Your Privacy at Mackenzie Health


Our Privacy Commitment to You

Mackenzie Health is committed to protecting your privacy and the confidentiality of your personal health information to provide a world class health experience and excellent care. Our goal is your trust. Whether you are a patient, visitor, or work for Mackenzie Health, you trust us with your information. To honour that trust, we are committed to using your information for legitimate purposes and take steps to protect it.

Our Information Practices:

You have the right to know how we may use your personal health information and how you can access it.

We collect personal health information about you in accordance with the Personal Health Information Protection Act, 2004 (PHIPA) to provide or assist in providing you with excellent health care. We may collect this information either from you directly or, in some circumstances, from a person designated to make care decisions on your behalf. The personal health information that we collect may include your contact information, health card number and medical history. We may also collect personal health information about you from other sources if we have obtained your consent to do so or if the law permits. 

We only use and share your information with those who are providing you with health care, such as doctors, nurses, residents, and other team members who provide care and assist in your care.  Note that service providers under contract to provide services on behalf of or to Mackenzie Health must follow the privacy standards required of Mackenzie Health.

Mackenzie Health is a partner in the Western York Region Ontario Health Team (WYR OHT) and may disclose your information to collaborate with other community partners in the WYR OHT to provide you with coordinated health care services. For more information on the Western York Region Ontario Health Team, visit https://westernyorkregionoht.ca/.

We may collect, use, or share your health information without your consent, to:

  • contact a relative or friend if you are incapacitated
  • prevent serious harm to you or others
  • report suspected types of abuse
  • report certain diseases to public health authorities

We may also use and disclose your personal health information to:

  • obtain payment for your treatment and care
  • conduct quality improvement and risk management activities
  • plan, deliver or improve our programs and services, manage our internal operations, and contribute to health system planning
  • train and educate healthcare professionals and Mackenzie Health staff
  • comply with legal and regulatory requirements
  • fulfill other purposes as permitted or required by law

Mackenzie Health also collects personal information through recorded images using our video surveillance system for safety and security operations at the hospital.

There are other health care providers outside of Mackenzie Health who can access your electronic health record but they or their team must be involved in your care, and they must sign an agreement with Mackenzie Health. For more information, please contact the Privacy Office.

Provincial Shared Systems and Electronic Health Records

We may also provide your health information to Ontario Health to update your provincial electronic health record (EHR), to help facilitate and coordinate your care with other health care providers. 

For more information, please refer to the eHealth Ontario website.

Family, Friends, and Clergy:

We may share general information about you, such as your location in the hospital and your general health status, with others, including your friends and family who are concerned about you, unless you tell us not to give out this information. Your consent is required to disclose any further information.

If you wish to limit who knows this information, please inform the person who has registered you, your health care team, or contact the Privacy Office.

Mackenzie Health is pleased to offer Spiritual Care Services.  While we do not ask about your religion when you are admitted to the hospital, please inform your health care team if you would like a visit from our multi-faith team.  If you tell us about your religious or other organizational affiliation, we may give your name and location to someone from that organization to provide you with support, such as spiritual care, unless you tell us not to.  Your consent is required to disclose any further information.

Fundraising, Surveys and Marketing:

Our hospital relies on patient and community support for a part of our funding.  Unless you tell us not to do so, we or others such as our Hospital Foundation may use your name and address to contact you for fundraising to ask for your support.

If you do not wish to be contacted regarding events and fundraising, please contact the Mackenzie Health Foundation.

We want to hear from you about the quality of care and services you received at Mackenzie Health. We may use your personal health information to contact you to send you surveys. This information helps us improve the care we provide. If you choose to opt out or adjust your communication preferences, you can do this through MyChart or by contacting our Patient Scheduling Office at 905-883-2004. If you have any questions about surveys, please reach out to Patient Relations at patientrelations@mackenziehealth.ca.

We may use your personal health information for marketing purposes only with your express consent.

Research, Education and Planning

We will get your permission before we use or give out your personal health information for research purposes.  However, some research projects do not require your consent under certain conditions.  These research projects must be approved by a Research Ethics Board and must have privacy safeguards in place to protect your privacy.

We may also use your personal health information for educational purposes and to plan and manage our services and may share this information with certain organizations for use in the planning and management of the health care system.

Your personal health information may be anonymized or de-identified for these purposes.

You or a person who can make decisions for you about your personal health information have the right to:

Access a copy of your personal health information

If you would like to have access to your personal health information in the custody or control of Mackenzie Health, please sign up for MyChart or contact the Health Information Services department.

