Personal Health Information Protection Act, 2004
Information Practices Statement - County of Oxford – Public Health
Oxford County Public Health and Emergency Services (“OCPHES”) is responsible under the Health Protection and Promotion Act (“HPPA”) for the organization and delivery of programs and services that promote health and prevent the spread of disease. In providing some of these programs and services, OCPHES may need your personal health information and, as an individual who uses our services, you have the right to know what personal health information we collect, how we use it, to whom we disclose it, and how we protect it.
Consent and Your Personal Health Information
PHIPA protects your privacy by giving you the ability to give, refuse or withdraw consent to the collection, use and/or disclosure of your own personal health information. The Act allows two forms of consent: express and implied. Express consent is where staff must obtain explicit verbal permission or written authorization from you or your substitute decision-maker. Implied consent is where staff reasonably believe that you have agreed to the collection, use or disclosure of your personal health information. For example, PHIPA allows staff to rely on assumed implied consent to share personal health information with other health care providers for the provision of health care. This arrangement is referred to as the “circle of care”. However, any sharing of personal health information with other health care providers for purposes other than health care or with persons or organizations that are not health care providers (such as insurers, employers, etc.) requires your express consent.
Health Promotion services offered at the health unit are normally voluntary, meaning that members of the public choose to participate in the service. For these types of services, PHIPA’s express consent requirement applies. This means you may give, withhold or withdraw consent to the collection, use or disclosure of all or some of your personal health information needed by staff to provide these services. Just be aware that your decision to withhold information may limit our ability to provide care. Health Promotion services include:
- the Healthy Babies Healthy Children program for new mothers;
- dental services;
- voluntary immunizations; and
- voluntary testing for HIV or sexually transmitted diseases.
Health Protection services are normally mandated under the HPPA or other laws. This means the collection, use or disclosure of personal health information is authorized by law. In these situations, OCPHES is not required to obtain the consent of the affected individual. Examples of these types of activities include:
- the collection of information about persons who are infected with designated infectious (communicable) diseases;
- contact tracing and investigations related to disease and outbreak control;
- compiling immunization histories for school children;
- reporting of suspected child abuse cases to the Children’s Aid Society; and
- disclosure of reportable diseases and immunization information to the Ministry of Health and Long-Term Care.
Some OCPHES services are regulatory in nature and do not generally require the collection of personal health information. Information collected in carrying out these types of activities is generally subject to the MFIPPA, not the PHIPA. Examples include:
- inspection of food premises for compliance with food safety regulations;
- enforcing rabies vaccination requirements for pets;
- private sewage system approvals; and
- enforcement of the Smoke-Free Ontario Act.
Consent for Children under 16 Years of Age
Many Public Health activities are available to or directly delivered to youth less than 16 years of age (e.g. immunization, health education and counseling, and school-based activities). Custodial parents of children younger than 16 years of age normally exercise the privacy rights relating to the child's information, but there are exceptions. PHIPA also allows children to give, withhold or withdraw consent to the collection, use and disclosure of their own personal health information if:
- it relates to treatment requiring consent under the Health Care Consent Act, 1996;
- the minor decides on his/her own to seek counseling or to use a Public Health service; or
- the minor's decision conflicts with that of a parent or guardian.
Collection and Use of Personal Health Information
OCPHES staff may collect your personal health information directly from you or from a person acting on your behalf such as a substitute decision-maker or a parent or legal guardian of a minor. We may also collect personal health information about you from other sources if your consent has been obtained or if the law permits or requires the collection. County staff and agents will only collect your personal information to support purposes allowed by law and will not collect more information than is reasonably necessary.
OCPHES staff and agents may use your personal health information for the following purposes:
- the provision or assisting in the provision of health care;
- public health administration and management;
- program planning, delivery, evaluation and monitoring;
- processing payments for the provision of health related goods or services;
- compiling statistics for programming, surveillance or research purposes (personal information not used, generic data only);
- compliance with legal and regulatory requirements; and
- any other purposes permitted or required by law.
Disclosure of Personal Health Information
Your personal health information is private. We cannot and will not disclose it without your consent unless we are allowed or required by PHIPA or another law. PHIPA permits the sharing of personal health information without consent for a number of purposes:
- with other health care professionals for the provision of health care when it is not reasonably possible to obtain your consent, for example, if you are seriously ill or mentally incapacitated;
- in order to determine provincial funding or payments to the County of Oxford for the provision of health care services;
- determining or verifying the eligibility of an individual to receive coverage for health related services funded in whole or in part by the province, a local health integration network or the municipality;
- to the Ontario Agency for Health Protection and Promotion if the disclosure is made for a purpose of the Ontario Agency for Health Protection and Promotion Act, 2007;
- in order to eliminate or reduce a significant risk of serious bodily harm to a person or group of persons;
- for the purpose of a legal proceeding or pursuant to a summons, subpoena or court order;
- to a person carrying out an inspection or investigation authorized by a warrant or by law; or
- for the purpose of analysis or compiling statistical information with respect to the management of, evaluation or monitoring of, the allocation of resources to or planning for the delivery of services.
