Header Image - diagnostics-updated-1600795669.jpg

St. Francis Memorial Privacy Policy

home >> Resources

 SFMH PRIVACY STATEMENT

St. Francis Memorial Hospital (SFMH) recognizes that privacy, confidentiality, and security of personal health information (PHI) are fundamental patient rights that must be protected. This includes the right of each individual patient to determine when, how, and to what extent their personal health information is disclosed. Additionally, each patient shall be assured that PHI is secure from unauthorized use or disclosure. Protection of personal health information includes all PHI related to patients, employees, medical staff, students, volunteers, and contractual workers. Staff members are accountable for maintaining the privacy and confidentiality of PHI, as outlined in this and related policies and procedure both during and after their employment or  professional contact with SFMH. Collection, use, access, and disclosure of personal information by staff members is solely on a need-to- know basis to perform job duties.

Privacy Policy General Compliance Principles

  1. The purpose for which personal health information is collected shall be identified at or before the time the information is collected. Information posters and brochures are available for patients of SFMH outlining this information.

  1. Whenever possible, personal health information will be collected directly from the individual. In cases when this is not possible, personal health information will be collected indirectly from a family member or friend / coworker for the purpose of providing health care, in the absence of the Substitute Decision Maker.

  1. There shall be no collection, use or disclosure of personal health information if other information will serve the purpose.

  1. There shall be no collection, use or disclosure of more personal health information than is necessary to meet the purpose.

  1. When consent is obtained for the collection, use or disclosure of personal health information, there shall be no collection, use or disclosure of such information for any purpose other than to which the person has consented, or for any purpose that a reasonable person would not consider appropriate in the circumstances.
  1. It is understood that contractual arrangements with third parties shall be made in keeping with the established privacy principles.

  1. Follow departmental procedures for determining capacity and obtaining consent, if consent is not expressed, implied, or informed.

  1. Follow departmental procedures for security of personal health information.

  1. Challenges concerning compliance with the Privacy Policy and / or relevant legislation, will be directed, in writing, to the Director of Operations.

  1. The role of staff members is to protect the privacy, confidentiality, and security of personal information of patients and other staff members. Staff members’ responsibilities include:

  • Reviewing the Privacy Policy and related procedures dealing with security of personal information.
  • Practicing secure behaviors at all times, such as discussing personal health information in areas* where it cannot be overheard, and not sharing passwords

  • It is understood that there are locations within SFMH where health care providers perform their duties that are “public” in nature and are open and accessible by the general public.

For example, nursing stations, rooms with multiple patients, registration areas are generally open and accessible by the general public, and hence, are not private. In these circumstances, confidentiality may be difficult to achieve, and the responsibility of the staff member is to take reasonable and practical means of protecting the individual’s privacy.

  1. Violation of Privacy Policy is grounds for disciplinary action.

Background and Definitions

On November 1, 2004, the Personal Health Information Protection Act, 2004 (PHIPA) came into force.

Reference:      Health Information Protection Act, 2004 – Bill 31

Schedule A:  The Personal Health Information Protection Act 2004 (PHIPA)

Schedule B:    The Quality of Care Information Protection Act, 2004 (QCIPA)

Website: http://www.e-laws.gov.on.ca/, and key in Health Information Protection Act.

 

Health Information Custodians & Agents

Health information custodians are defined as any person or organization who controls other people’s personal health information as part of their role as:

