Protecting Your Privacy (Freedom of Information)

Protecting Your Privacy

Privacy Q&As | Access to Information | How to Make a Request for Information | FIPPA Q&As | Forms and Documents

 

WDMH is committed to protecting your privacy and your personal health information. We do in accordance with the Personal Health Information Protection Act (PHIPA) and other applicable laws.


Privacy Q&As

Please review these Q&As to help answer any questions you may have:


Can I find out who has viewed my WDMH patient health record?

Yes. If you wish to know who accessed your health record, you can make a request to the Chief Privacy Officer, to obtain an audit report. The Chief Privacy Officer, Sean O'Brien, may be contacted at 613-774-2420 extension 6150. The Chief Privacy Officer will provide the information to you in a timely fashion (usually within 30 days). If you have further concerns upon receipt of your audit report, you may make a complaint to the Chief Privacy Officer, who will pursue your concerns on your behalf.


Where are my WDMH records and for how long?

All patient records may be stored electronically on computers, on microfilm, or the original paper documents are maintained. Currently records are stored on site for those encounters that have taken place within the last 4 years. For all other records considered not active (> 4 years with no visit to the hospital), they are maintained and secured by an external agency - Iron Mountain.

 

WDMH meets all legal requirements for record retention periods – the Public Hospitals Act requires health records to be maintained for 10 years from the last encounter/visit to the organization. In the case of persons under the age of 18, records are kept for a period of 10 years from their 18th birthday for a total of 28 years.

 

Due to the limited space to house all of our patient records, WDMH’s storage practice for health records is currently under review. As we move forward with our new Clinical Information System, records currently stored off site will be scanned into our system and available for future access when required.


I have noticed that many areas of the hospital are open and I can sometimes overhear staff talking to patients or family about health information. Is this not a breach of patient privacy?

There are inherent limitations to the Hospital’s physical environment. Many areas, such as nursing stations, are in public spaces. Despite these physical limitations and the pressures of an acute care hospital setting, staff will take precautions and make every effort to discuss health information confidentially.


When I called the hospital to see how my family member was doing; the WDMH staff would not describe what the problem with my family member was or their condition. Why is that?

The Hospital receives many phone calls from concerned family members and friends regarding our patients. As hospital staff cannot verify who the caller is, hospital staff can only provide limited information to the caller. This policy is in place so that we can protect the private health information of our patients.

 

Only the following information will be given to a person over the phone:

  • Confirmation whether or not you are a patient at the Hospital;

  • Your general health status (e.g., stable, critical); and,

  • Your location in the Hospital.

If you do not wish for this information to be disclosed, please inform hospital staff. We will respect your rights to complete confidentiality.

 

In some circumstances, the above information will not be released to anyone. For example, patients that are being treated for sexual assault or domestic violence are treated as completely confidential in order to ensure the personal safety of the patient.


How is my health information protected?

There are three components to protecting patient information at WDMH:

  1. Administrative Safeguards: The WDMH Privacy Policy governs the manner in which all WDMH care providers and staff manage patient information. Furthermore, all WDMH staff (employees, physicians and volunteers) must sign a confidentiality agreement as a condition of employment.

  2. Physical Safeguards: WDMH has a number of physical safeguards which range from locked doors to staff wearing photo identification to identify themselves as WDMH employees.

  3. Technical Safeguards: WDMH’s Information Technology Department upgrades the security capabilities of the patient information systems on an ongoing basis. Also, WDMH has implemented access controls for staff, which are based on the staff member’s job role. This access control helps limit the staff members’ access to electronic files on a need-to-know basis to perform their job duties.

The WDMH patient information system also uses passwords to protect the system from inappropriate access from within the Hospital. Finally, a firewall is in place to protect our information systems from external unauthorized access.


Is my health information available on the Internet?

No, health information is not publicly available on the Internet. WDMH may use the Internet to transfer unidentifiable health information securely through a Virtual Private Network or e-mail system. These systems are secured by a combination of authentication and encryption.


Can my family physician access my WDMH health information?

WDMH releases discharge summaries to family physicians as directed by the most responsible physician during your stay at Hospital. WDMH will release other information to your family physician with your consent.

 

Can all WDMH staff access my patient record?

Only WDMH staff involved in your care may access your patient record. All WDMH staff are bound by a strict confidentiality agreement, which is signed as a condition of employment. This agreement seeks to ensure staff only access information on a need-to-know basis to do their work.


What if I am unable to give consent for another person to access my health record?

If you are unable to give consent for a friend or family member to access your chart due to reasons of competency or consciousness, the consent decision falls to the appointed substitute decision maker such as a parent or guardian. This person is bound by law to act on your behalf, who must make decisions based on their belief of what you would wish done if you were able to decide.


Can my family see my health information?

We require your express consent to share any of your health information with a friend or family member.


How can I get a copy of my patient record?

