Your Personal Health Information and Privacy
This privacy document applies to the Centre for Mental Health Research and Treatment at the University of Waterloo.
At the Centre for Mental Health Research and Treatment, information is collected, used, and disclosed in a manner consistent with provincial legislation, such as the Freedom of Information and Protection of Privacy Act (FIPPA), R.S.O. 1990 and the Personal Health Information Protection Act (PHIPA), 2004, S.O. 2004.
Ontario legislation requires anyone who provides you with health care to protect your personal health information. Personal health information is information that identifies an individual, in oral or recorded form, that includes:
- the individual’s physical or mental health (including information about the health history of the individual’s family);
- the provision of health care to the individual (including the identification of a person as a provider of health care to the individual);
- payments or eligibility for health care or coverage for health care of the individual; or
- any other information that is included in a record containing personal health information and which is maintained for the purpose of providing health care or health services.
Individuals who work in the Centre for Mental Health Research and Treatment are required to advise you of how your personal health information is used, stored, and shared. In certain situations, we must ask your permission before we collect, use, or disclose it. We are not permitted to collect personal health information that is not relevant to your health needs or to collect, use, or disclose more information than is necessary. With some exceptions, privacy legislation also gives you the right to view your personal health information and to ask for it to be changed or corrected if you think it is inaccurate or incomplete.
This Privacy Statement is a key part of our privacy program. This Privacy Statement describes our privacy practices and tells you how you can exercise your rights. We also have a designated Privacy Contact Person. Contact information is provided at the end of this document.
Who can use and see your personal health information?
Implied consent to collect, use, and disclose your information
When you seek services from the Centre for Mental Health Research and Treatment (CMHRT), we assume that we have your permission to collect, use, and disclose your personal health information among individuals who provide or assist in providing health care to you here at the Centre. Although the primary purpose for collecting, using, and sharing personal health information is to provide care, we also use your information for administrative purposes, teaching, and CMHRT statistics, and to comply with our legal and regulatory requirements. With your permission, we may also use these data for research purposes.
For the purpose of providing direct care or assisting in providing care, your personal health information is stored securely by the Centre for Mental Health Research and Treatment in an Electronic Health Record. Personal health information in your Electronic Health Record is accessed only by authorized CMHRT clinicians, supervisors and administrative staff and only on a need-to-know basis, meaning that the information accessed is reasonably necessary to provide care at the Centre for Mental Health Research and Treatment. Those accessing your personal health information are required to abide by the applicable provisions of the following: Ontario privacy legislation; Centre for Mental Health Research and Treatment privacy, confidentiality, and security of information policies; the Standards of Professional Conduct (2009) of the College of Psychologists of Ontario; all other relevant national and provincial professional Associations.
The personal health information in your Centre for Mental Health Research and Treatment Health Record is accessible by individuals who provide direct care or who may be consulted as necessary in the provision of your care. As well, personal health information in your Health Record is accessible to support staff in order to perform authorized services such as scheduling appointments, facilitating referrals, and managing information security.
Ontario privacy legislation (i.e., Personal Health Information Protection Act - PHIPA) allows for your personal health information to be disclosed to health care providers outside of Centre for Mental Health Research and Treatment for ongoing care and follow-up. When such a decision is made, legislative requirements within PHIPA are followed. In general, however, information on your health care will not be shared with anyone outside the Centre without your explicit consent.
You should let us know if you do not want us to collect, use, or share some or all of your personal health information. This can be done when you sign your Consent Form at the Centre for Mental Health Research and Treatment. You are free to withdraw consent at any time for the collection, use, or disclosure of your personal health information by providing notice to us.
In addition, if you choose to limit how we give out some of your personal health information, you should be aware that when we give out your personal health information to others, we may be required to describe that the information is incomplete and we believe that the missing information is reasonably necessary for the provision of your health care or assisting in the provision of your health care. For example, we may be obliged to inform others that some personal health information is inaccessible as a result of it having been “locked” when that locked information is considered reasonably necessary for the provision of health care. Please note that any restrictions that you place on your personal health information do not apply to uses or disclosures required by law, professional, or institutional practice, or when disclosure of that personal health information is necessary for the purpose of eliminating or reducing a significant risk of serious bodily harm to an individual or group of persons.