  • a health care practitioner or operator of a group practice of health care practitioners,
  • a service provider who provides a community service under the Long-Term Care Act,
  • a community care access corporation under the Community Care Access Corporations Act,
  • someone who operates one of the following facilities, programs, or services:
    • a hospital under the Public Hospitals Act, a private hospital under the Private Hospitals Act, a psychiatric facility under the Mental Health Act, an institution under the Mental Hospitals Act or an independent health facility under the Independent Health Facilities Act,
    • an approved charitable home for the aged under the Charitable Institutions Act, a placement coordinator under the Charitable Institutions Act, a home or joint home under the Homes for the Aged and Rest Homes Act, a placement coordinator under the Homes for the Aged and Rest Homes Act, a nursing home under the Nursing Homes Act, a placement coordinator under the Nursing Homes Act or a care home under the Tenant Protection Act,
    • a pharmacy under the Drug and Pharmacies Regulation Act,
    • a laboratory or specimen collection center under the Laboratory and Specimen Collection Centre Licensing Act,
    • an ambulance service under the Ambulance Act,
    • a home for special care under the Homes for Special Care Act, or
    • a center, program or service for community health or mental health whose primary purpose is to provide health care,
  • an evaluator under the Health Care Consent Act or an assessor under the Substitute Decisions Act,
  • a medical officer of health or a board of health under the Health Protection and Promotion Act,
  • the Minister or Ministry of Health and Long-Term Care, and
  • any other person described as a health information custodian under the regulations to the Act with custody or control of personal health information as part of performing powers, duties, or work.

Agents, in relation to a health information custodian, are persons that, with the authorization of the custodian, act for or on behalf of the custodian with respect to personal health information for the purposes of the custodian whether the agent has the authority to bind the custodian, is employed by the custodian or is being paid. Agents of the health information custodians are subject to the same legislative requirements. Examples of agents are:

  • employees
  • physicians with privileges at St. Francis Memorial Hospital
  • volunteers
  • students
 

The Personal Health Information Protection Act (PHIPA)

The Personal Health Information Protection Act, hereinafter referred to as the Act, regulates how health information custodians such as SFMH collect, use, retain, transfer, disclose, provide access to, and dispose of patients’ personal health information.

The purposes of the Act are to:

  • establish rules for the collection, use and disclosure of personal health information that protect the confidentiality of that information and the privacy of individuals, while facilitating the effective provision of health care,
  • to provide individuals with a right to access and correct their personal health information (with a few limited and specific exceptions),
  • provide for independent review and resolution of complaints about personal health information, and
  • provide effective remedies for contraventions of the Act.

The expectation is that the collection, use and disclosure of personal information by agents of SFMH is strictly on a legitimate need-to-know basis to perform job duties, or when authorized to do so through informed consent or legislative requirements.

Personal Health Information (PHI)

Personal health information (PHI) is any identifying information provided about an individual in oral, written, or electronic format that relates to:

  • a person’s physical or mental health or family health history
  • health care an individual receives, including who provided the health care
  • a plan of service for an individual under the Long-Term Care Act,
  • an individual’s eligibility for health care payments or the payments made for an individual’s health care,
  • an individual’s donation of any body part or bodily substance or anything derived from testing or examining a donated body part or bodily substance,
  • an individual’s health number,
  • anything that identifies an individual’s substitute decision-maker (SDM), and
  • anything that identifies an individual and that is contained in a personal health record.

Personal health information does not include records maintained for human resources purposes

Circle of Care

The term “circle of care” is not a defined term in the Personal Health Information Protection Act, 2004 (PHIPA). It is a term commonly used to describe the ability of certain health information custodians to assume an individual’s implied consent to collect, use or disclose personal health information for the purpose of providing health care, in circumstances defined in PHIPA.

The term “circle of care” normally includes those identified in the list below who provide health care or assist in providing health care to a particular patient:

  • health care practitioners and groups of health care practitioners,
  • public and private hospitals
  • pharmacies,
  • laboratories,
  • ambulance services,
  • community care access corporations,
  • community service providers (defined in the Long-Term Care Act),
  • psychiatric facilities,
  • independent health facilities,
  • homes for the aged, rest homes, nursing homes, care homes and homes for special care, and
  • community health or mental health centers, programs and services whose primary purposes are providing health care

Members of a particular patient’s “circle of care” can provide health care to that patient based on implied consent to collect, use and disclose the patient’s personal health information for that care, unless they know that the patient has expressly withheld or withdrawn consent. The “circle of care” does not include those health care practitioners who do not provide health care to the patient.

