Privacy Policy
Health Information
Our clinic respects the privacy rights of our patients and is committed to protecting the health information that we collect from you. We have developed our privacy practices based on the HIA requirements. This legislation applies to health information we collected, used and disclosed to provide our patients with health services, before and after the HIA came into effect. While patient consent can be granted in an informal way, such as providing us with an individual insurance card to document your insurance provider, in some situations we must have formal consent to collect, use, and disclose your personal information.
Principles
Principle 1 – Accountability / Management
We are accountable for the health information that you give to us.
Our clinic is accountable for all health information in our possession or control, including any health information that we disclose to other custodians or that we are required to share with third parties in order to provide you with health services.
We have established policies and procedures aimed at maintaining the privacy of our patients. We have appointed a Privacy Officer to oversee privacy issues for our clinic. We have educated our employees about our Privacy Policy and their role in protecting your privacy. Patients with questions about our privacy practices are free to contact our Clinic Privacy Officer.
Principle 2 – Notice
We will explain why we collect individually identifying health information before we collect it. We have posted a notice explaining why we collect your individually identifying health information, and the legal authority that authorizes us to collect it. We will collect individually identifying health information only for the following purposes, or as otherwise permitted by law:
- Provision of health services
- Verify eligibility or obtain and process payment for health services
- Health-Related Educational Communications (e.g. appointment reminders, providing information about treatment alternatives, or other health-related benefits and services that may be of interest to you).
- Other Internal Management Purposes: Our clinic does use health information for planning, quality improvement, reporting, etc. within the clinic and disclose health information as per HIA.
- Health Service Provider Education: Our clinic trains custodians, nurses, etc. who will use your health information in providing service to you.
- Research: Our clinic does conduct research, perform data matching or other services to facilitate others’ research. All research projects must be approved by a research ethics board (HIA s49 – 54).
Principle 3 – Collection
We limit the amount and type of health information we collect.
Our clinic will only collect health information for the purposes that we have identified or as otherwise permitted by law. In addition, we will only collect as much health information as is essential to carry out the purpose for which we are collecting it.
Your health information will be collected directly from you, except in the limited circumstances where we are authorized by the HIA to indirectly collect such information.
Principle 4 – Use and Disclosure
We will use and disclose your health information only for the reasons for which it was provided to us, unless otherwise permitted by law.
In providing health services to you, we may use your health information within the clinic or may disclose it to other custodians to provide you with health services on a need-to-know basis for the purpose it was collected. Any third-party disclosure of information requires your written consent, unless otherwise permitted by law.
The HIA also identifies situations in which the disclosure is mandatory or discretionary. In all cases, we will only disclose as much information as is essential for the purpose it is being disclosed or per HIA requirements.
In the future, some of your health information will be deemed “prescribed health information” and we will be required to make it accessible to authorized custodians via the Alberta Electronic Health Record (EHR) [commonly called Alberta Netcare]. The expressed wishes of the patient will be considered when making your information accessible, and patients can ask for some of their health information to be “masked”. When authorized health service providers access health information in Alberta Netcare, it is considered a use of health information, not disclosure.
Principle 5 – Consent
We may disclose your health information to a third party with your written consent to that disclosure. If you consent to disclosure of your health information, you may revoke that consent at any time per the requirements set out in HIA (s34). The consequences of withdrawal of consent will be discussed with you and documented.
Principle 6 – Access
You have a right to access your health information that is in our clinic’s custody or control within the provisions of HIA.
Patients own the health information in their medical record; the clinic owns the medical record. During the provision of health services, we will share your health information with you or your authorized representative verbally, and allow access to or provide copies of your health information records when practical (including information in Alberta Netcare).
As a patient you are entitled to a copy of your medical record but our clinic also has the right to refuse to disclose health information under some circumstances [HIA s11 (1) & (2)] and to make access subject to payment of fees as allowed per HIA regulations.
