The Nisga’a Valley Health Authority (NVHA) is responsible for protecting the privacy of personal information of its employees, clients, and patients under the BC Freedom of Information and Protection of Privacy Act (FOIPPA); BC Personal Information Protection Act (PIPA); and the federal Personal Information Protection and Electronic Documents Act (PIPEDA).
Personal Information – means information about a person in identifiable form, including name, age, gender, home address, phone number, social insurance number, personal health number, religion, marital status, First Nations ancestry and membership, income, personal health information (see below), education, and employment information. Personal information does not include Contact Information (see below) or Work Product Information (see below).
Personal Health Information – with respect to an individual, whether living or deceased, means
(a) information concerning the physical or mental health of the individual;
(b) information concerning any health service provided to the individual;
(c) information concerning the donation by the individual of any body part or any bodily substance of the individual or information derived from the testing or examination of a body part or bodily substance of the individual;
(d) information that is collected in the course of providing health services to the individual; or
(e) information that is collected incidentally to the provision of health services to the individual.
Contact Information – refers to information that would enable a person to be contacted at a place of employment or business and includes name, position name or title, business phone number, business address, business email, or business fax number.
Freedom of Information and Protection of Privacy Act (“FOIPPA”) – FOIPPA is provincial privacy legislation governing collection, use and disclosure of personal information by public body organisations in BC.
Personal Information Protection Act (“PIPA”) – PIPA is provincial privacy legislation governing the collection, use and disclosure of personal information by private sector organisations in BC.
Personal Information Protection and Electronic Documents Act (PIPEDA) – PIPEDA is federal privacy legislation that governs employee personal information collected, used, disclosed, accessed, and retained by NVHA (i.e. management employment information).
Privacy Officer – means the manager designated with the responsibility for overseeing the implementation of this Policy and NVHA’s compliance with applicable privacy legislation for the protection of personal information.
Work Product Information – means information prepared or collected by an individual or group of individuals as a part of the individual’s or group’s responsibilities or activities related to the individual’s or group’s employment or business but does not include personal information about an individual who did not prepare or collect the personal information.
a) NVHA physicians and staff, including contractors, students, and volunteers providing services on behalf of NVHA
b) Information, in whatever form or medium (paper, digital, audio, visual, graphic, verbal) created or received in the course of carrying out NVHA’s mandated functions and activities
c) All facilities and equipment required to collect, manipulate, transport, transmit, or keep NVHA information
1 NVHA staff shall protect the confidentiality of personal information in their custody or control, and the privacy of the individuals who are the subjects of that information. This includes protection against unauthorized use, disclosure, modification, or access to the information.
2 The clinic(s) collects, uses and discloses only the least amount of personal information necessary to carry out the intended purpose, and only by staff who require the information to perform their assigned duties.
3 All employees shall be educated about health information principles and practice relating to health information issues, confidentiality and security.
4 Individuals have a right to request access to any information about them that is in the custody or control of NVHA subject to limited and specific exceptions.
5 Individuals who believe there is an error or omission in their personal information have a right to request to correct or amend the information.
6 When collecting personal information directly from an individual, the individual shall be informed of the purpose for which the information is collected, the legal authority for the collection, and the title, business address and telephone number of a NVHA staff member who can answer questions about the collection.
7 Personal information shall only be used and disclosed in accordance with the purpose for which it was collected, unless alternate use or disclosure is authorized or required by law, or with the knowledge and consent of the subject individual.
8 Individuals have the right to request the appropriate Provincial or Federal Information and Privacy Commissioner to review access, privacy, and correction decisions made by the NVHA.
9 Failure to comply with NVHA Privacy and Security policies and procedures may result in disciplinary action, up to and including termination of employment or contract.
NVHA is responsible for managing and safeguarding personal information of employees, clients, patients and others under its custody and control.
1.1 NVHA recognizes the right of privacy of individuals with respect to their personal information.
1.2 NVHA will only collect, use or disclose personal information in the furtherance of NVHA purposes and obligations in accordance with this Policy.
1.3 NVHA is accountable for protecting the privacy of personal information and for ensuring that reasonable and adequate safeguards are in place to protect personal information under the control of NVHA.
1.4 In the event of a privacy breach or security incident involving the unauthorized disclosure of personal information, NVHA is responsible for investigating and ensuring appropriate actions are undertaken to rectify the situation.
1.5 All users of NVHA’s information must take responsibility for, and accept the duty to, actively protect the confidentiality of personal information they may have access to through the performance of job duties.
1.6 Individuals deemed responsible for violations of this policy may be subject to penalty or sanction up to and including termination of employment, cancellation of contract or services, termination of the relationship with NVHA, withdrawal of privileges and/or legal action.