Request corrections to personal health information

If you believe that the personal health information we have recorded about you is inaccurate or incomplete, please raise this with your care provider or contact the Health Information Services department.

Withdraw or withhold consent for the collection, use or disclosure of your personal health information for health care purposes (“Lockbox”)

You can limit the access, use and disclosure of your personal health information for health care purposes by placing a Consent Directive, also known as a “Lockbox” on your personal health information.  If you wish to withhold or withdraw the access, collection, and disclosure of your personal health information, please contact the Privacy Office to discuss. 

Please note that patients seeking to withdraw their consent for participation in a research study must contact the primary investigator or research coordinator of the study to do so.

For more information regarding Consent Directives (“Lockbox”):

Be notified if your personal health information is stolen, lost, or improperly accessed

Mackenzie Health takes steps to protect your personal health information from theft, loss, unauthorized access, copying, modification, use, disclosure, and disposal. We conduct audits and complete investigations to monitor and manage our privacy compliance. We ensure that everyone who performs services for us protects your privacy and only uses your personal health information for the purposes you have consented to.

The Personal Health Information Protection Act, 2004 (PHIPA) requires health information custodians to notify individuals affected by a privacy breach at the first reasonable opportunity. Notification can be by telephone or in writing. Affected individuals may file a complaint to the Information and Privacy Commissioner of Ontario.

Contact Mackenzie Health’s Privacy Office

We will promptly investigate all complaints regarding our compliance with PHIPA. All privacy complaints will be treated in a confidential manner.

If you have questions or concerns about our privacy practices, please contact our Privacy Office.

If you are concerned that another individual has inappropriately accessed your health care information or that of a loved one, please contact our Privacy Office.

File a complaint with the Information and Privacy Commissioner of Ontario

The Information and Privacy Commissioner of Ontario (IPC) is responsible for ensuring that privacy law is followed.  For more information about your privacy rights, or if you are not able to resolve a problem directly with our Hospital and wish to make a complaint, you may contact the IPC:

Information and Privacy Commissioner of Ontario

2 Bloor Street East
Suite 1400
Toronto, Ontario
M4W 1A8
info@ipc.on.ca / 1-800-387-0073 / www.ipc.on.ca
https://www.ipc.on.ca/about-us/contact-us/

Privacy Policy

All Mackenzie Health team members are required to comply with Mackenzie Health’s Privacy program as direction for protecting patient and team member information and supporting Mackenzie Health’s reputation for excellence, leadership, and empathy. This policy applies to all personal (including, but not limited to, health) information (“information”) owned by or entrusted to Mackenzie Health (MH).

Agent refers to an individual or organization authorized by Mackenzie Health (as a Health Information Custodian) to take specific actions with respect to the personal (health) information within Mackenzie Health’s custody and control (i.e., a vendor contracted to host personal health information).

Consent[1] means “the voluntary agreement with what is being done or proposed. Consent can be either express or implied. Express consent is given explicitly, either orally or in writing. Express consent is unequivocal and does not require any inference on the part of the organization seeking consent. Implied consent arises where consent may reasonably be inferred from the action or inaction of the individual.”  As per the Health Care Consent Act, consent must relate to the specific treatment or activity, it must be informed (information a reasonable person would need to make the decision), it must be given voluntarily, and it must not be obtained through misrepresentation or fraud (s.11(1)).

Freedom of Information (FOI) refers to a formal request for personal or general information that is subject to terms and conditions under the Freedom of Information and Protection of Privacy Act.

Governance refers to all of the mechanisms, processes, and oversight bodies necessary to control and direct the program, including, but not limited to, its direction, implementation and governance documentation.

Governance documentation is the set of documents documenting Mackenzie Health’s governance when related to the Privacy program. It includes, but is not limited to, the policies and procedures necessary for the efficiency of the program.

Hospital Team Member refers to all physicians, staff, volunteers, students, contractors and all others who provide goods, services or facilities on behalf of or with privileges at Mackenzie Health. 

Individual means any individual entrusting Mackenzie Health with their information like, but not limited to, patients, families, hospital team members, etc.

Information herein refers to any personal information or personal health information owned, used by, or entrusted to Mackenzie Health.

Personal Information has the same meaning as defined in section 2 of the Freedom of Information and Protection of Privacy Act (FIPPA)[2], and generally means non-health related identifying information about an individual in oral or recorded form. Examples include address, bank information, employment history, social insurance number, and any information that, directly or indirectly, identifies an individual. (Note that, when associated with personal health information, personal information is deemed to be considered health related.)

