Privacy Policy

Purpose

VHA Home HealthCare (“VHA”) respects an individual’s right to privacy concerning personal information, including personal health information, and is committed to ensuring that the personal information it collects remains appropriately private and secure. VHA recognizes its role in protecting personal information and takes steps to confirm that all VHA Personnel and clients understand the importance of their privacy rights as well as their legal and professional obligations. VHA’s commitment to privacy includes protecting the accuracy, confidentiality and security of personal information as well as allowing individuals to request access to, and correction of, their personal information, where appropriate. The purpose of this policy is to outline how VHA takes responsibility for privacy by establishing controls for the collection, use and disclosure of personal information to ensure that it is managed with the utmost responsibility and care and in compliance with all legal and contractual requirements.

Scope

This policy applies to all VHA employees, independent service providers, directors, officers, contractors, researchers, volunteers, agents and students (together, “VHA Personnel”) where they collect, disclose, process, access and/or use personal information and/or when they design operating or functional policies and systems regarding the collection, use, access and/or disclosure of personal information in any format (for example, oral, printed, or electronic/digital).

Policy Definitions

Capacity

refers to the ability of a person to a) consent to the collection, use or disclosure of PI/PHI, b) understand the information that is relevant when deciding whether or not to consent, and c) understand the potential consequences of giving/not giving, withholding or withdrawing consent.

Identifying Information

means information that identifies an individual or could possibly be used, either alone or with other information, to identify an individual.

Personal Information (PI)

means information that reveals something personal about an identifiable individual and is protected by law. Personal Information includes personal health information.

Personal Health Information (PHI)

means identifying information about an individual in oral or recorded form, if the information

  • relates to the physical or mental health of the individual, including information that consists of the health history of the individual’s family
  • relates to the providing of health care to the individual, including the identification of a person as a provider of health care to the individual
  • is a plan of service for the individual
  • relates to payments or eligibility for health care, or eligibility for coverage for health care, in respect of the individual
  • relates to the donation by the individual of any body part or bodily substance of the individual or is derived from the testing or examination of any such body part or bodily substance
  • is the individual’s health number, or
  • identifies an individual’s substitute decision-maker.

PHIPA

means Ontario’s Personal Health Information Protection Act, 2004, S.O. 2004, c. 3, Sch. A.

Privacy Breach

means loss of, unauthorized access to, or unauthorized disclosure of PI/PHI and can occur when PI/PHI is stolen, lost or inappropriately shared, either accidentally or on purpose.

Responsibilities

All VHA Personnel are responsible for the protection of PI/PHI within their possession/access/control and are required to comply with the terms of this policy and its procedures, at all times. This includes always maintaining PI/PHI in strict confidence.

VHA Personnel shall inform all individuals providing PI/PHI to VHA of how and why VHA collects, uses and discloses their PI/PHI and shall obtain their consent.
Individuals have a right to know and determine who can access, view, use and disclose their PI/PHI for the stated purposes and they also have the right to change their mind and withdraw consent.
VHA personnel shall only collect information that is necessary to fulfil the stated purposes and shall ensure that all such information is recorded in a manner that is accurate, reliable, up-to-date and secure.

Only authorized VHA Personnel shall be given access to PI/PHI as needed to fulfill their roles/functions. In addition, PI/PHI shall not be collected, used or disclosed for any purposes other than those originally stated at the time it was obtained, except with the further consent of the individual or as permitted by law.

VHA Personnel shall only handle PI/PHI in compliance with the procedures outlined in this policy and the applicable related policies, including but not limited to,

  • Maintaining PI/PHI in the designated secure areas that are inaccessible to those who are not authorized;
  • Never leaving PI/PHI accessible or available for viewing by unauthorized persons;
  • Transporting PI/PHI in a way that ensures it is protected from viewing or interception by unauthorized persons;
  • Transmitting PI/PHI using only the secure means permitted by VHA and indicating that the information is strictly confidential, only for the use of the identified recipient, and only for the identified purpose;
  • Retaining PI/PHI only within the “circle of care”, unless otherwise specifically authorized; and
  • Returning PI/PHI to the designated secure areas following active use.

VHA Personnel shall report any known or suspected privacy breaches as soon as reasonably possible to VHA’s Privacy Officer at privacy@vha.ca or 416-482-8782.

Compliance

VHA Personnel must comply with all aspects of this Policy and its Procedures and support others in doing so. VHA Personnel who fail to comply or knowingly/negligently permit others to not comply, may be subject to the appropriate disciplinary action up to and including termination of employment/contract.