Health care, as defined in the Act, means treating, observing, examining, assessing, or caring for a person for a health-related purpose and includes:

  • diagnosing, treating, or maintaining the person’s physical or mental condition
  • preventing disease or injury and promoting health
  • providing a service as part of palliative care
  • compounding, dispensing or selling drugs, devices, equipment or any other item prescribed to an individual.
  • any community service a service provider performs – see the Long Term Care Act.

Such information shall not be collected, used, or disclosed without the prior knowledge and consent of the individual concerned, except as required by Federal and/or Provincial statutes, or for any purpose that a reasonable person would not consider appropriate in the circumstances.

 

Privacy Principles

The ten privacy principles, which are derived from the Canadian Standards Association’s Model Code for the Protection of Personal Information, form the basis of the SFMH Privacy Policy, and govern the collection, use, disclosure, and protection of personal health information.

  1. Accountability
  2. Identifying Purposes
  3. Consent
  4. Limiting Collection
  5. Limiting Use and Disclosure
  6. Accuracy
  7. Safeguards
  8. Openness
  9. Access
  10. Challenging Compliance
 

Policy

Accountability for Personal Information

SFMH is ultimately responsible for personal information under its control and has designated an individual who is accountable for the organization’s compliance with this privacy policy, related procedures, and legislation.

  • At SFMH, the Manager of Health Information Services shall assume the responsibilities of the Chief Privacy Officer (CPO)
  • The name of the CPO designated by SFMH to oversee its compliance with these principles is a matter of public record and is indicated on the SFMH Written Statement of Information Practices, patient information pamphlets, and on the SFMH website.
  • SFMH is responsible for personal information in its possession, including information that has been transferred to a third party for processing. Contractual or other means shall be used to provide a comparable level of protection for the information being processed by a third party.
  • To ensure compliance with the legislation, SFMH shall have:
    • policies and procedures to ensure that personal information is protected.
    • procedures to respond to complaints and inquiries.
    • education and training for staff about privacy policies
    • procedures in place to ensure that agents understand their responsibilities to comply with the legislation.
    • information pamphlets to explain privacy policies and procedures in place.
 

Identifying Purposes for the Collection of Personal Information

At or before the time PHI is collected, SFMH shall identify the purposes for which PHI is collected, used, and disclosed and shall provide notice to its patients through reasonable means (e.g. signage, information brochures, web site). 

  • Identifying the purposes for which personal health information is collected at or before the time of collection allows SFMH to determine the information it needs to collect to fulfill these purposes. The Limiting Collection principle (# 4) requires that SFMH collect only that information that is necessary for the purposes that have been identified.
  • When personal health information that has been collected is to be used for a purpose not previously identified, the new purpose must be identified prior to use. Unless the new purpose is required to be collected by law, the consent of the individual is required before the information can be used for that purpose.

Consent for Collection, Use and Disclosure of Personal Health Information

In general, implied or express consent from the individual is required prior to the collection, use or disclosure of PHI, except where permitted by law, or where inappropriate.

Typically, SFMH relies upon implied consent when the purpose of collection, use and disclosure of PHI is for the provision of or assistance in the provision of health care. Express consent is required when the collection, use and disclosure of PHI is not for the purpose of providing health care. 

  • The consent must be valid. To be a valid, the consent must be obtained voluntarily, directly from the patient, if capable, or from the patient’s SDM, if the patient does not have the capacity to consent. The consent must be knowledgeable and related to the information in question. (Refer to Consent Policy).
  • SFMH shall not collect, use or disclose personal health information without patient/SDM consent only when legally required to do so, or when necessary for the purpose of eliminating or reducing a significant risk of serious bodily harm to a person or a third party.
  • An individual has the right to refuse, withdraw or place conditions on their consent, and SFMH shall inform the individual of the implications.
  • An individual may withdraw consent at any time, subject to legal or contractual restrictions and reasonable notice. SFMH shall inform the individual of the implications of such withdrawal.

