Updated: Dec 2012
Introduction
Bright Technology is committed to protecting privacy and takes steps to ensure that Personal Health Information is protected in accordance with applicable law. The Privacy Policy: Ontario Personal Health Information Protection Act (“PHIPA Privacy Policy”) has been developed to ensure the protection of Personal Health Information accessed by Bright Technology when providing services to Clients governed by Ontario’s Personal Health Information Protection Act, in a manner that will facilitate Bright Technology business operations and service delivery while protecting the rights and privacy of Bright Technology clients, personnel and members of the public.
Scope of Application
The PHIPA Privacy Policy applies to Personal Health Information accessed by Bright Technology in the course of providing information technology services to Clients governed by the Personal Health Information Protection Act, SO 2004, c 3, Sch A (“PHIPA”).
Other Policies
The PHIPA Privacy Policy should be read in conjunction with the Bright Technology privacy policies addressing the protection of Personal Information collected by Bright Technology directly from customers via its website and otherwise (the “Privacy Policy”), and the protection of Personal Information held by Clients who are subject to public sector privacy legislation, including the Federal Privacy Act and provincial freedom of information and protection of privacy Acts (the “Public Sector Privacy Policy”).
Purpose
PHIPA is Ontario legislation that regulates the management of Personal Health Information and the protection of the confidentiality and privacy of that information, while facilitating the effective delivery of health care services. PHIPA protects Personal Health Information by governing its collection, use or disclosure. PHIPA applies to: (a) the collection of Personal Health Information by a Health Information Custodian; (b) the use or disclosure of Personal Health Information by a Health Information Custodian or a person who is not a Health Information Custodian and to whom a Health Information Custodian disclosed the information. PHIPA also imposes certain obligations on Health Information Custodians and Health Information Network Providers when they use information technology service providers.
Bright Technology is not a Health Information Custodian, an agent to a Health Information Custodian, nor a Health Information Network Provider, but rather is a provider of information technology services. While Bright Technology is not directly subject to the PHIPA requirements, it will endeavour to assist its Clients who are subject to PHIPA to meet their privacy obligations, in accordance with this Privacy Policy and any additional requirements that may be reflected in contractual or other agreements between Bright Technology and the Client.
Definitions and Relevant PHIPA Sections
1. Health Information Custodian:
“Health Information Custodian” is defined in section 3 of PHIPA, as follows:
3(1) “health information custodian”, subject to subsections (3) to (11), means a person or organization described in one of the following paragraphs who has custody or control of personal health information as a result of or in connection with performing the person’s or organization’s powers or duties or the work described in the paragraph, if any:
1. A health care practitioner or a person who operates a group practice of health care practitioners.
2. A service provider within the meaning of the Home Care and Community Services Act, 1994 who provides a community service to which that Act applies.
3. A community care access corporation within the meaning of the Community Care Access Corporations Act, 2001.
4. A person who operates one of the following facilities, programs or services:
i. A hospital within the meaning of the Public Hospitals Act, a private hospital within the meaning of the Private Hospitals Act, a psychiatric facility within the meaning of the Mental Health Act or an independent health facility within the meaning of the Independent Health Facilities Act.
ii. A long-term care home within the meaning of the Long-Term Care Homes Act, 2007, a placement co-ordinator described in subsection 40 (1) of that Act, or a care home within the meaning of the Residential Tenancies Act, 2006.
Note: On a day to be named by proclamation of the Lieutenant Governor, paragraph 4 is amended by adding the following subparagraph:
ii.1 a retirement home within the meaning of the Retirement Homes Act, 2010.
See: 2010, c. 11, ss. 128, 129 (2).
iii. A pharmacy within the meaning of Part VI of the Drug and Pharmacies Regulation Act.
iv. A laboratory or a specimen collection centre as defined in section 5 of the Laboratory and Specimen Collection Centre Licensing Act.
v. An ambulance service within the meaning of the Ambulance Act.
vi. A home for special care within the meaning of the Homes for Special Care Act.
vii. A centre, program or service for community health or mental health whose primary purpose is the provision of health care.
