Disclaimer and Privacy Policy

PRIVACY, CONFIDENTIALITY AND DISCLOSURE POLICIES

 

Approved by: Board of Directors

Application: Board, Staff, Volunteers, Students, Clients

Contact: Chair of the Board

Date of Approval: 2005

Date of Last Review: June 2008, January 2011, March 2015, February 2016

 

PREAMBLE

The purpose of this policy is to specify to our clients, members, donors and the general public how we collect, use, store, protect and disclose personal and health information.  Whenever PPT is provided with personal or health information, whether in person, in writing, over the telephone, or online, a reference will be made to our privacy policy.  This policy is available to the public via our website, and is posted at our 36B Prince Arthur Avenue location. The public may request a copy of our privacy and confidentiality policy at any time by contacting our Privacy Officer.

 

DEFINITIONS

“Personal information” includes any information that can be used to distinguish or identify a specific individual.  This information, recorded or not, includes an individual’s name, age, contact information, identification numbers/certificates, medical or financial records, race, ethnic origin, religious affiliation and education.  Business contact information and certain publicly available information, such as name, title/position, company address, email and fax, are not considered to be personal information.

“Health information” includes any identifiable personal information, recorded or not, that relates to the physical or mental health of an individual including medical history, family medical history and health card number.

“Clients” refers to individuals who access PPT through its many programming areas and services.

“Members” refers to individuals who meet membership eligibility requirements and have paid annual membership fees in full.

“Donors” refers to individuals, organizations and/or corporations that have contributed a monetary or in-kind gift to PPT.

“General Public” refers to individuals, groups or institutions that may provide PPT with some form of personal information but do not fall into the category of a client, member or donor.

 

POLICY

Planned Parenthood Toronto (PPT) is committed to protecting the privacy of our clients, members, donors and the general public and to meeting the requirements of the Personal Health Information Privacy Act (PHIPA) and Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA).

 

PROCEDURES

Information Collected by PPT

PPT and its programming areas and services may collect some or all of the following personal and/or health information from clients, members and donors.

Clients

  • Name, address, e-mail address, telephone number
  • Gender
  • Date of birth
  • Health Card number
  • Emergency contact
  • Sexual orientation
  • Spiritual or religious affiliation
  • Racial, ethnic, cultural background
  • Immigration status
  • Education
  • Income
  • Living situation
  • Medical history and records

Donors and Members

  • Name, address, e-mail address, telephone number, fax number
  • Banking and credit card information
  • Communication and giving history
  • Additional information as appropriate for donor cultivation purposes

 

PPT does not trace phone calls or use Call Display services.

 

Use of Information

PPT uses the personal and health information of clients, members and donors for the following purposes:

Clients

  • To provide clients with medical and/or social services offered by PPT and appropriate agents.

Members

  • To correspond via mail, email or telephone about PPT activities including fundraising initiatives, special events, organizational development initiatives and the annual general meeting. Members are provided with ongoing opportunities to opt in or out of receiving such correspondence.

Donors

  • To correspond via mail, email or telephone about PPT fundraising initiatives including direct mail, special events, in-kind donations, planned giving, to provide charitable tax receipts and to seek permission for public recognition of contributions.  Donors are provided with ongoing opportunities to opt in or out of receiving such correspondence.

 

Disclosure and Non-disclosure of Information

PPT discloses personal and health information in the following circumstances:

Clients

  • For purposes of coordinating and/or transferring care among PPT agents and other health care custodians.
  • To comply with other authoritative bodies where ethical and/or legal obligations require.

Members

  • PPT does not disclose, sell, trade or share the personal information of our members.

Donors

  • PPT does not sell, trade, share or disclose the personal information of our donors.

In addition to the categories mentioned above, information may be disclosed to some third-party contractors for PPT business purposes only.  This includes financial audits, insurance and administrative purposes as necessary and appropriate.  In these cases, PPT collects the privacy statements of the third-party contractors and makes these available to clients, members and donors upon request.

