Privacy Policy

Policy Statement: 

Hospice West Parry Sound (HWPS) acknowledges the requirement to comply with the terms and conditions of the Personal Health Information Protection Act (PHIPA).

HWPS is committed to the principles set out in PHIPA, which requires that Personal Health Information (PHI) is protected.

Information will be collected, stored, used, and shared responsibly and securely.  We will only collect information that is necessary, and this information will be shared with individuals responsible for providing care and with other staff, students, and volunteers for purposes directly related to their duties.

HWPS collects, uses, shares, and retains personal health information for the following purposes:

  • To provide quality services
  • To deliver safe and efficient client care
  • To communicate with and make referrals to other care providers (circle of care)
  • To comply with legal and regulatory requirements
  • Research, teaching, and statistics

This policy applies to all HWPS staff, volunteers, and students.

Documentation:

  • Confidentiality Agreement

Purpose: 

To protect the privacy of all clients, caregivers, staff, and volunteers using all measures considered reasonable.

Procedure: 

The following 10 privacy principles are followed:

Principle 1 – Accountability

  • HWPS is responsible for keeping personal health information secure, accurate, and up to date
  • The Executive Director (ED) is accountable for compliance with these principles
  • Privacy complaints and inquiries can be made to the Hospice Office at: 705-746-4540 ext. 1416 
  • All HWPS team members receive privacy training during their orientation, and privacy refresher sessions are provided yearly

Principle 2 – Identifying Purposes

  • HWPS will identify the purposes for which information is collected at or before the time the information is collected
  • HWPS will only collect information necessary for the provision of care, services, and programs
  • Persons collecting personal information must be able to explain to individuals the purposes for which the information is being collected

Principle 3 – Consent for Collection, Use and Disclosure of Personal Information

  • Knowledgeable consent of the individual is obtained for the collection, use or disclosure of personal information
  • This principle requires “knowledge and consent”.  HWPS will make a reasonable effort to ensure that the individual (or SDM where appropriate) is advised of the purposes for which the information will be used.  To make the consent meaningful, the purposes must be stated in such a manner that the individual can reasonably understand how the information will be used or disclosed
  • Individuals can consent in many ways:
    • Completing and signing a consent form
    • Consent may be given orally when information is collected over the telephone; or
    • Implied consent may be given at the time that individuals receive services
  • An individual (or SDM where appropriate) may withdraw consent at any time by contacting the Hospice office

Principle 4 – Limiting Collection

  • HWPS will limit the collection of personal information to that which is necessary for the purposes identified.  Information will be collected by fair and lawful means

Principle 5 – Limiting Use, Disclosure and Retention of Personal Information

  • Personal information is not used or disclosed for purposes other than those for which it was collected, except with the consent of the individual (or SDM) or as required by law.  Personal information is retained only as long as necessary for the fulfillment of those purposes

Principle 6 – Accuracy

  • HWPS keeps personal information as accurate, complete, and up to date as is necessary for the purposes for which it is to be used

Principle 7 – Safeguards

  • Personal information is protected by security safeguards, both electronic and physical, appropriate to the sensitivity of the information
  • The security safeguards protect personal information against loss or theft, as well as unauthorized access
  • The methods of protection include:
    • Physical measures, e.g., locked filing cabinets and restricted access to offices
    • Organizational measures, e.g., confidentiality agreements and limiting access on a “need-to-know” basis; and
    • Technology measures, e.g., use of passwords and access controls
  • HWPS ensures all team members are aware of the importance of maintaining the confidentiality of personal information.  All staff, students and volunteers have a signed confidentiality agreement and have received training on the policies and procedures to protect personal information
  • Care is used in the disposal or destruction of personal information, to prevent unauthorized parties from gaining access to the information

Principle 8 – Openness

  • HWPS will make readily available to individuals specific information about its policies and practices relating to the management of personal information that support our commitment to privacy
  • Individuals are able to acquire information about policies and practices without unreasonable effort.  Please contact the Hospice office for more information.  Come in person to Room 1421 at the West Parry Sound Health Centre or call 705-746-4540 ext. 1416

Principle 9 – Individual Access

  • Upon request an individual is informed of the existence, use and the disclosure of his or her personal information and is given access to that information with the Executive Director

Principle 10 – Challenging Compliance

  • An individual is able to address a challenge concerning compliance with the above principles to the Executive Director by contacting the Hospice office at: 705-756-4540 ext. 1416
  • HWPS responds to enquiries in a fair, accurate and timely manner
  • HWPS will investigate all complaints.  If a complaint is found to have merit, HWPS will take appropriate measures, including, if necessary, amending its policies and procedures
  • All staff, volunteers and students will follow the Privacy Policy and maintain confidentiality as related to PHIPA.  Violations of this policy may result in disciplinary action, up to and including termination

Managing a Privacy Breach

Privacy breaches refer to unauthorized access to or collection, use, disclosure, or disposal of personal information.  Such activity is “unauthorized” if it occurs in contravention of PIPEDA.  An example of a privacy breach would be personal information becoming lost or stolen or personal information being mistakenly emailed to the wrong person.

