Privacy Policy

 
 

PURPOSE: To protect the privacy of Guest’s identities and any medical information gather by RESTORE in accordance with the HIPPA act of 1996.

POLICY

In the course of delivering its services and programs, RESTORE collects personal information from its Guests. Personal information means any information that could be used on its own, or with other information, to establish the identity of a Guest, the Guest’s service provider or the Guest’s substitute decision maker. Personal information also includes any other information about a Guest including information that is contained in a Guest record.

 

RESTORE collects, uses and shares Guest’s personal information for the following purposes:

·        Providing quality programs and services to Guests

·        Providing information to other people or organizations with Guest consent (for example, making a referral for service)

·        Conducting research to understand the kinds of issues our Guests are facing

·        Reviewing Guest files to ensure high quality of service and documentation

 

RESTORE may also collect, use and share personal information with consent or as permitted or required by law.

 

RESTORE is committed to protecting the privacy of its Guests and ensuring that:

·        the personal information it receives from Guests is kept safe, secure, confidential, accurate and up to date

·        patients understand why their personal information is collected by RESTORE

·        RESTORE obtains written Guest consent before collecting, using, sharing or releasing Guest information, except as set out in this policy or permitted or required by law

·        only the personal information necessary for the purposes listed above is collected from Guests, unless otherwise consented to by the Guest or permitted or required by law

·        access to Guest information is limited to the RESTORE employees, volunteers and students involved in delivering services to Guests

·        any external agents to whom RESTORE releases information have a need to know and only use and disclose Guest information for the purposes for which it was originally provided

·        patients can withdraw their consent at any time to the collection, use, and disclosure of their personal information

·        patients have access to their record, except where RESTORE is entitled to refuse an access request, and may copy or correct their record and ask questions about RESTORE privacy policies and procedures

·        complaints about RESTORE privacy policies and procedures are handled efficiently and effectively

·        all legal and regulatory requirements regarding Guest information are met and maintained

 

 

 

SCOPE

This policy applies to all RESTORE employees, students and volunteers.

 

PROCEDURES

1. Obtaining Consent

1.1 As RESTORE services often involve collaboration and consultation among employees, RESTORE employees will discuss the following with new Guests:

·   the nature and extent of consultation and collaboration in the RESTORE program or service which the new Guest is accessing

·   the personal information that RESTORE may collect

·   the purposes for which RESTORE collects, uses and shares personal information, as listed above

1.2 Guest’s rights and responsibilities including rights related to keeping Guest’s personal information private will be reviewed with all new Guests at their first appointment following intake

1.3 Guests will be asked to use a form indicating that the organization’s privacy policies have been discussed and that the Guest consents to the collection use and sharing of personal information for the purposes listed in this policy.

1.4 The signed forms will be maintained by the program (e.g., in the  Guest’s paper record, filed centrally within the program). A note will be made in the  Guest’s electronic record that the form has been signed.

1.5 In cases where it is not possible or practicable to obtain the Guest’s written acknowledgment (e.g., telephone only service), verbal acknowledgment that the organization’s privacy practices have been explained to, and accepted by, the Guest will be recorded in an activity note in the Guest’s record.

1.6 Consent will be that of the individual and must be knowledgeable, relate to the personal information and not be obtained through deception or coercion. A consent to the collection, use or sharing of personal health information about an individual is knowledgeable if it is reasonable in the circumstances to believe that the individual knows, (a) the purposes of the collection, use and/or disclosure, as the case may be; and (b) that the individual may give or withhold consent.

1.7 In the event employees are concerned that a Guest does not have the capacity to consent to the collection, use and disclosure of his or her personal information, employees should:

·        Consider whether the Guest understands the decision they are being asked to make

·        Question whether the person understands the reasonably foreseeable consequences of the decision or lack of decision

·        Consult with their supervisor

 

 

2. Guest Withholding, Limiting or Withdrawing Consent

2.1 Guests have the right to stipulate who will have access to their personal information. This means that they can withhold, limit or withdraw their consent to the collection, use or disclosure of personal information. The request may cover all or a specific part of a Guest’s record. When this happens, staff will implement the following “lock-box” procedure.

2.2 Electronic records: The RESTORE employee receiving the Guest’s request to withhold, limit or withdraw their consent will:

·        Record the verbal instructions by the Guest in an activity note in the Guest’s electronic record

·        Scan any written instructions by the Guest into the Guest’s electronic record

·        Notify all staff through immediate confidential e-mail and update a living document containing current consents and revocations.