  • Note: In certain circumstances, personal health information can be collected, used or disclosed without the knowledge and consent of the individual. Legal, medical or security reasons, for example, may make it impossible or impractical to seek consent. When information is being collected for the detection and prevention of fraud or for law enforcement, seeking the consent of the individual may defeat the purpose for collecting the information. Seeking consent may be impossible or inappropriate when the individual is a minor, is seriously ill, or mentally incapacitated. In addition, if SFMH does not have a direct relationship with the individual, seeking consent may not always be possible.
 

Limiting Collection of Personal Information

At SFMH, the collection of PHI shall be limited to that which is necessary for the purposes identified by the organization. The purposes are clearly outlined in the SFMH Statement of Written Information Practices.

  • SFMH shall not collect personal health information indiscriminately and shall specify the type of information collected as part of their information-handling practices, in accordance with the Openness principle (# 8).
  • Information is collected by fair and lawful means. Consent with respect to collection must not be obtained through deception or coercion.

Limiting Use, Disclosure and Retention of Personal Health Information

PHI shall not be used or disclosed for purposes other than those for which it is collected, except with the consent of the individual, or as required by law. Refer to Appendix A: Personal Health Information: Disclosure and Tables 1, 2 & 3 Disclosure refers to access by individuals other than patients or their substitute decision makers. PHI will be retained only as long as necessary for the fulfillment of those purposes.

  • When using PHI for a new purpose, SFMH shall document this new purpose and ensure there is consent of the individual.
  • SFMH has guidelines and procedures in place with respect to the retention of PHI. These guidelines include minimum and maximum retention periods. Refer to Records Retention:  Summary of Retention Periods. PHI that has been used to decide about an individual will be retained long enough to allow the individual access to the information after the decision has been made. SFMH is subject to and will comply with legislative requirements under the Public Hospitals’ Act with respect to retention periods.
  • PHI that is no longer required to fulfill the identified purposes shall be destroyed, or de-identified. SFMH has developed policies and implemented procedures to govern the destruction and de-identification of personal health information.  Refer to Records Retention and Destruction Policy.

Accuracy of Personal Information

PHI collected shall be as accurate, complete, and up to date as is necessary for the purposes for which it is to be used.

  • The extent to which PHI is accurate, complete, and up to date will depend upon the use of the information, considering the interests of the individual. Information will generally be sufficiently accurate, complete, and up to date to minimize the possibility that inappropriate information may be used to decide about the individual.
  • PHI that is used on an ongoing basis, including information that is disclosed to third parties, will be accurate and up to date, unless limits to the requirement for accuracy are clearly set out.
 

Safeguards for Personal Health Information

Security safeguards appropriate to the sensitivity of the information shall protect PHI. If PHI is stolen, lost or accessed by unauthorized persons, the patient(s) must be informed as soon as possible, in writing, of the breach of privacy. Refer to Privacy Breach: Policy and Process.

  • The security safeguards in place reasonably protect personal health information stored at SFMH against loss or theft, as well as unauthorized access, disclosure, copying, use or modification. SFMH shall protect PHI regardless of the format in which it is held.
  • The nature of the safeguards varies depending upon the sensitivity of the information that has been collected, the amount, distribution, format of the information, and the method of storage. A higher level of protection is required to safeguard more sensitive information, such as medical and health records.
  • The methods of protection in place at SFMH include:
    • Physical measures, for example, locked filing cabinets / rooms, and restricted access to offices.
    • Technological measures, for example, the use of passwords, firewalls, and audits as access controls.
    • Administrative controls, for example, access restrictions, staff education and training, and confidentiality agreements.
  • Employees of SFMH receive education and training to ensure they are aware of the importance of maintaining the confidentiality of personal health information. As a condition of employment, all new employees must sign the SFMH Pledge of Confidentiality.
  • Disposal or destruction of personal information and personal health information is by containment and subsequent shredding to prevent unauthorized parties from gaining access to the information.

Openness about Privacy Policy

SFMH shall make specific information available and be open about its policies and practices relating to the management of PHI.

