Privacy Policy: Personal Health Information Collection, Use and Disclosure

Classification number LCG 1152
Framework category Legal, Compliance and Governance
Approving authority Board of Governors
Policy owner General Counsel
Approval date March 9, 2023
Review date March 2026

Purpose

The purpose of this Policy is to establish a standard for privacy and confidentiality of Personal Health Information to ensure compliance with the University’s obligations under Ontario’s Personal Health Information Protection Act. As a health information custodian, the University is responsible for ensuring that Personal Health Information is protected and treated with respect and sensitivity at all times.

Definitions

For the purposes of this Policy the following definitions apply:

“Agent” means any person who is authorized by the University to perform services or activities in respect of Personal Health Information on the University's behalf and for the purposes of the University. An agent includes a Health Care Practitioner, or another University employee or volunteer who supports Practitioners, and any member of the University Counselling Team.

“Chief Privacy Officer” means the member of SLT with delegated responsibility for addressing compliance obligations related to applicable privacy law.

“Health Care” means any observation, examination, assessment, care, service or procedure that is done for a health-related purpose and that:

  • is carried out or provided to diagnose, treat or maintain an individual’s physical or mental condition;
  • is carried out or provided to prevent disease or injury or to promote health; or
  • is carried out or provided as part of palliative care;

  and includes:

  • the compounding, dispensing or selling of a drug, a device, equipment or any other item to an individual, or for the use of an individual, pursuant to a prescription; and
  • a community service that is described in subsection 2 (3) of the Long-Term Care Act, 1994 and provided by a service provider within the meaning of that Act.

“Health Care Practitioner” or “Practitioner” means:

  • a person who is a member of a health care profession within the meaning of the Regulated Health Professions Act, 1991 and who provides Health Care;
  • a person who is registered as a drugless practitioner under the Drugless Practitioners Act and who provides Health Care;
  • a person who is a member of the Ontario College of Social Workers and Social Service Workers and who provides Health Care; or
  • any other person whose primary function is to provide Health Care.

“Health Care Unit” means a unit or service acting for or on behalf of the University to provide Health Care or retain and protect Personal Health Information.

“Personal Health Information” means oral or written information that is collected, used or disclosed by the University or anyone acting on behalf of the University, about an identifiable individual if the information:

  • Relates to the individual’s physical or mental health, including family health history;
  • Relates to the provision of Health Care, including the identification of a person as a provider of Health Care to an individual;
  • Is a plan of service for individuals requiring long-term care;
  • Relates to payment or eligibility for Health Care or eligibility for coverage for Health Care;
  • Relates to the donation of body parts or bodily substances or is derived from the testing or examination of such parts or substances;
  • Is the individual’s health number;
  • Identifies an individual’s substitute decision-maker; or
  • Is included in a record containing Personal Health Information.

“Personal Information” means information about an identifiable individual.

“Privacy Breach” or “Breach” means an incident where Personal Information or Personal Health Information is collected, retained, used, disclosed, or disposed of in ways that do not comply with Ontario’s privacy laws.

“Privacy Impact Assessment” or “PIA” means a risk management tool used to identify the actual or potential effects that a proposed University project/initiative may have on an individual’s privacy or the University’s information privacy and security practices/procedures.

“University Counselling Team” means advisors and counsellors from Student Mental Health Services, Student Accessibility Services, the Career Centre and Indigenous Student Services, as well as graduate-level student trainees (e.g. internship and practicum students) and administrative staff.

Scope and authority

This Policy applies to Health Care Units and services of the University that support Health Care Practitioners and/or collect, use and disclose Personal Health Information to fulfil their mandate.

The University is the Health Information Custodian for records containing Personal Health Information created by Health Care Units.

This Policy does not apply to Health Care services contracted by the University from a third party to be directly provided by the third party. Any contracts for such third-party services must nonetheless comply with the Personal Health Information requirements under PHIPA.

The General Counsel, or successor thereof, is the Policy Owner and is responsible for overseeing the implementation, administration and interpretation of this Policy.

Policy

The University is committed to the privacy and security of Personal Information and Personal Health Information it collects, uses and discloses. It maintains privacy in compliance with the Personal Health Information Protection Act, 2004 and its regulations (PHIPA).

