Personal Health Information Protection Act, 2004
Information Practices Statement - County of Oxford - Emergency Medical Services (EMS)
Oxford County Public Health and Emergency Services (“OCPHES”) is committed to providing reliable pre-hospital emergency medical care and transportation of the medically ill and injured in accordance with the Ambulance Act. In order to provide these services and to ensure that you receive proper care, OCPHES needs your personal health information and, as an individual who uses our services, you have the right to know what personal health information we collect, how we use it, to whom we disclose it, and how we protect it.
Consent and Your Personal Health Information
PHIPA protects your privacy by giving you the ability to give, refuse or withdraw consent to the collection, use and/or disclosure of your own personal health information. The Act allows two forms of consent; express and implied. OCPHES operates within the realm of implied consent. For example, if you call 9-1-1 and request emergency medical assistance, our paramedics will assume you are consenting to the collection of your personal health information such as details of the current medical emergency, your family medical history, or details of your currently prescribed medications. PHIPA also allows our paramedics to rely on “assumed implied consent” to share personal health information with other health care providers for the purpose of continued care, for example doctors and nurses at the hospital. This arrangement is referred to as the “circle of care”. However, any sharing of personal health information with other health care providers for purposes other than health care or with persons or organizations that are not health care providers (such as insurers, employers, etc.) requires your express consent. PHIPA also allows you to withdraw consent at any time, but this may affect our ability to provide care.
Collection of Personal Health Information
The County of Oxford may collect your personal health information directly from you or from a person acting on your behalf such as a substitute decision-maker or a parent or legal guardian of a minor. We may also collect personal health information about you from other sources if your consent has been obtained or if the law permits or requires the collection. For example, if you were unconscious and a paramedic could not reasonably collect information directly from you, then the paramedic might ask a friend, co-worker or other witness for details related to your condition. In this case, the indirect collection was necessary for the timely provision of health care; a permitted collection under PHIPA.
County staff and agents will only collect your personal health information to support purposes allowed by law and will not collect more information than is reasonably necessary.
Use of Personal Health Information
OCPHES may use your personal health information for the following purposes:
the provision or assisting in the provision of health care;
- EMS administration and management;
- strategic planning, evaluation and monitoring related to service delivery and quality of care;
- compiling statistics for programming, surveillance or research purposes (personal information not used, generic data only);
- compliance with legal and regulatory requirements; and
- any other purposes permitted or required by law.
Disclosure of Personal Health Information
Your personal health information is private. We cannot and will not disclose it without your consent unless we are allowed or required by PHIPA or another law. PHIPA permits the sharing of personal health information without consent for a number of purposes:
- with other health care professionals for the provision of health care when it is not reasonably possible to obtain your consent, for example you are seriously ill or mentally incapacitated;
- in order to determine provincial funding or payments to the County of Oxford for the provision of health care;
- for the purpose of analysis or compiling statistical information with respect to the management of, evaluation or monitoring of, the allocation of resources to or planning for the delivery of services;
- to a person conducting an audit or accreditation review or to a person carrying out an inspection or investigation authorized by a warrant or by law; and
- pursuant to a summons, subpoena or court order.
In these situations, the disclosure of personal health information is authorized by law and OCPHES is not required to obtain your consent.
How we Protect Your Personal Health Information
The PHIPA requires a health information custodian to protect personal health information in its custody or control and to ensure that those records are retained, transferred and disposed of in a secure manner. At the County of Oxford, we employ physical, organizational, procedural and technological safeguards to protect your personal health information against loss, theft and unauthorized access, copying, modification, use, disclosure and disposal. The safe storage of your personal health information involves not only the physical security of your paper health records, such as locked filing cabinets and restricted office access, but also the technological security and administrative controls necessary to protect electronic records such as complex passwords. These technological controls also include the encryption of your personal health information being transported on laptops, tablets or any other removable storage media, such as USB keys or memory sticks.
Staff and agents of the County of Oxford that come into contact with your personal health information are aware of its sensitive nature and are required to sign a confidentiality agreement as a condition of employment. Confidentiality is considered to be breached when an employee releases or discusses the personal information of a client, patient or resident with any third party, including other staff members, without consent from the individual to whom the information relates, unless it falls under one of the legally permitted uses/disclosures. Breaches of confidentiality include accessing personal information without authorization and without a need-to-know. Disciplinary action up to and including termination of employment may be taken against any employee who breaches the confidentiality agreement.
Retention and Disposal
Both paper and electronic records are retained and destroyed in accordance with the County of Oxford’s Records Retention By-law #4957-2008. Confidential waste material (like your personal health information) is deposited into secure shredding consoles or otherwise disposed of in a manner that preserves the confidentiality of the information contained in the records.
The County of Oxford has an obligation to notify you at the first reasonable opportunity if your personal health information is lost, stolen or accessed by unauthorized persons.
Access to Your Personal Health Record
Any person can make a request for access to records. Individuals who wish to view or obtain a copy of their own personal health records are encouraged to first contact the department that holds the information.
The procedure for making a formal access request under the PHIPA is as follows:
- All requests are to be made in writing and forwarded to the attention of the Legislative Services Coordinator, Department of Corporate Services, County of Oxford, 21 Reeve Street, P.O. Box 1614, Woodstock, Ontario, N4S 7Y3. A Request to Access Personal Health Information form is available for use by the public, but a simple letter will suffice as long as it specifies that a request is being made under the Act.
- The requester must provide sufficient detail to enable the Legislative Services Coordinator, upon a reasonable effort, to identify the requested record(s).
- While there is no prescribed administration fee under PHIPA, you may be charged a reasonable cost recovery fee for photocopies of $0.20/page.
- Photo identification bearing a signature is required in order to assist in verifying the identity of the requester.
The Act requires that the municipality issue a decision letter within 30 days of receipt of the request. This means that the County must either grant access to the requested record(s) or notify the individual that access is denied along with a reason for the refusal.
Correction of Your Personal Health Record
Pursuant to Sec. 55 of the Act, you have the right to challenge the accuracy and completeness of your own personal health information held by the County if you believe there has been an error or omission.
Oxford County staff will make every effort to ensure that your personal health information is accurate, complete and up-to-date. If it is demonstrated to our satisfaction that your information is outdated, incomplete or inaccurate, it will be stricken from the record and corrected by staff.
If there is a dispute about the accuracy or completeness of the information in the record, the requester may attach an explanatory note or statement of disagreement to the information reflecting any correction that was requested but not made. If this is not satisfactory, the requester has the right to appeal.
Inquiries and Complaints
We encourage you to first direct questions, comments or complaints about County of Oxford information handling practices, or about our alleged contraventions of the PHIPA or its regulations, to the Legislative Services Coordinator (contact information below) who will investigate and attempt to resolve all complaints.
If not satisfied, you also have the right to address complaints and concerns to the IPC, the impartial body that oversees compliance with PHIPA, at the following address:
Information and Privacy Commissioner of Ontario
Suite 1400 - 2 Bloor St. E.
For more information, please contact the IPC at 416-326-3333 or toll free at 1-800-387-0073 or visit their website at www.ipc.on.ca.
How to contact us
For more information about access and privacy at the County of Oxford, please contact the Legislative Services Coordinator, Department of Corporate Services at 21 Reeve Street, P.O. Box 1614, Woodstock, ON, N4S 7Y3 or (519) 539-9800 (ext. 3017) or firstname.lastname@example.org.