclose personal information in order to serve our clients. For our clients, the primary purpose for collecting personal information is to provide rehabilitation support services as an integral part of the client’s rehabilitation team. For example, we collect information about the results of client evaluations and assessments, physical condition and function, social and familial situations in order to implement rehabilitation recommendations. A second primary purpose is to seek recommendations from the client’s rehabilitation team and to document and report concerns and / or progress as needed. It would be rare of us to collect such information without, the client’s expressed consent, but this might occur in an emergency (i.e., the client is unconscious) or where we believe the client would consent if asked and it is impractical to obtain consent (i.e., a family member passing a message on from our client and we have no reason to believe that the message is not genuine) or where consent is implied ( i.e., sharing information with a medical professional when attending an appointment with the client). In cases were the client in incapable of consenting (i.e., a child, an incapacitated person), an appropriate substitute will provide the consent (i.e., parent, guardian, spouse, power of attorney).
About Client Family and Friends
We collect, use and disclose personal information in order to serve our clients. As part of the rehabilitation process, the agency and it’s employees are exposed to private familial and social relations and matters. For the families and friends of our clients the primary purpose for collection of personal information is to provide effective rehabilitation services to the client. A second primary purpose is to seek recommendations from the client’s rehabilitation team and to document and report concerns and / or progress as needed. It would be rare of us to collect such information without the client’s express consent, but this might occur in an emergency or where the clients. health and safety or that of a family member or friend is at risk. In such cases consent is not needed to report the incident or situation to the appropriate organization (i.e., Children’s Aid Society, Police).
About Prospective Clients
Our prospective clients, our primary purpose for collecting personal information is to evaluate the availability of services we have and can offer. A second primary purpose is to match the prospective client’s personality, and needs to that of the potential therapy support worker to ensure a successful therapeutic relationship. Consent to collect such information is implied when contact is initiated by the client’s rehabilitation team, family and / or the client themselves.
About Members of The General Public
For members of the general public, our primary purpose for collecting personal information is to make them aware of Lawlor Therapy Support Services Inc. For example, while we try to use work contact information where possible, we might collect home addresses, fax number and email addresses. We try to obtain consent before using any such information, but where this is not, for any reason, possible, we will upon request immediately remove any personal information from our distribution list. On our website we only collect, with the exception of cookies, the personal information you provide and only use that information for the purpose you gave it to us (i.e., to respond to your email message). Cookies are only used to help you navigate our website and are not used to monitor you.
For employees of Lawlor Therapy Support Services Inc., our primary purpose for collecting personal information is for necessary work-related communication (i.e., sending out pay cheques, tax receipts), to monitor work-related performance and for necessary work-related communication. Examples of the type of personal information we collect for those purposes include home addresses and telephone numbers. It is rare for us to collect the information without prior consent, but it may happen in the case of a health emergency or to investigate a possible breach of law (i.e., if a theft were to occur in the office). If employees with a letter of reference or an evaluation, we will collect information about their work related performance and provide a report as authorized by them.
About Contract Staff, Volunteers and Students
For people who are contracted to do work for us (i.e., temporary workers), our primary purpose for collecting personal information is to ensure we can contact them in the future (i.e., for new assignments) and for necessary work-related communication (i.e., sending out pay cheques, tax receipts). Examples of the type of personal information we collect for those purposes include home addresses and telephone numbers. It is rare for us to collect such information without prior consent, but it might happen in the case of a health emergency or to investigate a possible breach of law (i.e., if a theft were to occur in the office). If contract staff, volunteers or students with a letter of reference or an evaluation, we will collect information about their work related performance and provide a report as authorized by them.
We Collect Personal Information: Related and Secondary Purposes
Like most organizations, we also collect, use and disclose information for purposes related to or secondary to our primary purposes. The most common examples of our related and secondary purposes are as follows:
- To invoice clients for goods or services or collect unpaid accounts.
- To advise clients and others of special events or opportunities (i.e., presentations, seminars, programs, new services) that we have available.
- Our agency reviews client and other files for the purpose of ensure that we provide high quality services, including assessing the performance of our staff. In addition, external consultants (i.e., lawyers, accountants, practice consultants) may on our behalf do audits and continuing quality improvement reviews of our agency, including reviewing client files and interviewing our staff.
