Introduction

Health Unit agents collect, use and disclose personal information including personal health information in the management and delivery of public health services for the following purposes:

• To conduct business and manage the daily operations of the health unit
• To assess current status in order to provide direct care, programs and services
• To respond to complaints about public health issues
• To provide public health interventions to clients
• To contribute to quality improvement processes or research; and
• To comply with legislative and professional requirements

The Municipal Freedom of Information and Protection of Privacy Act, 1991 establishes the rights of access for individuals to the personal information about themselves that is held by the health unit.  The Personal Health Information Protection Act, 2004 establishes the rights of access for individuals to their personal health information.

Purpose

The purpose of this policy is inform Simcoe Muskoka District Health Unit Board of Health members, employees, students, volunteers, contractors (collectively defined as health unit agents) and members of the public of their rights and obligations regarding information access.

While this policy focuses on access to personal information including personal health information, it should be interpreted within the context of the PERSONAL INFORMATION INCLUDING PERSONAL HEALTH INFORMATION – PRINCIPLES policy and the related set of policies that collectively define the information practices of the Health Unit for the purposes of all applicable privacy legislation.

Policy Definitions & Interpretations

This policy and any specific terms used herein will be interpreted to ensure consistency with all applicable information privacy legislation, including MFIPPA, RHPA and PHIPA. This policy cannot fully describe how the legislation is to be applied in every instance by the Health Unit. As a result, there may be circumstances where the legislation itself should be referred to, or specialized advice regarding privacy should be obtained.

For the purposes of this policy statement:

“agent” means a person that, with the authorization of the Medical Officer of Health as a Health Information Custodian (HIC), acts for or on behalf of the HIC in respect of personal health information for the purposes of the HIC, and not for the agent’s own purposes, whether or not the agent has the authority to bind the HIC, whether or not the agent is employed by the HIC, and whether or not the agent is being remunerated;

“applicable privacy legislation” means MFIPPA, and PHIPA;

“health information custodian (HIC)” means a person or organization …who has custody or control of personal health information as a result of or in connection with performing the person’s or organization’s powers or duties or the work as a medical officer of health of a board of health within the meaning of the Health Protection and Promotion Act , 1990

“Health Unit” means the Simcoe Muskoka District Health Unit

“MFIPPA” – means Municipal Freedom of Information and Protection of Privacy Act, 1991

“PHIPA” – means Personal Health Information Protection Act, 2004

 “personal health information” means identifying information about an individual in oral or recorded form, if the information:

• relates to the physical or mental health of the individual, including information that consists of the health history of the individual’s family,
• relates to the providing of health care to the individual, including the identification of a person as a provider of health care to the individual,
• is a plan of service within the meaning of the Long-Term Care Act, 1994 for the individual,
• relates to payments or eligibility for health care in respect of the individual,
• relates to the donation by the individual of any body part or bodily substance of the individual or is derived from the testing or examination of any such body part or bodily substance,
• is the individual’s health number, or
• identifies an individual’s substitute decision-maker.

“personal information” means recorded information about an identifiable individual, including:

• information relating to the race, national or ethnic origin, colour, religion, age, sex, sexual orientation or marital or family status of the individual,
• information relating to the education or the medical, psychiatric, psychological, criminal or employment history of the individual or information relating to financial transactions in which the individual has been involved,
• any identifying number, symbol or other particular assigned to the individual,
• the address, telephone number, fingerprints or blood type of the individual,
• the personal opinions or views of the individual except if they relate to another individual,
• correspondence sent to an institution by the individual that is implicitly or explicitly of a private or confidential nature, and replies to that correspondence that would reveal the contents of the original correspondence,
• the views or opinions of another individual about the individual, and
• the individual’s name if it appears with other personal information including personal health information relating to the individual or where the disclosure of the name would reveal other personal information including personal health information about the individual.
  

"record" is broadly defined to include any record of information however recorded.  This includes correspondence, minutes, reports, photographs, computer tapes and disks, files, and any other recorded information regardless of medium or format.  The definition also includes a record that does not yet exist but which can be created from existing data in a computer system.

“RHPA” – means Registered Heath Professions Act, 1991

Policy:     

Except under special circumstances, clients have the right to access their personal information including personal health information held by the agency. 

