Last updated: June 25, 2019
Privacy of personal information is an important principle to me [Yulia Khayat, RD], as a Registered Dietitian. I am committed to collecting, using and disclosing personal information responsibly and only to the extent necessary for the goods and services I provide. I try to be open and transparent about how I handle personal information. This document describes how I collect, use, share, and protect the personal information you provide to me when you access my websites, purchase my goods or services, or engage with me on social media, as well as your own rights to the information being collected.
What is Personal Health Information?
Personal health information is information about an identifiable individual. Personal health information includes information that relates to:
- the physical, nutritional or mental health of the individual (including family health history);
- the provision of health care to the individual (including identifying the individual’s health care provider(s));
- a plan of service under the Home Care and Community Services Act, 1994;
- payments or eligibility for health care or coverage for health care;
- the donation or testing of an individual’s body part or bodily substance;
- the individual’s health number; or
- the identification of the individual’s substitute decision-maker.
My practice – Yulia Khayat, Registered Dietitian – includes, at the time of writing this policy, only myself. As a part of my private practice, I may use several consultants and agencies that may, in the course of their duties, have limited access to personal health information I hold. These include computer consultants, office security and maintenance, bookkeepers and accountants, lawyers, credit card companies, and website managers. I restrict their access to any personal information I hold as much as is reasonably possible. I will also request their assurance that they follow appropriate privacy principles before providing access to this type of information.
Why I Collect Personal Health Information
I collect, use and disclose personal information in order to serve my clients. For my clients, the primary purpose for collecting personal health information is to provide nutrition services. For example, I collect information about a client’s health history, including their family history, physical condition and function and social situation in order to help me assess what their nutrition care needs are, to advise them of their options and then to provide the nutrition care they choose to have. A second primary purpose is to obtain a baseline of health and social information so that in providing ongoing health services I can identify changes that are occurring over time.
I also collect, use and disclose personal health information for purposes related to or secondary to my primary purposes. The most common examples of my related and secondary purposes are as follows:
- To obtain payment for services or goods provided. Payment may be obtained from the individual, OHIP, WSIB, private insurers or others.
- To conduct quality improvement and risk management activities. I review client files to ensure that I provide high quality services. External consultants (e.g., auditors, lawyers, practice consultants, voluntary accreditation programs) may conduct audits and quality improvement reviews on my behalf.
- To promote my practice, new services, special events and opportunities (e.g., a seminar or conference) that I have available. I will always obtain express consent from the client prior to collecting or handling personal health information for this purpose.
- To comply with external regulators. My profession is regulated by the College of Dietitians of Ontario, which may inspect my records and interview me as a part of its regulatory activities in the public interest. The College of Dietitians of Ontario has its own strict confidentiality and privacy obligations. In addition, as a professional, I will report serious misconduct, incompetence or incapacity of other practitioners, whether they belong to other organizations or my own. Also, I believe that I should report information suggesting illegal behaviour to the authorities. In addition, I may be required by law to disclose personal health information to various government agencies (e.g., the Ministry of Health and Long-Term Care, children’s aid societies, Canada Customs and Revenue Agency, Information and Privacy Commissioner, Ontario, etc.).
Protecting Personal Information
I understand the importance of protecting personal information. For that reason, I have taken the following steps:
- Paper information is either under supervision or secured in a locked or restricted area.
- Electronic hardware is always either under supervision or secured in a locked or restricted area. In addition, strong passwords are used on all computers and mobile devices.
- Personal health information is only stored on mobile devices if necessary. All personal health information stored on mobile devices is protected by strong encryption.
- If I need to take personal health information outside my office (such as when conducting client home visits), I transport, use and store the personal health information securely.
- Paper information is transferred through sealed, addressed envelopes or boxes by reputable companies with strong privacy policies.
- Electronic information is either anonymized or encrypted before being transmitted.
- I do not post any personal information about my clients on social media sites.
- External consultants and agencies with access to personal information must enter into privacy agreements with me.
Openness about the Personal Information Process
Procedures I follow:
Right to Access Personal Information
- I may require the request to be in writing (a verbal request can be answered);
- If asked, I am available to help a person make an access request for information for which I am a Health Information Custodian;
- I will provide access upon request within 30 days unless grounds of refusal exist;
- I will normally provide access not only to personal information on record, but also to how I have used and disclosed it;
- I will keep reasonable records of any unusual uses or disclosure of personal information (e.g., systematically filing a cover letter, fax sheet or email in the relevant file);
- I will confirm the identity of the individual requesting the information before disclosing it;
- I will take reasonable and necessary steps to ensure that the individual requesting information can understand it (e.g., explain short forms or codes, provide it in an alternative format where the requester has a sensory disability);
- Access must be provided, despite a ground for refusal (except law enforcement) where the individual’s life, health or security is threatened. Grounds for refusal to access personal information would include:
  - It is quality of care information or information generated for the College’s quality assurance program;
  - Raw data from standardized psychological tests or assessments;
  - There is a risk of serious harm to the treatment or recovery of the individual or of serious bodily harm to another person; or
  - Access would reveal the identity of a confidential source of information.
