ISNA Cares Privacy Code
Introduction
ISNA Cares respects the privacy of clients’ personal health information. The ISNA Cares Privacy Code promotes responsible and transparent personal information management consistent with the Ontario Personal Health Information Protection Act, 2004.
This code outlines our privacy and information practices to protect personal health information. We will review and update the Privacy Code to ensure its relevance and alignment with changing industry standards, technologies, and laws.
Scope and Application
This Privacy Code applies to personal health information collected, used, or disclosed by ISNA Cares in the course of providing mental health and support services. Personal health information is information in any form that identifies an individual and that relates to an individual’s health and health care, such as name, address, gender, age, health history, health care programs and services, health care providers, substitute decision-makers, health card number, and other personal identification numbers.
The ISNA Cares Privacy Code in Detail
Collection of Personal Health Information
ISNA Cares collects personal information from and about our clients at the beginning of our involvement and every time clients visit us, for the following primary purposes: Direct Care of Client, Administration of Mental Health Services, Program Evaluation, Quality Improvement, Accreditation, Teaching, Statistics, Research, Fundraising, Volunteer Program and Legal and Regulatory Requirements.
Personal health information collected for the administration of direct clinical services includes, but is not limited to: name, contact information, date of birth, health card number and related mental health concerns and treatment.
By law, and in accordance with professional standards, ISNA Cares maintains a record of services to, and contact with, all clients. Client records include both an electronic and hard copy component and contain the following information:
- Intake Documentation
- Completed Clinical Reports, Treatment Plans and Service Summaries
- Contact Notes and any other Internal Clinical Documentation
- Any Agreements with, and Correspondence sent to, external sources
- Reports and Correspondence received from external sources
- Observation Log (Live In Treatment only).
ISNA Cares collects personal health information about clients directly from clients and/or their parents or from another person authorized to act on their behalf. Occasionally, we also collect personal health information about clients from other sources, including other care providers and schools, if we have obtained consent to do so or if the law permits. We will not collect personal health information if other information will serve the purpose. In addition, we will not collect more personal health information than is reasonably necessary to meet the purpose.
ISNA Cares maintains a website which is available to the public. ISNA Cares only collects personal information that is submitted voluntarily, such as address or other contact information that is provided to us via the website. The personal information we collect via the website is only used to respond to requests received via the website.
ISNA Cares specifies orally, electronically or in writing the identified purposes to the individual at or before the time personal health information is collected. Persons collecting personal health information will explain these identified purposes or refer the individual to a designated person within ISNA Cares who can explain the purposes.
When personal information that has been collected is to be used or disclosed for a purpose not previously identified, the new purpose shall be identified prior to use. Unless the new purpose is permitted or required by law, the consent of the individual will be acquired before the information can be used or disclosed for the new purpose.
Obtaining Consent for Collection, Use or Disclosure of Personal Health Information
ISNA Cares will only collect, use and disclose your personal health information with your consent or as required or permitted by law.
In obtaining consent, ISNA Cares uses reasonable efforts to ensure that an individual is advised of the identified purposes for which personal information will be used or disclosed. The identified purposes are broadly stated in a manner that can be reasonably understood by the individual, and further information will be provided upon request.
Generally, ISNA Cares seeks consent to use and disclose personal health information at the same time it collects the information. However, ISNA Cares may seek consent to use and/or disclose personal health information after it has been collected, but before it is used and/or disclosed for a new purpose.
For consent to be valid, it must:
- relate to the treatment;
- be informed;
- be given voluntarily; and
- not be obtained through misrepresentation or fraud.
In addition, consent is only valid if it is obtained from a capable person. To be capable of consenting, a person must be able to:
- understand the information relevant to make the decision; and
- appreciate the reasonably foreseeable consequences of giving, withholding or withdrawing consent.
If a person is not capable of making a decision about their information, it will be necessary to obtain consent from a substitute decision-maker, as determined by law.
Where ISNA Cares needs to collect, use, or disclose personal health information from a child under 16 years of age, a parent or other legal guardian may consent even if the child has the capacity, unless the information relates to counseling in which a child 12 years of age or older has participated on his/her own under the Child Youth and Family Services Act, 2017 pursuant to section 28. However, if there is a conflict between the child and the parent, the capable child’s decision prevails.
