Privacy Policy
Encompas Mental Health Wellness Program
Privacy and Confidentiality
Background
According to the first annual report issued by the Privacy Commissioner of Canada (1984), “Privacy is not simply a precious and often irreplaceable human resource; respect for privacy is the acknowledgement of respect for human dignity and of the individuality of [hu]man[ity].” Everyone has the legal right to have their privacy respected, and their personal health information protected, by the health practitioners from whom they are receiving healthcare services.
Therefore, Dalton Associates (on behalf of the Encompas Mental Health Wellness Program (“Encompas”)) has developed strict policies to ensure clients are receiving services through the Encompas program in a manner that protects their privacy, as well as their personal health information. Specifically, the Encompas policies incorporate all relevant privacy legislation set forth by Canada’s federal government, namely the Privacy Act and the Personal Information Protection and Electronic Documents Act (PIPEDA), as well as Ontario’s Personal Health Information Protection Act (PHIPA).
Privacy of personal information is a critically important principle to everyone at Encompas, the OPPA and Dalton Associates. We are committed to collecting, using and disclosing personal information responsibly and only to the extent necessary for the services we provide. We also try to be open and transparent as to how we handle personal information.
Personal Information: Personal information refers to information about an identifiable individual and includes information that relates to an individual’s personal characteristics (e.g., name, date of birth, home address and telephone number), their health (e.g., presenting problem, health history, health services received by the individual, social situation) or their activities and views (e.g., opinions expressed by an individual, an opinion or evaluation of an individual). Personal information is not the same as business information (e.g., an individual’s business address and telephone number), which is not protected by privacy legislation. Personal Health Information is defined by the Personal Health Information Protection Act, 2004, as such legislation may be amended, from time to time, and, for the purposes of these policies, is one component of “personal information”.
We use a number of consultants and agencies that may, in the course of their duties, have limited access to the personal information we hold. These consultants and agencies include bookkeepers and accountants, lawyers, third party service providers, computer consultants, credit card companies, financial institutions, marketing personnel and website managers. We restrict their access to any personal information we hold as much as reasonably possible. We also have a confidentiality agreement with them.
Use and Disclosure of Personal Information
No personal information will be communicated, directly or indirectly, to a third party without the informed and written consent of Encompas clients. Exceptions to this policy include the legal, and/or ethical obligations to:
- Inform a potential victim of violence of a client’s intention to harm them;
- Inform an appropriate family member, health care professional, or emergency services if necessary, of a client’s intention to end his or her life;
- Provide a copy of a record when there is a court order, warrant or subpoena to do so;
- Inform the Children’s Aid Society (CAS) / Family and Children’s Services (FACS) if there is suspicion of a child being at risk of, or in need of, protection due to neglect, or physical, sexual (inclusive of child pornography), or emotional abuse;
- Report a health professional who has sexually abused a client;
- Report elder abuse in long term care facilities; and,
- Share identifying information with relevant authorities (e.g., public health), if required, with respect to infectious disease control requirements for contact tracing procedures (i.e., should I, my therapist, or another client who receives services at my therapist’s office test positive for an infectious disease).
Additional exceptions to disclosure include the following:
REGULATORY COLLEGE REQUIREMENTS
The services provided by the Encompas program are regulated by the College of Psychologists and Behaviour Analysts of Ontario, the Ontario College of Social Workers and Social Service Workers, and the College of Registered Psychotherapists of Ontario, who may inspect our records and interview our mental health practitioners and administrative staff as part of their regulatory activities in the public interest, consistent with the Ontario Regulated Health Professions Act, 1991. Regulatory colleges have their own strict privacy obligations. College reports may include personal information about our clients, or other individuals to support the concern (e.g., improper services).
GOVERNMENT AGENCIES
Like all organizations, various government agencies (e.g., Canada Customs and Revenue Agency, Information Privacy Commissioner of Ontario, Human Rights Commission, etc.) have the authority to review our files and interview our mental health practitioners and administrative staff as part of their mandates. In these circumstances, we may consult with professionals (e.g., lawyers, accountants) who will investigate the matter and report back to us.
THIRD PARTY PAYERS
The cost of some goods/services provided by our practice to clients is paid for by third parties (e.g., WSIB, private insurance, motor vehicle insurance, EFAP companies, First Nations and Inuit Health Branch, etc.). These third-party payers often have your consent or legislative authority to direct us to collect and disclose to them certain information in order to demonstrate client entitlement to this funding.
Client Access to Records
It is the policy of Encompas that clients have a legal and moral right to know what information is contained about them in their record.
Clients or their legal designates shall have access to all information which can be identified as pertaining to them and which is stored in the client record, with the exception of information that is believed to be harmful or that is confidential about, or from, third parties. We will need to confirm a client’s identity and legal right to have access to the information prior to release of information from their record. In some cases, this may include producing identification and/or proof that another individual (e.g., substitute decision maker) has legal authority to make decisions on behalf of the client if the client is unable to do so themselves. We reserve the right to charge a nominal fee for such requests.
