On November 1, 2004, the Personal Health Information Protection Act (PHIPA) became law. PHIPA is Ontario’s health-specific privacy legislation. It governs the manner in which personal health information may be collected, used and disclosed within the health-care system. It also confirms a patient’s right to access one’s own personal health information.
The Heart Institute collects, uses, discloses and retains personal health information:
- To provide you with care
- To monitor and evaluate the quality of care we provide
- To administer and manage the operations of the Heart Institute
- To do research, educate and collect statistics
- To comply with legal and regulatory requirements
- As part of shared Electronic Health Records programs
We also disclose your contact information to our Foundation, so that they may conduct fundraising to improve our healthcare facilities, services and programs.
Access and Correction
The Heart Institute has an electronic and paper copy of your health record. There are other healthcare providers outside of the Heart Institute who can access your electronic health record but they or their team must be involved in your care and they must sign an agreement with the Heart Institute.
You may obtain access to or request a correction of your personal health information by contacting the Health Records Department.
We take steps to protect your personal health information from theft, loss and unauthorized access, copying, modification, use, disclosure and disposal. We conduct audits and complete investigations to monitor and manage our privacy compliance. We take steps to ensure that everyone who performs services for us protects your privacy and only uses your personal health information for the purposes you have consented to.
Privacy Level Code
Unless you tell us differently, we may let visitors or callers know your location in the hospital and your general health status. We use different privacy level codes to restrict or minimize who knows you are at the hospital. If you do not want anyone to know you are in hospital, you, or your substitute decision-maker on your behalf, may request that a Privacy Level Code be placed in our patient registration system.
If you have concerns about your personal health information being accessed inappropriately, you can request that a Warning Flag be placed on your personal health information in the Heart Institute’s electronic health record system. Accesses to Warning Flag files are investigated.
For more information about our privacy practices, please refer to our Patient Privacy Information Booklet (pdf) or contact:
Director Privacy and Data Analytics
Phone: 613-696-7000 ext 13575
Information and Privacy Commissioner/Ontario
2 Bloor Street East, Suite 1400
416-326-3333 or 1-800-387-0073
Collection of Personal Health Information
We collect information about our patients so that you can be accurately identified each time you visit the Heart Institute. Information about the type of tests or procedures you have during your visit is also collected and included in your chart.
Personal health information that is collected is only available to hospital staff who are involved in your care either directly (such as physicians, nurses, technologists, technicians, therapists and other health professionals) or in a supporting role such as Health Records and Financial Services.
Your personal health information may also be used for the following purposes:
- To quickly and accurately identify your health record each time you visit the hospital.
- To provide you with the most effective and appropriate health services or treatment(s). Your visit to the hospital may include assessments of your health condition, surgical and medical procedures and other treatments. All of this information is recorded in your health record and made available to those involved in your care, including healthcare providers, who are partners in your care. The Heart Institute keeps the history of your health information, so that your caregivers have a complete summary of your health status.
- To comply with legal and regulatory requirements. For example, we collect your health insurance number because it is required for the processing and funding of healthcare services.
- To improve the quality and efficiency with which we provide healthcare services.
- To facilitate leading edge research at the Heart Institute. Researchers working on studies approved by the Research Ethics Board may have access to health information, provided that privacy and confidentiality issues have been addressed with you.
- To support the hospital’s educational activities through our partnership with the University of Ottawa. Health information is available for teaching purposes, provided that measures are taken at the Heart Institute to adequately protect your privacy and confidentiality.
Access or Correction to your Personal Health Information
To request access to your Health Record, contact The Ottawa Hospital Health Records.
Release of Information
Phone: 613-798-5555 x18720
Disclosure of Personal Health Information
In addition to your paper based health record, the Heart Institute has an electronic health record. Other healthcare providers, who are partners in your care, may access your electronic health record if they have signed an agreement with the hospital.
Personal health information may be disclosed to the following persons or agencies:
- A care provider within your circle of care
Your personal health information will be disclosed only to care providers involved in your personal care unless you have expressly withheld or withdrawn your consent to do so. Examples of care providers may include your attending doctor, nurses, family doctor, pharmacists, laboratory technicians, etc. Your personal health information will never be disclosed to any care providers who are not involved in your personal care without your consent to do so.
- You or your legal representative
Your personal information can be disclosed to someone that you have designated to act on your behalf in the event that you are unable to do so (e.g., Power of Attorney for Personal Care, Substitute Decision-Maker).
- Any person or agency to whom the disclosure is required by law
- A health regulatory agency (such as Ministry of Health and Long-Term Care, Health Canada), if health regulations or laws require health information. For example, hospitals are required to provide health information for billing, statistical reporting, and healthcare management purposes.
- Any third party (such as your private insurance company or lawyer) provided you have consented to the disclosure (by signing the Consent to Release of Information), or law requires the disclosure.
At the Heart Institute, we are committed to protecting the privacy of our patients and the confidentiality and security of all personal health information.
What is a privacy breach?
A privacy breach happens when personal health information has been lost or stolen; or accessed, disclosed or disposed of inappropriately.
What happens when a privacy breach occurs?
As soon as the Heart Institute learns of a privacy breach, the Privacy Office takes the following steps:
- Identifies the extent of the breach and takes steps to contain it.
- Investigates the cause of the breach and works to eliminate the risk of it happening again.
- Notifies the patient(s) whose privacy was breached.
How does the Heart Institute prevent privacy breaches?
The Heart Institute has taken a variety of steps to prevent privacy breaches. They include:
- Creating and enforcing policies that clearly limit access to personal health information.
- Providing education sessions for all employees, physicians and physician residents.
- Asking all new employees, physicians and physician residents to sign a confidentiality agreement which outlines their obligations.
- Displaying an automatic notice reminding employees, physicians and physician residents of their obligations when they log-in and access personal health information.
- Performing random audits of the hospital’s database for electronic records to ensure employees, physicians and physician residents are not accessing more patient information than is necessary to do their jobs.
- Providing employees and physicians with locked offices, filing cabinets and secure methods to dispose of documents.
- Restricting patient information to only those employees, physicians and physician residents who need to know.
- Ensuring all relevant computers are password-protected and all memory sticks are encrypted to protect confidential information.