PPT may otherwise disclose personal and health information as necessary to meet legal, regulatory and security requirements as permitted or required by law.  This includes the following situations:

  • If a client indicates that they or another person may be a danger to themselves or others;
  • In the case of apparent, suspected or potential child abuse;
  • If a client reports sexual abuse by a Regulated Health Care Professional;
  • When the court issues a summons for records or testimony;
  • If a client receives a positive test result for a reportable communicable disease (this excludes anonymous HIV testing);
  • When required under Revenue Canada regulations.

 

Online Information Collection

Web Sites

PPT operates and manages a number of websites. PPT does not track Internet provider addresses and does not disclose, sell, trade or share any personal information about visitors to our sites.

PPT does not collect identifiable personal or health information through our web sites.  Our web-based financial transactions are filtered through third-party secured sites or by downloadable documents that can be mailed, faxed or emailed to PPT.  PPT includes hypertext links to the privacy policies of the third-party secured sites.  However, PPT may from time to time or in the future collect personal information in the following ways and purposes:

  • Information surveys and feedback forms
  • Responding to “Contact Us” enquiries
  • Ordering and/or purchasing PPT resource materials, publications
  • Membership applications
  • Volunteer applications
  • Making donations

The collection and use of personal information for these purposes is covered under the “Use of Personal Information” section in this statement.

Other non-identifiable and statistical information is collected by our web sites through a log file generated by our site hosts and may be shared with funders and other health care custodians as required.

Cookies

PPT uses session ID cookies.  A cookie is a piece of data stored on the user’s computer tied to information about the user.  Usage of a cookie is not linked to any identifying personal information and once users close the browser, the cookie terminates.

Hypertext Links

PPT includes hypertext links on its web sites to third-party sites.  Generally, these links fall into three categories: 1) links to affiliates, funders and program partners; 2) links to related health web sites; and 3) links to download browser enhancements which may be necessary for the enjoyment of the web sites.  Visitors to PPT web sites should be aware that these third-party sites operate beyond the scope of our privacy policy.  Please be sure to check the privacy statements of these third-party sites.

Online Chat, Email and Social Media

Some information, such as an email address, is collected and used by PPT staff when responding to service and information requests through PPT’s Email a Question, MSN Chat services and other social media like Facebook and Twitter.  In these cases, personal information is collected and used for the purposes outlined in this statement.

Emails, Facebook posts, chat logs, Twitter posts, etc. are saved for liability and statistical purposes.  PPT does not disclose personal information collected online unless it is required to do so by law.  Only authorized staff have access to the information.

 

Consent

Consent to the collection, use and disclosure of personal information may be given in various ways.  Consent can be expressed[1] or implied[2].  Consent may also be given by an authorized representative such as a legal guardian or power of attorney.  For clients of PPT programs and services, an expressed consent form is used.  For donors and members, PPT will assume that, by providing personal information with their donation and/or completed membership form, they consent to our collection, use and disclosure of such information for the purposes identified in this policy.  However, PPT will also provide opportunities for donors and members to opt in or out of such information collection, use and disclosure.  As well, for purposes of donor recognition (i.e. annual report, PPT web site) PPT will seek explicit consent via telephone, mail or Internet.

Clients, members and donors may withdraw their consent to our collection, use and disclosure of personal information at any time by doing so in writing; however, PPT may no longer be able to provide certain clinical services if a client chooses to do so.

 

[1] Includes any oral, electronic or signed confirmation that allows PPT to collect, use and disclose personal information for purposes outlined in this statement.

[2] Includes when a client provides information necessary for a service they have requested or where a client has not withdrawn their consent for an identified purpose, such as by using an “opt out” clause provided.

 

Security

PPT uses the following security measures to protect personal and health information against loss, theft, unauthorized access and disclosure without consent:

Clients

Client medical records are stored and disposed of according to the protocols set by the College of Physicians and Surgeons of Ontario.

  • All client information is stored in professionally appropriate, lockable cabinets.
  • The cabinets are kept locked during non-operational hours.
  • The cabinets containing active client information are located in a separate room located away from the clinic waiting area.
  • Client information stored electronically is password protected.
  • Client information that is not legislatively required is promptly shredded.
  • Medical charts are kept in a secured location for 10 years after a client’s last visit and/or 10 years after their 18th birthday if greater than the last visit date.
  • Charts are disposed of in accordance with the protocols set by the College of Physicians and Surgeons of Ontario.
  • Charts that are shredded are shredded by a contracted health records management disposal firm.