- As professionals, we will report serious misconduct, incompetence or incapacity of other rehabilitation team members if necessary. Also, our organization believes that it should report information suggesting serious illegal behaviour to the authorities. External regulators have their own strict privacy obligations. Sometimes these reports include personal information about our client, or other individuals, to support he concern (i.e., improper services). Also, like all organization, various government agencies (i.e., Canada Customs Agency, Information and Privacy Commission, Human Rights Commission, etc.) have the authority to review our files and interview our staff as part of their mandates. In these circumstances, we may consult with professionals (i.e., lawyers, accountants) who will investigate the matter and report back to us.
- In addition, we may be required by law to disclose personal health information to other government agencies (e.g. Ministry of Health, children’s aid societies, WSIB, OHSA etc.).
- Our agency is legally obligated to copy and forward the client’s file where a subpoena, warrant or court order has been issued to do so.
- Our agency believes it should report information suggesting self harm, danger to self or others to the authorities.
- The cost of some goods / services provided by the agency to clients is paid for by third parties (i.e., OHIP, WSIB, private insurance). These third party payers often have your consent or legislative authority to direct us to collect and disclose to them certain information in order to demonstrate client entitlement to this funding.
- Clients or other individuals we deal with may have questions about our goods or services after they have been received. We also provide ongoing services for many of our clients over a period of months or years for which our previous records are helpful. We retain our client information for a minimum of ten years after the last contact to enable us to respond to those questions and provide these services.
- To facilitate the sale of our organization. If the organization or its assets were to be sold, the potential purchaser would want to conduct a “due diligence” review of the organization’s records to ensure that it is a viable business that has been honestly portrayed. The potential purchaser must first enter into an agreement with the organization to keep the information confidential and secure and not to retain any of the information longer than necessary to conduct the due diligence. Once a sale has been finalized, the organization may transfer records to the purchaser, but it will make reasonable efforts to provide notice to the individual before doing so.
Lawlor Therapy Support Services Inc. will manage all client records and confidential corporate information in a safe, secure and confidential manner consistent with current legislation regarding Freedom of Information and Privacy including, but not limited to, the Personal Health Information Protection Act 2004 (PHIPA), other orders released by the Information and Privacy Commissioner/Ontario, FSCO Service Provider Licensing Regulations, and College standards.
Personal Health Information relates to the:
- Physical or mental health of the individual, including information that consists of the health history of the individual‚ and family.
- Providing of health care to the individual, including the identification of a person as a provider of health care to the individual.
- Plan of service for the individual.
- Payment or eligibility for health care, or eligibility for coverage for health care, in respect of the individual.
- The donation by the individual of any body part or bodily substance of the individual or is derived from the testing or examination of any such body part or bodily substance.
- Individual’s health number, or
- IIdentification of the individual’s substitute decision maker.
Confidential Corporate Information relates to:
- Information about any and all company personnel (employees and contractors) including but not limited to personal information gathered for the purposes of selection, hiring, enrollment in the extended health plan, payment, and management of performance-related matters.
- Information to support corporate operations that contains:
- Private personal information such as staff lists and contact information
- Sensitive financial information such as pay rates, corporate expenses and revenues
- Information that might be deemed to be the property of Lawlor Therapy Support Services Inc., such as:
- Identification of clients (individual and agency) and referral sources
- Customized forms and processes.
Content & Accuracy of Files
Client files will contain all records related to client assessments and treatment including but not limited to clinical notes, reports, invoices and receipts relating to goods purchased to support treatment.
As – Needed Basis:
Only as much personally identifiable client and corporate information as is necessary to fulfill clinical, reporting and management requirements shall be collected and maintained. No personnel will share the client’s health record and related information with any party other than the client, members of the health care team, or a third-party without proper authorization. While relevant information about the client may be shared with health-care team members to facilitate care, irrelevant information about the client or his/her conduct remains confidential.
Oath of Confidentiality:
All Lawlor Therapy Support Services Inc. personnel will sign an Oath of Confidentiality upon joining the company.
Obtaining Client Information:
A signed consent form will be obtained from the client to enable Lawlor Therapy Support Services Inc. personnel to obtain such information from other sources as may be deemed necessary to provide services to the client.
Client and Personnel Records:
Client and personnel records are the property of Lawlor Therapy Support Services Inc.; the responsibility for the client’s chart is shared by the treating RSW and Lawlor Therapy Support Services Inc. has a right to access client records. Except in cases where the preservation of confidentiality poses a risk of serious and imminent harm to the client or to others, or where there is a legal requirement, clients have the right to determine what shall be done with information included in their records.
