Healthcare Links
Ontario Health Card
Patient Care
Patient Education
Patient Information
Contacting a Patient
Patient Rights and Responsibilities
Release of Information-Fee Schedule
Your Hospital Stay
AMGH Mardi Gras Gala - Platinum Sponsor
The International Diabetes Federation estimates that approx. how many people have diabetes worldwide?
116 Million
382 Million
421 Million
The AMGH Foundation needs your help! Your gift will make a difference.
Home  >  Patients & Visitors  >  Patient Information  >  Privacy

Preamble Privacy Highlighted

Alexandra Marine and General Hospital is responsible for personal information under the organization's custody and control and is committed to a high standard of privacy for their information practices. Alexandra Marine and General Hospital has adopted the following 10 Principles set out in the National Standard of Canada Model Code for the Protection of Personal Health Information:

  1. Accountability
  2. Identifying Purposes
  3. Consent
  4. Limiting Collection
  5. Limiting Use, Disclosure and Retention
  6. Accuracy
  7. Safeguards
  8. Openness
  9. Individual Access
  10. Challenging Compliance

AMGH shares integrated information system with the Huron Perth Healthcare Alliance, which is comprised of hospitals in Stratford, Seaforth, St. Mary's and Clinton. To the extent that personal information is collected, used, disclosed, and retained within the shared service, the Hospitals recognize that each organization has both independent and joint obligations with respect to fair information practices.

This policy will apply to personal information and personal health information collected, used, disclosed and retained by AMGH, subject to legal requirements.

The Privacy Policy is the foundation for other policies and procedures, setting the principles upon which the Hospital will collect, use and disclose personal information and personal health information.

  1. Accountability for Personal Information

    • Accountability for AMGH's compliance with the policy rests with the Chief Executive Officer, and, ultimately the Board, although other individuals within the Hospital are responsible for the day-to-day collection and processing of personal information.
    • The hospital is responsible for personal information under its control and has designated Co-Privacy Officers who are accountable for compliance at the hospital.
    • The names of the Privacy Officers designated by the Hospital to oversee compliance with these principles is a matter of public record. Privacy Officers are Richard Bedard and Betsy Rivera.
    • The Hospital is responsible for personal information in its possession or custody, including information that has been transferred to a third party for processing. The Hospital will use contractual or other means to provide a comparable level of protection while the information is being processed by a third party.
    • The Hospital will: Privacy

      • implement policies and procedures to protect personal information, including information relating to patients, team members, and agents;
      • establish policies and procedures to receive and respond to complaints and inquiries;
      • train and communicate to team members and agents information about the Hospital's privacy policies and practices; and
      • develop plans and communicate to the public and key hospital stake holders' information to explain the Hospital's privacy policies and procedures.

  2. Identifying Purposes for the Collection of Personal Information

At or before the time personal information is collected, the Hospital will identify the purposes for which personal information is collected. The primary purposes for collecting personal information are the delivery of direct patient care, the administration of the healthcare system, research, teaching, statistics, and meeting legal and regulatory requirements.

    • Identifying the purposes for which personal information is collected at or before the time of collection allows the Hospital to determine the information they need to collect to fulfill these purposes.
    • The identified purposes are explained at or before collection (of the information) to the individual from whom the personal information is collected. Depending upon the way in which the information is collected, this explanation can be given orally or in writing: for example, an admission form, or posted notice, may give notice of the purposes. A patient who presents for treatment, and receives an explanation, is giving implied consent for the use of his or her personal information for authorized purposes. Patients will be given the option to accept or reject each such use.
    • When personal information, that has been collected, is to be used for a purpose not previously identified, the new purpose will be identified prior to use. Unless the new purpose is required by law, the consent of the individual is required before information can be used for that purpose.
    • Persons collecting personal information will be able to explain to individuals the purposes for which the information is being collected.
  1. Consent for the Collection, Use, and Disclosure of Personal Information

The knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate.

Note: In certain circumstances personal information can be collected, used, or disclosed without the knowledge or consent of the individual; for example, legal, medical, or security reasons may make it impossible or impractical to seek consent. When information is being collected for the detection and prevention of fraud or for law enforcement, seeking the consent of the individual might defeat the purpose of collecting the information. Seeking consent may be impossible or inappropriate when the individual is a minor, seriously ill, or mentally incapacitated. In addition, if the Hospital does not have a direct relationship with the individual, it may not be possible to seek consent.

