We at Melissa Cutler Therapy (“MCT”) are committed to maintaining the privacy and confidentiality of all personal health information (“PHI”) that we collect, use and disclose. We strive to protect the privacy rights of our clients at MCT by meeting or exceeding the standards established by law, including the Personal Health Information Protection Act, 2004 (“PHIPA”).
The types of PHI that MCT collects, uses and stores may vary depending upon the individuals involved and the nature of their relationship with MCT. The information we collect may include, for example:
With limited exceptions, we obtain PHI directly from our clients or their authorized representative(s). Occasionally, we may collect information about our clients from other sources, including other health care providers, where we have obtained their consent to do so or if the law permits.
We will not collect PHI if other information we have will serve the purpose of the collection. In addition, we will not collect more PHI than is reasonably necessary to meet the purpose of the collection.
MCT will identify the purposes for which PHI is being collected, in advance, and will inform clients of these purposes. We will only collect, use and store information that is necessary for these purposes.
If we intend to use our clients’ information for any other purposes, we will ask for their consent before doing so, unless otherwise permitted to do so by law without their consent.
MCT will not collect, use or disclose PHI without the consent of a client or, if the client is not capable of giving or refusing consent, without the consent of his or her substitute decision-maker, unless otherwise required or permitted by law. Consent to the collection, use or disclosure of PHI may be express or implied.
For most healthcare purposes, consent is implied as a result of consent to treatment. However, in some circumstances, express and sometimes written consent may be required.
Unless the law requires such disclosure, we will always ask for a client’s express consent before:
A client may withdraw or limit their consent at any time, unless doing so prevents us from recording the information required by law or under professional standards. A client may also give express (written) instruction that specific information is only to be used or disclosed by certain individuals or to certain individuals or for certain purposes. The Privacy Officer will assist them with this process.
We may collect, use or disclose a client’s information without their consent in certain limited circumstances that are expressly permitted by PHIPA. For example, some laws require disclosure of their information in certain circumstances, such as the Child and Family Services Act, the Health Protection and Promotion Act and the Workplace Safety and Insurance Act, 1997.
In order for consent to be valid, it must be knowledgeable and obtained voluntarily (i.e., without deception or coercion) from an individual with the capacity to consent. Knowledgeable consent means that it is reasonable in the circumstances to believe that the individual knows the purposes for which MCT is collecting, using or disclosing the information and knows that they have the right to give or withhold their consent.
If a client is found to be incapable of making decisions about their information, we will consult their substitute decision maker, as determined by law. There is no age of consent in Ontario. As such, all children may provide consent to the collection, use and disclosure of their own PHI if they are capable of doing so.
A person is capable to consent to the collection, use or disclosure of their PHI if the person is:
Where a child is under 16 years of age, a parent or guardian may consent to the collection, use or disclosure of a capable child’s personal health information, unless the information relates to treatment sought by the child on their own. However, where a child is capable of consenting to the collection, use or disclosure of their personal health information, the child’s consent will be sought wherever practicable.
Generally, we will not share a client’s personal health information with anyone else without their consent.
The only exception to this is that we may be required or permitted by law in certain instances to disclose personal health information without consent.
In addition, unless instructed otherwise, we may disclose a client’s personal health information without express consent to other health care providers in the “Circle of Care” who need to know this information in order to help provide care to the person. We rely on assumed implied consent for these disclosures.
MCT recognizes the importance of safeguarding PHI and will take all steps that are reasonable in the circumstances to ensure that PHI in our custody is protected against theft, loss or unauthorized access, use, or disclosure. We will also ensure that the records containing this information are protected against unauthorized copying, modification or disposal.
The personal health information records we maintain are kept in electronic format. In order to protect our clients’ information, we have taken steps to meet the need for physical security, technological security and administrative controls.
The measures we have taken for the physical security of personal health information include:
MCT’s PHI records which are maintained in electronic form are protected through technological security measures we have taken, including the use of:
We have also implemented administrative controls to safeguard the personal health information records we maintain, including:
Due to the significant risks to the protection of clients’ privacy and confidentiality that are associated with the use of e-mail and text messaging, MCT does not collect or disclose personal health information through these means of electronic communication except through the use of a secure email server or in very limited circumstances.
Clients will be informed of the risks associated with electronic communication of their personal health information at the outset of their interaction with MCT. Consent will be obtained from clients in advance if there is a need to communicate in this manner other than as described above.
Where personal health information is provided to MCT through e-mail or text, a copy of the e-mail or the text message will be kept as part of the client’s record.
Our policy is to retain personal health information records for the later of: at least ten (10) years from the date of the last entry in the record; ten (10) years following the eighteenth (18th) birthday of the client to whom the record relates; or in accordance with any minimum retention period that is established by law.