A Release of Patient Record form is required which includes questions to help us search for your record. These questions include: Name, Date of Birth, and Reason for Request etc. There is a service fee, depending on the nature of your request and size of the file. The amount of the service fee will be discussed prior to the processing of your request.


Do I have access to my health information? If so, how can I access my health information at the hospital?

When you are a patient at WDMH, you can ask your health care provider for your health information. The health care providers will work together with you to answer your questions, and provide access to your health information.

 

After you have left the Hospital, you are welcome to contact the Health Records Department at 613-774-2420 ext. 6360. You will be asked to sign a consent form for the release of information.

 

Our standard practice is to send a copy of your health record to your family doctor. Your family doctor will then review the health record with you and answer your questions. This process has worked well for patients.


When I am a patient at WDMH, a lot of information is collected about me. What is the information used for?


The information collected is used for the following purposes:

  • Your patient care and treatment;
  • Administration of the hospital, including internal studies for quality assurance and patient satisfaction surveys;
  • Administration of the health care system, where your information is submitted to the Canadian Institute of Health Information (CIHI) and the provincial Ministry of Health and Long-Term Care;
  • Meeting legal and regulatory requirements;
  • Responding to general enquiries about your location within the Hospital and your general health status (e.g., stable, critical).

WDMH is required by law to report certain pieces of information about our patients to health care agencies, including the following: the provincial Ministry of Health (billing information), the Canadian Institute for Health Information (coded discharge abstracts), Public Health and Health Canada (public health surveillance), and Cancer Care Ontario (pathology reports). This is done to ensure the health care system is running optimally, and to conduct statistical comparisons of population health characteristics over a broad geographical range.


Does WDMH ever sell patient information to drug companies, or anyone else?

No, WDMH does not sell patient information to drug companies or to anyone else.

 

Access to Information


The Freedom of Information and Protection of Privacy Act (FIPPA), R.S.O. 1990 (the "Act") is provincial legislation that came into effect on January 1, 1988. On January 01, 2012, Hospitals in Ontario were added to the list of public bodies to which the Act applies.


The Act has two main purposes:

  • To make public bodies more open and accountable by providing the public with the right of access to records; and
  • To protect personal information from unauthorized collection, use or disclosure by public bodies.

The Act applies to records in the custody or control of the Hospital. Upon request, certain records must be made available, subject to limited exemptions as provided for in the Act.

 

How to Make a Request for Information

Step 1: Find out if a FIPPA request is necessary

You do not always need to submit a formal freedom of information request to access information from the Hospital.

  • A lot of information is posted on our website.
  • If you cannot find the information that you seek online, consider requesting the information informally. This means requesting information from the department or area of the hospital that you think may have what you are looking for. You will be assisted with your request and told whether the information can be provided to you informally, or whether you will have to submit a freedom of information request.


Step 2: Make a formal written request

You may request access to information by making a written request through the Freedom of Information (FOI) Coordinator. For this purpose, an Access/Correction Request form is available on our website (see below). However, any request made in writing will be accepted, as long as the following information is included:

  • date of request
  • identification of the specific record(s) to which you are requesting access
  • statement that you are making this request through FIPPA
  • $5 application fee
  • your contact information
  • An original signature of requester.


Please remember the more specific your request, the more quickly and more accurately it can be answered.

Please note that requests received by electronic mail are not accepted since the legislation requires that requests be authenticated by an original signature.

Step 3: Pay the application fee

Once the Access or Correction Request form is completed, return it to the Finance department, along with a $5 application fee. Processing of the request will commence once the completed form and the receipt of payment are both received by the FOI Coordinator. If the total cost of completing your request exceeds $100, you will be provided with a fee estimate before processing begins and you will be required to pay a deposit of 50% of the total estimate before the Hospital will begin to process your request.

Step 4: Your request is reviewed

Your request will be reviewed by the FOI Office in accordance with FIPPA. The Hospital will then send you an acknowledgment letter and notify you of an estimate of any fees that may apply. Every effort will be made to resolve the request within 30 days. However the Hospital may advise you of the need for a time extension. Once a determination has been made, a decision letter will be sent to the requestor. This letter will outline all the details of the decision, including any exemptions that may apply, a calculation of any incurred fees, and if applicable, a schedule of disclosure, and directions regarding the actual access to the identified records. Records to which exemptions apply may be withheld entirely or be "severed" (i.e. portions blacked-out). A decision letter will explain in detail the exemptions applied and give reasons. If you request access to records containing personal information about yourself the Hospital may ask you to present yourself in person to the FOI Office with one piece of picture ID before the records are disclosed to you.


All decisions made by WDMH, including the final determination and any fees or time extensions, may be appealed to the Information and Privacy Commissioner (IPC) of Ontario. You have thirty-days (30) from the date of the Hospital's decision letter to request a review by Ontario’s IPC.