  • Individuals can acquire information about SFMH’s policies and practices without unreasonable effort. This information is made available in a format that is generally understandable.
  • The information made available will include:
    • The name or title, and the address of the CPO, who is accountable for the privacy policies and practices of SFMH, and to whom complaints or inquiries can be forwarded.
    • The means of gaining access to PHI held by SFMH.
    • A description of the types of PHI held by SFMH, including a general account of its use;
    • A copy of any brochures or other information that explain SFMH’s policies, standards, or codes; and
    • What personal information is made available to related organizations.
  • SFMH may make information on its policies and practices available in a variety of ways. For example, brochures are made available in high traffic patient areas, online access on the website provides information and an avenue to register a concern.
 

Individual Access to Personal Information

Patients or their SDM’s have the right to access their personal health records, except under special circumstances. An SDM can request access on a patient’s behalf because the right of access exists whether the patient has capacity.

Patients may request access to their personal health records orally or in writing. Oral requests for access may occur informally, often while the patient is still receiving care, and will be responded to by the Unit Charge Nurse, in most circumstances. Access may be granted in the presence of the attending physician, the Unit Charge Nurse, or the Director of Patient Care Services. To invoke the rights and procedural requirements set out in the PHIPA, requests for access must be in writing to the Clinical Records Manager.

Note: In certain situations, SFMH may not be able to provide access to all the personal information it holds about an individual. Exceptions to the access requirement will be limited and specific. The reasons for denying access will be provided to the individual upon request. Exceptions may include information that cannot be disclosed for legal, security, or commercial proprietary reasons, and information that is subject to solicitor- client or litigation privilege. Refer to Appendix B: Personal Health Information: Access to Personal Health Record.

  • Upon request for access to a personal health record, SFMH shall verify the patient’s identity or the SDM’s authority.
  • SFMH shall determine if the request contains sufficient information to locate the record. If unable to do so, the individual can be asked to provide additional information to be used only for this purpose. If the record is unable to be located after a reasonable search, the requestor is informed in writing.
  • SFMH shall determine if a legal exception applies to providing access. Refer to

Appendix B:  Reason for Refusal of Access Table.

If a legal exception applies:

  • Inform the requestor in writing that you are refusing access, in whole or in part, and why you are doing so,
  • Where possible, sever the record and provide access only to the part of the record where no legal exception applies,
  • Inform the requestor about how to register a complaint, and if the requestor is not satisfied with the resolution of the complaint, the requestor may complain to the Information and Privacy Commissioner/Ontario.
  • There are circumstances where SFMH will be unable to inform the requestor that a personal health record exists.
  • If no legal exception applies and the record can be located, SFMH shall provide access by showing the original record. SFMH permits the individual monitored access to this information to ensure that the original record is not altered in any way. Medical information shall be made available in the presence of a medical practitioner to answer any questions about any medical terms or abbreviations used in the record. In addition, SFMH shall provide an account of the use that has been made or is being made of this information and an account of the third parties to which it has been disclosed.
  • SFMH shall endeavor to be as specific as possible when providing an account of third-parties to which it has disclosed an individual’s personal information. When it is not possible to provide a list of organizations to which it has disclosed information about an individual, SFMH shall provide a list of organizations to which it may have disclosed information about the individual.
  • SFMH shall respond to an individual’s request within 30 days from the date of the request and at minimal cost to the individual.
  • When an individual successfully demonstrates the inaccuracy or incompleteness of personal health information, SFMH shall amend the information, as required. Refer to Appendix C: Personal Health Information: Request for Correction. Depending upon the nature of the information challenged, amendment involves the correction, deletion, or addition of information. Where appropriate, the amended information shall be transmitted to third parties having access to the information in question.
  • When a challenge is not resolved to the satisfaction of the individual,
  • SFMH will document the unresolved issues. When appropriate, the existence of the unresolved challenge will be transmitted to third parties having access to the information in question.

Challenging Compliance with the Privacy Policy

An individual shall be able to address a challenge concerning compliance with this policy to the CPO at SFMH

  • SFMH has procedures in place to receive and respond to complaints or inquiries about their policies and practices relating to the handling of personal information.
  • SFMH shall inform individuals who make inquiries or lodge complaints of the existence of relevant complaint procedures.
  • SFMH shall investigate all complaints. If a complaint is found to be justified, the Hospital shall take appropriate measures, if necessary, amending its policies and practices.