Personal Health Information has the same meaning as defined in section 4 of the Personal Health Information Protection Act (PHIPA)[3], and generally means identifying information about an individual in oral or recorded form, pertaining to that person’s health or health services provided to the individual. Examples include family health history, health card number, and any information that, directly or indirectly, identifies an individual and links them to a healthcare provider.

Privacy Specialists means Mackenzie Health hospital team members supervised by the Privacy Office who possess the required Privacy professional designations, training and/or experience.

_____________________________________

[1] Definition from the CSA standard Q830-14 Model Code for the Protection of Personal Information

[2] Available at https://www.ontario.ca/laws/statute/90f31#BK2

[3] Available at https://www.ontario.ca/laws/statute/04p03#BK5

The Privacy program will use the 10 Privacy Principles established by the Canadian Standards Association's Model Code for the Protection of Personal Information as its foundation.

Privacy Principles

Accountability

The Board of Directors of MH is accountable to individuals for the protection and privacy of the information with which MH has been entrusted. MH is committed to ensuring the highest standard of privacy and data protection is applied in the services it provides and technologies it manages whilst simultaneously providing transparency to matters of public interest.

The Board of Directors delegates authority for PHIPA compliance to the Chief Executive Officer (CEO). The CEO designates the Chief Privacy Officer (CPO) accountable for the design and implementation of privacy and data protection measures at MH.

The Board Chair delegates authority, in a duty- and power-specific manner, to the CEO and members of the Privacy Office with regards to compliance with the Freedom of Information and Protection of Privacy Act (FIPPA).  Such delegation is outlined in a Delegation of Authority Letter at the outset of any new Chair’s term, or at the discretion or recommendation of the Board of Directors or Management.

The CPO is responsible for overseeing MH’s Privacy program and ensuring compliance with respective legislation. The CPO delegates the responsibility of implementing and managing this program throughout the organization to the Manager, Privacy Office.

Key components of MH’s Privacy program include, but are not limited to:

  • the necessary governance to support the effective management and operationalization of privacy in accordance with MH’s legal, corporate and contractual requirements;
  • a risk management practice to ensure privacy risks are managed at an acceptable level not only to MH but also to the individuals who entrusted their information to MH; and
  • a network of individuals across the organization with specific privacy responsibilities.

Management at all levels of MH has primary responsibility for ensuring that information is identified and collected, used and/or disclosed within their department/unit or assigned area of management accountability in alignment with this Policy. They are also responsible for taking the appropriate measures to prevent unauthorized access to or use, damage, loss, theft, or disclosure of information.

Employees also must take reasonable privacy precautions to prevent unauthorized collection, use, loss, theft, destruction, damage, misuse or disclosure of personal information in their care or custody.

Hospital team members shall comply with the requirements of this Policy, and any supporting governance documentation to appropriately protect the personal information in their care or custody, or which they use.  Where a responsive record to an FOI is available to any hospital team members, those hospital team members must produce the record for the Privacy Office’s assessment.

Identifying Purposes

MH hospital team members shall document the purpose(s) for which personal information is collected, used and/or disclosed. Information must not be used and/or disclosed for purposes other than those for which it was collected, except with the appropriate consent of the individual or as permitted or authorized by law.

Consent

MH shall make a reasonable effort to ensure that the individual is advised of the purposes for which their information will be collected, used or disclosed. To make the consent meaningful, the purposes must be stated in such a manner that the individual can reasonably understand how the information will be used or disclosed.

MH shall obtain consent voluntarily, at or before the time that personal information is collected, and not through coercion or deception. The type of consent sought out must be reasonable under the circumstances.

MH shall make reasonable effort to inform individuals about their privacy rights and the fact that they can withdraw their consent at any time.

Limiting Collection

MH shall not collect personal information indiscriminately. Both the amount and the type of information collected shall be limited to that which is necessary to fulfil the purposes identified. MH shall specify the type of information collected as part of their information-handling governance and practices.

Limiting Use, Disclosure, and Retention

MH shall only use the collected information for the purpose(s) identified and provided to the individuals as per section 1.2 Identifying Purposes.

MH shall not retain the collected information longer than is necessary to fulfil the identified purpose(s) and/or is legally required. Records are subject to MH’s Hospital Records Maintenance and Disposal Policy.

Accuracy

MH shall strive to ensure the personal information it owns, or it is entrusted with, is kept as accurate as reasonably possible.

The extent to which personal information shall be accurate, complete, and up-to-date will depend upon the use of the information, considering the interests of the individual. Information shall be sufficiently accurate, complete, and up-to-date to minimize the possibility that inappropriate information may be used.