When PHI is disposed of, MCT will take reasonable steps to ensure secure and permanent destruction of these records, whether physical or electronic. Where a third party is retained to dispose of PHI, we will enter into a written agreement with the third party that sets out the requirements for secure disposal and require the third party to confirm in writing that secure disposal has occurred. MCT keeps a record of all PHI that has been destroyed, including the date and manner in which the PHI was disposed of.
In the event that a client’s PHI has been stolen, lost or subject to unauthorized use, access, disclosure, copying or modification, our first priority will be to identify and contain the breach, and then to take steps to correct it and to minimize the chance of similar breaches in the future. We will notify any client whose PHI may have been stolen, lost or accessed in an unauthorized manner, at the first reasonable opportunity. We will also advise clients of their right to contact the Information and Privacy Commissioner.
In the event a privacy breach occurs, MCT will take the following steps:
Step 1: Report breach to Privacy Officer and Implement Privacy Breach Protocol
Step 2: Stop and contain the breach
Step 3: Investigate the breach
Step 4: Notify those affected by the breach
Step 5: Conduct a review and remediation of the breach
Step 6: Consideration of reporting to the Privacy Commissioner
These steps may need to be carried out simultaneously and in quick succession.
Clients and their authorized representatives have a general right to access all of their PHI in MCT’s custody or control. Where a client is not capable to consent to the collection, use or disclosure of their PHI, the client’s substitute decision-maker may access information on the client’s behalf. Clients may also request a copy of this information.
If a client would like to request access to or a copy of his or her PHI, he or she must make a written request to any staff member, who will forward the request to the Privacy Officer. The Privacy Officer will make arrangements to provide the client or their substitute decision-maker with a copy of records requested or will make an appointment to review the records with the client or substitute decision-maker. A staff person will always be present when original records are reviewed by a client or substitute decision-maker.
A client’s right to access his or her personal information is not absolute. MCT may deny an access request where:
All requests for access to PHI will be addressed as soon as possible, but no later than 30 days from the date of the request. If the Privacy Officer refuses a client access to their records, there will be a reason provided to the client as to why we are not able to do so. The client will also be notified of their right to make a complaint about the refusal to the Information and Privacy Commissioner of Ontario.
MCT will ask for verification of the individual’s identity before providing access. MCT may charge a reasonable cost recovery fee for making information available and/or providing copies of PHI records. If we choose to do so, we will provide notice of the fee in advance of processing the request.
We take all reasonable steps to ensure all PHI is as accurate, complete and up to date as necessary for the purpose the information is being used.
We will not routinely conduct updates on information in our control unless routine updates are necessary to fulfil the purposes for which the information was collected.
We use advanced technology and well-defined practices to ensure PHI is processed promptly, accurately, and completely. We ask that our clients advise us of any changes to their PHI in a timely manner so that we may ensure our information is accurate.
If a client believes that his or her PHI is not accurate or complete, he or she may make a written request to the Privacy Officer to have the information corrected.
MCT will correct PHI where it is demonstrated that the information in the client’s record is, in fact, inaccurate or incomplete and necessary information is provided to correct the record. Where a correction is made, the original information will still be maintained in the client’s record.
However, MCT may refuse to correct PHI where:
All requests for correction of PHI will be addressed as soon as possible, but no later than 30 days after receiving the request. Where a correction request is denied, clients will be notified of the reasons for the refusal and will be informed that they are entitled to prepare a short statement of disagreement to have appended to their PHI record. In addition, clients are entitled to make a complaint about the refusal to the Information and Privacy Commissioner of Ontario.
Any breach of this Policy or the confidentiality agreements by our agents may result in disciplinary action, including:
All agents must notify the Privacy Officer at the first reasonable opportunity if a client’s personal health information is lost, stolen or accessed without authorization.
If clients have any questions or concerns about the collection, use, disclosure or protection of their PHI at MCT, they should speak with our Privacy Officer at (647) 933-5506.
MCT takes the privacy of its clients seriously and will investigate all written privacy concerns. If a concern is found to have merit, we will take appropriate measures, including, if necessary, taking disciplinary action against our agents and/or amending our policies and practices relating to the collection, use and disclosure of the client’s PHI.
If we are not able to address a client’s concerns, or if a client requires further information regarding privacy in Ontario, they may contact the Information and Privacy Commissioner of Ontario:
Information and Privacy Commissioner of Ontario
2 Bloor Street East, Suite 1400
Toronto, ON M4W 1A8
MCT reviews our privacy policies and procedures on an annual or as-needed basis and may revise these from time to time. If these revisions significantly change how we collect, use or disclose previously collected PHI, we will inform our clients and obtain consents where required.