 

2.3 Paper records: If the Guest also has a paper file:

The Guest’s file (either in whole or in part depending on the Guest’s instructions) to which access is to be limited will be placed inside an envelope that will be sealed with the instructions from the Guest stapled to the outside of the file. If the Guest’s request is to withdraw consent, the file will be safeguarded by RESTORE’s Privacy Officer. If the Guest’s request is to withhold or limit consent, the supervisor responsible for the program will determine how best to comply with the Guest’s request.

 

2.4 In cases where the withholding, limiting or withdrawal of consent will limit or prevent RESTORE from continuing to deliver services, employees will discuss with the Guest the consequences of their withholding, limiting or withdrawal of consent.

 

3. Higher Levels of Confidentiality (Use of Aliases)

3.1 RESTORE serves Guests periodically that require a higher level of confidentiality. For example: public figures; staff of RESTORE funder; former staff, students and volunteers, who may not wish it to be known that they are accessing RESTORE services.

3.2 In such situations, programs will provide Guests an opportunity to select and use an alias. The alias will be used in the Guest record and in the Guest’s interactions with RESTORE.

3.3 A list of the aliases, Guests’ real names and file numbers will be confidentially maintained by a designated person in each department with a copy to the RESTORE Privacy Officer.

3.4 A higher level of confidentiality designation does not invalidate the normal legal limits to confidentiality, which includes subpoenas, search warrants and the right of government funders to audit Guest records. Guests must be informed of these limitations on confidentiality.

3.5 The Human Resources Department will provide names of new staff members, volunteers and students to the RESTORE Privacy Officer so that a check of the Guest database can be completed. If the individual has received service from RESTORE in the past, an alias will be assigned to the record in order to maintain the privacy of the new staff member, volunteer or student.

 

4. Disclosure without Consent Including Responding to Summons/Subpoenas/Court Orders and Requests from Police

4.1 RESTORE will not disclose the personal information of Guests without their consent, except where:

·        It is believed the Guest or someone else is in imminent danger of serious physical harm (see Duty to Warn policy)

·        A child under the age of 16 is at risk of or has been abused or neglected (see Mandated Reporting policy)

·        RESTORE is subpoenaed or is otherwise served with a court order, summons, warrant or a similar requirement issued by a person who has jurisdiction to compel the production of information in a proceeding

·        It is otherwise permitted or required by law.

4.2 If a RESTORE employee, student or volunteer is served with a warrant, summons, subpoena, order or similar requirement issued in a proceeding, the individual must immediately notify their supervisor, who will provide advice and direction as to how to respond. RESTORE employees, students or volunteers should follow the same procedure in response to requests by police officers for Guest information.

4.3 In general, where an order, summons, warrant, subpoena or other requirement to produce documents has been served on RESTORE, RESTORE will:

·        Make every attempt to respond in a way that is respectful of the order or other requirement, while at the same time taking steps to preserve the Guest's right to confidentiality

·        Make an exact copy of the file to remain at RESTORE and deliver the documents to the court or other proceeding in a sealed enveloped marked “private and confidential”.

4.4 Where RESTORE discloses personal information without the Guest’s consent, the Guest will be notified of such disclosure as soon as reasonable, practical, safe and/or legally possible in the circumstances.

 

5. Release of Information with Guest Consent

5.1 Subject to Section 4, personal information, whether all or part of a Guest record, will not be released to third parties without the written consent of the Guest or the Guest’s substitute decision maker, where applicable. Guests are required to complete the RESTORE Authorization to Request or Release Information Form, depending on the nature of the request. Consents provided on these forms are valid for one year, unless otherwise limited or withdrawn by the Guest in advance of that date. RESTORE may disclose a Guest’s personal information, provided that the disclosure, to the best of RESTORE knowledge, is for a lawful purpose.

5.2 Reports from third parties contained in a Guest record may not be released without the written consent of the third party. Guests will be encouraged to pursue access to this information directly with the third party.

5.3 In exceptional circumstances, where written consent is not possible, the oral consent of the Guest to the release of personal information will be accepted and will be recorded in the Guest’s file.

5.4 In response to requests to release information to third parties, the RESTORE service provider will ensure that the Guest understands the purpose for which the information is being released and to whom the information is being released. The RESTORE service provider will also explain that RESTORE cannot guarantee the confidentiality of the information once it has been released.

 

6. Safeguarding of Personal Information

6.1 Guest information stored electronically is protected by password. Access to the RESTORE electronic database is limited on a need to know basis for added security.

6.2 Guest information collected in hard copy form is stored in locked cabinets accessible only by the counselors or other RESTORE employees, students and volunteers providing service to the Guest, and the relevant program managers.