Procedures

Collection

VHA collects PHI about its clients for the purpose of providing nursing, personal support, homemaking, rehabilitation services and extreme cleaning services, as well as evaluating, quality monitoring, improvement and auditing (including accreditation surveys and professional college audits) and risk management with respect to those services.
VHA collects PI from its employees, independent contractors and volunteers for the purpose of fulfilling legal and contractual obligations as well as management requirements within the employer/contractor relationship and for the protection of the clients that it serves.

VHA Personnel responsible for the collection of PI/PHI shall identify, before or at the time of collection, the purpose for collecting the information.

If PI/PHI is necessary to a research project, the guidelines set out by the Information Privacy Commissioner will be followed, i.e., an application or proposal must be submitted and reviewed by an ethics panel or research ethics board and, if approved, the researchers must sign confidentiality agreements and no identifiable PI/PHI will be included in the research report or article.
If PI/PHI is to be subsequently used for any other purposes (i.e., outreach, public advocacy) those purposes will be specifically communicated to the individual and consent obtained prior to that use.
VHA shall not collect PI/PHI without legitimate purpose. Except as otherwise required by law, both the amount and type of information collected will be limited to what is reasonably necessary to fulfill the purposes for collection.
A summary notice with respect to an individual’s privacy rights at VHA, including the collection, use and disclosure of information, shall be posted on VHA’s website. The website shall also include available contact information for VHA’s Privacy Officer as well as the Information Privacy Commissioner of Ontario.

Complete copies of VHA’s policies and procedures regarding privacy shall be posted on VHA’s intranet, The ‘Loop’.

Consent

VHA Personnel responsible for the collection of PI/PHI must ensure that each individual understands and consents to the collection, use, disclosure and dissemination of their PI/PHI.

Consent may be communicated either in writing or verbally and may be express or implied depending on the circumstances and as prescribed by law. In all instances, consent regarding the collection, use and disclosure of PHI must be documented. VHA’s current templates and forms should be used, as appropriate.

If assuring knowledge and acquiring consent is impossible or inappropriate because the individual to whom the information pertains lacks capacity, the appointed substitute decision-maker must give consent. If there is no substitute decision-maker or the substitute is unavailable, direction must be obtained from an appropriate VHA manager or the Privacy Officer.

At no time shall consent be forced or obtained through deception.

Withdrawal of Consent

An individual can withdraw their consent at any time as long as doing so meets all legal or contractual obligations and the individual provides reasonable notice. VHA Personnel shall refer any request to withdraw to the appropriate manager who will handle withdrawals of consent in consultation with the Privacy Officer. The manager is responsible for explaining to the individual the implications of the withdrawal of consent. In the case of a client withdrawing consent, VHA may or may not be able to continue service to the client without collection of, access to, or communication of the PHI at issue.

Where at all possible and reasonable, withdrawal of consent should be in writing and signed by the individual or substitute decision-maker.

Any withdrawal of consent applies to future situations and consent may not be withdrawn retroactively.

Confidentiality

All VHA Personnel shall sign a confidentiality agreement at the start of their employment/term with VHA and shall annually re-confirm this agreement and their commitment to continue following VHA’s Confidentiality, Non-Solicitation, and Conflict of Interest Policy with respect to all confidential information at VHA, including PI/PHI.

All contractors/agents/suppliers to VHA who will have access to personal information will sign a confidentiality agreement as part of their contract with VHA, and before commencing any work for VHA, that confirms that the confidentiality of VHA information will be maintained and securely stored, at all times. VHA’s Privacy Officer may conduct privacy audits of suppliers/contractors and independent contractors, as necessary, to ensure ongoing compliance with their obligation to confidentiality.

Access and Disclosure

VHA Personnel shall only have access to PI/PHI on a “need-to-know” basis and system controls are in place to ensure that access is only granted based on the individual’s medical/paramedical/therapeutic and administrative duties as assigned. Accessing information for any other purpose will be deemed a disclosure, access or use that requires prior approval or attention and response by the Privacy Officer.

Clients and employees asking to obtain copies of their client/employee records must submit a formal access request in writing. Client requests are to be submitted to the Records Management Coordinator and employee requests are to be submitted to the attention of the Human Resources (HR) Manager. All such requests must contain appropriate information to positively identify the client/employee and be signed by the client/employee and/or substitute decision maker.

