MediCall Health Referral and Advisory Services Inc.
MediCall and the physicians who provide care to patients (the “Physician(s)”) are committed to patient privacy and to protecting the confidentiality of the personal health information they hold on behalf of patients.
Each Physician who provides care to patients registered through MediCall is a health information custodians (“Health Information Custodians”) under Ontario’s health privacy legislation, the Personal Health Information Protection Act, 2004 (“PHIPA”). In this Policy, “we” and “our” refers to the Physicians, and MediCall acting as their agent.
To that end, in order to fulfill their privacy obligations as Health Information Custodians, the Physicians and MediCall have entered into a legal agreement to make MediCall an agent of the physicians. In that role, MediCall has a variety of roles, including acting as privacy officer for each of the Physicians, and for running the overall privacy program on their behalf.
Principle 1 – Accountability for Personal Health Information
Dr. Karim Vellani
MediCall has also contracted with a third party vendor, InputHealth, as medical record (“EMR”) service provider (“InputHealth”) to support the Physicians and house patient information. MediCall also assumes a central role in privacy training for Physicians and their agents in relation to the work done through MediCall.
Principle 2 – Identifying Purposes for Collecting Personal Health Information
The Health Information Custodians collect personal health information for purposes related to direct patient care, administration and management of programs and services, patient billing, administration and management of the health care system, research, teaching, statistical reporting, and fundraising, marketing,meeting legal obligations and as otherwise permitted or required by law.
When personal health information that has been collected is to be used for a purpose not previously identified, the new purpose will be identified prior to use. Unless the new purpose is permitted or required by law, consent will be required before the information can be used for that purpose.
Principle 3 – Consent for the Collection, Use and Disclosure of Personal Health Information
Under PHIPA, Health Information Custodians require consent in order to collect, use, or disclose personal health information. However, there are some cases where we may collect, use or disclose personal health information without consent, as permitted or required by law.
Should a patient wish his/her lawyer, insurance company, family, employer, landlord or other third party individuals or agencies (non-health care providers) to have access to his/her health record, the patient must provide verbal or written consent to this effect. Access and correction requests are discussed further below.
Implied consent (Disclosures to other health care providers for health care purposes) – Circle of Care
Patient information may also be released to a patient’s other health care providers for health care purposes (within the “circle of care”) without the express written or verbal consent of the patient as long as it is reasonable in the circumstances to believe that the patient wants the information shared with the other health care providers. No patient information will be released to other health care providers if a patient has stated he/she does not want the information shared (for instance, by way of the placement of a “lockbox” on his/her health records).
A patient’s request for treatment constitutes implied consent to use and disclose his/her personal health information for health care purposes, unless the patient expressly instructs otherwise.
There are certain activities for which consent is not required to use or disclose personal health information. These activities are permitted or required by law. For example, we do not need consent from patients to (this is not an exhaustive list):
- Plan, administer and manage our internal operations, programs and services
- Get paid
- Engage in quality improvement, error management, and risk management activities
- Participate in the analysis, administration and management of the health care system
- Engage in research (subject to certain rules)
- Teach, train and educate our Team Members and others
- Compile statistics for internal or mandatory external reporting
- Respond to legal proceedings
- Comply with mandatory reporting obligations
If Team Members have questions about using and disclosing personal health information without consent, they can ask the Privacy Officer.
Withholding or Withdrawal of Consent
If consent is sought, a patient may choose not to give consent (“withholding consent”). If consent is given, a patient may withdraw consent at any time, but the withdrawal cannot be retroactive. The withdrawal may also be subject to legal or contractual restrictions and reasonable notice.
PHIPA gives patients the opportunity to restrict access to any personal health information or their entire health record by their health care providers or by external health care providers. Although the term “lockbox” is not found in PHIPA, lockbox is commonly used to refer to a patient’s ability to withdraw or withhold consent for the use or disclosure of their personal health information, but only for health care purposes. A lockbox does not affect the other uses and disclosures under PHIPA that are permitted or required, without consent, including the authority for a Health Information Custodian to disclose personal health information to reduce or eliminate a significant risk of serious bodily harm.
If a Physician no longer provides patient services through MediCall, his/her patients will be notified and will have a choice of whether and where to transfer their health records in accordance with the rules/guidelines set forth by the applicable health regulatory college.