The NVHA Board of Directors will appoint a Privacy Officer to oversee the implementation of this Policy and NVHA’s compliance with applicable privacy legislation (FOIPPA, PIPA, PIPEDA) for the protection of personal information.
1.7 The Privacy Officer is responsible for the following:
- Providing oversight for the collection, use, access, disclosure, retention and disposition of personal information in the custody and control of NVHA;
- Developing, reviewing, and maintaining up-to-date and relevant privacy, security and confidentiality policies and procedures;
- Monitoring organisational compliance with privacy policies and procedures;
- Collaborating with legal counsel, reviewing contractual terms and conditions to ensure they satisfactorily meet privacy requirements under legislation and best practices;
- Receiving and responding to privacy questions, queries and complaints;
- Facilitating correction to individual personal information upon request;
- Facilitating individual information access requests;
- Supporting investigation of privacy breaches including preparation of a report to the Board on every occurrence involving a breach of privacy and what actions were taken to rectify; and
- Cooperating with the Provincial and Federal Information and Privacy Commissioners on investigations, complaints, or formal inquiries.
NVHA is responsible for personal information in its possession or custody, including information that has been transferred to a third party for processing or use.
1.8 NVHA will use contractual or other means to provide a comparable level of protection while the personal information is being processed or accessed by a third party.
Compliance by Employees and Contractors
NVHA employees and contractors are responsible for ensuring appropriate and secure handling of personal information collected, used, disclosed, retained and disposed, for the purposes of administration and management of NVHA programs and services.
1.9 NVHA employees and contractors are required to comply with this Policy for the collection, retention, use or disclosure of Personal information.
1.10 All NVHA staff, volunteers, and contracted personnel that collect, use or disclose confidential information as part of the performance of their duties for the NVHA shall be required to sign the NVHA Confidentiality Agreement (see Privacy and Security Procedures)
1.11 All authorized staff who are given access to the electronic medical record (EMR) shall be required to sign an additional User Confidentiality and Acceptable Use Acknowledgement (See Privacy and Security Procedures) to accept specific obligations regarding electronic access to personal information
1.12 NVHA employees and contractors must understand the importance of maintaining the confidentiality of personal information and must affirm their understanding through a confidentiality agreement or a clause respecting confidentiality within an agreement.
1.13 Any individual who reports a breach, potential or actual, will not face consequences as a result of reporting.
2. Identifying Purposes
NVHA shall clearly identify the purposes for which personal information is collected.
2.1 NVHA will communicate the purposes for which personal information is being collected, either orally or in writing before or at the time of collection (i.e. Patient Privacy Notice).
2.2 NVHA must document the purposes for which personal information is collected and must only collect information necessary for the identified purposes.
2.3 NVHA employees should be able to explain to individuals the purposes for which the information is being collected.
2.4 If personal information that has been collected is to be used for a purpose not previously identified, the new purpose shall be identified by NVHA and disclosed to the individual prior to use. The consent of the individual is required before information can be used for that purpose, unless legislation requires the new purpose.
2.5 NVHA collects, uses, discloses, and retains personal information for the following purposes:
- To enrol clients in programs or services;
- To understand the service needs of clients;
- To provide health and healing services;
- To meet regulatory requirements;
- For administration and management of employees;
- For administration and management of health and healing programs and services;
- For provision of funding for non-insured health benefits for clients; and
- Conducting program and service reviews aimed at improving services and programs
2.6 NVHA will only collect personal information necessary to fulfill the following purposes:
- To verify patient/client identity
- To identify patient/client preferences
- To understand the health and insurance needs of patients/clients and employees
- To deliver requested services
- To make travel arrangements
- To provide health and healing services
- To enrol the client in a program
- To ensure a high standard of service to patients/clients
NVHA will obtain knowledgeable, informed consent of patients, clients and employees, to collect, use or disclose personal information except where, as noted below, NVHA is authorized to do so without consent. Consent can be provided in writing or it can be implied where the purpose for collecting, using or disclosing the personal information would be considered obvious and the individual voluntarily provides personal information for that purpose. The individual must also be given a reasonable opportunity to opt-out.
3.1 NVHA will seek consent for the use or disclosure of personal information at the time of collection. In certain circumstances, consent with respect to use or disclosure may be sought after the information has been collected but before use (for example, when NVHA wants to use information for a purpose not previously identified).
3.2 NVHA will not require an individual to consent to the collection, use or disclosure of personal information beyond that required to fulfill the specified and legitimate purposes.
3.3 An individual’s decision to withhold or withdraw their consent to certain uses of personal information may restrict NVHA’s ability to provide a particular service. NVHA must explain the situation to assist the individual in making the most appropriate decision.