  • Consent is required for the collection of personal information and the subsequent use or disclosure of this information. Typically, the Hospital will seek consent for the use or disclosure of the information at the time of collection. In certain circumstances, consent with respect to use or disclosure may by sought after the information has been collected, but before use (for example, when the Hospital wishes to use information for a purpose not previously identified).
  • The principle requires "knowledge and consent". The Hospital will make a reasonable effort to ensure that the individual is advised of the purposes for which the information will be used. To make the consent meaningful, the purposes must be stated in such a manner that the individual can reasonably understand how the information will be used or disclosed.
  • The Hospital will not, as a condition of the supply of a product or service, require an individual to consent to the collection, use, or disclosure of information beyond that required to fulfil the explicitly specified and legitimate purposes.
  • The form of the consent sought by the Hospital may vary, depending upon the circumstances and the type of information. In determining the form of consent to use, the Hospital will take into account the sensitivity of the information.
  • In obtaining consent, the reasonable expectations of the individual are also relevant. The Hospital can assume that an individual's request for treatment constitutes consent for specific purposes. On the other hand, an individual would not reasonably expect that personal information given to the Hospital would be given to a company selling healthcare products.
  • The way in which the Hospital seeks consent may vary, depending on the circumstances and the type of information collected. The Hospital will generally seek express consent when the information is likely to be considered sensitive. Implied consent would generally be appropriate when the information is less sensitive. An authorized representative such as a substitute decision maker if the patient is not capable, a legal guardian or a person having power of attorney can also give consent.
  • Individuals can give consent in many ways, for example:

    • Consent may be given orally when information is collected over the telephone,or
    • Consent may be given at the time that individuals use a health service.
    • An admission form may be used to seek consent, collect information, and inform the individual of the use that will be made of the information. By completing and signing the form, the individual is giving consent to the collection and specified uses.

  • An individual may withdraw consent at any time, subject to legal or contractual restrictions and reasonable notice. The Hospital will inform the individual of the implications of such withdrawal.
  1. Limiting Collection of Personal Information

The collection of personal information will be limited to that which is necessary for the purposes identified by the Hospital. Information will be collected by fair and lawful means.

  • The Hospital will not collect personal information indiscriminately. Both the amount and the type of information collected will be limited to that which is necessary to fulfil the purposes identified.
  • The requirement that personal information be collected by fair and lawful means is intended to prevent the Hospital from collecting information by misleading or deceiving individuals about the purpose for which information is being collected. This requirement implies that consent with respect to collection must not be obtained through deception.
  1. Private and ConfidentialLimiting Use, Disclosure, and Retention of Personal Information

Personal information will not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Personal information will be retained only as long as necessary for the fulfillment of those purposes.

    • If using personal information for a new purpose, the Hospital will document this purpose.
    • The Hospital will develop guidelines and implement procedures with respect to the retention of personal information. These guidelines will include minimum and maximum retention periods. Personal information that has been used to make a decision about an individual will be retained long enough to allow the individual access to the information after the decision has been made. The Hospital is subject to legislative requirements with respect to retention periods.
    • Personal information that is no longer required to fulfil the identified purposes will be destroyed, erased, or made anonymous. The Hospital will develop guidelines and implement procedures to govern the destruction of personal information in accordance with applicable legislative requirements.

  1. Ensuring Accuracy of Personal Information Checkmark

Personal information will be as accurate, complete and up-to-date as is necessary for the purposes for which it is to be used.

  • The extent to which personal information will be accurate, complete and up-to-date will depend upon the use of the information, taking into account the interests of the individual. Information will be sufficiently accurate, complete and up-to-date to minimize the possibility that inappropriate information may be used to make a decision about the individual.
  • The Hospital will not routinely update personal information, unless such a process is necessary to fulfil the purposes for which the information was collected.
  • Personal information that is used on an on-going basis, including information that is disclosed to third parties, will generally be accurate and up-to-date, unless limits to the requirement for accuracy are clearly set out.
  1. Ensuring Safeguards for Personal Information

    Security safeguards appropriate to the sensitivity of the information will protect personal information.

    • The security safeguards will protect personal information against loss, theft, unauthorized access, disclosure, copying, use, or modification. The Hospital will protect personal information regardless of the format in which it is held.
    • The nature of the safeguards will vary depending on the sensitivity of the information that has been collected, the amount, distribution, and format of the information, and the method of storage. A higher level of protection will safeguard more sensitive information, such as health records.
    • The methods of protection will include:

      • Physical measures, for example, locked filing cabinets and restricted access to offices;
      • Organizational measures, for example, limiting access on a "need-to-know" basis, and
      • Technological measure, for example, the use of passwords, encryption and audits.

    • The Hospital will make their team members and agents aware of the importance of maintaining the confidentiality of personal information. As a condition of employment, appointment, or agency, all hospital team members and agents must sign the Hospitals' Confidentiality Agreement. In addition, those with access to clinical, non-clinical, computerized or manual hospital records must provide a signed User Agreement / Third Party Contract containing a privacy/confidentiality clause.

Care will be taken in the disposal or destruction of personal information, to prevent unauthorized parties from gaining access to the information.

  1. Openness About Personal Information Policies and Practices

The Hospital will make readily available to individuals specific information about their policies and practices relating to the management of personal information.