Principle 4 – Limiting Collection of Personal Health Information
The amount and type of personal health information collected by the Physicians through MediCall (or by MediCall directly from the patient, e.g., the initial fee to MediCall to use their Services) is limited to that which is necessary to fulfill the purposes identified. Information is collected directly from the patient, unless PHIPA or another law permits or requires collection from third parties. Personal health information is only collected as needed to fulfill the health care role of individual staff.
Principle 5 – Limiting Use, Disclosure and Retention of Personal Health Information Use
Personal health information is not used for purposes other than those for which it was collected, except with the consent of the patient or as permitted or required by law. The Physicians (and their agents who assist in providing health care) use the information within the limits of their individual roles. They do not read, look at, receive or otherwise use personal health information unless they have a legitimate “need to know” as part of their role. If the agent is uncertain, the Privacy Officer will assist.
Personal health information is not disclosed for purposes other than those for which it was collected, except with the consent of the patient or as permitted or required by law.
Personal health information may only be disclosed within the limits of each Team Member’s role. The limitations described above relating to each agent’s role applies.
Health records are retained as required by law and professional regulations and to fulfill the purposes for which personal health information is collected.
For example, the standards of health regulatory Colleges and associations apply; e.g. the Canadian Medical Protective Association (CMPA) and College of Physicians and Surgeons of Ontario (CPSO) advise their members to retain health records for at least 10 years from the date of last entry or, in the case of minors, 10 years from the time the patient would have reached the age of majority (age 18). There may be reasons to keep records for longer than this minimum period.
Personal health information that is no longer required to fulfill the identified purposes is securely destroyed, erased, or made anonymous.
Principle 6 – Accuracy of Personal Health Information
We will take reasonable steps to ensure that information we hold is as accurate, complete, and up to date as is necessary to minimize the possibility that inappropriate information may be used to make a decision about a patient.
Principle 7 – Safeguards for Personal Health Information
We have put in place safeguards for the personal health information we hold, which include:
- Physical safeguards;
- Organizational safeguards (such as permitting access to personal health information by staff on a “need-to-know” basis only); and
- Technological safeguards (such as the use of passwords, encryption, and audits)
We take steps to ensure that the personal health information we hold is protected against theft, loss and unauthorized use or disclosure. For information related specifically to e-mail and text message communication, please see our “E-Mail and Text Message Communication Policy”.
We require anyone who collects, uses or discloses personal health information on our behalf to be aware of the importance of maintaining the confidentiality of personal health information. This is done through the signing of confidentiality agreements, privacy training, and contractual means.
Care is used in the secure disposal or destruction of personal health information, to prevent unauthorized parties from gaining access to the information.
Principle 8 – Openness about Personal Health Information
Information about our policies and practices relating to our management of personal health information are available to the public, including:
- Contact information for our Privacy Officer, to whom complaints or inquiries can be made;
- The process for obtaining access to personal health information we hold, and making requests for its correction;
- A description of the type of personal health information we hold, including a general account of our uses and disclosures; and
- A description of how a patient may make a complaint to MediCall about Physician privacy practices, or to the Information and Privacy Commissioner of Ontario.
Principle 9 – Patient Access to Personal Health Information
Patients may make written requests to have access to their records of personal health information.
We will respond to a patient’s request for access within reasonable timelines and costs to the patient, as governed by law. We will take reasonable steps to ensure that the requested information is made available in a format that is understandable.
Patients who successfully demonstrate the inaccuracy or incompleteness of their personal health information may request that we amend their information. In some cases, instead of making a correction, patients may ask to append a statement of disagreement to their file.
Please Note: In certain situations, we may not be able to provide access to all of the personal health information we hold about a patient, such as where the access could reasonably be expected to result in a risk of serious harm or the information is subject to legal privilege.
Patient Access to Information
With limited exceptions, we are required by law to give patients who make requests in writing
access to their records of personal health information within 30 days (subject to a time extension of up to an additional 30 days if necessary and with notice to the person making the request).
- Requests to Access
- Patient requests (or by a patient’s substitute decision-maker or with consent of the patient) for their own information should be made in writing.
