Privacy Policy

INTRODUCTION

The Madawaska Valley Family Health Team holds personal information about its patients. This information is sensitive and valuable and we are obliged by law to treat it carefully. All team members (physicians, learners, staff, volunteers and interdisciplinary health professionals) are required to follow the best practices described within this policy as well as in the MVFHT Privacy Policy in order to protect the personal health information of our patients.

POLICY

This policy provides guidelines aimed at protecting the personal information that the Madawaska Valley Family Health Team as well as its associated Family Health Organization holds about its patients. These guidelines apply equally to our electronic medical record, paper copies of health records, reports, test results and emails and any other ways patient information can be recorded. Following the guidelines in this policy will minimize the risk of patient information falling into the wrong hands, which could cause harm and distress to patients and legal consequences to the Madawaska Valley Family Health Team as well as its associated Family Health Organization.

PROCEDURES

1. Privacy Breach

A privacy breach happens whenever a person contravenes or is about to contravene a rule under the Personal Health Information Protection Act, 2004. The most obvious privacy breaches happen when patient information is lost, stolen or accessed by someone without authorization.

All privacy breaches must be reported immediately to the Privacy Officer using the guidelines outlined in the Madawaska Valley Family Health Team Privacy Breach Policy and Procedure.

2. Restricted Access to Patient Information

Access to patient information is provided on a need-to-know basis as appropriate to the staff members’ role and purpose for access.

Staff members must not access any health records unless authorized – which means only for legitimate reasons. Team members may not access health records of their spouses, children, parents, friends, neighbors or work colleagues. They may only access their own health record (if applicable) through the normal patient access channels and not directly. A staff member may access a family members chart with documented express consent from that family member. Consent should be documented in the family member’s chart in the comment section of the demographic screen as well as having the consent scanned in as a special note in the EMR.

Team members must not:

• Access patient information for “self-education” or out of personal interest
• Edit, cut and paste, delete from or otherwise change any health records except for legitimate reasons.

Team members should be aware that all access to the electronic medical record is logged and audited.

3. Accounts and Passwords

Our information technology systems are protected by the use of personal accounts and passwords. Individual accounts are given access to information required by the account holder. We require all staff to:

• Use only their own user account and password
• Not permit anyone else to use their account
• Help maintain security by choosing hard to guess passwords
• Contact the Privacy Officer if they suspect any kind of computer misuse

An unauthorized person trying to gain access to our health records may not be obvious. Data breaches have occurred when individuals unknowingly reveal passwords or other information to intruders. Never tell anyone your password no matter who they say they are. If anyone you do not know requests information from you, you must verify their identity and their reason for asking for it first. If you are left in any doubt contact the Privacy Officer immediately.

4. Physical Security On-Site

We hold a large amount of patient information in printed format – on paper, in files and binders. Day timers, schedules and notebooks may also contain patient information and are confidential just like patient files.

Access to patient information is permitted by individuals who require the information to do their authorized jobs. If patients or visitors are in areas where patient information is kept or in other private areas, politely challenge them as to their business. If there is any doubt as to someone’s purpose, they should be asked to leave.

Patient information in paper format should be kept in a locked cabinet, container or room. If a filing cabinet or room where patient information is stored is not inconstant use, it should be locked.

Where records are on desks or in tray, they should be turned over so someone nearby cannot read them. Labels on files should not be visible to visitors.

Patient information that is being stored before secure destruction will be kept separate and clearly marked.

5. Patient Information in Transit

Because of the serious risk of loss or theft, patient information will only ever be removed from the premises by those staff members who have a real need to do so to carry out their duties. This applies to electronic files, paper copies, and information on laptops, smart phones, disks and memory stick (USB keys) and any other formats.

For electronic files, remote access to patient information should be through a secure server, where we can protect it. Every time patient information is saved to a laptop, disc or memory stick there is a chance that it may be lost or stolen. Therefore, we will do this only when absolutely necessary to carry out our jobs.

Where there is no choice but to take information off-site, patient information will be de-identified if possible. Otherwise, if staff members are ever required to copy patient information onto a laptop, memory stick or other portable device strong encryption must be used. If you are not sure how to do this the Privacy Officer will guide you. For paper files, keep papers in a locked box for transport. Lap top computers, disks or files must not be left on the seat or in the trunk of an unattended car, even for just a few minutes. When transporting patient information, go directly to the destination, making the journey as short as practicable.

Patient information should not be stored at home. Staff should not make printouts from remote access at home.

6. Sending Patient Information

Special care must be taken when sending correspondence about a patient or containing patient information to anyone outside of the Madawaska Valley Family Health Team – including to another health care provider, to a third party, or to the patient.

In addition to this policy, physicians and integrated health providers need to follow their own regulatory College’s directives on confidentiality, security of personal health information and communicating with patients to ensure privacy is protected.

7. External Emails and Text Messages

Because of the insecure nature of emails, team members are not permitted to include patient information in any email.

At no time will email be used to communicate a diagnosis, provide information about test results or transmit other personal health information that will require a follow up visit to the Madawaska Valley Family Health Team.