Principle 7 – Safeguards
We will protect your health information from unauthorized access, use, disclosure or destruction. We have assessed the risks to your health information and implemented administrative, technical and physical safeguards to eliminate or minimize the risk. Examples of these safeguards include: office policies and procedures that ensure that health information cannot be seen by unauthorized persons, having employees sign oaths of confidentiality to ensure they understand the importance of confidentiality, electronic security mechanisms like firewalls and password protection, and securing the clinic when we are closed.
Principle 8 – Quality
We take efforts to ensure the health information in our custody or control is accurate and complete before using or disclosing that health information.
We update our registration and billing data as required. We ensure our clinic records are complete and accurate, and track additions and amendments. We correct inaccurate or incomplete factual information.
Subject to limited and specific exceptions in the HIA, individuals have a right to request corrections or amendments to this information, whether in the Clinic patient charts or Alberta Netcare.
Principle 9 – Retention and Destruction of Records
We will retain your health information per applicable health care profession guidelines (as appropriate to types of custodians involved in the clinic), and securely destroy your health information when it is no longer needed.
We will keep your health information as per CPSA and other applicable health profession record retention guidelines or as long as necessary to accomplish the purpose for which it was collected (whichever is longer). We also follow the ten year retention period per the HIA with regard to use and disclosure logs.
We destroy paper health information by shredding, and destroy or use professional disk wiping software to remove health information from computer hard drives and other media.
In the event our clinic changes in its provision of health care, patients will be contacted with information about the change and, when applicable, where information has been transferred. You will be free to continue to use that clinic or to have your information transferred to the clinic of your choice.
Principle 10 – Monitoring & Enforcement
We monitor compliance with our privacy policies and procedures, and have a process for handling complaints about handling of health information.
We regularly assess our health information safeguards, and ensure our custodians and staff know what they are and that they follow them. We have put in place sanctions for anyone who breaches or attempts to breach our safeguards to demonstrate the importance we place on preserving privacy and confidentiality. We investigate all privacy complaints or suspected privacy breaches, and take appropriate remedial measures including amending our policies, disciplining staff, etc.
We have a process for handling requests for correction or amendments to health information. In the event that a complaint cannot be resolved, the Clinic Privacy Officer will advise the individual of the mechanism for referral of the complaint to the appropriate health profession licensing or association body, or the Office of the Information and Privacy Commissioner of Alberta (as appropriate).
Personal Employee Non-Health Related Information
Our clinic also respects the privacy rights of our employees and is committed to protecting the personal information that we collect from them.
As an employer, we will collect employees’ personal information specific to payroll requirements. We will use this information in a way that is reasonable to fulfill our obligations and abide by Personal Information Protection Act (PIPA) legislation in Alberta. The type of information may include: employee resume, letter of employment / contract, salary or wage history, performance related documents (including performance reviews, commendations, and disciplinary action), and tax forms. We will maintain this information securely. Employees have the right to review their own employee records by contacting the clinic Privacy Officer.
These clinic privacy principles were developed based on the “Generally Accepted Privacy Principles” as developed by the AICPA and the Canadian Institute of Chartered Accountants (CICA). Using GAPP, organizations can design and implement sound privacy practices and policies. The GAPP principles were developed using international privacy regulatory requirements and best practices.
Virtual Care
Our health service is offering virtual care to ensure we can continue to care for our patients safely and effectively. This means that we will be using video and audio technologies for some patient visits rather than in-person visits. We do our best to make sure that any information you give to us during virtual care visits is private and secure, but no video or audio tools are ever completely secure. There is an increased security risk that your health information may be intercepted or disclosed to third parties when using video or audio communication tools. To help us keep your information safe and secure, you can:
● Understand that video, emails, calls, or texts are not secure in the same way as a private in-person appointment; and
● Use a private computer/device (i.e. not an employer’s or third party’s computer/device), secure accounts, and a secure internet connection. For example, using a personal and encrypted email account is more secure than an unencrypted email account, and your access to the Internet on your home network will generally be more secure than an open guest Wi-Fi connection.
By providing your information, you agree to let us collect, use, or disclose your personal health information through video or audio communications (while following applicable privacy laws) in order to provide you with better care. In particular, the following means of communication may be used: email, videoconferencing, text messaging, website/portal, etc.