As defined in PHIPA, “personal health information” is identifying information about an individual, in oral or recorded form, if the information:
- Relates to the physical or mental health of an individual, including the individual’s medical history and the individual’s family history;
- Relates to the providing of health care to the individual, including the identification of a person as a provider of health care to the individual;
- Relates to payment or eligibility for health care;
- Is the individual’s health number; or
- Identifies an individual’s substitute decision-maker.
Personal health information also includes “identifying information” contained in a record of personal health information that would not otherwise fall within the definition of personal health information (i.e. a mixed record).
Principle 1 – Accountability for Personal Health Information
We demonstrate our commitment to privacy and protecting the confidentiality of personal health information in a number of ways, including but not limited to the following:
- Establishing the Privacy Officer as the “contact person” required by PHIPA;
- Making a Privacy Statement available to the public, which sets out a general description of our personal health information practices and how to bring concerns to the attention of our Privacy Officer and the Information and Privacy Commissioner; and
- Responding to requests for access or correction to a record of personal health information in a timely and appropriate manner, in accordance with PHIPA.
Principle 2 – Identifying Purposes for Collecting Health Information
BrightStar primarily collects personal health information to establish a relationship pursuant to which it can provide health and caregiving services. We obtain most of our information about an individual directly from such individual, or from other health providers that individual has seen and has authorized to disclose to us. BrightStar will identify the purposes for the collection of personal health information at or before the time the information is collected. The purposes for collection include, but are not limited to, those set out in our Privacy Statement at www.brightstarcare.ca.
The identified purposes are specified at or before the time of collection to the individual from whom the personal health information is collected. Depending upon the way in which the information is collected, this can be done orally or in writing. For example, when we make an initial at-home assessment visit, our Privacy Statement or brochure identifying the purposes may be given to the individual.
When personal health information that has been collected is to be used or disclosed for a purpose not previously identified for which consent is required, the new purpose will be identified prior to use or disclosure. Unless the new purpose complies with the purposes identified, the consent of the individual will be obtained before the information will be used or disclosed for another purpose.
Persons collecting personal health information will be able to explain to individuals the purposes for which the information is being collected.
Where BrightStar is authorized to use personal health information for a purpose, it may provide the information to an agent who may use it for that purpose on behalf of BrightStar.
Principle 3 – Consent for the Collection, Use and Disclosure of Personal Health Information
As a general rule, the consent of the individual, or their substitute decision-maker, is required for the collection, use or disclosure of personal health information. In certain circumstances, however, PHIPA and other legislation provide that personal health information may be collected, used or disclosed without consent.
For a consent to be valid, it must be “knowledgeable”, meaning that it is reasonable to believe, in the circumstances, that the individual knows the purpose(s) of the collection, use or disclosure, as the case may be, and that the individual may provide or withhold consent. In addition, a consent must relate to the personal health information at issue and cannot be obtained through deception or coercion.
An individual is “capable” of consenting to the collection, use and disclosure of personal health information if the individual is able to:
- Understand information relevant to the decision of whether to consent to the collection, use or disclosure of personal health information; and
- Appreciate the reasonably foreseeable consequences of giving, not giving, withholding or withdrawing consent.
BrightStar will presume that an individual is capable of consenting to the collection, use and disclosure of personal health information, unless it would be unreasonable to do so.
Where an individual is incapable of consenting to the collection, use and disclosure of personal health information, a substitute decision-maker or other authorized person may consent on behalf of the individual.
Consent may be express or implied, although PHIPA requires express consent in certain circumstances, including in most instances where BrightStar discloses personal health information to:
- A person that is not a health information custodian; or
- Another health information custodian and the disclosure is not for the purposes of providing health care or assisting in providing health care.
When BrightStar receives personal health information from the individual, the individual’s substitute decision-maker, or another health information custodian for the purposes of providing health care, we will assume that we have the individual’s implied consent to collect, use and disclose the information as necessary for that purpose, unless the individual has expressly withheld or withdrawn the consent.
Typically, BrightStar will seek consent for the use or disclosure of personal health information at the time of collection. In certain circumstances, consent with respect to use or disclosure may be sought after the information has been collected but before use, for example, where BrightStar has collected information from a health care provider identifying a request to make an assessment regarding providing at home health care services to an individual.