Roles and Responsibilities

  1. Chief Privacy Officer will:
    1. Ensure that secure information practices are in place that comply with the requirements of PHIPA, and that all Health Care Units are informed of and receiving training on their duties under PHIPA.
    2. Respond to requests of an individual for access to or correction of a record of Personal Health Information about the individual that is in the custody or under the control of the University.
    3. Ensure compliance with reporting obligations under PHIPA.
    4. Oversee the management and response to any potential or actual Privacy Breaches.
  2. Agents will:
    1. Conduct searches and review records in access to information requests involving clinical records related to their area of practice or duties on behalf of the University.
    2. Understand and comply with information privacy practices established to safeguard records containing Personal Health Information and other sensitive information.
    3. Report Privacy Breaches or situations that could lead to potential Privacy Breaches to the Privacy Office.
    4. Maintain privacy and confidentiality of Personal Health Information created, collected or used in their role.
  3. Privacy Office will:
    1. Coordinate and respond to requests for access to records containing Personal Health Information under PHIPA and the Freedom of Information and Protection of Privacy Act (FIPPA) (see Access to Information and the Protection of Privacy Policy for the University’s FIPPA practices and procedures, [link]).
    2. Support compliance with PHIPA and FIPPA through education and advice on developing information practices that safeguard records containing Personal Health Information and other sensitive information.
    3. Respond to inquiries from the public about the University’s information privacy practices.
    4. Investigate and respond to potential Privacy Breaches.
    5. Ensure information is made publicly available regarding the University’s privacy policies and practices.
    6. Ensure compliance with reporting obligations under PHIPA and FIPPA.
    7. Monitor compliance with this Policy and PHIPA by whatever means are appropriate to the circumstances.
  4. Managers/Supervisors of Health Care Units will:
    1. Ensure awareness and enforcement of, and compliance with, applicable privacy policies, laws, procedures, protocols and practices.
    2. Ensure University staff and Agents are up to date and have completed appropriate privacy training and education.
    3. Immediately report all actual or suspected Privacy Breaches to the Privacy Office.
    4. At the request of, and in coordination with, the Policy Office, support investigations into suspected Privacy Breaches.
    5. Assist the Privacy Office in responding to privacy queries and complaints.
    6. Receive and implement recommendations from the Privacy Office regarding necessary actions and/or remedial measures following a Breach, including actions to prevent a reoccurrence.
    7. Receive and implement recommendations from the Privacy Office regarding necessary actions following a Privacy Impact Assessment.
    8. In consultation with Human Resources, take appropriate remedial and/or disciplinary action to ensure incidents are addressed and not repeated.
    9. Where requested, assist with client/patient or an individual’s requests for access and correction and withdrawal of consent to the collection, use or disclosure of their Personal Health Information/Personal Information.

Application to members of regulated health professions

  1. This Policy applies to members of regulated health professions acting on behalf of the University, while they are performing within the scope of practice set out by enabling legislation, as well as performing authorized acts that constitute Health Care.

  2. Employees whose duties include acts that are not within their regulated scope of practice are not considered Practitioners while they are performing those duties, but are still bound by any applicable privacy and confidentiality requirements associated with the records and information used in performing those duties, including this Policy.

  3. Individual Health Professionals must differentiate between Health-Related Acts and other activities for the purpose of fulfilling obligations under PHIPA and their regulatory college. This determination will be made based on the Health Professional’s understanding of their obligations, guidance from the regulatory college, and the scope of practice as defined by the enabling legislation.

Right to Privacy and Access

  1. Individuals have a right to privacy and a right to control how their Personal Health Information is collected, used, disclosed, retained and disposed of, subject to limited exceptions in PHIPA.

  2. Individuals have a right of access to their own Personal Health Information.

Consent for collection and use of Personal Health Information

  1. The University will provide a notice of collection that describes the information it will collect or create, the purposes for collecting Personal Health Information or creating records, the uses for those records and how that information will be shared. The notice will include any exceptions to the expectation of confidentiality.

  2. Consent from individuals receiving Health Care will be obtained in writing at or before the time information is collected.

Disclosure of Personal Health Information

  1. Disclosure of Personal Health Information to an individual who is not an Agent will only be done with the express consent of the individual to whom the Personal Health Information relates, except as permitted or required by legislation.

Retention and Disposal of Personal Health Information

  1. Records containing Personal Health Information will be retained and securely destroyed in accordance with the University’s Records Classification and Retention Schedule. Record destruction will occur in a manner that is in compliance with PHIPA and protects information until it is permanently destroyed.

Access and Correction to Record

  1. Individuals have a right to be informed of the existence, use and disclosure of their Personal Health Information. Under PHIPA, individuals can make a formal request to access their records, or to request a correction to their record.

Safeguards for Personal Health Information

  1. The University will establish appropriate technical and administrative safeguards to ensure secure storage and maintain confidentiality of Personal Health Information.

  2. Access rights to information systems with Personal Health Information will be granted only to authorized personnel. Access rights will be based on the role of the individual, and the level of access required to fulfil that role.

Breach of Privacy

  1. The University will investigate and respond to any potential or actual breach of privacy or loss of Personal Health Information in compliance with PHIPA.

Employee Awareness and Training and Mandatory Confidentiality Agreements

  1. Agents are expected to be knowledgeable of and abide by this policy and related privacy and security practices.

  2. The University will make its employees aware of the importance of maintaining the confidentiality of Personal Health Information.

  3. Health Care Unit Managers/Supervisors, in collaboration with the Privacy Office, will identify Health Care Practitioners and employees who support Health Care services and maintain a roster of Agents. Agents must sign the University confidentiality agreement and are subject to mandatory privacy training requirements.

Continuity of care

  1. To ensure the continuity of care and support for all individuals receiving Health Care, Agents may consult with each other. This occurs on a need-to-know basis, meaning that Personal Health Information will only be shared when warranted or required to provide support. Personal Health Information will be held in confidence, and will only be released with individual consent, or in accordance with applicable law.

Monitoring and review

This Policy will be reviewed as necessary and at least every three years. The General Counsel, or successor thereof, is responsible for monitoring and reviewing this Policy.

Relevant legislation

Personal Health Information Protection Act, 2004, S.O. 2004, as amended

Related policies, procedures & documents

Access to Information and the Protection of Privacy Policy
Health Record Access and Release Procedure
Records Management Policy
Records Disposition Procedure

Records Classification and Retention Schedule