Express consent to disclose your information
Except as outlined above or as required by law, your personal health information in your Health Record at the Centre for Mental Health Research and Treatment will not be disclosed to people who do not provide you with health care, such as:
- your insurance company or your employer;
- a health care professional for reasons other than providing you with health care; or
- your academic advisors, professors, university administration, family, or friends.
In cases where you would like us to disclose personal health information about you to others, your express consent is required. This consent may be obtained verbally, in writing, or by electronic means.
Exceptions to consent requirements
There are certain situations in which personal health information can be disclosed without consent. The Centre may be legally required or professionally obligated to use and/or disclose some of your personal health information without consent in a limited number of situations including the following:
- If your clinician believes that you are an imminent danger to yourself or to someone else, he or she is required to contact the authorities or others who can intervene to help prevent harm to you or others, and any intended victims of harm;
- If your clinician learns that you have been sexually abused by another registered health provider (e.g., doctor, dentist, psychologist) he or she is required to contact that person’s College and report what he or she knows; however, the clinician will not give your name without your written permission;
- If your clinician suspects or is informed that a child is at risk of being harmed in any way (e.g., sexual or physical abuse, negligence) he or she must contact Child and Family Services and report all relevant information;
- If the contents of your CMHRT Health Record are ordered by a court of law, the Centre is required to release the file to the court;
- If the College of Psychologists of Ontario, as part of a random review, requests access to the Health Records for the purposes of assuring quality of care, we are obligated to allow them that access;
- If your clinician becomes aware of abuse (including financial abuse) of someone in care at a long-term care facility (e.g., nursing home) or retirement home, he or she is required to contact the Ministry of Health; or
- To assist health researchers for research, as long as strict privacy requirements are met.
Research, evaluation, and planning
From time to time, the Centre for Mental Health Research and Treatment may be involved in research projects designed to improve our service, and may invite you to consider participating in one of these. In such instances, it is our practice to follow guidelines adopted by the professional organizations overseeing the researchers. These guidelines could include the Canadian Code of Ethics for Psychologists (Canadian Psychological Association, 2000) and the Tri-Council Policy Statement for Ethical Conduct for Research Involving Humans (Canadian Institute of Health Research, Natural Sciences and Engineering Research Council of Canada, and Social Sciences and Humanities Research Council of Canada, 2014).
In addition, we abide by the guidelines for research involving human participants established by a University of Waterloo Human Research Ethics Committee. Any human research must first be reviewed and receive ethics clearance by a University of Waterloo Human Research Ethics Committee. Their review involves careful assessment of the goals and benefits of the research in relation to risks associated with the procedures; ensuring safeguards are in place to mitigate the risks; determining how the consent process is to occur (which includes considering whether obtaining consent directly is impracticable); confirming that the informed consent document (as applicable) is complete and understandable; and determining whether adequate safeguards are in place to protect the privacy of individuals and the confidentiality of their personal health information.
We will seek your consent to permit us to store and analyze, for research purposes, various types of information that we will collect as part of the standard and routine assessment and therapy processes you will undergo at the CMHRT. We will also seek your consent to allow CMHRT researchers to contact you in the future to invite you to participate in specific research studies at the Centre for which you may be eligible but for which data are not collected as a routine part of the services you receive here. Please be advised that researchers shall use your personal health information only for the purpose set out in the research plan, cannot publish information in a form that could identify you, and cannot contact you without your prior permission.
If you are invited to participate in research, you should keep in mind that it is voluntary. Your decision to take part or not take part in research will have no impact on the services you receive from us.