Donors and Members

  • All donor information is stored in lockable cabinets
  • Donor and member information that is stored electronically is password protected
  • Donor information that is not legally required is shredded.

Only authorized employees of PPT who require access to personal information in order to fulfill their job requirements will have access to the personal information.  As well, all employees and volunteers of PPT sign a confidentiality agreement.

 

Access, Correction, Complaints and Contacting Organization

PPT may establish and maintain a file of personal and/or health information for the purposes described in this statement.  If a client, member or donor wishes to request access to or make a correction of their personal information in our custody or control, they may submit their request in writing to the following:

 

Privacy Officer

The Privacy Officer is appointed by the Executive Director (ED) from among the members of the Management Team. While reviewed by the ED annually, the Privacy Officer remains in the position until a new appointee is named.

 

PPT’s Privacy Officer is:

Winnie Fung

Director of Finance and Administration

Planned Parenthood Toronto

36B Prince Arthur Ave.,

Toronto, ON M5R 1A9

Tel: 416.961.0113 ext. 143

Email: privacy@ppt.on.ca

 

If someone believes that their privacy rights are not being respected, suspects their personal information has been improperly collected, used or disclosed, runs into any difficulties obtaining access to their personal information or generally believes that PPT is not following the provisions of PIPEDA or the Ontario Health Information Privacy Act, they are entitled to file a complaint.  The Office of the Privacy Commissioner of Canada recommends that complainants first try to settle the matter directly with the organization they are filing a complaint against.  PPT does have a privacy complaints procedure.  A client, donor or member can find out about the procedure and file a complaint by contacting the Privacy Officer of PPT at the address provided above.  If a client, donor or member is not satisfied with PPT’s response to their complaint they may contact the Office of the Information and Privacy Commissioner/Ontario or the Office of the Privacy Commissioner of Canada at the following addresses:

 

The Office of the Information and Privacy Commissioner/Ontario

2 Bloor Street East, Suite 1400
Toronto, ON M4W 1A8

Tel: 416.326-3333

Toll-free: 1.800.387.0073

Fax: 416.325.9195

E-mail: info@ipc.on.ca

www.ipc.on.ca

 

The Office of the Privacy Commissioner of Canada

112 Kent Street

Ottawa, ON K1A 1H3

Tel: 613.995.8210

Toll-free: 1.800.282.1376

Fax: 613.947.6850

E-mail: info@privcom.gc.ca

www.privcom.gc.ca

 

Privacy Policy Revisions

This privacy statement may be revised from time to time.  If PPT intends to use or disclose personal information for purposes not outlined in this statement, we will make reasonable efforts to notify affected individuals in advance if necessary.

This privacy statement is available upon request and is also available at www.ppt.on.ca/privacy-policy.

 

Client Confidentiality and Disclosure Policy

Staff, volunteers, students and external agents must keep in strict confidence any information received, observed or otherwise acquired about a client of any of PPT’s programs.  Client-related information may be disclosed, discussed or made public only if authorized by the client, or as required by an overriding professional, legal or ethical obligation.  Staff, volunteers and students must also guard against client-related information being acquired by any unauthorized individual(s).

This policy applies to staff, students, volunteers and external agents and they are required to sign a Privacy and Confidentiality Contract upon commencement of their work or association with PPT.

In accordance with the Ontario Health Information Privacy Act and PIPEDA, the duties of privacy and client confidentiality continue beyond the termination of employment or association with PPT.

 

Preventing Unauthorized Access to Client Information

When registering as a client, new clients are asked for instructions regarding methods of contacting clients in the future including the use of code names to protect privacy.

Clients’ last names are not used in the course of service delivery except where necessary, and never where they may be overheard.  When calling clients from the waiting room, only first names are used.

Volunteers do not have access to the client’s medical record.

Clients wishing to limit access to elements of their personal health information may choose to utilize a “lock box”.  Clients can discuss this with the clinical provider.

Confidential matters are discussed with clients in private rooms or where the discussion cannot be overheard, and not at the front desk or in the waiting room.