Individuals are permitted to request corrections to their records in MH custody and control. Such requests pertaining to health records will follow the Chart Correction Policy.

Safeguards

Security safeguards shall protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use, or modification, regardless of the format in which this information is held. These safeguards should be physical, technical, and administrative.

Physical

MH shall ensure that all personal information is physically secured, in areas restricted to authorized hospital team members or contractors authorized as MH agents.

Technical

MH shall have an Information Security program to support the Privacy program’s security requirements. The level of security applied should be reasonable under the circumstances.

Administrative

In addition to a suite of policies, the Privacy Office is responsible for a broader privacy program intended to mitigate privacy incidents. This includes advisory supports, training and education, routine organizational engagements, third-party contract stipulations, and auditing.

Auditing: All electronic systems containing personal information or personal health information must be capable of logging and recording access to all or part of the information maintained in the system. The audit log must identify:

  • the user who accessed the personal health information
  • the date and time of the access
  • the specific records that were accessed
  • the level of access (e.g., viewed, modified, deleted)
  • the location of the access

Proactive or reactive privacy audits can be initiated to:

  • monitor and review the appropriateness of all user activities in electronic health records and their compliance with MH’s privacy policies and procedures;
  • monitor where a consent directive or privacy warning flag has been implemented;
  • investigate actual or suspected privacy breaches including cases of unauthorized access; and
  • respond to inquiries or complaints by patients, families, or healthcare workers.

When working remotely, additional safeguards must be in place.  The Privacy & Freedom of Information Office will publish and maintain Privacy Guidance with respect to this topic.

Openness

MH shall be open about its governance and practices with respect to the management of personal information through a Privacy Notice. Individuals shall be able to acquire information about MH’s governance and practices without unreasonable effort. This information shall be made available in a form that is understandable.

The Privacy Office should be the primary point of contact should an individual require details of MH’s Privacy program.

With respect to FOI requests, MH will make good faith efforts to conduct a comprehensive search and in the application of any permitted exclusions or exemptions under FIPPA to any responsive records. Further, MH will make and maintain a Personal Data Bank inventory available publicly.

The Privacy Office will facilitate and engage in good faith with the Information and Privacy Commissioner of Ontario (IPC) as it relates to any privacy and/or freedom of information matters (complaint investigations, commissioner-initiated investigations, appeals, arbitration, etc.), including the submission of any reporting (i.e., mandatory breach, annual statistics regarding activities under PHIPA and FIPPA, etc.).

Individual Access

MH shall provide individuals with access to their own information within the legal time frame (if any) as required under relevant legislation. This access includes, but is not limited to, how the information was used and to whom it was disclosed.

There may be instances where such access is denied, as outlined in both PHIPA and FIPPA.

As it is recognized that some information can be sensitive, MH shall make sure that the risk level of releasing such information is reasonable under the circumstances.

As it pertains to health records, access requests will follow the Access and Disclosure of Personal Health Information Policy. With respect to accessing audit logs, the Privacy Office will ensure the contents of such logs are aligned to the requirements under PHIPA.

Contentious Issues Management

With respect to FOI requests, there may be instances where the information being requested is sensitive, controversial or potentially exposes MH or others to risk or negative consequences. In such scenarios the Privacy Office shall notify key personnel (i.e. Enterprise Risk, Communications, Senior Leadership) to provide the opportunity to prepare to manage any such consequences.  This shall not interfere with the normal handling of the request and shall occur in parallel with FOI activities under FIPPA.

Challenging Compliance

The Privacy Office shall put procedures in place to receive and respond to complaints or inquiries about their governance and practices relating to the handling of personal information. The complaint procedures should be easily accessible and simple to use.

All complaints shall be investigated. If a complaint is found to be justified, management shall take appropriate measures, including, if necessary, amending its governance and/or practices.

Individuals have the right to complain to the Information and Privacy Commissioner of Ontario if they believe that MH violated their privacy, access/correction request rights, or failed to fulfil obligations under FIPPA.

Responsibilities

The Chief Privacy Officer (CPO) is responsible for:

  • reporting to the Board of Directors as required or designating a substitute;
  • ensuring that Privacy goals are identified and that they meet organizational and legal requirements, and that they are addressed within the Privacy program.

Corporate Procurement and anybody developing and/or managing contracts are responsible for:

  • ensuring that all contracts require service providers to comply with this Policy and its supporting governance documentation or have their own governance documentation that is consistent with the requirements of this Policy.