- Even if I refuse the request, I am aware that I cannot destroy the information until the individual has had a chance to challenge the refusal.
- Additional procedures for handling access requests:
  - I must notify the individual of his or her right to complain to the Information and Privacy Commissioner of Ontario if the request for access is refused (along with the reasons for the refusal), and the burden of justifying the refusal is on me;
  - I can refuse frivolous, vexatious and bad faith requests for access; and
  - I am aware that I can only charge a reasonable cost recovery fee for access and must provide an estimate of the fee in advance. The Information & Privacy Commissioner’s Office of Ontario suggests a charge of $30.00 for the first twenty pages of records and 25 cents for each additional page.
Clients have the right to request a correction of erroneous information held by the organization. The purpose is to maintain appropriate and accurate information on clients.
Procedures I follow:
- In my processes for handling correction requests I strive to be fair to the individual.
- Correction requests are restricted to factual information. Professional observations and opinions are not generally subject to correction requests.
- Corrections are made without obliterating the original entry.
- A notice of the disagreement is filed with the record where I do not agree that the information is incorrect. Any notice of refusal will advise the individual of his or her right to complain to the Information and Privacy Commissioner about the refusal.
- Corrections or notice of the disagreement are sent to third parties who have received the erroneous information unless doing so is not appropriate. However, there are limits that may include the following:
  - the individual must request it;
  - the notification need only be made where reasonably possible; and
  - the HIC can refuse to give the notification if the correction cannot reasonably be expected to have an effect on the ongoing provision of health care or some other benefit to the individual.
- The individual is given a timely response (usually within 30 days) to a request to correct, along with reasons for any refusal to do so and notice of any recourse.
- Grounds to refuse correction may include requests where:
  - the request is frivolous, vexatious or made in bad faith; or
  - I did not create the record and do not have sufficient knowledge, expertise or authority to make the correction.
Retention and Destruction of Personal Information
I need to retain personal information for some time to ensure that I can answer any questions you might have about the services provided and for my own accountability to external regulatory bodies.
I keep my client files for at least ten years from the date of the last client interaction or from the date the client turns 18.
I destroy paper files containing personal health information by cross-cut shredding. I destroy electronic information by deleting it in a manner that it cannot be restored. When hardware is discarded, I ensure that the hardware is physically destroyed, or the data is erased or overwritten in a manner that the information cannot be recovered.
If there is a Privacy Breach
While I will take precautions to avoid any breach of your privacy, if there is a loss, theft or unauthorized access of your personal health information I will notify you.
Upon learning of a possible or known breach, I will take the following steps, as applicable:
- Consider whether the Commissioner must or should be notified;
- Assess what and how much information was breached and in what manner (e.g., paper format, electronic format).
- Determine whether copies were made.
- Implement any necessary action to contain further unauthorized access (e.g., change passwords, identification numbers and/or temporarily shut down a system).
- Notify all individuals whose personal health information has been compromised in the most appropriate way possible in light of the sensitivity of the information (e.g., by phone, in writing, at your next appointment, etc.).
- Inform all individuals of the steps that have or will be taken to address the privacy breach and that the Information and Privacy Commissioner’s Office, Ontario has been informed.
- Provide the individuals with contact information for the organization and for the Information and Privacy Commissioner’s Office of Ontario in case they have further questions.
- Advise the individual of their right to make a complaint to the Commissioner (s. 12).
- Take the necessary steps to implement a plan that strives to avoid a similar privacy breach from occurring in the future.
- I will advise the Information and Privacy Commissioner’s Office of Ontario of the investigation findings and proposed future prevention plan and work together to make any necessary changes.
- Report the results of investigation to the relevant regulatory College if appropriate or required.
I develop and maintain an internal complaint system and make external recourse publicly available in order to be able to receive, investigate and respond to complaints. Every effort is made to investigate and decide a simple complaint within 30 days. For more complex complaints, the person investigating or deciding the complaint will advise the person making the complaint within 30 days of how long it will likely take to investigate and decide it.
Procedures I follow:
- I am the individual who is designated to investigate complaints. I will:
  - a) receive and promptly acknowledge receipt of a complaint;
  - b) investigate the complaint;
  - c) decide on the complaint;
  - d) to ensure fairness, I may consult with other counselling Registered Dietitians in Ontario.
- I will inform the Complainant about the recourse to external bodies as follows:
  - a) the regulatory body(ies) for the organization or members of the organization (e.g., College of Dietitians of Ontario);
  - b) the Office of the Privacy Commissioner of Canada;
  - c) the Information and Privacy Commissioner of Ontario to the extent that the Personal Health Information Protection Act, 2004
This policy is made under the Personal Health Information Protection Act, 2004, S.O. 2004, c. 3. It is a complex statute and provides some additional exceptions to the privacy principles that are too detailed to set out here.