For youth over 16 years of age who have the capacity to consent, consent to the collection, use or disclosure of personal health information must be obtained from the youth. In addition, for children 12 years of age or older who have sought or are receiving counselling on their own, as per the Child, Youth and Family Services Act, 2017 s. 28, consent for the collection, use or disclosure of personal health information must be obtained from the child.
For children who do not have the capacity to consent, the parents or authorized substitute decision maker including the properly appointed custodial parents may give consent. Properly appointed custodial parents are those set out in a separation agreement or court order or guardian appointed under the Children’s Law Reform Act, 1990.
In determining the appropriate form of consent, ISNA Cares takes into account the sensitivity of the personal health information and the reasonable expectations of the individual.
Where we are collecting, using or disclosing personal health information for health care purposes, the law normally permits us to rely on implied consent. Implied consent can be determined where the surrounding circumstances allow us to make a reasonable determination that the client or a person authorized to act on their behalf would agree to the collection, use or disclosure.
If the purpose for which we are collecting, using or disclosing information is something other than health care of our client or involves the disclosure of personal health information to someone other than a health information custodian, we will normally obtain express consent.
Unless we receive instructions to the contrary, we may disclose our clients’ personal health information to other health care providers in their “circle of care”, who need to know certain information to help provide our clients with ongoing care. The “circle of care” includes health care professionals, pharmacies etc. who provide ongoing care to our clients and are part of the client’s direct care team.
An individual may withdraw consent at any time, subject to legal or contractual restrictions and reasonable notice. Individuals may contact ISNA Cares for more information regarding the implications of withdrawing consent.
In addition, specific instructions may be provided that certain personal health information in a client’s record of personal health information is not to be used or disclosed. If we believe that the withdrawal or limiting of consent may compromise client care, we will convey our concerns to the client or a person authorized to act on their behalf.
ISNA Cares may collect or use personal health information without knowledge or consent if it is clearly in the interests of the individual and consent cannot be obtained in a timely way, such as when the individual is seriously ill or mentally incapacitated.
ISNA Cares may collect, use or disclose personal health information without knowledge or consent in some circumstances, such as:
- in the case of an emergency where the life, health or security of an individual is threatened;
- where we suspect certain types of abuse (i.e., abuse of a minor or abuse by a healthcare professional);
- to reduce a significant risk of bodily harm to a person or to the public
- to assist professionals who do health research, as long as strict privacy requirements are met;
- for a legal proceeding, or to obey a court order or another legal requirement.
Limiting Use, Disclosure, and Retention of Personal Health Information
Only an ISNA Cares employee with a business “need-to-know”, or whose duties reasonably so require, are granted access to personal health information about individuals. ISNA Cares does not disclose personal health information without an individual’s consent unless it is permitted or required by law.
ISNA Cares keeps personal health information only as long as it remains necessary or relevant for the identified purposes or as required by law. Depending on the circumstances, where personal health information has been used to make a decision about an individual, ISNA Cares retains, for a period of time that is reasonably sufficient to allow for access by the individual, either the actual information or the rationale for making the decision.
ISNA Cares maintains reasonable and systematic controls, schedules and practices for information and records retention and destruction which apply to personal information that is no longer necessary or relevant for the identified purposes or required by law to be retained. Such information is destroyed, erased or made anonymous.
Where personal health information is to be disposed of, we will take reasonable steps to ensure that it is permanently destroyed. For paper records, permanent destruction means cross-cut shredding, pulverization or incineration. For electronic records, permanent destruction means either physically damaging the storage device to the point that it is not re-usable or utilizing wiping utilities that irreversibly remove all data from the storage device.
ISNA Cares also uses contracts and other instruments to ensure that agents, contractors, and third-party service providers, who may come into contact with personal health information in the course of performing their duties to ISNA Cares, provide a comparable level of protection while the information is being processed by them.
Accuracy
ISNA Cares is committed to keeping your personal health information accurate, complete and up-to-date, as is necessary for the purposes for which it is to be used. The extent to which personal health information shall be accurate, complete and up-to-date will depend upon the use of the information, taking into account the interests of the individual. We routinely update personal information about clients only in cases where this process is necessary to fulfill the purposes for which the information was collected, or upon notification by the individual.