If you have any comments or concerns resulting from your participation in a CMHRT research study, please contact the Chief Ethics Officer in the Office of Research Ethics at 1-519-888-4567, Ext. 36005 or firstname.lastname@example.org.
Evaluation and planning
The Centre for Mental Health Research and Treatment is continually seeking to improve the quality of the psychological services offered to its clients. In order to help us improve, we invite feedback, both orally and/or in writing, from those who access our services. Any information gathered, including ratings and/or written comments, is used only for administrative, statistical, or report-writing purposes. At no time will identifying personal health information be used, shared, or given out without your explicit consent.
Protecting personal health information
We have taken the following steps to ensure that your records (paper or electronic) are secure and protected against theft, loss, unauthorized use or disclosure and unauthorized copying, modification or disposal:
- Paper records containing personal health information are either under supervision or secured in a locked or restricted area;
- Electronic information is stored on a server dedicated to CMHRT information. This server is secured in a locked and restricted area at all time. Access to this information is restricted to your clinician, her/his supervisor, and CMHRT administration. In addition, electronic records containing personal health information on any mobile device (e.g., laptop, cell phone, USB flash drive) are encrypted;
- If paper or electronic records containing personal health information are removed from the office (e.g., for purposes of supervision, report writing) they are transported via secure means and are under the constant control of the clinician or are secured in a locked or restricted area at all times;
- Each staff member in Centre for Mental Health Research and Treatment services is trained to collect, use, and disclose personal health information only as necessary to fulfill their duties and in accordance with privacy legislation; and
- In the event of any unauthorized use or disclosure of personal health information: individuals will be informed at the first reasonable opportunity, a note will be made in the individual’s record of personal health information, and the note will be kept as part of the health record.
Retention and destruction of personal health information
The Centre for Mental Health Research and Treatment is required to retain personal health information for a specified period of time to ensure that we can answer any questions you might have about the services provided and for our own accountability to the College of Psychologists of Ontario. However, in order to protect your privacy, we do not keep personal health information indefinitely.
In accordance with Standards of Professional Conduct of the College of Psychologists of Ontario, your Health Record at the Centre for Mental Health Research will be destroyed after 10 years following your last contact with us. If the person receiving services from the Centre is less than eighteen years of age at the time of his/her last contact, the file will be destroyed 10 years following the day the person became or will have become 18.
The exception to these procedures is when there is a case of known or suspected physical or sexual abuse. In such situations, the files will be securely stored indefinitely.
We destroy confidential paper files and electronic information securely according to the University of Waterloo guidelines (confidential shredding and media disposal) as well as according to guidelines set out by the Information and Privacy Commissioner of Ontario (“Fact Sheet: Secure Destruction of Personal Information” and “Get rid of it Securely to keep it Private: Best Practices for the Secure Destruction of Personal Health Information”)
Your rights and choices
Seeing your information
You have the right to view and to receive a copy of the personal health information that is in your Centre for Mental Health Research and Treatment Health Record. In most cases, you need simply ask (verbally or in writing) and confirm your identity. The Centre for Mental Health Research and Treatment will follow requirements for access as outlined within PHIPA and in accordance with University of Waterloo guidelines and policies. We will identify what records we might have about you and help you understand information that is unclear (short forms, technical language, etc.). In order to cover the costs of retrieving and copying your information, we may need to charge a nominal fee. This fee will be based on the fee schedule described by the Office of the Information and Privacy Commissioner of Ontario for reasonable cost recovery.
There may be situations in which we are unable to provide you with access to some or all of your Health Record. For example, when the information relates to another individual, law enforcement, or legal proceedings you may not be able to view or receive a copy of the record. Similarly, when the personal health information could reasonably be expected to result in a risk of serious harm to the treatment or your recovery or releasing it could pose a risk of serious bodily harm to yourself or another person, you may not be able to have access to or to obtain a copy of some or all of the information in the record. Also, although you will be able to obtain copies of the raw data from standardized psychological tests and other test data, the Standards of Professional Conduct for the College of Psychologists of Ontario do not allow us to release copies of test material, such as test questions and stimuli, manuals, or test protocols.