Rough notes and documents that do not form part of a client medical or personnel record will be destroyed as soon as they are no longer useful. Such information, contained in rough notes, etc., as may form part of the medical record, should be expeditiously transferred to the medical record before the rough notes are destroyed.
Releasing Client Information
With only a few exceptions, you have the right to see what personal information we hold about you, by contacting Angie Cunningham. We can help you identify what records we might have about you. We will also try to help you understand any information you do not understand (e.g., short forms, technical language, etc.). We will need to confirm your identity, if we do not know you, before providing you with this access. We reserve the right to charge for photocopying charges.
We may ask you to put your request in writing. We will respond to your request as soon as possible and generally within 30 days, if at all possible. If we cannot give you access, we will tell you the reason, as best we can, as to why.
If you believe there is a mistake in the information, you have the right to ask for it to be corrected. This applies to factual information and not to any professional opinions we may have formed. We may ask you to provide documentation that our files are wrong. Where we agree that we made a mistake we will make the correction. At your request and where it is reasonably possible, we will notify anyone to whom we sent this information (but we may deny your request if it would not reasonably have an effect on the ongoing provision of health care). If we do not agree that we have made a mistake, we will still agree to include in our file a brief statement from you on the point.
The FSCO Service Provider Licensing Regulations state that service providers are not required to give individuals information or documents that relate to an examination of the individual conducted by or on behalf of the service provider if the examination was required by an insurer under section 44 of the Statutory Accident Benefits Schedule (i.e., Insurer Examination).
To the Payer and Other Team Members:
The treating clinician is responsible for ensuring that the client understands, at the initiation of the professional relationship, that a copy of the assessment and treatment reports will be forwarded to the referral source and that information may also be shared with other health care team members.
To Third Parties:
- Upon receipt of a request to release health information, a written consent from the client to release said information will be obtained.
- If the client is not the direct payer of the service, the request will be forwarded to the referring agency/company.
To Law Enforcement Representatives:
Client information will not be released to law enforcement representatives, without a search warrant or the written consent of the client.
In Response to a Subpoena:
Upon receipt of a subpoena or other legal directive requiring a care provider or records custodian to attend or give evidence, he or she shall not disclose health information without the authorization of the client, in advance of, or in preparation for, attendance as a witness in the proceeding.
In Response to a Claim or Legal Action:
Where a claim is made or an action is brought against a referring agency Lawlor Therapy Support Services Inc. by a client or former client in respect to the care given the client, the referring agency or Lawlor Therapy Support Services Inc. may disclose the contents of the client’s medical record to the referring agency or Lawlor Therapy Support Services Inc. liability insurer and solicitor. This will enable them to ascertain the circumstances giving rise to the claim or action and, where appropriate, to defend the referring agency or Lawlor Therapy Support Services Inc. position.
For Outside Research:
Access to confidential information for the purposes of research, statistical compilation or education by persons external to the company carrying out medical and epidemiological research, will be granted only with the consent of the client or if the information can be transmitted to researchers in such a form as to effectively mask the identity of the client.
Service orders and referrals are either faxed or emailed to a secure location or placed in staff mail folders. The staff person is then responsible for the safe and confidential handling of client records, as per College standards and this policy and related procedures.
When transporting client records, personnel will ensure that these records are carried with caution or transported in a locked case in the trunk of a vehicle.
Storage of hard copy client records and confidential corporate information at Lawlor Therapy Support Services Inc. RSW’s home offices will be consistent with College standards and the guidelines outlined below. Minimally, all hard copy client information will be filed in secure file cabinets. Electronic records will be stored securely (see Security Protocols below).
Lawlor Therapy Support Services Inc. will retain client information i.e. hard copy, disks, and tapes in accordance with the standards of practice of the Colleges and for a minimum of 10 years (Note: Licensing Regulations require 6 year only) after the last date of entry of record. Records of pediatric clients will be kept until ten years after the day on which the client reached, or would have become, 18 years of age. Client information will be destroyed when it is no longer needed, pursuant to regulated timeframes. Hard copy records will be shredded and electronic records deleted. We destroy paper files containing personal health information by cross-cut shredding. We destroy electronic information by deleting it in a manner that it cannot be restored. When hardware is discarded, we ensure that the hardware is physically destroyed or the data is erased or overwritten in a manner that the information cannot be recovered.