The HR Manager/Records Department will provide a response to the access request within a reasonable period of time, depending on the circumstances, but not more than 10 business days. The HR Manager/Records Department may exercise discretion not to permit review/release of portions of the record if releasing it may harm the physical or mental well-being of the client/employee. The HR Manager/Records Department will not deny access without first consulting with the Privacy Officer. The client/employee may appeal the denial of access to the Privacy Officer and then further to the President/CEO, if necessary.

For copies of client records/employee files to be sent externally, for example, requests by lawyers, insurance companies and other third parties, authorization and consent in writing by the client/employee must first be obtained. Upon confirming consent, any copied records to be sent to external parties must be sent using appropriately secure means and indicate that the information being sent is strictly confidential, only for the use of the identified recipient, and only for the identified/requested purpose. VHA may charge a reasonable fee to lawyers, insurance companies and other third parties requesting photocopies of client/employee files.

The release of original client records is permitted only under special circumstances (i.e., court subpoena) upon approval from VHA’s Privacy Officer.

No PHI/PI will be released without the written consent of the client/employee except as required by law or in the event of an emergency threatening the health or safety of the client/employee or the health and safety of the public, or in accordance with the exceptions outlined in PHIPA.

Any access to PI/PHI via patient portals or employee self-serve portals made directly by patients/their delegates or employees, respectively, is not considered a formal access request. Such access is not required to follow the procedures described above nor is such access tracked or reported within VHA.

PI/PHI shall never be disclosed or shared via social media. VHA Personnel shall always follow VHA’s Social Media policy when dealing with social media platforms.

Transmission

PHI/PI must always be sent and received securely. When PI/PHI is transmitted electronically it must only be sent using secure means as described below.

PHI/PI must never be transmitted through text messaging at any time for any reason.

By facsimile

  • PHI/PI sent or received via facsimile shall be through approved VHA internet fax provider “efaxds.ca” where possible and, where that is not possible, from and to secure machines that are monitored and used by authorized persons only.
  • Where “efaxds.ca” is not used, the sender will notify the receiver that the PHI/PI is being transmitted so that the receiver can ensure its security and proper receipt.
  • The sender will seek confirmation of receipt of the transmission.
  • The sender will indicate that the transmission is confidential and is intended only for the identified recipient and solely for the intended purpose.

By email

  • PHI/PI sent or received by email to/from VHA Personnel shall be sent through VHA’s secure system using the “@vha.ca” email of the sender.
  • All PHI/PI sent or received via e-mail from or to third parties outside of the VHA secure email system shall be sent encrypted.
  • Although it is not secure, clients may wish to communicate with VHA by email. VHA Personnel must advise clients of the risk of communicating by email (i.e., security of PHI sent over the internet cannot be guaranteed) before confirming the client’s consent to use email communication. A template written consent to communicate PI/PHI via email that sets out the risks associated with email transmission can be found on the ‘Loop’ intranet and within VHA’s electronic medical records system.
  • Client PHI received via e-mail must be transferred to the electronic or hard-copy client record and, when appropriate, erased from the network and e-mail server.
  • The VHA sender shall indicate that the transmission is confidential and is intended only for the identified recipient and solely for the intended purpose.
  • No PHI/PI contained within e-mails shall be downloaded to hard drives and/or stored, held or retained in an unencrypted form, at any time.

By VHA Approved Secure Portal/Platform

From time to time, VHA, its funders or other client program participants may implement secure portals/platforms that meet all the privacy and security requirements of PHIPA and have been designed or established for the purpose of sharing PI/PHI in a secure, electronic manner. Upon review of the portal/platform by VHA’s privacy and security teams and upon receipt of formal approval by VHA’s Privacy Officer, such secure portals and platforms may be used based on the parameters of the approval given.

Parameters of approval may be limited, for example, such portals/platforms may be restricted to specific uses, certain programs, particular data types or other controls.

Generative Artificial Intelligence

VHA recognizes that generative artificial intelligence (AI) is an emerging technology that will evolve over time. If VHA uses generative AI tools in connection with the PI/PHI it holds, it shall only use such tools that comply with PHIPA requirements and meet all aspects of VHA’s rigorous privacy and security programs and IT Acceptable Use policy. Until legislation is enacted to address generative AI tools, or a funder/contract establishes specific requirements, VHA will voluntarily comply with Canada’s Voluntary Code of Conduct on the Responsible Development and Management of Advanced Generative AI Systems.

At no time shall any PI/PHI be input to an external AI tool.