Health Information Services is responsible for:

  • acting as the official custodian of the legal medical record;
  • addressing the good faith operations related to records management, retention/destruction, and the search and retrieval process/parameters of the legal medical record;
  • overseeing the appropriate access, release, and disclosure of personal health information;
  • ensuring that the release of personal health information does not pose an unreasonable risk to the individual and/or to a third party; and
  • maintaining and providing to the Privacy Office accurate statistics related to personal health information access requests and chart correction requests.

Human Resources are responsible for:

  • ensuring that this Policy and other awareness information are included in new-hire orientations, and that mechanisms are in place to support mandatory training compliance; and
  • developing, in collaboration with the Privacy Office, and administering processes for disciplining hospital team members for non-compliance with the Privacy program, in accordance with the laws of the jurisdiction.

Management, within their assigned area of responsibility, is responsible for:

  • ensuring all hospital team members are educated in this Policy and the governance documentation that support it;
  • ensuring this Policy is implemented effectively;
  • developing all necessary area specific governance documentation to support this Policy; and
  • identifying and protecting personal information. They are responsible for implementing all necessary privacy measures consistent with sound business practice, in compliance with corporate governance and regulatory requirements, and in line with any associated governance documentation.

The Manager, Privacy Office is responsible for:

  • leading MH’s Privacy program, which includes defining goals, objectives, and metrics consistent with the corporate Strategic Plan to ensure that the organization’s privacy principles, governance, and practices support the protection of the individuals’ information;
  • managing and coordinating the design, implementation, operation, and maintenance of MH’s privacy governance within the defined scope; and
  • actively fostering a privacy culture by leading and supporting activities both internally and externally to increase awareness of MH’s privacy principles, policies, and procedures.

Hospital team members are responsible for:

  • complying with this Policy and the governance documentation that supports it;
  • reporting (including self-reporting) instances of non-compliance, and participating in any investigative and/or corrective action; and
  • protecting the privacy of MH’s patients and hospital team members.

The Privacy Office is responsible for:

  • managing the Privacy program, developing, and maintaining the necessary governance (including the necessary oversight body(ies) and documentation) to support this Policy and provide feedback to Senior Management on the effectiveness of the program;
  • providing Privacy Specialists to meet the expectations set forth in this policy and deliver the privacy services part of the Privacy program;
  • providing a comprehensive and role-based privacy awareness and training program to comply with this Policy and its supporting governance documentation;
  • monitoring the effectiveness of the Privacy program;
  • auditing and/or reviewing departments’/units’ security practices and compliance with the Privacy program as required;
  • serving as the point of contact to individuals with respect to privacy and/or freedom of information matters; and
  • conducting all necessary reporting or engagements with the IPC as required.

Senior Management is responsible for providing the necessary guidance and support for the development and maintenance of the Privacy program, in line with privacy and legal requirements and business strategy objectives. This support includes, but is not limited to, the following:

  • integrating privacy goals into relevant processes;
  • providing clear direction and visible management support for privacy initiatives;
  • providing the resources required for privacy; and
  • approving assignment of specific roles and responsibilities for information security across the organization.

  • Canadian Standards Association standard Q830-14 Model Code for the Protection of Personal Information
  • Freedom of Information and Protection of Privacy Act[1]
  • Health Care Consent Act
  • Personal Health Information Protection Act[2]
  • Public Hospitals Act
  • Regulated Health Professions Act

 

[1] Available at https://www.ontario.ca/laws/statute/90f31

[2] Available at https://www.ontario.ca/laws/statute/04p03

Patient and Visitor Photo and Audio/Video Recording Policy

Mackenzie Health has established guidelines regarding photography and audio/video recordings by individuals to protect the privacy, confidentiality and safety of patients, visitors, staff, and hospital operations. 

We recognize that individuals may wish to take photos or audio/video recordings while in hospital or on hospital grounds.

To ensure that all recordings respect the individual privacy and confidentiality rights of others, photography and audio/video recordings are only permitted with the informed, expressed consent of all persons who may be recorded.

If you have questions, or for more information, please contact Mackenzie Health’s Privacy Office.  

Contact Our Privacy Office

Privacy Office 

10 Trench Street 
Richmond Hill, ON 
L4C 4Z3 
privacy@mackenziehealth.ca 

You may also make a complaint to the Information and Privacy Commissioner of Ontario if you believe we have violated your privacy rights. The Commissioner can be reached at: 

Information and Privacy Commissioner of Ontario 

2 Bloor Street East, Suite 1400 
Toronto, ON 
M4W 1A8 
Phone: 416-326-3333 
www.ipc.on.ca