Requests for access under the legislation must be in writing and must provide sufficient detail to enable an experienced agent of the health unit, upon reasonable effort, to identify the records. 

A substitute decision-maker can request access on a client’s behalf. Substitute decision-makers will follow the same process to obtain access to the personal information including personal health information as the client.

The two Acts do not prevent health unit personnel from informally communicating with clients or their substitute decision-makers and sharing personal information on request.  This policy and procedure applies when an individual wishes to invoke the rights and procedural requirements set out in privacy legislation.

Procedure:

A. Receiving Requests

1. Forms are available for use by the public in requesting access to their personal information. A request can also be in the form of a letter provided that the letter specifically cites the Act in the request and includes the information required to identify the records.  See Form A1.045 (F1) Access/Correction Request
2. Requests will be received by reception at all Health Unit offices.
3. Questions regarding the Health Unit’s personal information practices will be directed to the Associate Director of Corporate Services (ADCS).

B. Processing Requests

1. The employee receiving the request will create a record of the request in the appropriate log indicating the date of receipt, the requester, and the disposition.
2. Within one business day, the request is placed in a sealed envelope marked Personal Information Request and forwarded to the ADCS.
3. Upon receipt of the request ADCS will record the request and assign it a number.
4. Within three business days, the ADCS will pass the request on to the appropriate Service Director.
5. Within ten business days, the record requested will be procured and reviewed by the appropriate Service Director in consultation with ADCS.
6. If there is disagreement between the Service Director and the ADCS as to the exemptions or release of the information this will be passed to the Medical Officer of Health for decision.
7. Within 30 days of receipt of the request:
   1. if the request can be acted upon, the ADCS will arrange for the requester to either obtain a copy or review the record at a predetermined location in the presence of a Health Unit employee.
   2. if the request is deemed to be covered by the statute exceptions provided for under the Acts the ADCS will provide a written response to the requestor summarizing the reasons.
   3. if replying to the request within 30 days would reasonably interfere with Health Unit activities because locating the record requires a complex search, or the time required to undertake the necessary consultations would make it reasonably impractical to reply within 30 days, the ADCS will provide a written notice of extension with explanation and anticipated timelines for response to the requestor.  The maximum extension is 30 days.

C. Refusing a Request for Access

1. Where a legal exception applies the ADCS will:
   1. provide an explanation to the requestor in writing citing the legal exception.  In some circumstances, the ADCS may be prohibited from indicating if a record even exists;
   2. cause the record to be severed and provide access to the part of the record where no legal exception applies; and/or
   3. inform the requestor about the Health Unit’s complaints procedure, and review their rights and the process for complaints to the Privacy Commissioner.

D. Documentation of a Request for Access:

1. The ADCS or Service Director will document the date of the request for access and include with the client’s record.

E. Fees for Processing Requests for Access

1. The Health Unit may charge a fee to cover the cost to the Health Unit of complying with a request for information to cover the following:
   1. the costs of a manual search required to locate a record;
   2. the costs of preparing the record for disclosure;
   3. computer and other costs incurred in locating, retrieving, processing and copying a record;
   4. shipping costs; and
   5. any other costs incurred in responding to a request for access to a record. 

 
Related Policies:
Policy A1.041  Personal Information Including Personal Health Information Privacy – Principles
Policy A1.042  Personal Information Including Personal Health Information Privacy – Accountability
Policy A1.043  Personal Information Including Personal Health Information Privacy – Consent
Policy A1.044  Personal Information Including Personal Health Information Privacy – Collection & Use
Policy A1.045  Personal Information Including Personal Health Information Privacy – Disclosure
Policy A1.046  Personal Information Including Personal Health Information Privacy – Access
Policy A1.047  Personal Information Including Personal Health Information Privacy – Correction
Policy A1.048  Personal Information Including Personal Health Information Privacy – Privacy Breach

Policy
Final Approval Signature: __________________________________
                                                            Board of Health
Review/Revision History:
2006-09-20 Revised

Procedure
Final Approval Signature: __________________________________
                                                            Executive Committee
                                                           
Review/Revision History:
2006-10-02 Revised