Privacy




Module 2: 10 General Principles for Using Information

Privacy legislation is based on 10 principles:

Accountability - An organization is responsible for personal health information under its control, including information transferred to a third party.

Identifying purposes - Patients have the right to know what information is collected about them, how it is used, with whom it is shared/disclosed, how long it is retained, and how it is disposed of. The purpose for the information must be identified at or before the time of collection. The patient has the right to accept or reject the use or disclosure unless the use or disclosure is required or permitted by law.

Consent - Informed consent is required from the patient to collect, use, share, and retain information.

  • Implied consent can be relied on if the purpose of the collection, use and disclosure of the information is for the purpose of providing or facilitating health care to the patient.
  • Express written consent is required for other purposes.

Similar to Consent to Treatment, consent is based on the patient's capacity to understand the reason for the collection, use, and disclosure of information. There is no age of consent.

Limiting collection - Collect only the information that is necessary to accomplish the intended, informed purpose.

Limiting use, disclosure, and retention - Information must not be used or disclosed for purposes other than those for which it was collected (except with the consent of the patient or if the use of the information is permitted or required by law) and must be retained only as long as required for the intended purpose.

Accuracy - Patients have the right to request correction or amendments to their information, if they feel it is inaccurate or incomplete.

Safeguards - Organizations must implement appropriate safeguards to protect personal information against loss, theft, unauthorized access, use, disclosure, and copying.

Examples of the types of strategies required include:

  • Physical measures, e.g.:
    • locked doors and filing cabinets,
    • secure destruction of hard copy information, i.e. confidential waste bins or department-owned cross-cut shredders
  • Technology measures, e.g.:
    • user-specific passwords to network systems,
    • availability of systems to encrypt information stored outside the hospital’s secure network
  • Organizational measures, e.g.:
    • policies setting the standard for maintaining the confidentiality and security of the information
    • education informing employees and affiliates about their obligations for the confidentiality and security of information.

Openness - To be open and honest with patients regarding our information management practices.

  • Information for patients is available:
    • on the Privacy Internet site for LHSC, including Frequently Asked Questions.
    • on posters and brochures in registration points and public areas

Individual access - With limited exceptions, patients have the right to access their information, including viewing or requesting a copy of their health record. (See the Health Record Services website for more information.)

Provide recourse - Patients have the right to express their concerns regarding our information practices, including their right to take their concerns directly to the Information and Privacy Commissioner of Ontario.
