Privacy and Confidentiality

Background

According to the first annual report issued by the Privacy Commissioner of Canada (1984), “Privacy is not simply a precious and often irreplaceable human resource; respect for privacy is the acknowledgement of respect for human dignity and of the individuality of [hu]man[ity].” Everyone has the legal right to have their privacy respected, and their personal health information protected, by the health practitioners from whom they are receiving healthcare services.

Therefore, Dalton Associates (on behalf of the Encompas Mental Health Wellness Program (“Encompas”)) has developed strict policies to ensure clients are receiving services through the Encompas program in a manner that protects their privacy, as well as their personal health information. Specifically, the Encompas policies incorporate all relevant privacy legislation set forth by Canada’s federal government, namely the Privacy Act and the Personal Information Protection and Electronic Documents Act (PIPEDA), as well as Ontario’s Personal Health Information Protection Act (PHIPA).

Privacy of personal information is a critically important principle to everyone at Encompas, the OPPA and Dalton Associates. We are committed to collecting, using and disclosing personal information responsibly and only to the extent necessary for the services we provide. We also try to be open and transparent as to how we handle personal information.

Personal Information: Personal information refers to information about an identifiable individual and includes information that relates to an individual’s personal characteristics (e.g., name, date of birth, home address and telephone number), their health (e.g., presenting problem, health history, health services received by the individual, social situation) or their activities and views (e.g., opinions expressed by an individual, an opinion or evaluation of an individual). Personal information is not the same as business information (e.g., an individual’s business address and telephone number), which is not protected by privacy legislation. Personal Health Information is defined by the Personal Health Information Protection Act, 2004, as such legislation may be amended, from time to time, and, for the purposes of these policies, is one component of “personal information”.

We use a number of consultants and agencies that may, in the course of their duties, have limited access to the personal information we hold. These consultants and agencies include bookkeepers and accountants, lawyers, third party service providers, computer consultants, credit card companies, financial institutions, marketing personnel and website managers. We restrict their access to any personal information we hold as much as reasonably possible. We also have a confidentiality agreement with them.

No personal information will be communicated, directly or indirectly, to a third party without your informed and written consent and we will never sell your information to third parties. If you opt-in to text messaging, we will not share your personal data (like your phone number) or any consent information (like who consented to receive text messages).

Use and Disclosure of Personal Information

Dalton Associates will never sell your information to a third party.

In addition, no personal information will be communicated, directly or indirectly, to a third party without the informed and written consent of Encompas clients. Exceptions to this policy include the legal, and/or ethical obligations to:

• Inform a potential victim of violence of a client’s intention to harm them;
• Inform an appropriate family member, health care professional, or emergency services if necessary, of a client’s intention to end his or her life;
• Provide a copy of a record when there is a court order, warrant or subpoena to do so;
• Inform the Children’s Aid Society (CAS) / Family and Children’s Services (FACS) if there is suspicion of a child being at risk of, or in need of, protection due to neglect, or physical, sexual (inclusive of child pornography), or emotional abuse;
• Report a health professional who has sexually abused a client;
• Report elder abuse in long term care facilities; and,
• Share identifying information to relevant authorities (i.e., public health), if required, with respect to infectious disease control requirements for contact tracing procedures (i.e., should I, my therapist, or another client who receives services at my therapist’s office test positive for an infectious disease).

Additional exceptions to disclosure include the following:

REGULATORY COLLEGE REQUIREMENTS

The services provided by the Encompas program are regulated by the College of Psychologists and Behaviour Analysts of Ontario, the Ontario College of Social Workers and Social Service Workers, and the College of Registered Psychotherapists of Ontario, who may inspect our records and interview our mental health practitioners and administrative staff as part of their regulatory activities in the public interest, consistent with the Ontario Regulated Health Professions Act, 1991. Regulatory colleges have their own strict privacy obligations. College reports may include personal information about our clients, or other individuals to support the concern (e.g., improper services).

GOVERNMENT AGENCIES

Like all organizations, various government agencies (e.g., Canada Customs and Revenue Agency, Information Privacy Commissioner of Ontario, Human Rights Commission, etc.) have the authority to review our files and interview our mental health practitioners and administrative staff as part of their mandates. In these circumstances, we may consult with professionals (e.g., lawyers, accountants) who will investigate the matter and report back to us.