Clients are not discussed professionally, even without a name, where another client or individual may overhear the discussion.

Charts are located in secured cabinets that are in a separate room from the client waiting area. Charts may also be archived offsite with a certified third-party storage facility. A list of documents stored offsite will be kept at PPT.  A process for retrieving the documents in a timely manner will also be available at PPT.

Charts, encounter forms and other documentation containing client information are placed in a manner so that other individuals cannot see the information (i.e. face-down on desks whenever not being worked on, computer screen off or viewing access limited), and are locked up or shredded at the end of each workday.

Electronic Information 

Electronic information kept on-site is stored on a server that has the most recent privacy protection software and hardware.  All workstations that connect to the network are password protected. The agency has a wireless network, but this is also password protected to restrict access to the network to those individuals with network rights. All mobile storage devices used in the agency (i.e. laptops, USB storage devices) are password protected.

Whenever possible, confidential or sensitive information will not be stored on agency laptops.  Client data is never transported or stored on mobile devices or taken out of the agency. When it is necessary to store confidential information on a laptop, it will be downloaded onto the file server as soon as possible and then deleted from the laptop. When it is necessary to store confidential information on an External Storage Device (USBs), the device will be stored in a locked drawer on-site and the information will be downloaded to the file server as soon as possible and deleted from the laptop.

Staff, students and volunteers do not provide service to clients previously known to them outside of their role with PPT, unless the client agrees in a private discussion with a different staff member.

Clients seen in places other than PPT or program facilities are not acknowledged unless the client makes the first move.

Specific case histories are not used, even without a name, to illustrate one’s experiences in non-professional situations outside of the agency.

 

Privacy Audits

PPT monitors all activities in the electronic health record (NOD). All health care providers, employees, volunteers, and third parties are subject to the auditing of all of their activities in NOD. NOD has the ability to audit all users of the system. Users who are unsure of what constitutes authorized or unauthorized use or access in NOD should speak with their Manager. Audit reports regarding client records are also made available to clients upon request.

Purpose of Auditing

  • Meet legal obligations as a health information custodian under PHIPA s.10,12
  • Monitor access to personal health information (PHI) in NOD
  • Facilitate investigations related to complaints about or known unauthorized access to PHI by authorized users and to identify potential privacy incidents
  • Conduct routine reviews of compliance with policies and procedures related to the protection of the privacy and confidentiality of PHI

Monitoring and Reporting

The Privacy Officer or designate is authorized to run regular audit reports at least quarterly or more frequently if it is deemed necessary. A list of potential trigger events is included in this procedure; the Executive Director or any Manager can request an audit related to a trigger event at any time.

The Privacy Officer or designate will keep track of all audits conducted and the associated reports (see Appendix C – Audit Tracking Form). Completed Audit Request Forms and any subsequent incident investigation will also be documented in accordance with the PPT Privacy Policy and an incident report will be completed and submitted to the Executive Director for filing. Reports requested by a client, administrator or provider will be shared within a reasonable timeframe.

Penalties

When access is deemed inappropriate or a privacy breach has been substantiated, the Privacy Officer or delegate will notify the ED and it will be determined if the breach was willful or unintentional. Users who unintentionally access PHI inappropriately will be subject progressively to all or any of the following:

  1. Further privacy training
  2. Loss of privileges to use NOD
  3. Termination

Audit Schedule

Audits will be held during the second month of each quarter. The Privacy Officer will submit to the DMC a Request of Audit Form (Appendix B). However, when there is sufficient reason to believe that a more frequent audit is warranted, the Privacy Officer or designate can initiate a trigger audit.

The date range for all user audits will be a one-month period, unless otherwise requested/required, ending on the date of the audit request or the audit schedule date. Client audits will include the entire chart.