Information/Privacy Commissioner of Ontario at:
2 Bloor Street East, Suite 1400, Toronto, Ontario, M4W 1A8.
Tel: (416) 326-3333, or 1-800-387-0073
Email: info@ipc.on.ca
Web: http://www.ipc.on.ca/


FIPPA FAQ's

Can other people access my personal information?

Personal information must not be disclosed to anyone other than the individual to whom it relates, except:

  • where prior written request or consent of the individual, if the record is one to which the individual is entitled to have access
  • in compelling circumstances affecting the health or safety of an individual
  • personal information collected and maintained specifically for the purpose of creating a record available to the general public
  • under an Act of Ontario or Canada that expressly authorizes the disclosure
  • for a research purpose if specific conditions are met
  • the disclosure is consistent with the conditions or reasonable expectations of disclosure under which the personal information was provided, collected or obtained,
  • if the disclosure does not constitute an unjustified invasion of personal privacy


What is the difference between a request for ‘general information’ and a request for ‘personal information’?

Personal Information is defined as recorded information about an identifiable individual such as information relating to the race, national or ethnic origin, colour, religion, age, sex, sexual orientation or marital or family status of the individual, information relating to the education or the medical, psychiatric, psychological, criminal or employment history of the individual or information relating to financial transactions in which the individual has been involved, any identifying number, symbol or other particular assigned to the individual, the address, telephone number, fingerprints or blood type of the individual, the personal opinions or views of the individual except where they relate to another individual, correspondence sent to an institution by the individual that is implicitly or explicitly of a private or confidential nature, and replies to that correspondence that would reveal the contents of the original correspondence, the views or opinions of another individual about the individual, and the individual’s name where it appears with other personal information relating to the individual or where the disclosure of the name would reveal other personal information about the individual.

Personal information does not include the name, title, business address, and business contact numbers of an employee. The personal information for individuals deceased more than 30 years is no longer protected by the Freedom of Information and Protection of Privacy Act (FIPPA).

General information relates to all other information that is not considered personal information as defined above.

 

Why can I not have access to certain records?

FIPPA stipulate that every person has a right of access to a record in the custody or under the control of the Hospital. However certain records are excluded from the purview of the Act (i.e. labour relations (s. 65(6)), research and teaching materials (s.65 (8.1))). Also, there are mandatory and discretionary exemptions for other types of records that apply and determine the disclosure of the records (i.e. third party information (s. 17), economic interests (s. 18), solicitor-client privilege (s. 19), and personal privacy (s. 21)).


Is there a cost to make a request? How much?

There is an initial fee of $5 to make a request under FIPPA. Other fees may follow. Costs can be It is possible to reduce the costs of a request by being very specific with your request. An example that could help reduce fees would be to include in your request to eliminate all information sent or received by you.


How do you calculate the estimates and final fees?

The fees are calculated in accordance to the FIPPA regulation 460 R.R.O. 1990. The fee breakdown is as follows:


Action

Fees

Making an access request $5 fee must accompany written request
Change in personal information
No fee required besides the $5 request fee and photocopy fees
Photocopies and computer printouts $0.20 per page
CD ROMs  
$10 per disk
Encrypted USB Drive $50/ usb
Manually searching a record $30 per hour ($7.50 for each 15 minutes) spent by any person
Preparing a record for disclosure, including severing part of the record 
$30 per hour ($7.50 for each 15 minutes) spent by any person
Developing a computer program or other method to produce a record from a machine-readable record $60 per hour($15 for each 15 minutes) spent by any person
Cost, including computer costs, incurred to locate, retrieve, process and copy record(s) as specified in an invoice received by the hospital Actual costs

Can I obtain an electronic copy of the records requested?

Yes, the Hospital can provide an electronic copy of the records on a CD-ROM. Please note that a $10.00 fee will be charged in accordance with the FIPPA regulation.

Who do I make my cheque payable to?

Cheques for the initial application fee may be made payable to Winchester District Memorial Hospital. All further fees must be paid by cash, certified cheque or money order to Winchester District Memorial Hospital.

Can my request form be faxed or emailed?

Since the request must be accompanied by a $5.00 application fee before the searches can begin, the request must be sent by mail, courier, or may be dropped off in person.

How specific do I need to be with my request?

Please be as specific as possible in describing the information you are seeking. The more specific your request, the quicker and more accurately it can be answered. This includes adding details such the area the information should be searched in, the key words that you find appropriate to conduct the search and the period of the request (date). Please note that the search dates of a request ends on the day that the request has been received.


If you are requesting your own personal information, please be sure that you give: your full name; any other names that you have previously used; and any identifying number that relates to the records, such as your employee or student number, or other identification number.

Where can I find the form to make a formal request?

You may find the form to make a formal request below


Directory of Records and Personal Information Banks

Pursuant to the Freedom of Information and Protection of Privacy Act (FIPPA), section 35, The Winchester District Memorial Hospital has made available this Directory of Records

 

Forms and Documents

WDMH FIPPA Request Form
Directory of Records