6.3 Access to Guest information will be limited to those who need to know the information for the purposes set out in the Guest’s consent or as otherwise permitted or required by law.

6.4 RESTORE employees will never leave Guest personal information, in paper or electronic form, unattended or exposed to anyone other than the Guest.

6.5 RESTORE will not send confidential personal information to Guests by email without the Guest’s prior consent. Personal information sent to Guests or about will employ secure email. (Note that secure e-mail ensures messages are encrypted. RESTORE regular e-mail program is not secure email.)

6.6 Web-based counseling will use an encrypted website to protect Guest privacy and confidentiality.

6.7 RESTORE requires external agents, such as third-party auditors, to maintain the confidentiality of Guest information and to refrain from using Guest information for any purpose other than the purposes for which consent was provided by the Guest. Where appropriate and necessary, RESTORE will obtain the consent of the Guest to disclosure of information to external agents. (External agents are persons or companies with which RESTORE has contracts and that may come into contact with personal information.)

6.8 When disposal is permitted or required, records of Guest personal information will be disposed of in a secure manner such that reconstruction of the records is not reasonably foreseeable in the circumstances.

 

7. Notice to Guests of Theft, Loss, Unauthorized Access, Use or Disclosure of Personal Information

7.1 Employees are required to report to their supervisor and to the RESTORE Privacy Officer any theft, loss, unauthorized access, use or disclosure of personal information of RESTORE Guests. In programs where funders require it, managers will file a serious occurrence report in this situation.

7.2 In the event of such theft, loss, unauthorized access, use or disclosure of personal information of a RESTORE Guest, RESTORE will notify the Guest as soon as possible.

7.3 Oral contact with the Guests will be logged in the Guest record and will be followed up by a letter, which will be included in the Guest record.

7.4 In the case of former Guests, contact will be made orally, if possible, and also in writing, at the last known address for the Guest recorded in RESTORE database.

 

8. Guest Access to and Correction of Personal Information

8.1 Guests wishing to review their records should contact the RESTORE service provider, relevant program manager or Privacy Officer.

8.2 Within 30 days of any such request, an appointment will be made for the Guest to review his/her personal information in a confidential manner on RESTORE premises, in the presence of a RESTORE employee, unless RESTORE is entitled to refuse the request, in which case written notice will be given. Guests may bring a support person to this appointment if they wish. Up to 60 days may be required in the case of complex searches for records. In exceptional circumstances (e.g., a Guest is unable to come to the RESTORE office due to health issues), a copy of the record may be sent to the individual with consent.

8.3 RESTORE is required to retain Guest personal information that is the subject of a request for access for as long as necessary to allow the Guest to exhaust any recourse under the Personal Health Information Protection Act, 2004 that he or she may have with respect to the request. This may require RESTORE to maintain the record for longer than the typical Guest record retention period.

8.4 Guests who wish an explanation of their records may contact their RESTORE service provider, the relevant program manager or the RESTORE Privacy Officer.

8.5 Guests will not be permitted to access third party records without the consent of the third party. In such cases, the RESTORE service provider will direct the Guest to obtain the requested information directly from the third party.

8.6 Guests wishing to correct information in their file shall provide the correction in writing to RESTORE. The written correction will be included in the Guest’s record and, within three weeks of receipt, RESTORE will notify the Guest of its response to the correction.

 

9. Appointment of Privacy Officer

9.1 The Privacy Officer for RESTORE is the Clinical Director.

9.2 The name and contact information for the Privacy Officer is available on the RESTORE website, in the Guest Rights and Responsibilities Statement and in the RESTORE Employees Directory.

9.3 The duties of the Privacy Officer include:

·        Maintaining knowledge of privacy legislation and regulations

·        Ensuring that all employees and volunteers have training on the privacy policy

·        Monitoring employee compliance with RESTORE privacy policy

·        Responding to privacy-related complaints and concerns

·        Responding to requests for access and correction

·        Responding to inquiries from the public about RESTORE privacy practices

·        Liaising with other organizations, the public and government, as necessary, on privacy-related issues

 

10. Inquiries and Complaints

10.1 Questions, comments or complaints about the RESTORE privacy policies and procedures or about the collection, use or disclosure of personal information will be directed to the Privacy Officer.

10.2 The Privacy Officer will follow the procedures set out in the Guest and Community Member Complaints policy in responding to, resolving and recording privacy-related complaints.

10.3 If the Guest is not satisfied with the response provided by the Privacy Officer, the Guest may follow the grievance and complaint procedure outlined in TS-01.