5. An evaluator within the meaning of the Health Care Consent Act, 1996 or an assessor within the meaning of the Substitute Decisions Act, 1992.
6. A medical officer of health of a board of health within the meaning of the Health Protection and Promotion Act.
7. The Minister, together with the Ministry of the Minister if the context so requires.
8. Any other person prescribed as a health information custodian if the person has custody or control of personal health information as a result of or in connection with performing prescribed powers, duties or work or any prescribed class of such persons.
(2) Repealed: 2009, c. 33, Sched. 18, s. 25 (2).
Exceptions
(3) Except as is prescribed, a person described in any of the following paragraphs is not a health information custodian in respect of personal health information that the person collects, uses or discloses while performing the person’s powers or duties or the work described in the paragraph, if any:
1. A person described in paragraph 1, 2 or 5 of the definition of “health information custodian” in subsection (1) who is an agent of a health information custodian.
2. A person who is authorized to act for or on behalf of a person that is not a health information custodian, if the scope of duties of the authorized person does not include the provision of health care.
3. The Minister when acting on behalf of an institution within the meaning of the Freedom of Information and Protection of Privacy Act or the Municipal Freedom of Information and Protection of Privacy Act that is not a health information custodian.
Other exceptions
(4) A health information custodian does not include a person described in one of the following paragraphs who has custody or control of personal health information as a result of or in connection with performing the work described in the paragraph:
1. An aboriginal healer who provides traditional healing services to aboriginal persons or members of an aboriginal community.
2. An aboriginal midwife who provides traditional midwifery services to aboriginal persons or members of an aboriginal community.
3. A person who treats another person solely by prayer or spiritual means in accordance with the tenets of the religion of the person giving the treatment.
Multiple facilities
(5) Subject to subsection (6) or an order of the Minister under subsection (8), a health information custodian that operates more than one facility described in one of the subparagraphs of paragraph 4 of the definition of “health information custodian” in subsection (1) shall be deemed to be a separate custodian with respect to personal health information of which it has custody or control as a result of or in connection with operating each of the facilities that it operates.
Single custodian
(6) Despite subsection (5), the following persons shall be deemed to be a single health information custodian with respect to all the functions described in the applicable paragraph, if any:
1. A person who operates a hospital within the meaning of the Public Hospitals Act and any of the facilities, programs or services described in paragraph 4 of the definition of “health information custodian” in subsection (1).
2. A community care access corporation that provides a community service within the meaning of subsection 2 (3) of the Home Care and Community Services Act, 1994 and acts as a placement co-ordinator as described in subsection 40 (1) of the Long-Term Care Homes Act, 2007.
3. Health information custodians or facilities that are prescribed.
Application to act as one custodian
(7) A health information custodian that operates more than one facility described in one of the subparagraphs of paragraph 4 of the definition of “health information custodian” in subsection (1) or two or more health information custodians may apply to the Minister, in a form approved by the Minister, for an order described in subsection (8).
Minister’s order
(8) Upon receiving an application described in subsection (7), the Minister may make an order permitting all or some of the applicants to act as a single health information custodian on behalf of those facilities, powers, duties or work that the Minister specifies, subject to the terms that the Minister considers appropriate and specifies in the order, if the Minister is of the opinion that it is appropriate to make the order in the circumstances, having regard to,
(a) the public interest;
(b) the ability of the applicants to provide individuals with reasonable access to their personal health information;
(c) the ability of the applicants to comply with the requirements of this Act; and
(d) whether permitting the applicants to act as a single health information custodian is necessary to enable them to effectively provide integrated health care.
