Privacy Policy

Policy Statement

The Kemptville District Hospital is responsible for personal information and personal health information under its custody or control and through the Chief Executive Officer, has designated an individual, the Chief Privacy Officer, who is accountable for the Kemptville District Hospital’s compliance with the following principles:

  • The name of the Chief Privacy Officer is a matter of public record.
  • The Hospital is responsible for personal information and personal health information in its possession or custody, including information that has been transferred to a third party for processing. Vendors and contractors must sign the hospital’s Confidentiality Agreement #217.
  • In order to ensure compliance the hospital will:
    1. Implement procedures to protect personal information and personal health information.
    2. Establish procedures to receive and respond to complaints and inquiries regarding privacy.
    3. Educate and communicate to staff about the privacy policies and practices.
    4. Ensure that all staff understand the policies and procedures and know where to access them.

Identifying Purposes for the Collection of Personal Information

At or before the time personal information and personal health information is collected, the Hospital will identify the purposes for which information is collected, primarily direct patient care delivery, the administration of the health care system, to conduct research and compile statistics and to comply with legal and regulatory requirements.

  • The identified purposes are specified at or before the time of collection to the individual from whom the information is collected.
  • When information that has been collected is to be used for a purpose not previously identified, the new purpose will be identified prior to use and patient consent will be secured.
  • Persons collecting information will be able to explain to individuals the purposes for which the information is being collected.

Consent for the Collection, Use and Disclosure of Personal Information

Consent must be provided by the patient or legal designate in order for the hospital to use personal information and personal health information. The act of seeking and requesting treatment provides sufficient consent to use personal information and personal health information.

Personal information and personal health information can be collected, used or disclosed without the individual’s knowledge and/or consent in the following circumstances:

  • consent cannot be obtained for legal, medical or security reasons
  • the information is being collected for the detection and prevention of fraud or for law enforcement
  • the individual is a minor, seriously ill, mentally incapacitated or otherwise unable to give consent
  • the Hospital does not have a direct relationship with the individual, who is therefore not available to give consent

Where feasible, consent will be requested at the time of collection of information. Exceptions may include circumstances, for example, where the hospital needs to use information for a purpose not previously identified.

The way in which the hospital seeks consent may vary, depending on the circumstances and type of information collected.

    1. An admission form may be used to seek consent, collect infonnation and inform the individual of potential uses. By signing the fonn, the individual is consenting to the specified uses.
    2. Check-off boxes may be used to restrict disclosure of names and addresses to other organizations. Individuals not checking off the box are assumed to consent to transfer of information to third parties.
    3. Written consent may be provided at the time of admission or treatment.
    4. Verbal consent may be provided when information is collected by telephone.
    5. Implied consent would generally be appropriate when the information is less sensitive.

An individual may withdraw consent at any time, subject to legal restrictions and reasonable notice and at that time will be informed of the implications of such withdrawal.

Limiting Collection of Personal Information

The collection of personal information and personal health information will be limited to that which is necessary for the purposes identified by the Hospital. Information will be collected by fair and lawful means.

  • The Hospital will not collect personal information or personal health information indiscriminately. Both the amount and type of information collected will be limited to that which is necessary to fulfill the purposes identified.
  • The Hospital will not collect information by misleading or deceiving individuals about the purpose for which information is being collected. This requirement implies that consent with respect to collection must not be obtained through deception.

Limiting Use, Disclosure and Retention of Personal Information

Personal information and personal health information will not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Personal information and personal health information will be retained only as long as necessary for the fulfillment of those purposes.

  • If using information for a new purpose, the Hospital will document this purpose.
  • The Hospital will develop guidelines and implement procedures with respect to the retention of personal information and personal health information, including minimum and maximum retention periods.

Ensuring Accuracy of Personal Information

Personal information and personal health information will be as accurate, complete and up-to-date as is necessary for the purposes for which it is to be used.

Information that is used on an ongoing basis, including information that is disclosed to third parties, will generally be accurate and up-to-date, unless limits to the requirement for accuracy are clearly set out.

Ensuring Safeguards for Personal Information and Personal Health Information

Security safeguards appropriate to the sensitivity of the information will protect information.

  • The security safeguards will protect personal information and personal health information in all formats against loss or theft, as well as unauthorized access, disclosure, copying, use, or modification. These methods of protection will include:
    1. Physical measures, for example, locked filing cabinets and restricted access to offices;
    2. Organizational measures, for example, limiting access on a “need-to-know” basis, including limiting access, and
    3. Technological measures, for example, the use of passwords, encryption, and electronic security audits.
  • The Hospital will inform employees of the importance of maintaining the confidentiality of personal information and personal health information. As a condition of employment, all employees/agents (e.g., employee, clinician, physician, allied health, volunteer, researcher, student, consultant, vendor, or contractor) must sign the Hospital’s Confidentiality Agreement.

Openness about Personal Information Policies and Practices

The Hospital will make readily available to individuals specific information about its policies and practices relating to the management of personal information and personal health information.

  • The Hospital will make information about its privacy policies available to the public. This information will include:
    1. The means to contact the Chief Privacy Officer, or designate, to whom complaints or inquiries can be forwarded;
    2. The means of gaining access to personal information and personal health information held by the Hospital;
    3. A description of the type of personal information and personal health information held by the Hospital, including a general account of its use;
    4. Documentation that explains the Hospital’s policies, standards, or codes, and
    5. The type of personal information is made available to related organizations.

Individual Access to their own Personal Information and Personal Health Information

Upon request, an individual will be informed of the existence, use and disclosure of his or her personal information and personal health information and will be given access to that information. An individual will be able to challenge the accuracy and completeness of the information and have it amended as appropriate.

  • In certain situations, the Hospital may not be able to provide access to all the information it holds about an individual. Exceptions to this include cases where information is prohibitively costly to provide, contains references to other individuals, or when disclosure is prohibited for legal, security, or commercial proprietary reasons.
  • Upon request, the Hospital will inform an individual whether or not it holds information about the individual. The Hospital will provide an account of the use that has been made of this information.
  • The Hospital will respond to an individual’s request within a reasonable time and cost. The requested information will be made available in a form that is generally understandable.
  • When an individual successfully demonstrates the inaccuracy or incompleteness of the information, the Hospital will amend the information as required.
  • When a patient’s challenges cannot be resolved to the satisfaction of the individual, the Hospital will record the substance of the unresolved challenge.

Challenging Compliance with the Kemptville District Hospital’s Privacy Policies and Practices

An individual will be able to address a challenge concerning compliance with the above principles to the Chief Privacy Officer.

  • The Hospital will maintain an easily accessible procedure for receiving and responding to complaints or inquiries about its policies and practices relating to the handling of personal information and personal health information.
  • The Hospital will inform individuals who make inquires or lodge complaints of the existence of relevant complaint procedures.
  • The Hospital will investigate all complaints. If a complaint is found to be justified, the Hospital will make appropriate measure, including, if necessary, amending its policies and practices.

The preceding is Kemptville District Hospital Privacy Policy #V-3. See also Policy #II-38 Access to Information under the Freedom of Information and Protect of Privacy Act.