In obtaining consent, the reasonable expectations of the individual are relevant. For example, an individual seeking services from BrightStar should reasonably expect that BrightStar, in addition to using the individual’s name and address for administration purposes, would also contact the individual to advise on the availability of services and scheduling an at home assessment visit. On the other hand, an individual would not reasonably expect that personal health information given to BrightStar would be given to a third-party company selling health care products, unless consent has been obtained for the disclosure. We do not obtain consent through deception.
The ways in which we seek consent may vary, depending on the circumstances and the type of information to be collected. Consent may be obtained orally or in writing. If consent is obtained orally, a notation would typically be made in the individual’s record of personal health information, noting the date, time, to what the consent relates, the purpose for the collection, use or disclosure and any other relevant details.
An individual may withdraw consent at any time, whether the consent is express or implied, by providing notice to BrightStar. In the event that consent is withdrawn orally, a notation will be made in the individual’s record of personal health information, noting the date, time, to what the withdrawal of consent relates, and any other relevant details. Where appropriate, we will inform the individual of the implications of such withdrawal.
Principle 4 – Limiting Collection of Personal Health Information
The collection of personal health information shall be limited to that which is necessary for the purposes identified by BrightStar. Information will be collected by fair and lawful means. We will:
- Only collect personal health information for lawful purposes permitted by PHIPA and other legislation;
- Not collect personal health information if other information can serve the purpose; and
- Not collect personal health information indiscriminately. Both the amount and the type of information collected will be limited to that which is necessary to fulfill the purposes identified.
Information may be collected indirectly without the consent of the individual in certain limited circumstances, including where the information is reasonably necessary for the provision of health care to the individual or assisting in the provision of health care to the individual and (i) it is not reasonably possible to collect the information directly from the individual in a timely manner; or (ii) the information cannot reasonably be relied upon as accurate.
Principle 5 – Limiting Use, Disclosure, and Retention of Personal Health Information
Personal health information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Personal health information will be retained as long as necessary for the fulfillment of the identified purposes and for at least the minimum period required by legislation. BrightStar will:
- Use and disclose personal health information for lawful purposes permitted or required by PHIPA and other legislation;
- Not use or disclose personal health information if other information can serve the purpose;
- Not use or disclose personal health information indiscriminately. Both the amount and the type of information used and disclosed will be limited to that which is necessary to fulfill the purposes identified; and
- Use and disclose personal health information for the purposes identified. If BrightStar uses or discloses personal health information for a new purpose, it will document this purpose (e.g. for promotional purposes) and obtain consent.
If personal health information is used or disclosed without an individual’s consent in a circumstance that requires consent, BrightStar will make a note of such use and/or disclosure, and inform the individual of the use or disclosure at the first reasonable opportunity. We will keep the note as part of the record about the individual or in a form that is linked to those records. BrightStar may disclose personal health information:
- To a health care provider if the disclosure is reasonably necessary for the provision of health care and it is not reasonably possible to obtain consent in a timely manner; and
- Where the disclosure is necessary for the purpose of eliminating or reducing a significant risk of serious bodily harm to an individual, a person or group of persons.
Principle 6 – Accuracy of Personal Health Information
BrightStar will take reasonable steps to ensure that personal health information is as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used. The extent to which personal health information shall be kept accurate, complete and up-to-date will depend upon our use of the information, taking into account the interests of the individual. Information will be kept sufficiently accurate, complete and up-to-date to minimize the possibility that outdated or inappropriate information may be used to make a decision about the individual. We do not routinely update personal health information, unless such a process is necessary to fulfill the purposes for which the information was collected.
Principle 7 – Safeguards for Personal Health Information
BrightStar has put in place safeguards for the personal health information we hold. The safeguards utilized by BrightStar protect personal health information against loss or theft, as well as unauthorized access, disclosure, copying, use, or modification. We will protect personal health information regardless of the format in which it is held, e.g., verbal, paper or electronic. The methods of protection include:
- Physical Measures, such as restricted access to offices or other areas where personal health information is kept, alarm systems, identification badges and other measures deemed to be appropriate in the circumstances;
- Administrative Measures, such as policies and procedures regarding the safeguarding of personal health information, privacy training, regular audits of our privacy practices, security clearances and limiting access to personal health information on a “need-to-know” basis; and
- Technological Measures, such as the use of firewalls, passwords and encryption.