3.4 NVHA may collect, use or disclose personal information without an individual’s consent in the following limited circumstances:
- When the collection, use or disclosure is permitted or required by law
- In an emergency that threatens an individual’s life, health or personal security
- When the personal information is available from a public source (e.g. telephone directory)
- When NVHA requires legal advice from a lawyer
- For the purposes of debt collection
- To protect NVHA from fraud
- To investigate a real or perceived breach of an agreement or a contravention of law
3.5 When consent is required for purposes beyond what was originally identified, a consent for release of information form must be completed. This consent must be in writing, and include the following information:
a) an authorization for the disclosure
b) the purpose for which the information is disclosed
c) the identity of the person to whom the information is disclosed
d) an acknowledgement that the individual providing the consent is aware of the reasons why the information is needed and the risks and benefits of consenting or refusing to consent
e) the date the consent is effective and the date, if any, on which the consent expires
f) a statement that the consent may be revoked at any time by the individual providing it.
4. Limiting Collection
The collection of personal information shall be limited to that which is necessary for the purposes identified by NVHA. Information shall be collected by fair and lawful means.
4.1 NVHA will only collect information necessary to fulfill the purposes identified.
4.2 NVHA will specify the type of information collected as part of its information handling policies and practices.
4.3 Personal information should be collected directly from the individual who is the subject of the information, or his / her authorized representative, unless
a) the individual consents to the indirect collection of the information
b) direct collection would compromise the interests of the individual, the purpose of collection, the accuracy of the information, or the safety of any other person
c) direct collection is not reasonably practicable
d) the information is collected for the purpose of assembling a family or genetic history in order to provide a health service to the individual
e) the information is collected to determine or verify the eligibility of the individual to participate in a program, or receive a benefit, product or health service
f) the information is collected to inform the Public Trustee or Public Guardian about clients or potential clients
g) the information is available to the public
4.4 When collecting personal information directly from an individual, NVHA must inform the individual of the purpose for which the information is collected, the legal authority for the collection, and the title, business address and telephone number of the individual who can answer questions about the collection. A patient privacy notice will be the main method of communication (see Privacy and Security Procedures).
5. Limiting Use, Disclosure and Retention
NVHA will not use, disclose, or retain personal information for purposes other than those for which it was collected except with the consent of the individual or as required by law.
5.1 NVHA will retain personal information as long as necessary for the fulfillment of those purposes.
5.2 NVHA will only use personal information where necessary to fulfill the purposes identified at the time of collection.
5.3 Individually identifying personal health information shall only be used to
a) provide health services
b) determine or verify the eligibility of an individual to receive a health service
c) conduct investigations, discipline proceedings, practice reviews or inspections
d) conduct research (with the approval of an appropriate ethics committee)
e) provide for health service provider education
f) carry out a purpose authorized or required by provincial or federal legislation (e.g. Public Health Act, Child Welfare Act)
g) facilitate internal management purposes, including planning, resource allocation, policy development, quality improvement / quality assurance, monitoring, audits, evaluation, reporting
h) obtain or process payment for health services
i) manage human resources
5.4 NVHA will not use or disclose identifiable personal information for any other purposes (e.g. secondary use such as research) unless NVHA obtains consent to do so.
5.5 NVHA will disclose individually identifying personal information only to the individual who is the subject of the information or to his / her authorized representative.
5.6 The right of access to personal information is subject to the payment of any fee required by the Fee Schedule in the NVHA Privacy and Security Procedures.
5.7 Individually identifying personal information may be disclosed to a person other than the subject individual, if the individual has consented to the disclosure.
5.8 NVHA may disclose individually identifying health information without the consent of the subject individual:
a) to a person who is responsible for providing continuing care and treatment to the individual
b) to family members of the individual, or a close personal friend, if the information is provided in general terms and concerns the presence, location, and condition of the individual on the day on which the information is disclosed
c) to contact family members or a close personal friend of the individual, if the individual is injured, ill or deceased
d) to comply with a subpoena, warrant or court order
e) to a law enforcement officer for the purpose of investigating an offence involving a life-threatening personal injury to the individual
f) if the disclosure is authorized or required by provincial or federal legislation (e.g. Public Health Act, Child Welfare Act)
5.9 In addition to the above, individually identifying information about health service providers may be disclosed, without consent, to a health professional body that requests the information for the purpose of an investigation, a discipline proceeding, a practice review, or an inspection.
5.10 Only the least amount of personal information at the highest level of anonymity possible should be disclosed.
5.11 If NVHA uses personal information to make a decision that directly affects the individual, NVHA will retain that personal information for at least one year so that the individual has an opportunity to request access to it. NVHA will develop and implement procedures with respect to the retention of personal information.
