Privacy of Personal Health Information

This policy applies to all Family Health Organization physician signatories to the EMR Joint Venture Agreement
and their staff members and agents; Barrie and Community Family Health Team staff and agents; and Barrie
Medical Clinics staff, physicians and agents; hereafter referred to as the Joint Venturers.

All the Joint Venturers are responsible for ensuring that all personal health information in their possession and
control is held in the strictest confidence and disclosed only on a need-to-know basis in accordance with the
Personal Health Information Protection Act of Ontario, 2004 (PHIPA), this policy, and legal requirements. All
personal health information collected, used, retained and disclosed by Joint Venturers will be treated in a manner
that follows the ten Principles of Privacy contained in this policy.
The Principles of Privacy do not replace statutory, ethical or contractual obligations that are in place with respect to
the collection, use, retention or disclosure of personal health information. Adherence to this policy is required by all
Joint Venturers.
The Barrie and Community Family Health Team will provide a Chief Privacy Officer to act on behalf of the Joint
Venturers, to facilitate each party’s compliance with PHIPA, and to ensure that each party and their agents are
appropriately informed of their duties under PHIPA. All clinic locations will appoint a Privacy Officer for their local
clinic needs.

Principle 1: Accountability for Personal Health Information
Ultimate responsibility and custodianship for personal health information protection rests with the party that collects
and retains it. Each of the parties hereto acknowledges their statutory and regulatory responsibilities for the
custodianship and control of personal information and personal health information that each may collect, use and/or
disclose in the course of their operation.

Principle 2: Identifying Purposes for the Collection of Personal Health
The physicians, staff and agents of the Joint Venturers must not collect, use or disclose patients’ personal health
information unless:
–   They have the patients’ consent, and their collection, use or disclosure is, to the best of their knowledge,
    necessary for a lawful purpose, or
– The collection, use or disclosure is permitted or required by PHIPA.
When personal health information is used for a purpose not previously identified, the new purpose will be identified
prior to use. Unless the new purpose is required by law, the consent of the individual is required before information
can be used for that purpose.

Principle 3: Consent for the Collection, Use and Disclosure of Personal
Health Information
The knowledge and consent of the individual is required for the collection, use or disclosure of personal health
information, except where inappropriate.
When you collect, use and disclose personal health information for health care purposes, you can usually rely on
implied consent. If the purpose is something other than health care, you must often obtain express consent.
The type of consent (whether implied or express, verbal or in writing) sought by Joint Venturers may vary,
depending on the circumstances and the type of information. In determining the form of consent, Joint Venturers
will consider the sensitivity of the information.

An individual may withdraw consent at any time, subject to legal or contractual restrictions and reasonable notice.
The Joint Venturers will inform the individual of the implications of such withdrawal.

Principle 4: Limiting Collection of Personal Health Information
The Joint Venturers will limit the collection of personal health information to that which is necessary for the
purposes identified. Information will be collected by fair and lawful means.

Principle 5: Limiting Use, Disclosure and Retention of Personal Health
Personal health information will not be used or disclosed for purposes other than those for which it was collected,
except with the consent of the individual or as required by law. Personal health information will be retained only as
long as necessary for the fulfillment of those purposes.

Principle 6: Accuracy of Personal Health Information
Personal health information will be as accurate, complete and up-to-date as is necessary for the purposes for which it
is to be used. The extent to which personal health information will be accurate, complete and up-to-date will depend
upon the use of the information, taking into account the interests of the individual. Information will be sufficiently
accurate, complete and up-to-date to minimize the possibility that inappropriate information may be used to make a
decision about the individual.

Principle 7: Safeguards for Personal Health Information
A health care information custodian shall take steps that are reasonable in the circumstances to ensure that personal
health information in the custodian’s custody or control is protected against theft, loss and unauthorized use or
disclosure, and to ensure that the records containing the information are protected against unauthorized copying,
modification or disposal.

Principle 8: Openness about Privacy Policy
The Joint Venturers will make readily available to individuals specific information about its policies and procedures
relating to the management of personal health information. The Joint Venturers will be open about their policies and
procedures with respect to the management of personal health information. Individuals will be able to acquire
information about its policies and procedures without unreasonable effort. This information will be made available
in a form that is generally understandable.

Principle 9: Individual Access to Personal Health Information
Upon request, an individual will be informed of the existence, use and disclosure of his or her personal health
information and will be given access to that information. An individual is able to challenge the accuracy and
completeness of their personal health information and have it amended as appropriate.

Principle 10:          Challenging Compliance with the Privacy Policy
Individuals shall be able to address a challenge concerning compliance with the above principles to a designated
individual or individuals accountable for the each party’s compliance. The Joint Venturers, through the designated
Privacy Officer, shall put procedures in place to receive and respond to complaints or inquiries about their policies
and practices relating to the handling of personal health information.


To top