In these situations, the disclosure of personal health information is authorized by law and OCPHES is not required to obtain your consent.
How we Protect Your Personal Health Information
The PHIPA requires a health information custodian to protect personal health information in its custody or control and to ensure that those records are retained, transferred and disposed of in a secure manner. At the County of Oxford, we employ physical, organizational, procedural and technological safeguards to protect your personal health information against loss, theft and unauthorized access, copying, modification, use, disclosure and disposal. The safe storage of your personal health information involves not only the physical security of your paper health records, such as locked filing cabinets and restricted office access, but also the technological security and administrative controls necessary to protect electronic records such as complex passwords. These technological controls also include the encryption of your personal health information being transported on laptops, tablets or any other removable storage media, such as USB keys or memory sticks.
Staff and agents of the County of Oxford that come into contact with your personal health information are aware of its sensitive nature and are required to sign a confidentiality agreement as a condition of employment. Confidentiality is considered to be breached when an employee releases or discusses the personal information of a client, patient or resident with any third party, including other staff members, without consent from the individual to whom the information relates, unless it falls under one of the legally permitted uses/disclosures. Breaches of confidentiality include accessing personal information without authorization and without a need-to-know. Disciplinary action up to and including termination of employment may be taken against any employee who breaches the confidentiality agreement.
Retention and Disposal
Both paper and electronic records are retained and destroyed in accordance with the County of Oxford’s Records Retention By-law #4957-2008. Confidential waste material (like your personal health information) is deposited into secure shredding consoles or otherwise disposed of in a manner that preserves the confidentiality of the information contained in the records.
The County of Oxford has an obligation to notify you at the first reasonable opportunity if your personal health information is lost, stolen or accessed by unauthorized persons.
Access to Your Personal Health Record
Any person can make a request for access to records. Individuals who wish to view or obtain a copy of their own personal health records are encouraged to first contact the department that holds the information.
The procedure for making a formal access request under the PHIPA is as follows:
- All requests are to be made in writing and forwarded to the attention of the Legislative Services Coordinator, Department of Corporate Services, County of Oxford, 21 Reeve Street, P.O. Box 1614, Woodstock, Ontario, N4S 7Y3. A Request to Access Personal Health Information form is available for use by the public, but a simple letter will suffice as long as it specifies that a request is being made under the Act.
- The requester must provide sufficient detail to enable the Legislative Services Coordinator, upon a reasonable effort, to identify the requested record(s).
- While there is no prescribed administration fee under PHIPA, you may be charged a reasonable cost recovery fee for photocopies of $0.20/page.
- Photo identification bearing a signature is required in order to assist in verifying the identity of the requester.
The Act requires that the municipality issue a decision letter within 30 days of receipt of the request. This means that the County must either grant access to the requested record(s) or notify the individual that access is denied along with a reason for the refusal.
Correction of Your Personal Health Record
Pursuant to Sec. 55 of the Act, you have the right to challenge the accuracy and completeness of your own personal health information held by the County if you believe there has been an error or omission.
Oxford County staff will make every effort to ensure that your personal health information is accurate, complete and up-to-date. If it is demonstrated to our satisfaction that your information is outdated, incomplete or inaccurate, it will be severed from the record and corrected by staff.
If there is a dispute about the accuracy or completeness of the information in the record, the requester may attach an explanatory note or statement of disagreement to the information reflecting any correction that was requested but not made. If this is not satisfactory, the requester has the right to appeal.
Inquiries and Complaints
We encourage you to first direct questions, comments or complaints about County of Oxford information handling practices, or about our alleged contraventions of the PHIPA or its regulations, to the Legislative Services Coordinator (contact information below) who will investigate and attempt to resolve all complaints.
If not satisfied, you also have the right to address complaints and concerns to the IPC, the impartial body that oversees compliance with PHIPA, at the following address:
Information and Privacy Commissioner of Ontario
Suite 1400 - 2 Bloor St. E.
For more information, please contact the IPC at 416-326-3333 or toll free at 1-800-387-0073 or visit their website at http://www.ipc.on.ca.
How to contact us
For more information about access and privacy at the County of Oxford, please contact the Legislative Services Coordinator, Department of Corporate Services at 21 Reeve Street, P.O. Box 1614, Woodstock, ON, N4S 7Y3 or (519) 539-9800 (ext. 3017) or firstname.lastname@example.org.