Scope of order
(9) In an order made under subsection (8), the Minister may order that any class of health information custodians that the Minister considers to be situated similarly to the applicants is permitted to act as a single health information custodian, subject to the terms that the Minister considers appropriate and specifies in the order, if the Minister is of the opinion that it is appropriate to so order, having regard to,
(a) the public interest;
(b) the ability of the custodians that are subject to the order made under this subsection to provide individuals with reasonable access to their personal health information;
(c) the ability of the custodians that are subject to the order made under this subsection to comply with the requirements of this Act; and
(d) whether permitting the custodians that are subject to the order made under this subsection to act as a single health information custodian is necessary to enable them to effectively provide integrated health care.
No hearing required
(10) The Minister is not required to hold a hearing or to afford to any person an opportunity for a hearing before making an order under subsection (8).
Duration
(11) Subject to subsection (12), a health information custodian does not cease to be a health information custodian with respect to a record of personal health information until complete custody and control of the record, where applicable, passes to another person who is legally authorized to hold the record.
Death of custodian
(12) If a health information custodian dies, the following person shall be deemed to be the health information custodian with respect to records of personal health information held by the deceased custodian until custody and control of the records, where applicable, passes to another person who is legally authorized to hold the records:
1. The estate trustee of the deceased custodian.
2. The person who has assumed responsibility for the administration of the deceased custodian’s estate, if the estate does not have an estate trustee.
2. Personal Health Information:
“personal health information” is defined in section 4 of PHIPA as follows:
Personal Health Information
4.(1) “personal health information”, subject to subsections (3) and (4), means identifying information about an individual in oral or recorded form, if the information,
(a) relates to the physical or mental health of the individual, including information that consists of the health history of the individual’s family,
(b) relates to the providing of health care to the individual, including the identification of a person as a provider of health care to the individual,
(c) is a plan of service within the meaning of the Home Care and Community Services Act, 1994 for the individual,
(d) relates to payments or eligibility for health care, or eligibility for coverage for health care, in respect of the individual,
(e) relates to the donation by the individual of any body part or bodily substance of the individual or is derived from the testing or examination of any such body part or bodily substance,
(f) is the individual’s health number, or
(g) identifies an individual’s substitute decision-maker.
Identifying information
(2) In this section,
“identifying information” means information that identifies an individual or for which it is reasonably foreseeable in the circumstances that it could be utilized, either alone or with other information, to identify an individual.
Mixed records
(3) Personal health information includes identifying information that is not personal health information described in subsection (1) but that is contained in a record that contains personal health information described in that subsection.
Exception
(4) Personal health information does not include identifying information contained in a record that is in the custody or under the control of a health information custodian if,
(a) the identifying information contained in the record relates primarily to one or more employees or other agents of the custodian; and
(b) the record is maintained primarily for a purpose other than the provision of health care or assistance in providing health care to the employees or other agents.
3. Providers to Custodians:
“providers to custodians” are defined in section 10(4) of PHIPA as follows:
10(4) A person who provides goods or services for the purpose of enabling a health information custodian to use electronic means to collect, use, modify, disclose, retain or dispose of personal health information shall comply with the prescribed requirements, if any.
In addition, section 6 of Ontario Regulation 329/04 under PHIPA sets out the following requirements with respect to persons who provide services to health information custodians, including health information network providers:
Persons who provide to custodians
6. (1) Except as otherwise required by law, the following are prescribed as requirements for the purposes of subsection 10 (4) of the Act with respect to a person who supplies services for the purpose of enabling a health information custodian to use electronic means to collect, use, modify, disclose, retain or dispose of personal health information, and who is not an agent of the custodian:
1. The person shall not use any personal health information to which it has access in the course of providing the services for the health information custodian except as necessary in the course of providing the services.
2. The person shall not disclose any personal health information to which it has access in the course of providing the services for the health information custodian.
3. The person shall not permit its employees or any person acting on its behalf to be able to have access to the information unless the employee or person acting on its behalf agrees to comply with the restrictions that apply to the person who is subject to this subsection.
