As a health information custodian (HIC), Nucleus Independent Living (Nucleus), the CEO and its Board of Directors are committed to respecting the privacy rights of individuals and due to its sensitivity, ensuring a high level of protection of the personal health information (PHI) Nucleus Independent Living has in its custody and control.
To ensure that Nucleus Independent Living, its agents and health information network provider (HINP) comply with the Personal Health Information Protection Act (PHIPA).
- Nucleus collects, uses, discloses and retains personal health information (PHI) for:
- providing health care or assisting in providing health care, including communicating with health care providers;
- contacting next of kin or an individual authorized to act on behalf of an individual;
- educating agents to provide health care;
- conducting activities to improve quality of care or the quality of any program or service;
- planning, administering and managing its internal operations;
- processing, monitoring, verifying or reimbursing claims for payment for the provision of health care or health care related goods and services;
- reporting requirements;
- research; and
- other purposes as permitted by PHIPA or required by law.
- Nucleus will not collect, use or disclose PHI if other information will serve the purpose or more than is necessary to meet the purpose.
- Nucleus will only collect, use or disclose PHI if the individual consents or do so without consent if it is permitted or required by PHIPA.
- Nucleus will comply with an individual/consumer’s notice/request to withdraw consent to collect, use or disclose his/her personal health information, whether consent was implied or express.
- Nucleus endeavours to ensure that PHI is as accurate, complete and up-to-date as necessary for the purposes it is used and/or disclosed.
- Nucleus uses reasonable administrative, technical and physical safeguards in the circumstances to ensure PHI is protected from theft, loss and unauthorized use, disclosure, copying, modification or disposal while at rest, in transit or in use.
- Nucleus follows its breach protocol in the event of a privacy breach.
- Nucleus’ agents sign confidentiality agreements and take mandatory training to comply with this policy.
- Nucleus provides individuals/patients timely access to their PHI and with a written request, the right to correct a record that he/she believes is not accurate or complete.
- Nucleus makes its policy and practices governing PHI readily available to the public, has a designated contact person and makes it known that the individual is entitled to complain to the Information and Privacy Commissioner of Ontario.
- Nucleus includes privacy impact assessments as part of its overall enterprise risk management strategy.
- Nucleus monitors, evaluates and audits its policy and overall PHIPA program effectiveness and makes modifications as part of continuous improvement.
agent – Includes any person who is authorized by a health information custodian to perform services or activities on the custodian’s behalf and for the purposes of that custodian. An agent may include an individual or company that contracts with, is employed by or volunteers for a health information custodian and, as a result, may have access to personal health information.
circle of care – A term of reference not defined under PHIPA but used to describe health information custodians and their authorized agents who are permitted to rely on an individual’s implied consent when collecting, using or disclosing personal health information for the purpose of providing health care or assisting in providing health care.
collect – The gathering, acquiring, receiving or obtaining of personal health information. This means that personal health information can be collected by a health information custodian or an authorized agent.
a. Express consent to the collection, use or disclosure of PHI by a health information custodian is explicit and direct. It may be given verbally, in writing or by electronic means.
b. Implied consent permits a health care custodian to infer from the surrounding circumstances that an individual would reasonably agree to the collection, use or disclosure of his/her personal health information. Also refer to ‘circle of care.’
custody (of the record) – The best evidence of custody means the keeping, care, watch, preservation or security of the record for a legitimate purpose, not mere possession.
control (of the record) – Means the power or authority to make a decision about the use or disclosure of the record even if not in the possession of the organization.
disclose – Means to release or make personal health information available to another person, organization or health information custodian; it does not mean to use the information. It does not include providing information directly back to the person who provided it in the first place, whether or not the information has been altered, so long as it does not include additional identifying information.
health care – Means any observation, examination, assessment, care, service or procedure
provided for a health-related purpose and that is carried out or provided:
- For diagnosis, treatment or maintenance of an individual’s physical or mental condition;
- For prevention of disease or injury or the promotion of health, or as part of palliative care;
- The compounding, dispensing, or selling of a drug, device or equipment pursuant to a prescription;
- A community service that is described in the Home Care and Community Services Act, 1994.
health information custodian – A health information custodian is a listed individual or organization under PHIPA that, as a result of its power or duties, has custody or control of personal health information.
health information network provider – A person or organization who supplies goods and services to two or more HICs that enable the HICs to collect, use, modify, disclose, retain or dispose of PHI electronically.
Information and Privacy Commissioner of Ontario – The regulatory agency responsible for overseeing compliance with and enforcing PHIPA.
Nucleus Independent Living – A non-profit organization fully funded by the Ministry of Health and Long-Term Care (MOHLTC) and governed by a Board of Directors. Formally named Nucleus Housing the organization was officially established in 1983 to provide housing for individuals with physical disabilities. Since its inception, Nucleus has grown to include a wide range of outreach services in the community.
personal health information – “Identifying information” collected about an individual, whether oral or recorded. “Identifying information” includes health information that could identify an individual when used alone or in conjunction with other information. PHI includes information about an individual’s health or health care history in relation to:
- The individual’s physical or mental condition, including family medical history;
- The provision of health care to the individual;
- Long-term health care services;
- The individual’s health card number;
- Blood or body-part donations;
- Payment or eligibility for health care; and
- The identity of a health care provider or a substitute decision-maker for the individual.
Personal Health Information Protection Act – Ontario’s health-specific privacy legislation that came into force in 2004. This law governs the manner in which personal health information may be collected, used and disclosed within the health care system. It also regulates individuals and organizations that receive personal information from health care professionals.
privacy breach – A privacy breach includes the collection, use or disclosure of PI/PHI that is not in compliance with applicable privacy law, or circumstances where PI/PHI is stolen, lost or subject to unauthorized or inappropriate collection, use or disclosure, copying, modification, retention or disposal, whether at rest, in transit or while in use.
privacy impact assessment – A formal risk management tool used to identify the actual or potential effects that a proposed or existing information system, technology or program may have on individuals’ privacy.
safeguards – The physical, technological and administrative protective measures and security techniques that are designed to ensure that personal health information remains confidential, available and uncompromised. This includes measures such as encryption, passwords, and firewalls designed to prevent unauthorized access to information, to protect the integrity of computing resources, and to limit the potential damage that can be caused by unauthorized access.
use – The handling of or dealing with personal health information that is in the custody or control of a health information custodian or its authorized agent. This includes accessing or reproducing health information as required by the custodian.
withdrawal of consent (“Lock-box”) – A term of reference not defined under PHIPA but used to describe the right of an individual to instruct a health information custodian not to disclose specified personal health information to another custodian for the purpose of providing health care.
Information and Privacy Commissioner/Ontario PHIPA resources. [https://www.ipc.on.ca/english/phipa/]
Reviewed January 2019