 

Relevant Legislation

  • Public Hospital’s Act
  • Health Care Consent Act, 1996
  • Substitute Decisions Act, 1992
  • Mental Health Act
  • Long-Term Care Act
  • Employment Standards Act
  • Coroner’s Act
  • Child and Family Services Act
  • Regulated Health Professions Act

DISCLOSURE

The issue of disclosure of personal health information is complex. The following tables provide a pictorial representation of the most common examples of disclosures to help determine when disclosure must or can be made.

Mandatory Disclosure

The Personal Health Information Protection Act specifically permits the disclosure of personal health information for a number of purposes as required by other statutes. Consent is not required for these specific purposes. Refer to Table 1 for examples of information that you are required to provide under mandatory disclosure.

Disclosure for Health Related Programs and Legislation

Refer to Table 2 for examples of personal health information that may be disclosed. Refer to

Consent Policy for additional information on consent requirements.

Disclosure to Lawyers, Insurance Companies, Adjusters, Investigators, Legal Authorities and Law Enforcement

Refer to Table 3 for examples of personal health information that may be disclosed, and consent requirements for such disclosure.

 

MANDATORY DISCLOSURE TABLE

To Whom Disclosure Must Be Made

What Information Must Be Disclosed

Authority

Aviation Medical Advisor (note this is mandatory disclosure for a physician, not for a hospital)

Information about flight crew members, air traffic controllers or other aviation license holders who have a condition that may impact their ability to perform their job in a safe manner.

Aeronautics Act

Chief Medical Officer of Health

Information to diagnose, investigate, prevent, treat or contain communicable diseases.

Health Promotion & Protection Act Personal Health Information Protection Act

Chief Medical Officer of Health or Medical Officer of Health or physician designated by Chief Medical Officer of Health

Information to diagnose, investigate, prevent, treat or contain FRI (Febrile Respiratory Illness) or SRI (Severe Respiratory Illness)

Public Hospitals Act

Children’s Aid Society

Information about a child in need of protection (e.g. abuse or neglect)

Child and Family Services Act

College of a Regulated Health Care Professional

Where there are reasonable ground to believe a health care professional has sexually abused a patient, details of the allegation, name of the health care professional and name of the allegedly abused patient. The patient’s name can only be provided with consent. The individual filing the report must also include their name.

Regulated Health Professions Act

College of a Regulated Health Care Professional

A written report, within 30 days, regarding revocation, suspension, termination or dissolution of a health care professional’s privileges, employment or practice for reasons of professional misconduct, incapacity or incompetence.

Regulated Health Professions Act
 

To Whom Disclosure Must Be Made

What Information Must Be Disclosed

Authority

College of Physicians & Surgeons of Ontario

Information about the care or treatment of a patient by the physician under investigation. Notice must be given to the Chief of Staff and the COO of the hospital.

Public Hospitals Act

Coroner or designated Police Officer

Facts surrounding the death of an individual in prescribed circumstances (e.g. violence, negligence or malpractice). Information about a patient who died while in hospital after being transferred from a listed facility, institution or home. Information requested for the purpose of an investigation.

Coroners Act

Minister of Health & Long Term Care

Information for data collection, organization and analysis.

Public Hospitals Act

Ontario Health Insurance Plan

Information about the funding of patient services.

Public Hospitals Act

Order, warrant, writ, summons, subpoena or other process issued by an Ontario court

Information outlined on warrant, summons, etc.

Personal Health Information Act

Physician Assessor appointed by the MOHLTC

Information to evaluate applications to the Underserviced Area Program

Public Hospitals Act

Registrar General

Births and deaths

Vital Statistics Act

Registrar of Motor Vehicles

Name, address and condition of a person who has a condition that may make it unsafe for them to drive.  Note that this is mandatory disclosure for a physician not a hospital)

Highway Traffic Act
 

To Whom Disclosure Must Be Made

What Information Must Be Disclosed

Authority

Trillium Gift of Life Network

For tissue donation or transplant purposes, notice of the fact that a patient died or is expected to die imminently. Consent must be decided jointly with the Network to determine the need to contact the patient of SDM.

