Health Shared Services Ontario (HSSOntario) believes in the basic right of individuals to their privacy. We use the Canadian Standards Association Model Code to guide us in safeguarding personal health information.
HSSOntario is committed to respecting personal privacy, safeguarding confidential information and ensuring the security of personal health information within its custody. HSSOntario meets this commitment through its Privacy Program This Program is overseen by the Chief Privacy Officer, who reports directly to the HSSOntario Vice-President, Finance and Administration.
Key components of the HSSOntario's Privacy Program include:
- Privacy policies and procedures
- An employee privacy training, communications and awareness program
- A privacy audit and compliance program
- Privacy impact assessments and threat and risk assessments
As a Health Information Network Provider (HINP), HSSOntario is not responsible for identifying the purposes for which your personal health information is being used. This would be done by the Health Information Custodian collecting your information.
Should HSSOntario be asked to collect your personal health information as an Agent of a Health Information Custodian, HSSOntario will identify the purposes for which the information would be used. The HSSOntario does not use or disclose your information other than with the explicit authorization of the Health Information Custodian.
Your health care provider will let you know the purpose for which your personal health information is required prior to collection, use or disclosure of the information.
HSSOntario, while acting as a HINP, does not collect consent from patients.
Your health care provider gets your knowledgeable consent prior to the collection, use or disclosure of information.
As a HINP, HSSOntario is responsible for operating and maintaining the systems in which your personal health information resides. HSSOntario never collects information directly from patients when acting in the capacity of a HINP.
Should HSSOntario be asked to collect your personal health information as an agent of a Health Information Custodian, explicit instructions will be provided by the Health Information Custodian on what information should be collected. The HSSOntario limits collection to the specific purposes provided by the Health Information Custodian.
LIMITING USE, DISCLOSURE AND RETENTION:
As a HINP, HSSOntario uses your information only to maintain and operate the electronic systems that process that information and does not disclose your information or decide on the retention of your information. The Health Information Custodian explicitly identifies to HSSOntario how they may disclose your information. Each Health Information Custodian determines the retention policy for the information they are the custodian for and HSSOntario applies that policy to your information.
Your personal information as well as your personal health information is not used or disclosed other than for those purposes for which it was collected without the consent of the individual, or as required by law. Personal information will be retained only as long as necessary for the purpose for which it was collected. Whenever possible, HSSOntario limits the amount of personal health information used in its business processes. HSSOntario uses de-identified information whenever it can be used to support the business of operating and maintaining the business systems of the health care providers HSSOntario supports.
As a Health Information Network Provider, HSSOntario has in place privacy and security standards as well as policies and procedures to ensure that our network and applications uphold the accuracy and integrity of the data processed within the systems. For example, we provide role-based access controls to specific types of information and segregation of duties.
HSSOntario is committed to having in place privacy and information security controls for personal health information or other personal information. HSSOntario adheres to the Personal Health Information Protection Act, 2004 (PHIPA).
Appropriate security controls for technology and staff are in place, and are maintained to safeguard unauthorized access, use or disclosure of personal health information. Examples of such controls include encryption of all mobile devices, access controls to all systems that contain personal health information, and data destruction procedures for electronic information.
Our privacy pages describe HSSOntario's commitment to the privacy of your information. If requested the HSSOntario will make readily available to individuals other policies and procedures that support our commitment to privacy.
As a Health Information Network Provider, HSSOntario does not provide you with access to your health records. HSSOntario is not authorized by Health Information Custodians to disclose these records to you. Individuals must make their request for access to their personal health information through their health care provider in writing.
If you send HSSOntario a request in writing for access to your patient record, we will redirect you to the applicable health care provider who can grant the request.
As a Health Information Network Provider, HSSOntario is not authorized to assist you in challenging compliance of your health record.
If a patient wishes to challenge compliance of a health care provider, they are be required to contact the applicable health care provider's Health Records Manager or Privacy Officer.