BrightStar ensures that the records of personal health information in its custody or control are retained, transferred and disposed of in a secure manner. Care is taken in the disposal or destruction of personal health information, to prevent unauthorized parties from gaining access to the information.
BrightStar has established Privacy Breach Guidelines which adhere to PHIPA and are to be followed in the event of a privacy breach. BrightStar will notify an individual at the first reasonable opportunity if personal health information is lost, stolen or accessed, used or disclosed in an inappropriate manner.
Principle 8 – Openness about Personal Health Information
We recognize the importance of an individual’s right to keep personal health information private and we are committed to protecting those individual privacy rights. We are committed to being open about our policies and practices with respect to the protection of personal health information. This information shall be made available in a form that is generally understandable. The information we make available shall include:
- The contact information of our Privacy Officer, to whom inquiries and complaints can be made;
- How to file a complaint with the Information and Privacy Commissioner;
- The means of requesting access to and correction of personal health information held by us;
- A description of the type of personal health information held by us, including a general account of its use and disclosure; and
- A copy of any brochures or other information that explains our privacy policies, standards, or codes.
Principle 9 – Individual Access to Personal Health Information
An individual may make a written request to obtain access to their record of personal health information in the custody or control of BrightStar. If access to a record is provided, an individual may then request corrections to the record. BrightStar will make available a form to request access to a record of personal health information. As provided by PHIPA, we can take up to 30 days to respond to the request. BrightStar may charge a reasonable fee for accessing and/or copying a record of personal health information, provided that the charges are communicated in advance. In most cases, access to a record of personal health information will be provided, although BrightStar can deny access for a number of reasons, including the following:
- The person requesting the information is not legally authorized to obtain the record;
- The identity or authority of the person requesting the information cannot be proven;
- The record, or information in the record, is subject to a legal privilege that restricts disclosure;
- Granting access could reasonably be expected to result in a risk of serious harm to the treatment or recovery of the individual or a risk of serious bodily harm to the individual or another person;
- Granting access could result in serious harm to the recovery of the individual or to others;
- There are reasonable grounds to believe that the request is frivolous, vexatious or made in bad faith; or
- As otherwise provided by law.
If BrightStar has denied a request for access to a record of personal information, it will provide written notice stating that it is refusing the request and that the individual is entitled to make a complaint about the refusal to the Information and Privacy Commissioner. Absent exceptional circumstances, reasons for the refusal will also be provided.
If BrightStar has granted an individual access to their record of personal health information, the individual may then request that BrightStar correct the record, if the individual believes that the record is inaccurate or incomplete. BrightStar will make available a form to request correction to a record of personal health information. As provided by PHIPA, we can take up to 30 days to respond to the request.
If an individual successfully demonstrates the inaccuracy or incompleteness of their personal health information and provides the necessary information to make the correction, we will amend the information as required. Depending upon the nature of the challenged information, amendments may include the correction, deletion or the addition of information. If requested by the individual, we will then communicate the correction to persons to whom the record was previously disclosed, except where the correction would not affect the provision of ongoing health care or other benefits to the individual.
BrightStar may deny a request for correction to a record of personal health information for the following reasons:
- BrightStar is not satisfied that the record is incomplete or inaccurate for the purposes for which it uses the information;
- It relates to a record that was not originally created by BrightStar and BrightStar does not have sufficient knowledge, expertise and authority to correct the record;
- It relates to a professional opinion or observation that a health information custodian has made in good faith about the individual; or
- It has reasonable grounds to believe that the request is frivolous, vexatious or made in bad faith.
If BrightStar has denied a request for correction to a record of personal information, it will provide written notice stating that it is refusing the request, provide reasons for the refusal and confirm that the individual is entitled to make a complaint about the refusal to the Information and Privacy Commissioner. In most circumstances, individuals will also be provided with an opportunity to attach a statement of disagreement to their record of health information.
Principle 10 – Challenging Compliance