- If a request for access is made directly to the Physician, he/she should direct the patient to MediCall’s usual process for release of records. MediCall may assist the patient with locating the desired information/document in the record. Because records may be difficult to read and interpret and may mislead or alarm a patient, patients will be encouraged to review the records with MediCall (or a delegate) so the information can be explained.
- If a patient wishes to read the original health record, someone must be present to ensure the records are not altered or removed. Patients may not make notes on the original health record or remove originals from the health record or otherwise alter their health records. If a patient requests a copy of a health record, copies may be given and fees may be applied.
- The original of the written request for access will be placed with the patient’s records and must contain the following:
- A description of what information is requested
- Information sufficient to show that the person making the request for access is the patient or other authorized person
- The signature of the patient or other authorized person and a witness to the signature
- The date the written request was signed
- A notation shall be made in the record (e.g. a handwritten note) stating:
- What information or records were disclosed
- When the information or records were disclosed
- By whom the information or records were disclosed
- Denying Patient Access to Health Records
In certain situations, we may refuse a patient’s request for access to all or part of a health record. Exceptions to the right of access requirement must be in accordance with law and professional standards. Reasons to deny access to a health record (or part of a health record) may include:
- The information is subject to a legal privilege that restricts disclosure to the individual
- The information was collected or created primarily in anticipation of or for use in a proceeding (and that proceeding and any appeals have not been concluded)
- The information was collected or created in the course of an inspection, investigation or similar procedure authorized by law or undertaken for the purpose of the detection, monitoring or prevention of a person’s receiving or attempting to receive a benefit to which the person is not entitled under law (and the inspection or investigation have not been concluded)
- If granting access could reasonably be
- Result in a risk of serious harm to the treatment or recovery of the individual or a risk of serious bodily harm to the individual or another person
- Lead to the identification of a person who was required by law to provide information in the record
- Lead to the identification of a person who provided information explicitly or implicitly in confidence (if it is appropriate to keep that source confidential)
Patients must be told if they are being denied access to their own health records. In such cases, patients have a right to complain to the Information and Privacy Commissioner of Ontario, and must be told of this right and how to reach the Commissioner’s office.
Correction of Health Records
We have an obligation to correct personal health information if it is inaccurate or incomplete for the purposes it is to be used or disclosed.
Patients may request that their health information be corrected if it is inaccurate or incomplete. Such requests must be made in writing and must explain what information is to be corrected and why.
We must respond to requests for correction within 30 days (or seek an extension of up an additional 30 days but only if we have let the patient know, in writing). Corrections are made in the following ways:
- Striking out the incorrect information in a manner that does not obliterate the record or
- If striking out is not possible:
- Labelling the information as incorrect, severing it from the record, and storing it separately with a link to the record that enables MediCall or the Health Information Custodians to trace the incorrect information, or
- Ensuring there is a practical system to inform anyone who sees the record or receives a copy that the information is incorrect and directing that person to the correct information.
The record will not be corrected if:
- The record was not originally created by the Health Information Custodians and the Health Information Custodians does not have the knowledge, expertise or authority to correct the record, or
- The record consists of a professional opinion which was made in good faith.
If we choose not to correct a record, the patient must be informed in writing. The patient will have the choice to submit a statement of disagreement, which will be scanned onto the health record and released any time the information that was asked to be corrected is released. In these cases, patients have a right to complain to the Information and Privacy Commissioner of Ontario.
Principle 10 – Challenging Compliance with MediCall’s Privacy Policies and Practices
Any person may ask questions or challenge our compliance with this policy or with PHIPA by contacting our Privacy Officer or the Health Information Custodian that provided care to you.
We will receive and respond to complaints or inquiries about our policies and practices relating to the handling of personal health information. We will inform patients who make inquiries or lodge complaints of other available complaint procedures.
We will investigate all complaints. If a complaint is found to be justified, we will take appropriate measures to respond.
The Information and Privacy Commissioner of Ontario oversees compliance with privacy rules and PHIPA. Any individual can make an inquiry or complaint directly to the Information and Privacy Commissioner of Ontario by writing to or calling:
2 Bloor Street
East, Suite 1400
Toronto, Ontario M4W 1A8 Canada
Phone: 1 (800) 387-0073 (or (416) 326-3333 in Toronto)