Privacy Policy & Information Practices

General

Privacy of personal information is an important principle to Sanna Health (SH) and Sandra Schwerzmann when providing services. SH is committed to collecting, using and disclosing personal information responsibly and only to the extent necessary for the services we provide. We try to be open and transparent regarding how we handle personal information. This document describes our privacy policies, which reflect PHIPA, PIPEDA, and the laws and standards that govern health practice in Ontario. This document may be updated at any time.

 

What are Personal Information (PI) and Personal Health Information (PHI)?

Personal information (PI) is information that can be used to identify an individual. Examples include personal characteristics (eg, name, sex, gender, age, income, home address, phone number, e-mail address, ethnic background, family status), their health (eg, health history, health conditions, health services received by them, the names of health professionals providing treatment) or their activities and views (eg, religion, politics, opinions expressed by an individual, criminal history).

Personal Health Information (PHI) is information about an identifiable individual. It includes information that relates to: the physical and mental health of an individual (including family history), the provision of health care to the individual (including the individual’s health care provider), community and home care services, payments or eligibility for health care or coverage for health care, the donation or testing of an individual’s body part or bodily substance, the individual’s health number, and the identification of the individual’s substitute decision-maker. Information that is related to a business (eg, company name, address, telephone number) is not included in privacy legislation.

What are PHIPA and PIPEDA?

PHIPA (2004) is the Provincial [Ontario] Personal Health Information Protection Act. This Act provides rules for the collection, use, and disclosure of PHI by a health information custodian. The legislation requires health information custodians to obtain consent before collecting, using or disclosing PHI. It also requires that individuals have the right to access and request correction of their own PHI.

PIPEDA (2004) is the federal-level Personal Information Protection and Electronic Documents Act. This Act provides rules for how private-sector organizations can collect, use/safeguard, and disclose PI. Similar to PHIPA, it requires that individuals provide consent to the use of PI and have the ability to access and correct information. The Digital Privacy Act (2018) is an amendment to PIPEDA, and requires corporations to notify individuals when their security is breached.

Why We Collect PI and PHI 

We collect, use, and disclose personal information in order to serve our clients. For example, we collect a person’s demographic information as well as their social and physical health history and current situation to help us assess what their needs are, to advise them of their options and then to provide the health care they choose to have. A second primary purpose is to obtain baseline information so that in providing ongoing health services we can identify changes that are occurring over time.

Like most organizations, we also collect, use, and disclose information for related and secondary purposes, including but not limited to: (i) obtaining payment for health-related goods and services (eg, invoicing individuals or organizations, processing payments, and providing receipts), (ii) reviewing client files for quality improvement and risk management activities, including assessing the performance of our staff, (iii) promoting special events and opportunities like webinars (if we have your express consent to do so), (iv) complying with external regulators, and (v) educating our staff.

On our website, with the exception of cookies, we only collect the personal information you provide and only use that information for the purpose for which you give it to us (eg, to contact us, to contact you). Cookies are only used to help users navigate our website and are not used to monitor individuals. Individuals may contact us through the website, email, telephone, or mail. This information will be collected and stored in order to provide appropriate communication and services.

Other Circumstances When PI and PHI Might Be Disclosed

SH recognizes the importance of confidentiality of information pertaining to mental health treatment. However, there are some limitations to confidentiality (that may lead to disclosure of PI and PHI) that are important to know:

  • Known abuse or danger. Due to ethical, legal and professional guidelines, including our goal to protect clients and other people, SH may disclose information in the following situations: (i) a client is in imminent danger of harming themself or someone else (ie, suicide or homicide), (ii) if there is information about physical, sexual, emotional abuse or neglect of a child, (iii) if abuse or neglect of an elderly or vulnerable person within a long-term care or retirement facility is reasonably suspected, or (iv) if a client reveals prohibited or dangerous conduct, including sexual abuse, by another registered health care professional.

  • Sharing information with other health care professionals. Under PHIPA, information may be shared with other practitioners for the provision of health care to the shared client (this is described as “within the circle of care”). However, we usually try first to obtain a signed release of information form.