THIRD PARTY PAYERS

The cost of some goods/services provided by our practice to clients is paid for by third parties (e.g., WSIB, private insurance, First Nations and Inuit Health Branch, etc.). These third-party payers often have your consent or legislative authority to direct us to collect and disclose to them certain information in order to demonstrate client entitlement to this funding.

Client Access to Records

It is the policy of Encompas that clients have a legal and moral right to know what information is contained about them in their record.

Clients or their legal designates shall have access to all information which can be identified as pertaining to them and which is stored in the client record, with the exception of information that is believed to be harmful or that is confidential about, or from, third parties. We will need to confirm a client’s identity and legal right to have access to the information prior to release of information from their record. In some cases, this may include producing identification and/or proof that another individual (e.g., substitute decision maker) has legal authority to make decisions on behalf of the client if the client is unable to do so themselves. We reserve the right to charge a nominal fee for such requests.

We may ask that all requests for records are made in writing to Encompas. If we cannot provide access to a record, we will inform the requesting individual/client within 30 days, and provide a reason, as to why we cannot provide access.

If a client believes there to be a mistake in the information contained in their record, they have the right to ask for it to be corrected. This applies to factual information and not to any professional opinions we may have formed. We may ask clients provide documentation that supports the notion that our files are incorrect. If changed, a statement of changed information is included in the record. If the request for a change is declined, the client may file a notice of disagreement in the record.

Storage and Transmission of Data

Personal information collected during the course of services with Encompas will be stored and transmitted in the following ways, consistent with regulatory college and legislative requirements:

STORAGE

• Electronic Case Management Record: A record of each client’s enrollment into the program, and information shared with their Encompas Care Manager, will be stored on a secure server, located in a Tier 4 facility. This is not a shared server, and the organization is SOC-certified. There are various protocols in place (e.g., back-up server, encryption, and firewalls) to ensure the safety and security of the data.
• Electronic Clinical Record: A record of each client’s clinical services (e.g., counselling) will be stored on a secure server, located in a Tier 4 facility. This is not a shared server and the organization is SOC-certified. There are various protocols in place (e.g., back-up server, encryption, and firewalls) to ensure the safety and security of the data.
• Encompas Portal: Enrollment in the Encompas Portal is entirely voluntary. In order to register with the Portal, the user must create an account and provide a name and email address. For the Care Manager Supported Portal, the user will need to share their information with the Care Manager in order to register for the Program. If the user chooses to register through the Self-Directed Portal, they can choose the name and email they wish to use – if the user would like to remain completely anonymous, we recommend using a name and email address that is not identifiable. For both Portals, personal information will remain confidential in accordance with the type of registration: in other words, with the Care Manager Supported Portal, those within the Encompas Care Team will have access to the results. None of a users’ personal health information will be shared with anyone outside the Care Management Team without the user’s consent – including the Association, employers, colleagues or therapists. Each Encompas Portal stores the name and email address under which the account was created and the results of self-assessments. In addition, the Care Manager Supported Portal stores the name of the user’s Encompas Care Manager (if working with a Care Manager), and some additional narrative information regarding their plan of care if a plan of care has been created and stored on the Portal. All of the information contained in the Encompas Portal (Care Manager Supported and Self-Directed) is stored on a platform hosted by Greenspace Health. Greenspace is a trusted service provider for many large hospitals, health authorities, and clinics across Canada. They have completed numerous privacy and security reviews and have never failed to successfully pass a review. Greenspace Health is compliant with all Canadian federal and provincial privacy legislation and Greenspace has implemented significant measures which exceed industry standards and best practices in order to safeguard users’ personal health information. Greenspace also has implemented many additional precautions to protect privacy including: requiring strong passwords, automatic logouts, automatic access logging, secured data backups, two factor authentication and restrictive data access procedures. The Greenspace system also conforms to digital and physical security protocols (including PHIPA), with SSL-secured access, AES encryption at the file-system level, and firewalls protecting all data. As part of Greenspace’s commitment to ensure best-in-class privacy and security standards, Greenspace has completed a SOC 2 Type II review by an independent AICPA auditing firm that has examined its control objectives and activities, and tested its controls to ensure operational excellence. Database traffic is encrypted both in transit and at rest using modern technology standards. The Greenspace system conforms to digital and physical security protocols (including PHIPA), with SSL-secured access, AES encryption at the file-system level, and firewalls protecting all data. Greenspace stores all data and information in Canada with a secure cloud storage provider called Aptible. Aptible is an industry leader in securely managing and storing confidential and highly sensitive healthcare information. Aptible has been tested and passed audits by Kaiser Permanente, MD Anderson, UnitedHealth Group, Johns Hopkins, Stanford, and many others. In addition, Aptible is certified for compliance with ISO 27001, SOC 2, and HITRUST CSF. Greenspace’s database runs in a private subnet (hidden from the outside internet) and access is restricted to Greenspace. Database traffic is encrypted in transit, and data is encrypted at rest using modern technology standards.