During each audit the DMC will randomly select one chart of a client who has visited PPT in the preceding quarter and one user.  The DMC will also pull an audit report that identifies specific high-risk charts; these high-risk charts will also be audited. This includes:

  • Any client with a positive HIV diagnosis
  • Clients with the same last name as staff or board member
  • Masked charts
  • Deceased client charts
  • Charts accessed more than 10 times in the last quarter

Audit Trigger Events

Trigger audits will be performed on an as-needed basis and can be requested by the Privacy Officer, designate or any Manager when there are enough grounds to believe that it is necessary. Trigger events may include (but are not limited to):

  • VIP clients at PPT (board members’ family, celebrities, community figures, relatives or partners of staff members)
  • A client is involved in a high-profile event
  • Terminated employee does not return FOB to PPT
  • Client is involved with police or court system (such as domestic abuse reports, etc.)

Audit Reports

Audit log reports are examined in conjunction with other available information to identify and investigate unexplained or potentially inappropriate access to PHI. An NOD user may have had a good reason for an out-of-the-ordinary access, even though the initial review indicates otherwise. The audit reports are therefore inquiry-based and a quality improvement tool.

Client Audit

  1. DMC randomly selects a client record from a client who had one visit during the past quarter
  2. Privacy Officer or designate reviews and interprets the audit log and follows up with users to verify appropriate access and/or to identify all inappropriate or suspicious accesses.
  3. Initiate general incident report if any suspicious access is identified

User Audit

  1. DMC randomly selects a user from the user list
  2. Privacy Officer or designate generates an audit report covering a one month period ending the day of the report
  3. Privacy Officer or designate reviews and interprets the audit log to identify any inappropriate or suspicious accesses. Follow up with the user to verify if access was appropriate
  4. Initiate general incident report if any suspicious access is identified

Other

A client may request an audit of their chart that is either general or within a time period that they specify. The client should complete a Request for Audit Form. The results should be provided to the client in a timely manner.

A Director or ED can request an audit when a trigger event is identified. They should complete a Request for Audit Form.

Things to look out for in an audit

Examples include but are not limited to:

  • Was the user(s) access to the chart appropriate?
  • Did the NOD user(s) access parts of a record that have been masked without the consent of the client?
  • Access not corresponding to the user’s role, i.e. did they access information they did not “need to know” to complete their work?
  • NOD user accessed a record from an unexpected location (e.g. non-authorized IP address)
  • Did anyone access client information at irregular hours outside of normal working hours?
  • Did the user access the record of a client with whom the user does not have an established client-provider relationship, internal referral, or lab follow up?
  • Did a user unnecessarily view a record with a highly sensitive diagnosis?
  • Other unusual patterns of behaviour

 

Release of Records/Information to Clients

Clients are entitled to access all information respecting their health status and their contact with PPT, and are entitled to share this information as they may see fit.  Clients are entitled to review their clinical records in the presence of a staff member, and are entitled to copies of all documentation in their clinical records.  Without detracting from clients’ right to their records, it is recommended to clients that records be reviewed with the assistance of a staff member to ensure full understanding of the contents. Client requests to review their clinical records will be responded to as soon as possible within 30 days.

Telephone calls from clients regarding any client-related matter (appointment scheduling, test results, information from clinical record, and authorizing disclosure to another person) will proceed only if the staff, volunteer, or student confirms the client’s name and birth date.

Telephone calls and mailings to clients follow the client’s selected method of contact on the Intake Form (which may include a code name, contact through an address or phone number other than home, handwritten letters without a return address, etc).  Where there is a serious threat to a client’s health and the client’s selected method of contact has failed after three charted attempts, the client will be contacted at her or his home as follows: 3 telephone calls to the home number utilizing “call block” and without leaving a message, followed by 1 mailing of a handwritten letter sent without a return address (all charted/copied).

 

Professional Obligations to Disclose Information

Staff, students and volunteers have a professional obligation to discuss client-related matters with professional colleagues and/or supervisors as necessary to ensure the highest quality of service provision to clients.  While details of the client’s situation may be revealed, the client’s name and identifying information may not be disclosed unless absolutely necessary.

In addition, the organization has an obligation to maintain records and statistics respecting services to clients.  Consequently, for these purposes, administrative personnel may access clinical records.

 

Legal and Ethical Obligation to Disclose

In certain circumstances, staff, students and volunteers are required or entitled to report client-related information despite the general relationship of confidentiality. In these situations, the breach of confidentiality must be strictly limited to that required or allowed, and confidentiality must be maintained with respect to all other client information.