(2) In subsection (3),
“health information network provider” or “provider” means a person who provides services to two or more health information custodians where the services are provided primarily to custodians to enable the custodians to use electronic means to disclose personal health information to one another, whether or not the person is an agent of any of the custodians.
(3) The following are prescribed as requirements with respect to a health information network provider in the course of providing services to enable a health information custodian to use electronic means to collect, use, disclose, retain or dispose of personal health information:
1. The provider shall notify every applicable health information custodian at the first reasonable opportunity if,
i. the provider accessed, used, disclosed or disposed of personal health information other than in accordance with paragraphs 1 and 2 of subsection (1), or
ii. an unauthorized person accessed the personal health information.
2. The provider shall provide to each applicable health information custodian a plain language description of the services that the provider provides to the custodians, that is appropriate for sharing with the individuals to whom the personal health information relates, including a general description of the safeguards in place to protect against unauthorized use and disclosure, and to protect the integrity of the information.
3. The provider shall make available to the public,
i. the description referred to in paragraph 2,
ii. any directives, guidelines and policies of the provider that apply to the services that the provider provides to the health information custodians to the extent that these do not reveal a trade secret or confidential scientific, technical, commercial or labour relations information, and
iii. a general description of the safeguards implemented by the person in relation to the security and confidentiality of the information.
4. The provider shall to the extent reasonably practical, and in a manner that is reasonably practical, keep and make available to each applicable health information custodian, on the request of the custodian, an electronic record of,
i. all accesses to all or part of the personal health information associated with the custodian being held in equipment controlled by the provider, which record shall identify the person who accessed the information and the date and time of the access, and
ii. all transfers of all or part of the information associated with the custodian by means of equipment controlled by the provider, which record shall identify the person who transferred the information and the person or address to whom it was sent, and the date and time it was sent.
5. The provider shall perform, and provide to each applicable health information custodian a written copy of the results of, an assessment of the services provided to the health information custodians, with respect to,
i. threats, vulnerabilities and risks to the security and integrity of the personal health information, and
ii. how the services may affect the privacy of the individuals who are the subject of the information.
6. The provider shall ensure that any third party it retains to assist in providing services to a health information custodian agrees to comply with the restrictions and conditions that are necessary to enable the provider to comply with this section.
7. The provider shall enter into a written agreement with each health information custodian concerning the services provided to the custodian that,
i. describes the services that the provider is required to provide for the custodian,
ii. describes the administrative, technical and physical safeguards relating to the confidentiality and security of the information, and
iii. requires the provider to comply with the Act and the regulations.
(4) A health information custodian who uses goods or services supplied by a person referred to in subsection 10 (4) of the Act, other than a person who is an agent of the custodian, for the purpose of using electronic means to collect, use, modify, disclose, retain or dispose of personal health information shall not be considered in so doing to make the information available or to release it to that person for the purposes of the definition of “disclose” in section 2 of the Act if,
(a) the person complies with subsections (1) and (3), to the extent that either is applicable, in supplying services; and
(b) in the case of a person supplying goods to the health information custodian, the custodian does not, in returning the goods to the person, enable the person to access the personal health information except where subsection (1) applies and is complied with.
Responsibilities
Primary responsibility for ensuring that Bright Technology meets the requirements of Clients who are subject to PHIPA resides with:
Alvin Shin, Chief Operating Officer, 647-478-8619, [email protected]
All Bright Technology employees who access Personal Health Information in the course of providing services to Clients subject to PHIPA are required to confirm that they have reviewed the PHIPA Privacy Policy, and to adhere to the principles established within it, as applicable to the employees’ functions.
Bright Technology’s agents and subcontractors who access Personal Health Information when performing services on behalf of Bright Technology are contractually obligated to review and adhere to the PHIPA Privacy Policy.
Principles
1. Bright Technology’s access to Personal Health Information in the course of providing information technology services to a Client will not be considered a “disclosure” of the Personal Health Information to Bright Technology by the Client, so long as certain requirements prescribed by PHIPA and its regulations are met.