Privacy Officer

VHA has appointed a Privacy Officer who is responsible for developing policies and procedures on privacy matters, training all VHA Personnel regarding privacy, receiving questions and complaints on privacy matters, conducting regular privacy audits, overseeing compliance with VHA’s legislative requirements, and ensuring the development and maintenance of VHA’s privacy program is consistent with best practices.

The Privacy Officer shall confirm that VHA’s policies, procedures and practices regarding the collection, use and disclosure of PHI/PI meet with VHA’s contractual obligations and that all parties sub-contracted by VHA have comparable levels of privacy protection within their respective organizations.

The Privacy Officer shall be responsible for ensuring that all VHA Personnel understand their obligations with respect to privacy/confidentiality through orientation, training and signing agreements when hired or beginning service to VHA. The Privacy Officer shall also provide annual refresher training for all VHA Personnel to ensure their understanding remains current and to obtain a re-certification of their commitment to their privacy obligations. Additional ad hoc training will be provided to individuals and teams, as appropriate.

The Privacy Officer receives suspected or actual privacy breach reports from VHA Personnel and shall maintain a log of all such incidents. The Privacy Officer will provide advice regarding the handling and prevention of privacy breaches. The Privacy Officer will report privacy breaches to the relevant authorities and shall ensure notice is provided to any affected individuals, accordingly. All privacy breaches shall be addressed in accordance with VHA’s Privacy Breach Protocol.

Reporting

VHA Personnel are responsible for promptly reporting suspected or actual violations of this Policy and any suspected or actual breaches, to the Privacy Officer so that the situation can be appropriately investigated, addressed and resolved.

VHA takes every report seriously and will investigate each such report to identify the facts, respond to the situation and, where necessary, implement improvements to its practices and procedures.

Privacy Impact Assessments

To ensure privacy principles are being taken into account during the design, implementation and evolution of VHA’s programs, initiatives, processes and systems that include PI/PHI, the Privacy Officer or delegate shall conduct privacy reviews and/or privacy impact assessments (PIAs), as appropriate. When conducting reviews and/or PIAs, the Privacy Officer shall develop measures to mitigate, and wherever possible eliminate, any identified privacy risks.

PIAs will be conducted, reviewed and updated as necessary, in the following circumstances:

  • On existing programs, initiatives, processes and systems when substantive changes relating to the collection, use or disclosure of PI/PHI are being implemented.
  • In the design of new programs, initiatives, processes and systems that involve the collection, use or disclosure of PI/PHI or otherwise raise privacy issues; and
  • On any other programs, initiatives, processes and systems with privacy implications, as appropriate.

Complaints, Challenges and Enquiries

All client/employee complaints related to PHI/PI, including VHA’s compliance with privacy legislation or the accuracy of PHI/PI as well as general enquiries about VHA’s policies and procedures related to the handling of information shall be referred to the Privacy Officer. An individual may also challenge the accuracy and completeness of their PI/PHI and make a request to the Privacy Officer to have it revised.

The Privacy Officer is authorized to investigate and respond to complaints, challenges and enquiries regarding privacy matters. The Privacy Officer will explain to enquiring individuals the process VHA uses to investigate and respond to enquiries, challenges or complaints relating to personal information. All complaints and challenges will be thoroughly investigated. The Privacy Officer shall inform the client/employee of the outcome of any investigation or challenge.

If a complaint is found to be valid, VHA will take appropriate measures, including as necessary, revising its policies and procedures. If a request to amend or correct an individual’s record has sufficiently demonstrated that the record was incomplete or inaccurate for the purposes for which VHA uses the information, VHA shall make the correction by recording the corrected information and striking out the incorrect information.

Destruction

PHI/PI shall be securely stored and then destroyed according to specific funder/contractual requirements or by default after 10 years post discharge (in the case of clients under the age of 18, ten years beyond the date upon which they reach or would have reached age 18), whichever is greater.

Periodic destruction of inactive or outdated PHI/PI will be conducted in a formal manner following all legal requirements and applicable VHA Policies relating to records retention and disposal.

PHI/PI shall be destroyed by shredding, burning or erasure and reformatting. Records will be kept by the Records Management Coordinator that will clearly document what was destroyed and when.

Any incidental destruction of PHI/PI must be carried out under the specific direction of a Manager and must be documented by the Manager. Records of such destruction shall be retained by the Records Management Coordinator.

Related Policies

  • Client Information and Records Management
  • Confidentiality, Non-Solicitation, and Conflict of Interest
  • Human Resources Files and Release of Information
  • Information Security
  • Privacy Breach
  • Retention and Disposal of Client Records
  • Social Media