Trillium Gift of Life Network Act

Workplace Safety and Insurance Board

Information the Board requires about a patient receiving benefits under the Workplace Safety and Insurance Act.

Workplace Safety and Insurance Act.
 

TABLE 2

DISCLOSURE FOR HEALTH RELATED PROGRAMS & LEGISLATION

Person requesting Record or Patient Information

Purpose

Consent Needed

Authority

Ambulance Services Operator or Delivery Agent or the Minister of Health & LTC

Administration/enforcement of the Ambulance Act.

No

Ambulance Act

Cancer Care Ontario (CCO)

Canadian Institute for Health Information (CIHI) Institute for Evaluative Sciences (ICES) Pediatric Oncology Group of Ontario

Analyze or compile statistical information.

No

Personal Health Information Protection Act

Chief Medical Officer of Health or Medical Officer of Health or physician

designated by Chief Medical Officer of Health

Reporting communicable diseases.

No

Health Protection and Promotion Act

College of Pharmacists Investigator

Administration/enforcement of the Drug Interchangeability and Dispensing Fee Act

No

Drug Interchangeability and Dispensing Fee Act

College under the RHPA or Social Work and Social Services Act or Board of Regents under the Drugless Practitioners Act

Administration/enforcement of the relevant statutes

No

Personal Health Information Protection Act

Deputy Minister of Veteran’s Affairs or person with express direction

Review information about the care received by a member of the Canadian Armed Forces

No

Public Hospitals Act

Person requesting Record or Patient Information

Purpose

Consent Needed

Authority

Individual assessing patient capacity who is not providing care to the patient

To assess capacity under the Substitute Decisions Act, Health Care Consent Act or Personal Health Information Protection Act

No

Substitute Decisions Act, Health Care Consent Act Personal Health Information Protection Act

Minister Inspector

Administration/enforcement of the Public Hospitals Act

No

Public Hospitals Act

Minister Inspector

Enforcement of Drug and Pharmacies Regulation Act

No

Drug and Pharmacies Regulation Act

Public Guardian and Trustee

Investigate an allegation that a patient is unable to manage their property.

No

Public Hospitals Act Personal Health Information Protection Act

Public Guardian and Trustees Children’s Lawyer

Residential Placement Advisory Committee Registrar of Adoption Information, Children’s Aid Society

Carry out their duties and, for the Public Guardian and Trustee, to investigate serious adverse harm resulting from alleged incapacity.

No

Personal Health Information Protection Act

DISCLOSURE TO LAWYERS, INSURANCE COMPANIES, ADJUSTERS, INVESTIGATORS, LEGAL AUHTORITIES AND LAW ENFORCEMENT

Person requesting Record or Patient Information

Purpose

Consent Needed

Authority

Lawyers, insurance companies, adjusters on behalf of patient

Assist patient with a claim or proceeding.

Yes

Express Consent

Lawyers, insurance companies, adjusters on behalf of a third party if the third party is an agent or former agent of the hospital/physician.

Assist third party with a proceeding.

No

Personal Health Information Protection Act

Head of penal or custodial institution or an officer in charge or a psychiatric facility where the patient is being lawfully detained.

Assist with health care or placement decisions.

No

Personal Health Information Protection Act

Investigator or inspector

Conduct an investigation or inspection authorized by a warrant or law.

No

Personal Health Information Protection Act

Police without a warrant

Legal authorities and law enforcement.

Yes

Express Consent

Police without a warrant

Where there are reasonable ground to believe that the disclosure is necessary for the purpose of eliminating or reducing a significant risk of serious bodily harm.

No

Personal Health Information Protection Act

Probation and Parole Services

Legal authorities and law enforcement.

Yes

Express Consent