2. Bright Technology will comply with the requirements prescribed for information technology service providers and any additional requirements that are agreed to by the Client and Bright Technology.
3. Bright Technology employees, agents and subcontractors with access to Personal Health Information are expected to have a basic knowledge of the general principles underlying PHIPA, which are as follows:
1. Accountability
An organization is responsible for personal health information under its control and shall designate an individual or individuals who are accountable for the organization’s compliance with the following principles.
2. Identifying Purposes
The purposes for which personal health information is collected shall be identified by the organization at or before the time the information is collected.
3. Consent
The knowledge and consent of an individual are required for the collection, use, or disclosure of personal health information, except where appropriate.
4. Limiting Collection
The collection of personal health information shall be limited to that which is necessary for the purposes identified by the organization. Information shall be collected by fair and lawful means.
5. Limiting Use, Disclosure and Retention
Personal health information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Personal health information shall be retained only as long as necessary for the fulfillment of those purposes.
6. Accuracy
Personal health information shall be as accurate, complete and up-to-date as is necessary for the purpose for which it is used.
7. Safeguards
Personal health information shall be protected by security safeguards appropriate to the sensitivity of the information.
8. Openness
An organization shall make readily available to individuals specific information about its policies and practices relating to the management of personal health information.
9. Individual Access
Upon request, an individual shall be informed of the existence, use, and disclosure of his or her personal health information, and shall be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.
10. Challenging Compliance
An individual shall be able to address a challenge concerning compliance with the above principles to the designated individual or individuals accountable for the organization’s compliance.
1. Bright Technology will not use any Personal Health Information to which it has access in the course of providing services to a Client, except as necessary in the course of providing the services.
2. Bright Technology will not disclose any Personal Health Information to which it has access in the course of providing services to a Client.
3. Bright Technology will ensure that all employees, agents or subcontractors who have access to Personal Health Information in the course of providing services to the Client agree to comply with the applicable restrictions and conditions of the use and disclosure of Personal Health Information as required by PHIPA and other applicable laws.
4. Bright Technology will use reasonable measures to prevent unauthorized access to Personal Health Information by Bright Technology employees, agents, and subcontractors and to assist its Client to prevent unauthorized use and disclosure of Personal Health Information.
5. Where required by the Client, Bright Technology will establish protocols for, and maintain electronic records of its access to Personal Health Information in the course of providing services, including who accessed the information, the date and time of access, and the purpose of access.
6. Where required by the Client, Bright Technology will assist in assessing threats, vulnerabilities, and risks to the security and integrity of Personal Health Information held by the Client.
7. Bright Technology will use reasonable safeguards, including technological measures, to protect Personal Health Information accessed by Bright Technology from theft, loss, unauthorized access, use, disclosure, modification or destruction. Security safeguard measures used by Bright Technology include threat risk assessments, password policies, user identity verification and access controls, tracking of access and attempted access to Personal Health Information, monitoring of potential and actual system security breaches, firewall and virus protection, system management, logging and monitoring, staff security clearance policies and procedures, and other physical, technical, operational and administrative controls and procedures. Bright Technology will make available to the Client a description of the specific safeguards upon request.
8. Bright Technology will notify the Client at the first reasonable opportunity if Bright Technology becomes aware that Bright Technology employees, agents or subcontractors accessed, used, disclosed or disposed of Personal Health Information other than as necessary in the course of providing the Bright Technology services, or if Bright Technology becomes aware that an unauthorized person accessed the Personal Health Information.
Requests for Release of Information
Bright Technology is not a Health Information Custodian and therefore does not release Personal Health Information to patients or third parties.
Contact
If you have any questions or concerns with respect to this PHIPA Privacy Policy or Bright Technology’s privacy practices, please direct your questions and comments to Alvin Shin, Chief Operating Officer, at [email protected].