We will respond to your request for access to your record as soon as possible. If we are not able to respond within 30 days, we will contact you and let you know in writing the reason for the delay. If we cannot give you access for reasons such as those outlined above, we will notify you within 30 days, if at all possible. A written notice will explain why we cannot give you access to some or all of your record.
Correcting your record
If you believe that your record of personal health information is inaccurate or incomplete, you have the right to ask for it to be corrected. Depending on the corrections you are requesting, a written request showing how our files are inaccurate or incomplete is typically required. We will respond to your request as soon as possible. If we are not able to respond within 30 days, we will contact you and let you know in writing the reason for the delay.
Requests for corrections apply to factual information and not to any professional opinions or observations made in good faith. We are obligated to correct personal health information where it is demonstrated, to our satisfaction, that the record is in fact inaccurate or incomplete and where the information necessary to correct the record is provided. Any changes will be done carefully so the original record remains visible or by ensuring that the corrected version is readily available.
In some situations (e.g., in matters of professional opinion and observation, or with respect to information created by others), we may not be able to make a correction and will let you know the reason. If you choose, you can attach a statement of disagreement to your record indicating any correction you requested that was not made. You can also ask to have this statement made available to those who see the record.
If there is a privacy breach
We take every precaution to avoid any breach of your privacy. However, if there is a loss, theft, or unauthorized access of your personal health information, we will notify you.
When we learn of a possible or known breach, we will take the following steps:
- We will contain the breach to the best of our ability, including the following:
- retrieving hard copies of your personal health information that have been disclosed,
- ensuring no copies have been made,
- taking steps to prevent further unauthorized access (e.g., change passwords, change keys), and
- reporting the breach to the office of the Information and Privacy Commissioner of Ontario.
- We will notify those affected by the breach including:
- providing our contact information in case you have any questions, and
- providing you with the contact information for the office of the Information and Privacy Commissioner of Ontario.
- We will investigate and remediate the problem by:
- conducting an internal investigation,
- determining what steps should be taken to prevent any further breaches, and
- ensuring all those who provide care and support staff are appropriately trained and conduct any further training as required.
Who you can talk to about your decisions or concerns?
If you have any questions or concerns, or if you would like to see or correct any of your personal health information, then please speak directly to the clinician who has been involved in the provision of your care. We want to resolve concerns directly with you.
Centre for Mental Health Research and Treatment privacy contact persons
If you are not satisfied with the response to your request, you may contact the Director of the Centre for Mental Health Research and Treatment. This individual is available to assist you with any concerns or decisions regarding privacy. Contact information is provided at the end of this document.
University of Waterloo privacy officer
Sometimes we may be unable to resolve all your concerns about how your personal health information has been handled, even after you have worked to resolve your concern with the staff involved in the provision of your care and the designated privacy contact person for the service with which you’re involved. In that case, you may choose to contact the University of Waterloo’s privacy officer. Contact information is provided at the end of this document.
The Information and Privacy Commissioner of Ontario
Alternatively, or in the event you are dissatisfied with how the University of Waterloo has responded, you can contact the Information and Privacy Commissioner of Ontario. The Commissioner is the person who has general responsibility for ensuring requirements of the Freedom of Information and Protection of Privacy Act, the Municipal Freedom of Information and Protection of Privacy Act, and PHIPA are followed.
You can contact the Commissioner about any decision, action, or inaction that you believe is not in compliance with the Act, including:
- if you are unable to resolve with us a concern about how your personal health information has been handled;
- if you are unable to see all of your personal health information, or have concerns about a delay in responding to your request;
- if you feel your personal health information in your record is incorrect and you have been unable to persuade us to correct the information; or
- if you disagree with the fee that we charged to see or get a copy of your personal health information.
You must express your concerns in writing within specific time frames designated by the Commissioner, who will try to resolve the matter through mediation. If your concerns cannot be resolved in this way, the Commissioner has the power to investigate and to make an order that sets out what must happen.