TRANSMISSION

• OnCall Health: This platform provides PHIPA-compliant encrypted videoconferencing. Consent forms are securely shared, but not stored through this platform.
• Communication via email: Transmission of personal information via email is only permitted when using password-encrypted PDF documents.
• Communication via mail: Transmission of personal information via mail is only permitted when sent via trusted post or courier service (e.g., Canada Post, Purolator, UPS), is registered for tracking with the service, and is only delivered once a signature of the intended recipient is received by the service.
• Communication via fax: Transmission of personal information via fax is only permitted if the fax is not a shared service (such as those at a Staples or another public/shared fax machine), and if the intended recipient has been notified via telephone prior to the fax being sent, and confirms via telephone once it has been received.

Protecting Personal Information

We understand the importance of protecting personal information. For that reason, we have taken the following steps in the storage and maintenance of our client’s personal information and personal health information, consistent with PHIPA requirements:

• Paper information is stored either under supervision or secured in a locked or restricted area.
• Electronic hardware is either under supervision or secured in a locked or restricted area at all times.
• Passwords are used on computers accessing personal health information.
• Paper information is transmitted through sealed, addressed envelopes or boxes by reputable companies (e.g., Canada Post, Purolator, UPS, etc.). All paper information that is transmitted through mail or courier is to be expediated and registered for tracking, with a signature required by the recipient upon delivery.
• Documents are transmitted electronically (e.g., email) only if they are completely anonymized/de-identified, and/or contained in a password-encrypted PDF document attached to the electronic/email transmission.
• Any files or electronic hardware being transported are required to be stored in a double-locked area (e.g., car trunk and carrying case with a locking mechanism)
• Mental health practitioners and Encompas/Dalton staff are trained to collect, use and disclose personal information only as necessary to fulfil their duties and in accordance with our privacy policy.
• External consultants and agencies with access to personal information must comply with legal requirements to protect confidential information (in the case of health information custodians) or enter into agreements to preserve the confidentiality of the information they receive.

Retention and Destruction of Personal Information

We are required to retain personal information for a period of time to ensure that we can answer any questions clients might have about the services provided and for our own accountability to regulatory colleges.

As required by our regulatory colleges, Encompas retains personal information for 10 years following the client’s last contact or, if the client was less than 18 years of age at the time of last contact, for 10 years following the day the client would have turned 18.

Once a file has been retained for the time outlined above, it may be destroyed, consistent with PHIPA guidelines. To safeguard the privacy of Encompas clients, we cross-shred paper files containing personal information. We destroy electronic information by securely deleting or over-writing it and when the hardware is discarded, we ensure the hard-drive is physically destroyed.

Encompas Portal: Specific to the Encompas Portal, information is retained by Greenspace in accordance with their records retention policy, which means that Greenspace will store personal information for only so long as is necessary to fulfill its original purpose. At any point, for any reason, users are entitled to delete their account. Once the request is received, Greenspace ensures that all electronic and hard copies of the user’s information are securely destroyed and irreversibly deleted from Greenspace’s live systems within 7 days.

Privacy Breach Policy

If there is a suspected or actual breach of a client’s private and confidential information, Encompas must:

1. Implement the privacy breach protocol;
2. Contain the breach;
3. Notify the clients affected by the breach;
4. Investigate and remediate the breach; and,
5. If applicable, report the breach to the Information and Privacy Commissioner of Ontario (IPC) and/or the appropriate regulatory/governing