If email is to be used for the authorized purposes, the following steps must be undertaken:

• The patient must sign a MVFHT consent and release for email communication
• Patient has joined the MVFHT portal and has agreed to can be communicated with using secure messaging
• There must be a disclaimer message at the end of the email message being sent
• Before sending, the clinician must check the email address carefully to confirm that it is going to the correct recipient
• The clinician should avoid using the “reply-all” feature if responding to an email from a patient and limit the number of recipients to the minimum necessary;
• The email message itself, or documentation of the clinically relevant information from the email must be charted
• The email may only include the minimum amount of personal health information necessary for the purpose.

Accessing Email on a Mobile Device

If a Madawaska Valley Family Health Team address is to be accessible on a mobile device the following steps must be undertaken:

• The device must be password protected
• The device contents must be able to be erased remotely
• Any loss of the device must be reported immediately to the Privacy Officer to assess exposure and remotely delete the contents of the device if necessary

Facsimile (Faxes)

If possible, remove personal identifiers such as names and addresses from information that is to be faxed.

Misdirected faxes are early to send and difficult to correct. They can contribute significantly to the number of privacy breaches, Therefore, when sending patient information by fax, carefully check the FAX number – multiple times to ensure that it is correct. Include a cover sheet stating for whom the fax is intended. The cover sheet must a recipient to call if the information is received in error

After sending a fax, collect and keep a confirmation receipt. If there are any questions about a wrong number being used the receipt will make it much easier to check and to retrieve information sent to the wrong place.

Social Media

Team members are advised to avoid posting information about patient-specific cases or providing medical or other clinical advice online. Regulatory colleges and professional liability indemnity providers recommend that clinicians avoid posting comments in internet discussion forums or other online groups to avoid the perception of providing medical or health care advice. While it may be acceptable to provide general health related information for public or professional educational purposes, those purposes should be clearly identified and clearly marked as not providing advice.

Telephone

Patients may ask us to relay their own health information to them by telephone. Calling a patient at home or at work or leaving messages carries a real risk to our patients’ privacy. It may be difficult to verify the identity of the person who answers or control who hears a message.

To minimize these risks, ask patients every time they register for an appointment to check that their contact information is up to date so we have their most recent telephone numbers. Ask if we can leave a message with someone or on an answering machine and confirm the number.

If we have the patient’s consent to leave a message and a machine answers you, listen for clues that you have misdialed before leaving a message. If you are in any doubt leave a message only to say to call the office.

If a patient calls us, we must take steps to confirm the caller’s identity before providing information. If we are in doubt as to the identity of the caller, we can confirm the caller’s identity by asking questions such as:

• When was your last appointment with us?
• What medications are you currently taking?
• What allergies do you have?
• What is your health card number?

Mail

Sometimes it may be necessary to send patient information by mail or courier. When sending information in the mail, check the address to make sure it is correct. Also, mark

the envelope or package “Attention <name>” on the outside to increase the likelihood that it is opened by the intended recipient.

Make sure that no health information can be read through the envelope or window. Obtain a tracking number and follow up with the patient to ensure that it was received.

8. Destroying Patient Information

When patient information is no longer needed, we must make sure it is destroyed securely. Different methods of destruction are appropriate depending upon how the data is stored.

Material	Appropriate Method of Destruction
Paper (faxes, letters, labels, results, etc)	Cross-cut shredding
Pictures or slides	Cross-cut shredding
Medication containers (bottles, bags) with ID labels	Shredding of label, return to pharmacy, or supplier along with unused medications.
CDs, DVDs, disks, USB keys	Russ-cut shredding, or breaking into pieces
Electronic devices with memory storage (laptops, PCs, printers, photocopiers)	Data wiping prior to redeployment or return to vendor.

 

Never recycle any paper or media, which contains patient information. Never treat any paper, which has been printed with patient information as reusable for scrap. When patient information is no longer needed, it should be securely destroyed.

Retention and Destruction of Medical Records

All patient records must be retained in accordance with current legislative guidelines and on advisement of the CMPA. Currently, records are to be retained for at least 10 years from the time the patient would have reached the age of majority (19 years). Records must be kept in a secured and protected environment either physically or electronically including locked cabinets. Once the retention period has ended then records should be destroyed in a way that ensures that the record cannot be reconstructed (cross cut shredding). Each primary care provider is responsible for the notification of the Privacy Officer when records are going to be destroyed in order that a log be maintained.

9. Third Party Vendors

When the Madawaska Valley Family Health Team an outside contractor to do data entry or provide information systems or to store, transport or destroy patient information we only use those that are bonded and insured and maintain a verifiable commitment to confidentiality. We make sure that the contractor uses the methods documented in the contract we have with them.

We only select contractors who commit under contract to:

• Agree to be a PHIPA agent of the applicable FHT
• Hold and follow written privacy policies and procedures saying how material is to be kept safe in transit, storage and destruction as applicable.
• Require their own personnel to sign confidentiality agreements
• Have appropriate training for their personnel on privacy policies and procedures to implement them.

10. Breach of Privacy Safeguards

Failure by staff members to adhere to the privacy safeguards and guidelines set out above may result in disciplinary measures, up to and including termination of employment or contract.