5.12 Patient health information, in any format (hard copy or electronic), is retained for a minimum of 10 years following the last documented contact with the patient or, in the case of a minor patient, for 10 years after the patient reaches the age of majority.
5.13 Personal information that is no longer required to fulfill the identified purposes will be securely destroyed, erased or made anonymous. NVHA will develop and implement procedures to govern the appropriate and secure destruction of personal information with reference to any minimum retention periods required by law or regulations.
5.14 NVHA will not sell personal information to other parties.
NVHA will ensure that personal information is accurate, complete, and up-to-date as necessary for the purposes for which it is to be used.
6.1 NVHA will make reasonable efforts to ensure that personal information is accurate and complete where it may be used to make a decision about an individual or disclosed to another organisation.
6.2 Individuals may request correction to their personal information in order to ensure its accuracy and completeness. A request must be made in writing to the NVHA Privacy Officer providing sufficient detail to identify the individual and the information to be corrected.
6.3 NVHA will amend the information, as appropriate, and send the corrected information to any organisation to which NVHA disclosed the personal information in the previous year. If the correction is not made, NVHA will record that the correction was requested but not made.
6.4 NVHA will not routinely update personal information unless such a process is necessary to fulfill the purposes for which the information was collected.
7. Safeguards (See NVHA Security Policy)
NVHA will ensure that personal information is protected by security safeguards appropriate to the sensitivity of the information.
7.1 NVHA must ensure the security of personal information and protect it from unauthorized access, use, collection, disclosure, copying, modification or disposal.
7.2 NVHA will protect personal information regardless of the format in which it is held.
7.3 The following security measures will be used by NVHA to ensure that personal information is appropriately protected:
- Using locked filing cabinets
- Securing offices where personal information is stored
- Using technical security measures such as usernames, passwords, encryption, firewalls, two-factor authentication, audit trails
- Restricting employee access to personal information (e.g. role-based access controls so that only those who ‘need to know’ have access to personal information)
- Requiring any service provider to meet privacy and security requirements defined by NVHA through contractual agreements
- Auditing accesses made to personal health information in the electronic medical record for compliance monitoring
7.4 NVHA will use secure and appropriate methods to destroy personal information regardless of the format in which it may be stored.
7.5 NVHA will continually review and update its security policies, procedures and controls to ensure they reflect the ongoing needs for personal information security.
NVHA will make available to individuals specific information about its policies, procedures, and practices relating to its handling of personal information.
8.1 NVHA shall be open about its policies and procedures relating to the management of personal information.
8.2 NVHA will make available the name, title and contact information of the individual accountable for NVHA’s privacy compliance, including to whom requests for access to information may be directed, and to whom complaints or inquiries can be forwarded.
9. Individual Access
Upon request, NVHA will inform individuals of the existence, use and disclosure of personal information about the individual and will provide the individual with access to that information upon request.
9.1 Individuals have the right to access their personal information subject to limited exceptions as follows:
- The information is protected by solicitor-client privilege
- The disclosure could reasonably be expected to threaten the safety or physical or mental health of an individual other than the individual who made the request
- The disclosure can reasonably be expected to cause immediate or grave harm to the safety or to the physical or mental health of the individual who made the request
- The disclosure would reveal personal information about another individual
- The disclosure would reveal the identity of an individual who has provided personal information about another individual and the individual providing the personal information does not consent to disclosure of his or her identity
- For other reasons as set out under FOIPPA, PIPA and PIPEDA
9.2 A request to access personal information must be made in writing to the NVHA Privacy Officer providing sufficient detail to identify the individual and the information being sought. NVHA may choose to make sensitive medical information available through a medical practitioner associated with NVHA.
9.3 NVHA will, upon request, inform individuals of the source of the personal information, how NVHA uses personal information, and to whom personal information has been disclosed.
9.4 NVHA will make the personal information available within 30 business days or provide written notice of an extension where additional time is required to fulfill the request.
10. Challenging Compliance
An individual may challenge NVHA’s compliance with this policy and applicable privacy legislation. Individuals may submit this challenge directly to the NVHA Privacy Officer; to the Provincial Office of the Information and Privacy Commissioner; or the Federal Office of the Information and Privacy Commissioner.
10.1 NVHA will respond to complaints or inquiries about its policies and practices relating to the handling of personal information.
10.2 NVHA will acknowledge, record, and investigate each complaint it receives.
10.3 The NVHA Privacy Officer will cooperate with the Provincial Information and Privacy Commissioner and/or the Federal Information and Privacy Commissioner on any complaints, investigations, or inquiries.