  • Insurance companies/third-party payors. PI and PHI may be disclosed if clients submit their receipts to insurance companies or third-party payors for reimbursement.

  • Legal reasons. SH might be required to disclose confidential information in legal situations including but not limited to the following: (i) a client waives their right to privilege or gives consent for the disclosure of confidential information, (ii) a subpoena or court order from a legal office directs the release of information, or (iii) a lawsuit is filed against us.

  • Unforeseen disruption in services. In the event of an unforeseen disruption in services, client information may be shared with another individual who has been delegated to communicate with SH clients in such a situation.

  • To facilitate the sale of our organization. If SH or its assets were to be sold, the potential purchaser would want to conduct a “due diligence” review of the organization’s records to ensure that it is a viable business that has been honestly portrayed. The potential purchaser must first enter into an agreement with the organization to keep the information confidential and secure and not to retain any of the information longer than necessary to conduct the due diligence. Once a sale has been finalized, the organization may transfer records to the purchaser, but it will make reasonable efforts to provide notice to the individual before doing so.

 

Protection of PI and PHI

SH takes several steps to protect information against theft, loss, and unauthorized use or disclosure, including the following: (i) digital information is secured by encryption and strong passwords, and (ii) email and communication through the website are encrypted.

Retention and Destruction of PI and PHI

We need to retain personal information for some time to ensure that we can answer any questions you might have about the services provided and for our own accountability to external regulatory bodies. However, in order to protect your privacy, we do not want to keep personal information for too long.

Information about individuals and/or organizations who are not clients but who enter into a professional relationship with SH will be retained for the time period consistent with professional standards and Revenue Canada requirements.

 

How A Client May Review and/or Correct Their Information

With only a few exceptions, clients have the right to see what personal information we hold about them. Clients may request access to the content of their clinical records by contacting SH. We can help clients understand what information we might have about them. We can also try to help clients understand any information they do not understand (eg, technical or scientific language). We would first need to confirm the client’s identity before providing this access. We reserve the right to ask that the request be made in writing and also to charge a nominal fee for such requests. We will respond to requests as soon as possible and generally within 30 days, if at all possible. If we cannot give you access, we will tell you the reason why, as best we can.

If a client believes there is a mistake in the information, they have the right to ask for it to be corrected. This applies to factual information and not to any professional opinions we have formed. We may ask you to provide documentation that our files are wrong. Where we agree that we made a mistake, we will make the correction. At the client’s request and when it is reasonably possible, we will notify anyone to whom we sent this information (but we may deny your request if it would not reasonably have an effect on the ongoing provision of health care). If we do not agree that there has been a mistake, we will still agree to include in our file a brief statement from you on this point.

If There is a Privacy Breach

While we will take precautions to avoid any breach of privacy, if there is a loss, theft, or unauthorized access of PI or PHI we would notify the client(s). Upon learning of a possible or known breach, we will take the following steps: (i) We will contain the breach to the best of our ability (eg, retrieving hard copies of PHI that have been disclosed, ensuring no copies have been made, taking steps to prevent unauthorized access to electronic information such as changing passwords), (ii) We will notify affected individuals (we will provide our contact information in case the client has further questions and we will provide the Privacy Commissioner’s contact information and advise the affected individual(s) of their right to complain to the Commissioner), and (iii) We will investigate and remediate the problem by conducting an internal investigation, determining what steps should be taken to prevent future breaches, ensuring staff are appropriately trained, and conducting further training if necessary.

Depending on the circumstances of the breach, we may notify and work with the Information and Privacy Commissioner of Ontario. We may also report the breach to the relevant regulatory College if we believe that it was the result of professional misconduct, incompetence, or incapacity.

Do You Have Questions or Concerns?

Sandra Schwerzmann is available to take your questions regarding these policies and answer those questions to the best of her ability.

Individuals also have the right to complain to the Information and Privacy Officer of Ontario if they have concerns about our privacy policies or how personal information has been handled. Contact Us - Information and Privacy Commissioner of Ontario

This policy was prepared in accordance with PHIPA, PIPEDA, and the Digital Privacy Act. These acts are complex and provide additional details and exceptions to privacy principles that are too detailed to include here.