The recommended privacy breach incident protocol has five steps.  Step 1 is the responsibility of the individual or individuals who first become aware of the potential breach.  The second through fifth steps are the responsibility of the Executive Director, working in cooperation with the Board of Directors, as necessary.

Step 1:  Reporting the Breach

Any employee who becomes aware of a possible breach of privacy involving personal information in the custody or control of Hospice West Parry Sound will immediately inform his or her immediate supervisor.  The supervisor will inform the Executive Director and will verify the circumstances of the possible breach.  As soon as the breach has been confirmed to have or have not occurred, the supervisor will inform the Executive Director.  This confirmation will occur within 24 hours of the initial report.

When a breach has been confirmed, the Executive Director will implement the remaining four steps of the breach incident protocol.

Step 2: Containing the Breach

Hospice West Parry Sound’s Executive Director will take the following steps to limit the scope and effect of the breach.  These steps will include:

  • Work within the organization to contain the breach by, for example, stopping the unauthorized practice, recovering the records, shutting down the system that was breached, or correcting weaknesses in security, and
  • In consultation with the Board of Directors, notify the police if the breach involves, or may involve, any criminal activity

Step 3:  Evaluating the Risks Associated with the Breach

To determine what other steps are immediately necessary, Hospice West Parry Sound’s Executive Director, working with other staff as necessary, will assess the risks associated with the breach.  The following factors will be among those considered in assessing the risks:

  1. Personal Information Involved:
    • What data elements have been breached?  Generally, the more sensitive the data, the higher the risk.  Health information, social security numbers and financial information that could be used for identity theft are examples of sensitive personal information
    • What possible use is there for the personal information?  Can the information be used for fraudulent or otherwise harmful purposes?
  2. Cause and Extent of the Breach:
    • What is the cause of the breach?
    • Is there a risk of ongoing or further exposure of the information?
    • What is the extent of the unauthorized collection, use or disclosure, including the number of likely recipients and the risk of further access, use or disclosure, including in mass media or online?
    • Is the information encrypted or otherwise not readily accessible?
    • What steps have already been taken to minimize the harm?
  3. Individuals Affected by the Breach:
    • How many individuals are affected by the breach?
    • Who was affected by the breach: Employees, students, volunteers, public, clients, service providers, other individuals/organizations?
  4. Foreseeable Harm from the Breach:
    • Is there any relationship between the unauthorized recipients and the data subject?
    • What harm to the individuals will result from the breach?  Harm that may occur includes:
      • Security risk (e.g., physical safety)
      • Identity theft or fraud
      • Loss of business or employment opportunities
      • Hurt, humiliation, damage to reputation or relationships
  5. What harm could result to Hospice West Parry Sound as a result of the breach?  For example:
    • Loss of trust in Hospice West Parry Sound
    • Loss of assets
    • Financial exposure
    • What harm could result to the public as a result of the breach?  For example:
      • Risk to public health
      • Risk to public safety

Step 4:  Notification

Notification can be an important mitigation strategy in the right circumstances.  The key consideration overall in deciding whether to notify will be whether the notification is necessary in order to avoid or mitigate harm to an individual whose personal information has been inappropriately collected, used or disclosed.  Hospice West Parry Sound’s Executive Director will work with appropriate staff to decide the best approach for notification.

Notifying Affected Individuals:

Some considerations in determining whether to notify individuals affected by the breach include:

  • Contractual obligations require notification
  • There is a risk of identity theft or fraud
  • There is a risk of physical harm
  • There is a risk of hurt, humiliation or damage to reputation (for example, when the information lost includes medical or disciplinary records)

When and How to Notify

When:  Notification of individuals affected by the breach will occur as soon as possible following the breach.  However, if law enforcement authorities have been contacted, those authorities will assist in determining whether notification will be delayed in order not to impede a criminal investigation.

How:  The preferred method of notification is direct – by phone, letter or in person – to affected individuals.  Indirect notification – website information, posted notices, media – will generally occur only where direct notification could cause further harm, is prohibitive in cost or contact information is lacking.  Using multiple methods of notification in certain cases may be the most effective approach.

What will be included in the notification?

  • Date of the breach
  • Description of the breach
  • Description of the information inappropriately accessed, collected, used, or disclosed
  • The steps taken to mitigate the harm
  • Next steps planned and any long-term plans to prevent future breaches
  • Steps the individual can take to further mitigate the risk of harm
  • Contact information for Hospice West Parry Sound’s Executive Director

Others to Contact:

Regardless of what obligations are identified with respect to notifying individuals, notifying the following authorities or organizations will also be considered:

  • Police:  If theft or crime is suspected
  • Insurers or others
  • Professional or other regulatory bodies: If professional standards require notification

Step 5:  Prevention

Once the immediate steps are taken to mitigate the risks associated with the breach, Hospice West Parry Sound’s Executive Director will investigate the cause of the breach.  If necessary, this will include a security audit of physical, organizational, and technological measures.  As a result of this evaluation, the Executive Director will assist staff to put in effect adequate long-term safeguards against further breach.  Policies will be revised and updated to reflect the lessons learned from the investigation and regularly after that.  The resulting plan will also include audit recommendations, if appropriate.

May 2003

REVISED: May 2008; July 2009; January 2017; October 2017; February 2020; January 2021; November 2022