We may ask that all requests for records are made in writing to Encompas. If we cannot provide access to a record, we will inform the requesting individual/client within 30 days, and provide a reason, as to why we cannot provide access.
If a client believes there to be a mistake in the information contained in their record, they have the right to ask for it to be corrected. This applies to factual information and not to any professional opinions we may have formed. We may ask that clients provide documentation that supports the notion that our files are incorrect. If changed, a statement of changed information is included in the record. If the request for a change is declined, the client may file a notice of disagreement in the record.
Storage and Transmission of Data
Personal information collected during the course of services with Encompas will be stored and transmitted in the following ways, consistent with regulatory college and legislative requirements:
STORAGE
- Electronic Case Management Record: A record of each client’s enrollment into the program, and information shared with their Encompas Care Manager, will be stored on a secure server, located in a Tier 4 facility. This is not a shared server, and the organization is SOC-certified. There are various protocols in place (e.g., back-up server, encryption, and firewalls) to ensure the safety and security of the data.
- Electronic Clinical Record: A record of each client’s clinical services (e.g., counselling) will be stored on a secure server, located in a Tier 4 facility. This is not a shared server and the organization is SOC-certified. There are various protocols in place (e.g., back-up server, encryption, and firewalls) to ensure the safety and security of the data.
- Encompas Portal: The Encompas Portal has each member’s name, the Encompas Care Manager assigned, the status of file (e.g., open or closed), and some additional narrative information regarding the Encompas client’s plan of care. This is stored on a secure server, located in a Tier 4 facility. This is not a shared server and the organization is SOC-certified.
- Encompas Member Portal: This platform, powered by Greenspace Health, is used to monitor client progress, outcomes, and satisfaction. It is compliant with Canadian privacy legislation, is accessible via computer, tablet or cellphone, and ensures ease of monitoring symptoms. The Greenspace system conforms to digital and physical security protocols (including PHIPA), with SSL-secured access, AES encryption at the file-system level, and firewalls protecting all data. Greenspace stores all data and information in Canada with a secure cloud storage provider called Aptible. Aptible is an industry leader in securely managing and storing confidential and highly sensitive healthcare information. Aptible has been tested and passed audits by Kaiser Permanente, MD Anderson, UnitedHealth Group, Johns Hopkins, Stanford, and many others. In addition, Aptible is certified for compliance with ISO 27001, SOC 2, and HITRUST CSF. Greenspace’s database runs in a private subnet (hidden from the outside internet) and access is restricted to Greenspace. Database traffic is encrypted in transit, and data is encrypted at rest using modern technology standards.
- ChatBeacon Live Chat: This is Encompas’ virtual chat feature, and is meant to be an easy resource for program information or intakes for clients. ChatBeacon is compliant with Canadian privacy legislation and is accessible via computer, tablet or cellphone. You are not required to share personal information through Live Chat, although ChatBeacon automatically collects user IP address. Live Chat inherits the control environment of Microsoft Azure, and they abide by the Microsoft Shared Responsibility SaaS model. Microsoft Azure undergoes rigorous independent third-party SOC 2 Type 2 audits conducted by a reputable, certified public accountant (CPA) firm. Information provided through ChatBeacon is stored for 3 days before being securely deleted from the system, although it may be added to a client’s electronic case management record, if appropriate.
TRANSMISSION
- OnCall Health: This platform provides PHIPA-compliant encrypted videoconferencing. Consent forms are securely shared, but not stored through this platform.
- Live Chat: This platform provides SSL-encryption for transmissions. No personal information is required to be provided while communicating using Live Chat.
- Communication via email: Transmission of personal information via email is only permitted when using password-encrypted PDF documents.
- Communication via mail: Transmission of personal information via mail is only permitted when sent via trusted post or courier service (e.g., Canada Post, Purolator, UPS), is registered for tracking with the service, and is only delivered once a signature of the intended recipient is received by the service.
- Communication via fax: Transmission of personal information via fax is only permitted if the fax is not a shared service (such as those at a Staples or another public/shared fax machine), and if the intended recipient has been notified via telephone prior to the fax being sent, and confirms via telephone once it has been received.
Protecting Personal Information
We understand the importance of protecting personal information. For that reason, we have taken the following steps in the storage and maintenance of our client’s personal information and personal health information, consistent with PHIPA and PIPEDA requirements:
- Paper information is stored either under supervision or secured in a locked or restricted area.
- Electronic hardware is either under supervision or secured in a locked or restricted area at all times.
- Passwords are used on computers accessing personal health information.
- Paper information is transmitted through sealed, addressed envelopes or boxes by reputable companies (e.g., Canada Post, Purolator, UPS, etc.). All paper information that is transmitted through mail or courier is to be expedited and registered for tracking, with a signature required by the recipient upon delivery.
- Information is transmitted electronically (e.g., email) if it is completely anonymized/de-identified, and/or contained in a password-encrypted PDF document attached to the electronic/email transmission.
- Any files or electronic hardware being transported are required to be stored in a double-locked area (e.g., car trunk, carrying case with a locking mechanism).