Information and privacy contact persons
Centre for Mental Health Research and Treatment privacy contact person
- Dr. Marjory Phillips
email@example.com (519) 888-4567 ext. 33171
University of Waterloo Privacy Officer
- Kathy Winter
firstname.lastname@example.org (519) 888-4567 ext. 36101
If you have any comments or concerns resulting from your participation in a CMHRT research study, please contact the Chief Ethics Officer in the Office of Research Ethics at 1-519-888-4567, Ext. 36005 or email@example.com.
Information and Privacy Commissioner of Ontario
2 Bloor Street East, Suite 1400
Toronto, Ontario M4W 1A8
Visit the Information and Privacy Commissioner of Ontario website.
Phone: (416) 326-3333
Toll-free: 1-800-387-0073 (within Ontario)
Text Tel. (TTY)/Tel. Device for the Deaf (TDD): (416) 325-7539
Fax: (416) 325-9195
This document provides general information only and is not legal advice as to all rights and obligations under Ontario legislation.
This document is based on the following legislation:
- Freedom of Information and Protection of Privacy Act (R.S.O. 1990)
- Municipal Freedom of Information and Protection of Privacy Act (R.S.O. 1990)
- Personal Health Information Protection Act (2004)
- Personal Information Protection and Electronic Documents Act (PIPEDA, 2004)
- Psychology Act (R.S.O. 1991)
In conjunction with materials from the Information and Privacy Commissioner Ontario:
- Information and Privacy Commissioner Ontario (2005). Your Health Information and Your Privacy in Our Office (PDF)
- Information and Privacy Commissioner Ontario (2005). Frequently Asked Questions: Personal Health Information Protection Act (PDF)
- Information and Privacy Commissioner Ontario (2001). Guidelines for Protecting the Privacy and Confidentiality of Personal Information When Working Outside the Office (PDF)
- Information and Privacy Commissioner Ontario (2007). Fact Sheet: Encrypting Personal Health Information on Mobile Devices (PDF)
- Information and Privacy Commissioner Ontario (2010). Fact Sheet: Health-Care Requirement for Strong Encryption (PDF)
- Information and Privacy Commissioner Ontario (2012). Fact Sheet: The Secure Transfer of Personal Health Information (PDF)
- Information and Privacy Commissioner Ontario (2006). What to do When Faced with a Privacy Breach: Guidelines for the Health Sector(PDF)
- Information and Privacy Commissioner Ontario (2008). Practice Tool for Exercising Discretion: Emergency Disclosure of Personal Information by Universities, Colleges, and other Educational Institutions (PDF)
- Information and Privacy Commissioner Ontario (2005). Fact Sheet: Disclosure of Information Permitted in Emergency or Other Urgent Circumstance (PDF)
- Information and Privacy Commissioner Ontario (2009). Fact Sheet: Get Rid of it Securely: Keep it Private: Best Practices for the Secure Destruction of Personal Health Information (PDF)
- Information and Privacy Commissioner Ontario (2005). Fact Sheet: Secure Destruction of Personal Information (PDF)
University of Waterloo guidelines and policies:
- General Information and Privacy
- Security of personal health information: Policy 8 - Information Security
- Data encryption/electronic security
- Record retention and destruction of personal health information: Policy 12 - Records Management
- Confidential shredding procedures
- Electronic media disposal guidelines
And in conjunction with other relevant materials, such as:
- Canadian Institute of Health Research, Natural Sciences and Engineering Research Council of Canada, and Social Sciences and Humanities Research Council of Canada (2014). Tri-Council Policy Statement: Ethical Conduct for Research Involving Humans.
- Canadian Psychological Association (2000). Canadian Code of Ethics for Psychologists.
- Canadian Psychological Association (2001). Practice Guidelines for Providers of Psychological Services.
- College of Psychologists of Ontario (2009). Standards of Professional Conduct