Every breach of confidentiality occurring with justification as outlined in this policy must be detailed in the client’s medical chart.  If the duty to report is a non-clinical situation and does not apply to a Health Services client, then an Incident Report must be completed and submitted to the Executive Director.

Staff, students and volunteers seeing clients must ensure that clients are aware in advance of these limitations on confidentiality (as may be applicable to their circumstances), so that clients have the opportunity to omit information or refuse testing if so desired.  Such discussions must be charted.  For example, prior to discussing abuse issues, clients under 16 must be informed of the circumstances in which a report must be made; prior to testing for reportable diseases, clients must be informed that positive results must be reported; prior to beginning counselling, clients must be informed that risk of self-harm or harm to others may result in action being taken to protect the client or others.

Details of the most commonly encountered legal obligations to disclose otherwise-confidential information follow. In addition, physicians have duties under the Highway Traffic Act and the Aeronautics Act to report individuals who are unfit to operate a vehicle or airplane, in certain circumstances.

 

Court Order

Staff, students and volunteers may be required to disclose client-related information pursuant to a court Summons, Subpoena or Order.  In appropriate circumstances, PPT will oppose such court-imposed breach of confidentiality to the extent possible. Police requests for information will be immediately reported to the Executive Director and will not be granted unless a valid subpoena or client consent can be produced. PPT will seek legal advice when necessary.

 

Duty to Report Abuse of Children

Ontario’s Child and Family Services Act imposes a duty on all persons to report to a Children’s Aid Society a belief, based on “reasonable grounds”, that a child (anyone under 16) is in need of protection, and to report the information upon which the belief is based.  “In need of protection” refers to a range of circumstances respecting actual or risk of physical, sexual, emotional, developmental harm, or abandonment, by a parent or person in charge of the child, or by another person where the parent fails to protect the child.  Staff members who engage in front-line service have an additional, more onerous duty to report based upon a reasonable suspicion of past or current abuse.

The Child and Family Services Act must be referred to, to assess the duty to report in any particular circumstance; the situation at hand must come within a relevant section of the Act (ss. 72 and 37(2)) in order for a report to be made.  Students and volunteers must discuss any situation giving rise to a possible duty to report with their supervisor immediately; staff must discuss the situation with at least one other member of the Team before reporting.  In circumstances of uncertainty, an anonymous call may be made to a children’s aid society for an opinion on the need to report and the section relied upon; however, this opinion is not binding, and staff may engage in discussion with other Team members, the Manager, the Executive Director, and/or counsel, as appropriate and practicable.  Refer to: Part 24 Recognizing and dealing with Child Abuse.

 

Duty to Report Sexual Abuse by a Health Professional

Ontario’s Regulated Health Professions Act imposes a duty on all regulated health professionals (at PPT, this may include nurses, nurse practitioners, physicians and psychologists) to report a named regulated health professional to their College where there are reasonable grounds, obtained in the course of professional practice, to believe that that health professional has sexually abused a client.  In addition, the Board and/or the Executive Director must file a report if there are reasonable grounds to believe that a regulated health professional practising at PPT has sexually abused a client.  However, in either case, the report cannot include the client’s name without her or his written consent; consequently confidentiality is overridden only with respect to the details of the alleged sexual abuse and the name of the abuser.  Reference should be had to Schedule 1 of the RHPA for a complete list of applicable professions and to sections 1, 85.1-85.6 of Schedule 2 for further details of the duties imposed. Similarly, as an internal policy all staff, students and volunteers are required to report in writing to the Executive Director a belief that any other individual associated with PPT has sexually abused a client.  The report cannot include the client’s name without her or his written consent; confidentiality is overridden only with respect to the details of the alleged sexual abuse and the name of the abuser. Refer to the Act in the Health Services Manual.

 

Duty to Report Communicable Diseases

Ontario’s Health Protection and Promotion Act imposes a duty on regulated health professionals to report all “reportable diseases”, including most sexually transmitted infections, to the Department of Public Health, Communicable Diseases Unit.  All regulated health professionals at PPT must fulfill their statutory duty to report a professional opinion that a client has a reportable disease.

