Introduction

Health Unit agents disclose personal information including personal health information in the management and delivery of public health services for the following purposes:

• To conduct business and manage the daily operations of the health unit
• To assess current status in order to provide direct care, programs and services
• To respond to complaints about public health issues
• To provide public health interventions to clients
• To contribute to quality improvement processes or research; and
• To comply with legislative and professional requirements

Purpose

The purpose of this policy is to inform Simcoe Muskoka District Health Unit Board of Health members, employees, students, volunteers, contractors (collectively defined as Health Unit agents) and members of the public of:

1. the policies and procedures in place to guide the disclosure of personal information including personal health information and to protect the privacy and security of this information;
2. the policies and procedures in place to inform the public of how personal information including personal health information is protected by the Simcoe Muskoka District Health Unit.

While this policy focuses on disclosure of personal information including personal health information, it should be interpreted within the context of the PERSONAL INFORMATION INCLUDING PERSONAL HEALTH INFORMATION PRIVACY – PRINCIPLES policy and the related set of policies that collectively define the information practices of the Health Unit for the purposes of all applicable privacy legislation.

Policy Definitions & Interpretations

This policy and any specific terms used herein will be interpreted to ensure consistency with all applicable information privacy legislation, including MFIPPA, RHPA and PHIPA. This policy cannot fully describe how the legislation is to be applied in every instance by the Health Unit. As a result, there may be circumstances where the legislation itself should be referred to, or specialized advice regarding privacy should be obtained.

For the purposes of this policy statement:

“agent” means a person that, with the authorization of the Medical Officer of Health as a Health Information Custodian (HIC), acts for or on behalf of the HIC in respect of personal health information for the purposes of the HIC, and not for the agent’s own purposes, whether or not the agent has the authority to bind the HIC, whether or not the agent is employed by the HIC, and whether or not the agent is being remunerated;

“applicable privacy legislation” means MFIPPA, and PHIPA;

“health information custodian (HIC)” means a person or organization …who has custody or control of personal health information as a result of or in connection with performing the person’s or organization’s powers or duties or the work as a medical officer of health of a  board of health within the meaning of the Health Protection and Promotion Act , 1990

“Health Unit” means the Simcoe Muskoka District Health Unit

“MFIPPA” – means Municipal Freedom of Information and Protection of Privacy Act, 1991

“PHIPA” – means Personal Health Information Protection Act, 2004

 “personal health information” means identifying information about an individual in oral or recorded form, if the information:

• relates to the physical or mental health of the individual, including information that consists of the health history of the individual’s family,
• relates to the providing of health care to the individual, including the identification of a person as a provider of health care to the individual,
• is a plan of service within the meaning of the Long-Term Care Act, 1994 for the individual,
• relates to payments or eligibility for health care in respect of the individual,
• relates to the donation by the individual of any body part or bodily substance of the individual or is derived from the testing or examination of any such body part or bodily substance,
• is the individual’s health number, or
• identifies an individual’s substitute decision-maker.

“personal information” means recorded information about an identifiable individual, including:

• information relating to the race, national or ethnic origin, colour, religion, age, sex, sexual orientation or marital or family status of the individual,
• information relating to the education or the medical, psychiatric, psychological, criminal or employment history of the individual or information relating to financial transactions in which the individual has been involved,
• any identifying number, symbol or other particular assigned to the individual,
• the address, telephone number, fingerprints or blood type of the individual,
• the personal opinions or views of the individual except if they relate to another individual,
• correspondence sent to an institution by the individual that is implicitly or explicitly of a private or confidential nature, and replies to that correspondence that would reveal the contents of the original correspondence,
• the views or opinions of another individual about the individual, and
• the individual’s name if it appears with other personal information including personal health information relating to the individual or where the disclosure of the name would reveal other personal information including personal health information about the individual.
  

"record" is broadly defined to include any record of information however recorded.  This includes correspondence, minutes, reports, photographs, computer tapes and disks, files, and any other recorded information regardless of medium or format.  The definition also includes a record that does not yet exist but which can be created from existing data in a computer system.

“RHPA” – means Registered Heath Professions Act, 1991

Policy

Health Unit agents will hold in confidence personal information including personal health information about individuals and families, of which they become aware in the course of providing services to the public.

Health Unit agents may disclose personal information including personal health information to a third party with the express consent of the individual, client or substitute decision maker.

Health Unit agents may disclose personal information including personal health information to a third party without consent or consultation with management if, in the professional judgment of the agent, the risk of harm to self or others is imminent or if they are required to do so by law.

A record must be subpoenaed for use in a court of law. The subpoena should be directed to the appropriate Service Director.

In all other circumstances, personal information including personal health information may only be released without consent after consultation with the Service Director or Medical Officer of Health.

Documentation of the disclosure of personal health information with or without consent must be dated and maintained with the client’s health record.

Procedures for Disclosure of Information:

A. Disclosure of Personal  Information (under MFIPPA or PHIPA)

1. The individual requesting the information must do so in writing. Forms are available in each office, but their use is not mandatory. See Form A1.045 (F1) Access/Correction Request
2. The original request is sealed in an envelope marked "MIFIPPA/PHIPA Request" and is forwarded to Associate Director of Corporate Service (ADCS) immediately.
3. ADCS will determine if the request falls under MFIPPA or PHIPA. If it does, ADCS records the request and forwards it to the appropriate Service Director.
4. The Service Director locates the record requested and consults with ADCS and, if necessary, the Medical Officer of Health, to determine the course of action.
5. If the request can be met in accordance with the act, ADCS contacts the requester and arranges for either review of the record in person or to receive a copy of the record.
6. If ADCS determines the request does not fall under MFIPPA or PHIPA it is passed to the responsible Service Director for response within the parameters of the Service policies and procedures.

