Under our parent company Canadian Addiction Treatment Centres, 1000 Islands Addiction Treatment Centre is committed to protecting the privacy, confidentiality, and security of all personal health information with which it is entrusted and to ensuring that staff and agents of the organization uphold this obligation.
Purpose: This policy details the regulatory requirements related to the collection, use, and disclosure of Personal Health Information (PHI).
Policy: 1000 Islands collects, uses, and may disclose personal health information and is, therefore, a health information custodian (HIC) as defined by the relevant provincial Personal Health Information Protection Act. A Health Information Custodian (HIC) is defined as an individual or organization that as a result of its power or duties has custody or control of Personal Health Information (PHI).
“A health information custodian is not free to disclose personal health information about an individual without the express consent of the individual, or incapable individual’s substitute decision maker, or as required or permitted by law, for example, pursuant to a warrant or court order (PHIPPA [s.43(1)]).”
Accountability for Personal Health Information:
Accountability for overseeing compliance with this policy rests with each person that works for 1000 Islands. While the designated Privacy Officer for 1000 Islands has ultimate accountability, each team member will need to work together to ensure our patients’ information is kept confidential and secure.
All staff and care providers that work in our clinics are responsible for maintaining the privacy, confidentiality, and security of a patient’s PHI at all times and are asked to sign a Confidentially Agreement that details our expectations when they start working with us.
Guiding Principles:
A care team member should only access a patients’ medical record if they are directly providing care to that patient or asked to consult on the care of a patient. In other words, it would be inappropriate to view a patient’s medical file because you are interested in how they are doing at another clinic or because you used to know them in high school. If you are not sure if you should be accessing the patient’s EMR, you can always ask your manager for guidance.
A care team member should not disclose information about a patient to another patient, a family member, or any other third party without written consent from the patient. In other words, the information that you learn about a patient by caring for them should never be shared outside of the circle of care. The circle of care is defined as those individuals who are permitted to rely on the patient’s implied consent for collecting, using, or disclosing personal health information for the purpose of providing health care or assisting in providing health care.
If you feel that you may have inadvertently breached a patient’s privacy, you must report it to your manager as soon as possible to mitigate any impacts of the potential breach.
Protecting our Patients
It is important that our patients know and understand why we collect their PHI and are confident that we will keep their information safe and secure. Canadian Addiction Treatment Centres (partner company of 1000 Islands) has designed a Privacy Practices Summary that is available to be provided to all patients upon request. The Privacy Practices Summary details the purposes for which the personal health information may be collected, used, and disclosed, the steps we take to safeguard patients’ privacy.
At 1000 Islands, we protect Personal health information by utilizing:
- Physical measures– including keeping personal health information in locked filing cabinets, restricting office access to authorized people; and installing a security system in every clinic.
- Administrative measures– limiting access to records on a need-to-know basis; staff training and education on privacy and security issues; regular audits of our practices to ensure compliance with our policies; and confidentiality agreements.
- Technological measures– including the requirement for passwords and user IDs for access to all computers, encryption, and firewalls and anti-virus software, etc.
Consent for the collection, use, and disclosure of personal health information:
PHIPA permits 1000 Islands to rely on patients’ implied consent for the collection, use, or disclosure of PHI for the delivery of health services within a patient’s circle of care. This means that the 1000 Islands will assume that the patient consents to the disclosure of information to, and receipt of information from, all members of the patient’s circle of care (i.e. all of the providers of health care services to the patient), unless a patient tells explicitly removes his/her consent.
1000 Islands staff are considered part of the circle of care of a patient, if they are actively involved in providing care for that patient, or if they are asked to consult on the care of a patient being treated in one of our clinics by another care team member.
1000 Islands MUST obtain the patient’s expressed consent before disclosing PHI to any third party. In certain rare circumstances, legal and regulatory requirements may compel the 1000 Islands to disclose PHI without a patient’s consent, for example, disclosures to the relevant provincial Ministry of Health for billing purposes or disclosures to support a legal investigation/proceeding. If you have a request for information and you are unsure, please contact your manager.
All steps outlined in the Release of Personal Health Information SOP must be adhered to prior to the release of ANY patient information.
Electronic Privacy
Only authorized 1000 Islands employees are able to access information to provide client care. 1000 Islands’ Information Technology department upgrades the security capabilities of our information systems on an ongoing basis. Access controls to client records for our employees are based on each employee’s job title and granted on a need-to-know basis. The organization’s system uses passwords and encryption to protect the system and electronic devices from inappropriate access.
Website Privacy
We do not solicit or keep any information when you browse the public-access areas of our website. We use “cookies” and Google Analytics, only to rapidly display pages you have already consulted and to make our website more user-friendly for you. We never use cookies to compile personal information about you without your knowledge.
Call and email follow-ups
You may receive an email or phone call follow-up from a 1000 Islands staff member about the services that you inquired about. The purpose of this follow-up is to help you make the right decision about substance use disorder treatment and/or for the sharing of admission documents. This communication will be sent from an official CATC (parent company of 1000 Islands) or 1000 Islands email address.
Anti-spam and Email Privacy
1000 Islands will not send you commercial electronic messages without your consent and we will not share or provide third parties access to email addresses that have been collected from 1000 Islands email opt-in pages. Users can unsubscribe from 1000 Islands email program at any time. All email marketing sent by 1000 Islands includes information and clear details on how to opt-out of email communication.We remind our Users that no collection or transmission of information such as email addresses over the Internet or other publicly accessible communications networks is guaranteed to be 100% secure, and therefore, we cannot ensure or warrant the security of any such information.
Blog and Social:
Please note that our blog and social media comments are posted publicly. If users post a comment 1000 Islands reserves the right the keep that information. Please be aware of what exactly you are posting and where you are posting it.
If you are concerned about a comment you posted on our blog or social media channels please email us at info@addictions.ca and we will be happy to speak with you about removing it if need be.
Requests for Records
Upon request, we will inform you of the existence, use and disclosure of your personal information. We will provide access to your personal information in accordance with applicable law. Access may not be provided when, for example, doing so would reveal personal information about a third party or could reasonably be expected to threaten the life or security of another individual.
Requesting Personal Information to be Sent to Others
Your personal information may be sent to others only if the request is accompanied by your written consent, or as directed by law. Your consent must direct 1000 Islands specifically to release information, be recently signed by yourself and your signature be witnessed, and the consent must clearly identify to whom the information is to be released. To protect your privacy, 1000 Islands will only release information sufficient to fulfill the request and you may limit or withdraw your consent at any time. Disclosures which have already occurred cannot be rescinded or limited. We may request that you confirm or renew your consent for subsequent requests in order to ensure that your circumstances have not changed.
Request for Records Contact Information
We are pleased to answer any questions you may have regarding requests for records. Please direct all requests or questions to:
Requests for Records
Canadian Addiction Treatment Centres
175 Commerce Valley Drive West
Suite 300
Markham, Ontario L3T 7P6