Safeguards
ISNA Cares shall protect personal health information against loss or theft, as well as unauthorized access, disclosure, copying, use, or modification, regardless of the format in which it is held. We use a variety of physical, administrative and electronic measures to safeguard personal information and ensure it is secure.
All employees with access to personal health information shall be required to sign a written agreement confirming their understanding of, and willingness to comply with, this Privacy Code.
Depending on the sensitivity of the information, ISNA Cares uses appropriate security measures to protect the information. A higher level of protection is used to safeguard more sensitive information.
Methods of protection include physical measures (e.g., locked filing cabinets and restricted access to offices), administrative measures (e.g., employee security clearances and limiting access on a “need-to-know” basis), and technological measures (e.g., the use of passwords and encryption).
All ISNA Cares employees with access to personal information shall be required as a condition of employment to respect the confidentiality of personal information.
ISNA Cares will protect personal health information disclosed to third parties by contractual agreements stipulating the confidentiality of the information and the purposes for which it is to be used.
Openness Concerning Policies and Practices
ISNA Cares is open about its policies and practices with respect to the management of personal health information. We make this information available in a form that is generally understandable, and which can be obtained by contacting us directly. This Privacy Code is available to the public.
Individuals making inquiries to ISNA Cares about their personal health information will be informed of the existence of the Privacy Code as well as the means of obtaining a copy of this Privacy Code and any other relevant information.
Individual Access to Personal Health Information
Upon written request, and with reasonable notice, an individual will be informed of the existence, use, and disclosure of their personal health information, and shall be given access to that information.
If we need to deny a request for access to your personal health information, we will explain the reasons for this, with reference to legislation and policies. We will only refuse access where authorized or required by law to do so.
If we are unable to provide access to all or part of the personal health information requested, we shall provide the reasons for denying access upon request. For example, some information may not be provided if it would:
- be too costly to retrieve;
contain references to other individuals; - be subject to legal, investigative, or other restrictions;
- or be subject to solicitor-client or litigation privilege.
We will also inform the individual of the steps that they can take to ask for a review of our decision about access. If the information is demonstrated to be inaccurate or incomplete, ISNA Cares will amend the information as required. Where appropriate, the amended information shall be transmitted to third parties having access to the information in question.
ISNA Cares will respond to the written request for access to information within 30 days or we will notify the individual of an extension to the timeframe needed to respond.
Clients of ISNA Cares and their parents (if the child is under the age of 12 or does not have the capacity to make their own decisions) are entitled to have access to the following information:
- information in the record compiled and maintained by ISNA Cares with respect to the child and their treatment;
- treatment information compiled and maintained by another agency with whom we have consulted in respect of the child’s treatment, and which the other agency has shared with ISNA Cares, if the other agency reasonably considers that it would be appropriate to disclose that information to the individual;
- the names and titles of persons to whom ISNA Cares has disclosed information contained in the child’s record of personal health information.
Clients and parents seeking access to their records of personal health information must submit a completed Records Request Form to the Privacy Officer.
Compliance and Complaints
All ISNA Cares employees and volunteers are expected to be familiar with, and follow, the policies and practices described in this Privacy Code.
Any complaints, concerns or questions regarding this Privacy Code should be directed to our Privacy Officer, or in writing to:
Privacy Officer
ISNA Cares
2200 South Sheridan Way, Mississauga, ON, L5J 2M4
Telephone: (905) 855-7514
Fax: (905) 855-2033
Email: privacy@isnacares.com
Our Privacy Officer is responsible for the implementation of this Privacy Code, including the education of employees and the monitoring of compliance.
All complaints will be investigated by the Privacy Officer in a timely manner. If a complaint is found to be justified, ISNA Cares will take appropriate measures to address the complaint, including, if necessary, amending our policies and practices. In addition, where appropriate, ISNA Cares will communicate the outcome of the investigation to the individual in a timely manner.
If you are not satisfied with the response of ISNA Cares, you may contact the Information and Privacy Commissioner of Ontario.
This Privacy Code is subject to applicable laws and regulations, including the Personal Health Information Protection Act, 2004, and the standards of the Information and Privacy Commissioner of Ontario.