B. Disclosure of Personal Information with Consent

Health Unit agents receive requests for the disclosure of personal information from individuals, families or other agencies. 

1. In response to requests from individuals or families:
   1. Verify in writing that the client or substitute decision-maker has consented to the disclosure of the personal health information to whom and for what purposes.  See Form A1.045 (F2) Relase of Client Information
   2. Place a signed copy of the consent form on file.  A copy of the signed consent is sent with any written information.
   3. Verbal client consent is considered valid when obtained within the same parameters as written consent. When verbal consent is obtained, this is clearly documented in the client record along with documentation of the information discussed when verbal consent was obtained.
   4. Confirm the identity of the person(s) to whom the information is being released.
   5. Clarify the purpose for which the personal health information is being requested.
   6. Disclose only personal information for which you have consent to disclose and that serves the purpose for which the disclosure is requested.
   7. Document the date of the request and the disclosure of the personal health information and attach to the client record where appropriate.
2. In response to requests from other agencies:
   1. Request that the agency provide a signed consent form to authorize the release of the information. A facsimile copy of this consent is acceptable.
   2. Once a signed consent form is on file, pertinent information may be released. A copy of the signed consent is sent with any written information.
   3. Verbal client consent is considered valid when obtained within the same parameters as written consent. When verbal consent is obtained, this is clearly documented in the client record along with documentation of the information discussed when verbal consent was obtained.
   4. Disclose only personal information for which you have consent to disclose and that serves the purpose for which the disclosure is requested.
   5. Document the date of the request and the disclosure of the personal health information and attach to the client record where appropriate.

C. Disclosure of Personal Information - Risk of Harm to Self or Others:

Upon occasion agents may be faced with a situation in which they believe that the need to share information outweighs the individual right to privacy and confidentiality. An unsuccessful attempt to obtain consent may lead to a professional judgement that the information must be shared in the best interests of the individual or society. Examples of such instances include evidence that indicates the person may be a danger to self or others or mental competency is impaired.   If risk to self or others is considered imminent:

1. Information may be released without consent or consultation if consultation is not immediately available.

If the risk to self or others is not considered imminent:

1. Consult with the Program Manager prior to initiating the release of information without consent.
2. If the Program Manager is unavailable, the Service Director or the Medical Officer of Health is consulted.
3. Detailed, dated and signed records of the circumstances and subsequent actions must be retained on file.

D. Disclosure of Personal Information to Children’s Aid Society:

1. Health Unit agents provide direct service to clients who fall within the definition of a child for the purposes of child protection (under the age of sixteen or older and in the care of CAS).
2. When an agent has reason to suspect that a child is in need of protection, there is an obligation to report this to the Children’s Aid Society. See Report to Children’s Aid Society policy C5.020.

E.  Health Unit Seeking or Receiving Personal Information

Consent for the disclosure of information is required when the Health Unit is requesting or receiving information or referrals from parties unless the collection of the information is governed by provincial statutes.

1. When a Health Unit agent requests or receives information, it is the responsibility of the Health Unit agent to provide a signed consent form A1.045 (F2) to the agency/person from whom information is sought . The original consent is sent with the request for information and a copy is kept on file.
2. When the health unit receives information or referrals from a third party, it is the responsibility of the agent receiving the information to ensure a signed consent form A1.045 (F2) accompanies the information.
3. A signed consent should be obtained from the individual. For a child, or an individual unable to consent because of mental or physical disability, the parent, legal guardian or next of kin may provide consent. The specific information being requested and the reason should be reviewed with and understood by the person and any potential consequences discussed. The completed consent form will include a description of the information to be obtained/released. Generally this would relate to the issue(s) being addressed by the individual and the agent. Some situations may dictate a need for a more specific description of information to be obtained/released (e.g. when only some information is pertinent). The consent is signed by the individual and witnessed. The consent is considered in effect while the specified issue and the individual or agency being consulted remains the same.

F. Other Situations:

1. In any situations other than those described above, information may only be released without consent after consultation with the Service Director or Medical Officer of Health.
2. A record must be subpoenaed for use in a court of law. The subpoena should be directed to the appropriate Service Director. Individuals will be subpoenaed directly.

Related Policies:
Policy A1.041  Personal Information Including Personal Health Information Privacy – Principles
Policy A1.042  Personal Information Including Personal Health Information Privacy – Accountability
Policy A1.043  Personal Information Including Personal Health Information Privacy – Consent
Policy A1.044  Personal Information Including Personal Health Information Privacy – Collection & Use
Policy A1.045  Personal Information Including Personal Health Information Privacy – Disclosure
Policy A1.046  Personal Information Including Personal Health Information Privacy – Access
Policy A1.047  Personal Information Including Personal Health Information Privacy – Correction
Policy A1.048  Personal Information Including Personal Health Information Privacy – Privacy Breach

Policy
Final Approval Signature: __________________________________
                                                            Board of Health

Review/Revision History:
2006-09-20 Revised, replaces A1.040 Release of Information, A1.045 Release of Client Information

Procedure
Final Approval Signature: __________________________________
                                                            Executive Committee
                                                           
Review/Revision History:
2006-10-02 Revised Replaces A1.040 Release of Information, A1.045 Release of Client Information