- Mental health practitioners and Encompas/OSI/Dalton staff are trained to collect, use and disclose personal information only as necessary to fulfil their duties and in accordance with our privacy policy.
- External consultants and agencies with access to personal information must enter into privacy agreements with Encompas.
Retention and Destruction of Personal Information
We are required to retain personal information for a period of time to ensure that we can answer any questions clients might have about the services provided and for our own accountability to regulatory colleges.
As required by our regulatory colleges, Encompas retains personal information for 10 years following the client’s last contact or, if the client was less than 18 years of age at the time of last contact, for 10 years following the day the client would have turned 18.
Under our general correspondence, we keep any personal information relating to people who are not clients contained in newsletters, seminars and marketing activities for six months after the newsletter ceases publication or a seminar or marketing activity is over.
Once a file has been retained for the time outlined above, we destroy it consistent with PHIPA guidelines. To safeguard the privacy of Encompas clients, we cross-shred paper files containing personal information. We destroy electronic information by securely deleting or over-writing it (whichever is more secure), and when the hardware is discarded, we ensure the hard-drive is physically destroyed.
Privacy Breach Policy
If there is a suspected or actual breach of a client’s private and confidential information, Encompas must:
- Implement the privacy breach protocol;
- Contain the breach;
- Notify the clients affected by the breach;
- Investigate and remediate the breach; and,
- If applicable, report the breach to the Information and Privacy Commissioner of Ontario (IPC) and/or the appropriate regulatory/governing
PROCEDURE:
As the organization that powered Encompas, Dalton Associates’ Privacy Officer will implement the following Privacy Breach Protocol in the case that a privacy breach has been reported and/or suspected:
Note: It is the role of the Encompas team to cooperate with the Privacy Officer during the privacy breach protocol process, per direct instruction from the Privacy Officer.
- As soon as possible, convene a team meeting including the Encompas staff member (Care Manager) involved (if applicable), clinician (if applicable), Chief Executive Officer, Chief Clinical Officer, and Quality Assurance Officer to document the details of the breach, and determine a plan of action;
- Open a file on the Dalton Associates secure server, in which to compile, organize, and save all relevant information pertaining to the breach;
- Review “Reporting a Privacy Breach to the Commissioner” (if unclear as to whether the suspected breach constitutes an actual breach, contact the IPC at 1-800-387-0073);
- If the suspected breach does not constitute an actual breach, save the information and close the case;
- If the suspected breach constitutes an actual breach, contact the IPC and make a verbal report based on the information gleaned from discussions with the team (1-800-387-0073);
- In the case of a confirmed breach of privacy:
- Communicate with the clients affected by the breach, including detailed specifics of what information was breached, within one (1) week of verbally reporting the breach to the IPC;
- If the breach was due to an oversight by the administrative staff team at Encompas or Dalton Associates, the Privacy Officer will draft detailed, dated, and signed letters to the affected clients, reporting the breach;
- The letter(s) must be approved by the Encompas team member, clinician (if applicable), Chief Executive Officer, Chief Clinical Officer, and Director of Quality Assurance prior to being sent to the affected clients;
- The letter(s) must be sent via registered post or secure email transmission to the clients;
- Should any letter be returned to Dalton Associates due to an outdated client address, the Privacy Officer will contact the client via telephone to report the breach and obtain a corrected address to which the registered letter will be sent.
- If the breach was due to an oversight by a clinician, the clinician is responsible for drafting a detailed, dated, and signed letter to the affected clients, reporting the breach;
- The letter(s) must be approved by the clinician, Supervising Psychologist (if applicable), Chief Executive Officer, Chief Clinical Officer, and Quality Assurance Officer prior to being sent to the affected clients;
- The letter(s) must be sent via registered post or secure email transmission to the clients;
- Should any letter be returned to the clinician due to an outdated client address, the clinician will contact the client via telephone to report the breach and obtain a corrected address to which the registered letter will be sent;
- The clinician will keep the Privacy Officer informed of the clinician’s progress in communicating the breach to clients.
- The Privacy Officer must compose a report for the IPC detailing the details of the breach (a template of said report is available on the Dalton Associates secure server);
- After the report is drafted, the report (along with any relevant supporting documentation) must be reviewed by the Encompas team member (as necessary) and approved by the clinician (if applicable), Chief Executive Officer, Chief Clinical Officer, and Director of Quality Assurance prior to being sent to the IPC;
- The report, and all relevant/supporting documentation, must be sent to the IPC (via email, fax, or mail) by the deadline they set;
- Await the response from the IPC;
- Make any necessary changes to Encompas’ policies and procedures to avoid future breaches of a similar nature from occurring;
- Report the breach and any lessons learned (excluding all identifying information of the Encompas team member(s) and the clients involved) via a memo to all staff at Encompas and Dalton Associates within one (1) month of receiving a response from the IPC;
- In some situations, the breach will need to be reported to the regulatory college of a clinician involved (should the clinician have caused the breach).