Security & Confidentiality of Personal Health Information
Principle
Information systems exist to support the business of Queensway X-ray & Ultrasound Clinic and any access granted to the information systems is done at the discretion of the QA and management to facilitate the staff’s role within the workplace. Information systems may only be used for lawful purposes.
Transmission, distribution, or storage of any material in violation of any applicable law or regulation is not permitted.
Security of Information
All physical files and other hard copies containing personal health information must be kept in assigned secure areas.
Files can be viewed and removed from designated areas by authorized personnel only.
An assigned person must make sure that all personal health information (PHI) and computers are locked at the end of the day.
Any documents or items such as labels printed for day-to-day activities shall be shredded by the end of the day.
Any passwords assigned are for individual use only. Everyone is accountable for all activities performed under their assigned password. You may not permit others to use your password and must take all precautions necessary to ensure that no other person gains knowledge of it. All passwords should be at least 7 characters long and contain both numbers and letters. Report any unusual activity on any account to the clinic management immediately.
Before leaving a computer that you have signed into with your password, you must either sign out or ensure the screen is locked. Personal use of clinic information systems is unacceptable and prohibited.
- Report any expiry of Anti-Virus or other software to management.
- All application systems must have built-in security features (logins, security locks, and back-up).
- Only approved software can be installed on any computer workstation.
- Complete an incident report in case of any security breach, threat, weakness, malfunction, or anything that leads you to suspect that the security of your password or any other aspect of the information system has been compromised. The patient must be notified as soon as possible if their personal health information is stolen, lost, or accessed by unauthorized persons.
- Destroying health information must be done in accordance with the College of Physicians and Surgeons Policy.
- Staff have clearly defined responsibilities related to the use of personal health information. The level of access to information is described in each employee’s job description.
Confidentiality of Information
- Each employee has an obligation to keep confidential all information that is designated as confidential.
- No one shall divulge any confidential information, either inside or outside the clinic, unless required in normal performance of duties, as expressly authorized by a physician, or required by law.
- No one shall search or access any patient or employee information for any reason not related to the normal performance of duties. Information pertaining to your own personnel records must be obtained through the appropriate protocol.
- Reasonable care and caution will be exercised in protecting printed or written confidential information from casual observation, unauthorized perusal, or other disclosure.
- No confidential records can be removed either on a permanent or temporary basis from the premises without specific authorization from a physician.
- Each employee must sign a Confidentiality Agreement. This agreement is kept in the employee’s personnel file.
Failure to comply with any statement made above may result in the termination of employment or affiliation with QXU and may also result in legal action being taken against the employee by the facility.
Electronic Health Records
QXU has the duty to develop and maintain electronic health records in accordance with PHIPA and the regulations made under the Act. The following guidelines have been implemented to ensure compliance with applicable legislation.
When dealing with electronic health records, QXU will:
- Manage and integrate personal health information it receives from health information custodians.
- Ensure the proper functioning of the electronic health record by servicing the electronic systems that support the electronic health record (Velox Imaging).
- Ensure the accuracy and quality of the PHI by conducting data quality assurance activities on the PHI it receives from health information custodians.
- Take reasonable steps to limit the PHI QXU receives to that which is reasonably necessary for developing and maintaining the electronic health record.
- Prevent employees or any other person acting on behalf of QXU from viewing, handling, or otherwise dealing with the PHI received from health information custodians, unless the employee or person acting on behalf of QXU agrees to comply with all applicable restrictions.
Notification of Loss, Theft, or Unauthorized Use or Disclosure
QXU will:
- Notify, at the first reasonable opportunity, each health information custodian who provided PHI to QXU if the PHI that the health information custodian provided is stolen or lost or if it is collected, used, or disclosed without authority.
- Notify the Commissioner, in writing, immediately after becoming aware that PHI that is accessible by means of the electronic health record:
  - Has been viewed, handled, or otherwise dealt with by the prescribed organization or a third party retained by the prescribed organization, other than in accordance with the Act or its regulations; or
  - Has been made available or released by the prescribed organization or a third party retained by the prescribed organization, other than in accordance with the Act or its regulations.
Reporting to the Commissioner
QXU will submit a notice to the Commissioner if the circumstances surrounding a theft, loss, or unauthorized use or disclosure of personal health information meet the prescribed requirements as defined in O. Reg. 329/04, section 6.3.
All notices to the Commissioner outlined above will contain the information required by legislation.
The Privacy Commissioner of Ontario can be contacted at:
2 Bloor Street East,
Suite 1400
Toronto, ON
M4W 1A8