  • The Hospital will be open about their policies and practices with respect to the management of personal information. Individuals will be able to acquire information about their policies and practices without unreasonable effort. This information will be made available in a form that is generally understandable.

The information made available will include:

  • The contact information to reach the Privacy Officer who is accountable for the Hospital's privacy policies and practices, and to whom complaints or inquiries can be forwarded;
  • The means of gaining access to personal information held by the Hospital;
  • A description of the type of personal information held by the Hospital, including a general account of its use;
  • A copy of any brochures or other information that explains the Hospital's policies, standard, or codes, and
  • What personal information is made available to related organizations.

The Hospital will provide information on policies and practices available in a variety of ways to address varied information needs and to ensure accessibility to information: for example, the Hospital may choose to make brochures available in their places of business, mail information to their clients, post signs, provide online access, or through the Internet and Intranet.

  1. Individual Access to Own Personal Information

Upon request, an individual will be informed of the existence, use and disclosure of his or her personal information and will be given access to that information. An individual will be able to challenge the accuracy and completeness of the information and have it amended as appropriate.

Note: In certain situations, the Hospital may not be able to provide access to all the personal information they hold about an individual. Exceptions to the access requirement will be limited and specific. The reasons for denying access will be provided to the individual upon request. Exceptions may include information that is prohibitively costly to provide, information that contains references to other individuals, information that cannot be disclosed for legal, security, or proprietary reasons, and information that is subject to solicitor-client or litigation privilege.

Upon request, the Hospital will inform an individual whether or not they hold personal information about the individual. The Hospital will seek to indicate the source of this information and will allow the individual access to this information. However, they may choose to make sensitive health information available through a medical practitioner. In addition, the Hospital will provide an account of the use that has been made or is being made of this information and an account of the third parties to which IT has been disclosed.

An individual will be required to provide sufficient information to permit the Hospital to provide an account of the existence, use and disclosure of personal information. The information provided will only be used for this purpose.

In providing an account of third parties to which they have disclosed personal information about an individual, the Hospital will attempt to be as specific as possible. When it is not possible to provide a list of organizations to which they have actually disclosed information about an individual, the Hospital will provide a list of the organizations to which they may have disclosed information about the individual.

The Hospital will respond to an individual's request within a reasonable time and at a reasonable cost to the individual. Fees will be established on a cost recovery basis. The requested information will be provided or made available in a form that is generally understandable. For example, if the Hospital uses abbreviations or codes to record information, an explanation will be provided.

  • When an individual successfully demonstrates the inaccuracy or incompleteness of personal information, the Hospital will amend the information as required, in accordance with professional standards of practice. Depending upon the nature of the information challenged, amendment may involve the correction, deletion, or addition of information. Information contained within health records will not be deleted, but rather, the original must be maintained, with any amendments or corrections being made in a transparent manner. Where appropriate, the amended information will be transmitted to third parties having access to the information in question.
  • When a challenge is not resolved to the satisfaction of the individual, the Hospital will record the substance of the unresolved challenge. When appropriate, the existence of the unresolved challenge will be transmitted to third parties having access to the information in question.
  1. Challenging Compliance with the Hospitals' Privacy Policies and Practices

An individual will be able to address a challenge concerning compliance with this policy to the Chief Executive Officer.

  • The Hospital will put procedures in place to receive and respond to complaints or inquiries about their policies and practices relating to the handling of personal information. The complaint procedures will be easily accessible and simple to use.
  • The Hospital will inform individuals who make inquiries or lodge complaints of the existence of relevant complaint procedures. A range of these procedures may exist.
  • The Hospital will investigate all complaints. If a complaint is found to be justified, the Hospital will take appropriate measures, including, if necessary, amending their policies and practices.

Agent - a person who acts on behalf of the organization in exercising powers or performing duties with respect to personal/private information whether or not employed (or remunerated) including volunteers, students, physicians, consultants, nurses, vendors and contractors.

Patients - includes inpatients, outpatients, residents and clients.

Personal Health Information (PHI) - personal information with respect to an individual, whether living or deceased and includes:

  1. information concerning the physical or mental health of the individual;
  2. information concerning any health service provided to the individual;
  3. information concerning the donation by the individual of any body part or any bodily substance of the individual;
  4. information derived from the testing or examination of a body part or bodily substance of the individual;
  5. information that is collected in the course of providing health services to the individual; or
  6. information that is collected incidentally to the provision of health services to the individual;

Personal Information - information about an identifiable individual, but does not include the name, title or business address or telephone number of a team member of an organization.

Privacy - the right of every individual to have control of the collection, use and sharing/disclosure, of their personal information.

<March 2015>
Patients & Visitors  |  Programs & Services  |  News and Events  |  Partners  |  Careers  |  About Us Copyright Alexandra Marine & General Hospital 2015