 

Harm to Self or Others

Ontario’s Mental Health Act allows physicians to facilitate an involuntary detention of a person in a psychiatric facility for up to 72 hours, for the purpose of a psychiatric assessment.  Where a physician has examined a person and determines that the person has threatened or engaged in self-harmful or violent behaviour, and is suffering from a mental disorder likely to result in self-harm or harm to others, the physician may complete a “Form 1” application for psychiatric assessment, overriding client confidentiality to the extent necessary to provide the particulars and have the client taken (usually by police) to an appropriate facility.  Refer to section 9 of the Act.

While only physicians may act pursuant to this legislation, other front-line staff, students and volunteers who suspect that the criteria may be met must consult with a physician, who may then examine the client.  However, clients refusing examination by a physician effectively avoid an involuntary psychiatric assessment, since physicians are precluded from acting without having personally examined the client.

Whether or not a Form 1 is completed, staff, students and volunteers may have additional ethical and/or legal obligations to breach client confidentiality in circumstances of self-harm or harm to others:

PPT accepts the judicially asserted health professional’s “duty to inform” as a circumstance overriding client confidentiality.  Consequently, where a client expresses an intention to do serious harm to another individual and there is a likely risk of serious harm, staff, students and volunteers must take all reasonable steps to warn the individual(s) against whom the threat has been made.  These steps will generally include contacting the police, contacting the individual(s) directly where possible, and any other appropriate action.  The breach of client confidentiality will be limited to the information necessary for the police and/or threatened individual to reasonably understand the risk to her or him.  Action in this regard will always be implemented by a staff member, discussed with at least one other Team member, and thoroughly documented.

The “duty to inform” is expected to be incorporated into a standard of the College of Physicians and Surgeons, at which time the above policy may be adjusted to ensure consistency.

Where a client makes a serious suicidal threat and a Form 1 is not applicable, staff, students and volunteers must take action to ensure the safety of the client where such action is ethically prescribed, overriding client confidentiality only to the extent absolutely necessary. Action in this regard will always be implemented by a staff member, discussed with at least one other Team member, and thoroughly documented.

In clinical matters, PPT’s Incident Report will only be completed if any of the situations detailed above present any legality, risk or liability to PPT.  In this case only information pertinent to the liability is reported to ensure understanding of the legal concerns.  The Incident Report is submitted directly to the Executive Director in this situation.

 

Age of Consent

Staff and students are obligated to report the following:

A youth aged 14 or 15 who is involved sexually with a partner who is 5 or more years older than the 14 or 15 year old.  A youth aged 12 or 13 who is involved sexually with a partner who is 2 or more years older than the 12 or 13 year old.

 

Unauthorized Access, Use, Theft, Loss or Disclosure of Client Information

In the case of unauthorized access, use, theft, loss, or disclosure of client information, the Executive Director will be notified immediately and an incident report will be completed.  PPT’s response to this type of situation will be determined by the Executive Director and may involve an investigation and/or legal action.  In all instances the client(s) will be notified immediately.

 

Enforcement Visits Protocol

This protocol outlines procedures to follow in the event of a visit by enforcement authorities to PPT offices or a phone call from an enforcement authority regarding a client.  Enforcement authorities include Toronto Police, RCMP, Office of the Chief Coroner, and Children’s Aid Society workers.

PPT will make every reasonable effort to cooperate with enforcement authorities so long as a warrant, court order or subpoena is presented.  If a warrant, court order or subpoena is not presented, PPT has no legal obligation to disclose information about or provide access to anyone who is on our property including clients, staff and volunteers.

PPT is committed to protecting the information of our clients, volunteers and staff in accordance with PPT’s Confidentiality Agreement and federal and provincial rights and privacy laws.

In dealing with visits from law enforcement authorities, PPT will make every effort to minimize the impact that such a visit may have on clients and services.