Lost or Stolen Records:
Every effort will be made to reconstruct lost or stolen client and personnel records. The loss will be documented in the client or personnel file and the appropriate parties (client, referral source, staff person) will be notified.
Guidelines & Procedures:
All systems and devices that store or transmit confidential client and corporate information must have proper security protection:
- Removable media including but not limited to CDROMS, DVDROMS, floppy disks, USB memory drives, external hard drives, and portable media/music players, must be encrypted; it is not acceptable to rely solely on login passwords to protect confidential information on mobile devices that are easily lost or stolen.
- Mobile devices including but not limited to cell phones, laptop computers and personal digital assistants must be encrypted and must not be used for the long term (e.g., more than 72 hours) storage of any confidential information.The confidentially and integrity of electronic data and the integrity of the corporate server and network will be maintained through the use by all staff of unique user identification and passwords; individuals shall be held accountable for all activity logged against his or her user name.
- User identifier: Refers to a set of characters uniquely identifying an individual for system access: Passwords: Passwords will be six characters long and contain a mixture of at least two/three of the following groups: lower case, upper case, numbers and special characters.
- To mitigate risks to business operations and minimize security issues, personnel will:
- Individual staff person will: change password at first use, advising admin/IT support, but otherwise keeping password confidential; change password immediately if he/she believes or suspects that it is no longer confidential.
- Admin/IT Support will provide the employee/contractor with an identifier and an expired password for first time access and reset passwords if compromised or forgotten once identity of the employee has been confirmed.
- Manager/delegate will determine and approve employee’s access to Lawlor Therapy Support Services Inc. information technology systems.
- Ensure that all electronic communication containing confidential client or corporate information is transmitted through secure, company-approved channels and/or is encrypted
- Ensure all confidential documents are password protected and/or saved in PDF or read-only form to minimize tampering.
- Refrain from opening an e-mail message received from an unfamiliar source unless there is some evidence that the message may be legitimate. In this case, each such message must be thoroughly investigated before it is opened to determine the source and objective of the e-mail.
- Not allow webmail or e-mail software to automatically remember passwords
- Not forward secure Lawlor Therapy Support Services Inc. email to any other e-mail account.
- We do not post any personal information about our clients on social media sites and our staff members are trained on the appropriate use of social media sites.
- External consultants and agencies with access to personal information must enter into privacy agreements with us.
If There Is A Privacy Breach
- Upon learning of a possible or known breach, we will take the following steps:
- While we will take precautions to avoid any breach of your privacy, if there is a loss, theft or unauthorized access of your personal health information we will notify you.
- We will contain the breach to the best of our ability, including by taking the following steps
- Retrieving hard copies of personal health information that have been disclosed
- Ensuring no copies have been made
- Taking steps to prevent unauthorized access to electronic information (e.g., change passwords, restrict access, temporarily shut down system)
- We will notify affected individuals
- We will provide our contact information in case the individual has further questions
- We will provide the Commissioner’s contact information
- We will investigate and remediate the problem, by:
- Conducting an internal investigation
- Determining what steps should be taken to prevent future breaches (e.g. Changes to policies, additional safeguards)
- Ensuring staff is appropriately trained and conduct further training if required
Depending on the circumstances of the breach, we may notify and work with the Information and Privacy Commissioner of Ontario. In addition, we may report the breach to the relevant regulatory College if we believe that it was the result of professional misconduct, incompetence or incapacity.
Do You Have Questions or Concerns?
Our Information Officer, Angie Cunningham, can be reached at: 905-451-1772 ex 242 firstname.lastname@example.org
She will attempt to answer any questions or concerns you might have. If you wish to make a formal complaint about our privacy practices, you may make it in writing to our Information Officer. She will acknowledge receipt of your complaint, and ensure that it is investigated promptly and that you are provided with a formal decision and reasons in writing. You also have the right to complain to the Information and Privacy Commissioner of Ontario if you have concerns about our privacy practices or how your personal health information has been handled, by contacting:
Information and Privacy Commissioner/Ontario 2 Bloor Street East, Suite 1400 Toronto, Ontario M4W 1A8 Telephone: Toronto Area (416/local 905): (416) 326-3333 Long Distance: 1 (800) 387-0073 (within Ontario) TDD/TTY: (416) 325-7539FAX: (416) 325-9195 www.ipc.on.ca
This policy is made under the Personal Health Information Protection Act, 2004, S.O. 2004, c. 3. It is a complex statute and provides some additional exceptions to the privacy principles that are too detailed to set out here.