Published On: January 28, 2019
Millions of people are unaware of and uninformed about how their personal information is being used, collected or shared in our digital society. Data Privacy Day aims to inspire dialogue and empower individuals to take action. The date commemorates the Jan. 28, 1981, signing of Convention 108, the first legally binding international treaty dealing with privacy and data protection.
St. Thomas Elgin General Hospital is committed to protecting the privacy of its patients. STEGH values each patient’s personal health information (PHI) and manages it with respect and sensitivity.
The Privacy Office operates under two main laws: the Personal Health Information Protection Act and the Freedom of Information and Protection of Privacy Act. There are 10 important privacy principles that form the basis of the legislation.
The Privacy Office at STEGH manages how personal health information is collected, used, disclosed, and protected.
Below are some frequently asked questions related to privacy:
What information does the hospital collect?
The hospital collects both personal and health information. Information like a patient’s name, date of birth, address, health card number and extended health insurance numbers are examples of personal information. Information relating to previous health problems, the record of visits to the hospital, and the health care provided during those visits are examples of health information.
Why does the hospital need this information?
The information we collect from a patient is used:
- To provide quality health care and follow-up care in the community. We need personal information to make sure we can make the appropriate diagnosis and provide treatment.
- To release very limited information to family and friends who may call, e.g. what room a patient is in. We may provide generalized condition reports such as “good, fair, serious or critical” to other individuals who are not immediate family. If a patient does not wish for their name to be included in the Patient Information list, he/she should notify Patient Registration when they arrive or inform their healthcare provider. This would mean that if someone asks about a patient who is not on the Information List, they would be informed that there is no one by that name on the patient list.
- To carry out quality assurance to help make improvements.
- To follow up with patients, e.g. surveys.
- To comply with the law. The law requires hospitals to turn over patients’ personal health information if there is a legal investigation. We also use the information to obtain funding for health services from the Ministry of Health.
- For fundraising. Patients’ contact information (name and address) is provided to the hospital Foundation so they can contact a patient to see if they wish to make a donation. Donations raise money for equipment and facilities to provide patients with modern health care services. The hospital does not provide the Foundation with the names of patients who have sensitive procedures or diagnoses.
- For research. Some research is conducted using only non-identifiable, statistical information; other forms of research require permission to participate. A patient is under no obligation to agree to this research, and the decision to participate does not impact care received in any way.
How does the hospital protect a patient’s information?
- Educating and reminding staff, physicians, volunteers and students of the importance of respecting patients’ privacy rights and of maintaining confidentiality.
- Requiring that all staff wear photo identification at all times while on hospital property to protect against unauthorized individuals accessing information.
- Applying additional security measures to all electronic health records e.g. usernames and passwords, firewall and antivirus software.
- Locked doors and security personnel.
- Mandatory training, orientation and review of hospital policies regarding privacy of personal health information.
Does the hospital share a patient’s information with anyone?
The hospital shares some or all of patients’ information with:
- Health care providers at other hospitals, nursing homes or other health care agencies who become part of a patient’s health care team.
- Agencies that fund the hospital e.g. OHIP, extended health insurance companies, Workplace Safety and Insurance Board, Ministry of Health.
- Other agencies as required by law e.g. public health surveillance.
Where is health information stored and for how long?
Hospitals are required to keep health records for at least 10 years past the date of admission. In some cases (e.g. health records for children and records maintained for the purpose of research), health records are kept for much longer. Most health records are maintained in the Health Record Services department, but some departments, including Diagnostic Imaging and Laboratories, maintain their own specific records.
Can all hospital staff access a patient’s health information?
The only people authorized to access a patient record are the staff and physicians involved in a patient’s circle of care, or staff who need information from a patient record to conduct the business of the hospital, e.g., Finance department staff who bill a patient’s extended health insurance company.
All staff and hospital affiliates are bound by hospital policies and practices related to Privacy and Confidentiality. These policies aim to ensure that staff only access information on a need-to-know basis. Regulated Health Professionals are also bound by privacy and confidentiality requirements from their professional Colleges.
For more information about your health privacy rights in Ontario: https://www.ipc.on.ca/health/your-health-privacy-rights-in-ontario/