A warrant, court order or subpoena can be provided in person, by email or fax. If the enforcement authority presents a warrant, court order or subpoena:

  • Contact the Executive Director or a Manager immediately.
  • Ask to see appropriate identification from the authority such as name, title, badge and precinct number etc.  Write it down and forward to the ED or Manager for documentation purposes and completing a General Incident Report (See Part 13: Occupational Health & Safety Policy and Procedures, Appendix C).
  • If possible, ask the enforcement authority to wait for the ED or Manager in an area that minimizes the impact on clients and services.
  • The ED or Manager will view and verify the warrant, court order or subpoena, assess the situation and cooperate with the enforcement authority while upholding as much privacy and confidentiality as possible and minimizing the impact on clients and services.
  • The ED or Manager will fill out a General Incident Report with input from staff if necessary.
  • If there is not a Manager in the building, refer to the Emergency Contact phone list kept at the reception area of Health Services and PPT and in the Teen Programming office, and contact the ED or first available Manager.  The ED or Manager will advise staff of what to do and make their way to PPT.
  • While waiting for the ED or Manager to arrive, cooperate with the enforcement authority and document the details.
  • If you are unable to contact the ED or a Manager at home, cooperate with the enforcement authority and fill out a General Incident Report in detail documenting the event.

 

If the enforcement authority does not present a warrant, court order or subpoena:

  • Contact the Executive Director or a Manager immediately.
  • Ask to see appropriate identification from the authority such as name, title, badge and precinct number etc.  Write it down and forward to the ED or Manager for purposes of filling out a General Incident Report.
  • If possible, ask the enforcement authority to wait for the ED or Manager in an area that minimizes the impact on clients and services.
  • The ED or Manager will ask for a warrant, court order or subpoena.  If a warrant, court order or subpoena is not presented, the ED or Manager will inform the enforcement authority that PPT cannot disclose any information until such documentation is presented.
  • If the enforcement authority persists or does not leave PPT premises, the ED or Manager will contact our lawyer for further instruction.
  • The ED or Manager will fill out a General Incident Report.
  • If there is not a Manager in the building, refer to the Emergency Contact phone list kept at Health Services and Teen Programming office and contact the ED or the first available Manager.  The ED or Manager will advise staff of what to do and make their way to PPT.
  • While waiting for the ED or Manager to arrive, cooperate with the enforcement authority and document the details.
  • If you are unable to contact the ED or a Manager at home, cooperate with the enforcement authority and fill out a General Incident Report.

The PPT office is private property and law enforcement authorities should present a warrant, court order or subpoena to enter the building and request information.  PPT, however, does not have jurisdiction, rights or liabilities regarding public areas around our building. If the enforcement authority chooses to wait outside PPT property, they are legally entitled to do so.  Managers, volunteers and staff should not become involved in enforcement activity by warning individuals that authorities may be waiting for them.

 

Organizational Confidentiality

Staff, students, volunteers and external agents at PPT may have access to personal information concerning others, contained in personnel or volunteer files.  Such information may be disclosed only (a) to those within PPT who require the information to perform their job duties, (b) to relevant regulatory, judicial, or government bodies, or (c) to others with authorization of the individual.

Staff, students, volunteers and external agents may also have access to confidential organizational information.  Internal documents and decisions in draft form or otherwise still in process, and any document or situation stated to be confidential, must not be disclosed or discussed outside of PPT.

The duties of organizational confidentiality continue beyond the termination of employment or association with PPT.

 

Conflict of Interest

A conflict of interest is a situation in which a staff, student or volunteer’s private or professional interest may affect their judgement (in a real or perceived way). Staff, students and volunteers must operate free from real or perceived conflict of interest.

The following procedures should be applied to avoid this situation:

  • Staff, students and volunteers must declare a conflict of interest as soon as it becomes known (for example, participation on Hiring Committee, attendance at meetings, etc.).
  • Disclosure should be made to the supervisor or most appropriate person depending on the situation giving rise to the conflict of interest (for example, Chair of Hiring Committee if conflict of interest arises due to participation on a Hiring Committee).
  • Any declared conflict should be minuted, or noted, including particulars.
  • When a staff, student or volunteer has declared and disclosed a conflict of interest, she/he may be asked to withdraw from participation as appropriate (for example, leave the discussion of the item that gave rise to the conflict of interest in a meeting). Alternatively, the staff, student or volunteer may continue to participate, but may not participate in the decision on the issue.

 

Appendix

Appendix A – Client Confidentiality Contract

Appendix B – Audit Request Form

Appendix C – Audit Tracking Form