Public Health Programs and Privacy Law
The Halton Region Health Department provides a range of accessible, affordable, and effective Public Health Programs. The Public Health Programs are designed to support the physical and mental health and well-being of Halton Region residents through various programs and services that aim to reduce health inequities, protect and promote health, and prevent disease and injury. In the course of providing health care services and programs, personal health information is often collected, used and disclosed.
The Medical Officer of Health manages the Health Department and is subject to the Personal Health Information Protection Act, 2004 (PHIPA), which governs the collection, use and disclosure (sharing) of personal health information within the health care sector. The Medical Officer of Health and any person or organization acting on his/her behalf have a duty to comply with PHIPA when handling personal health information. Under PHIPA, you have privacy rights over the personal health information collected by the Health Department, while the Health Department has privacy obligations to the individuals it serves. Below are details about why and how the Health Department collects and manages personal health information and how your rights over your personal health information are supported.
Collection, Use and Disclosure of Your Personal Health Information
To provide you with Public Health Programs, the Health Department may collect, use and disclose the following personal health information:
- name, address, telephone number and date of birth;
- health card number (if it’s needed for OHIP billing or as permitted by law);
- health information as relevant to the program/service being provided; and
- current and past health history including use of medications.
Typically, the Health Department attempts to collect personal health information directly from you or your substitute decision-maker. Other times, the Health Department may collect personal health information indirectly from other people such as family doctors, hospitals, or schools.
In addition to PHIPA, the Health Department is also subject to the Health Protection and Promotion Act (HPPA). Both HPPA and PHIPA permit the Health Department to collect, use and disclose your personal health information for other specific purposes. For example, HPPA requires the Health Department to collect personal health information from others such as laboratories to prevent the spread of communicable diseases and to promote and protect the health of our community. PHIPA also allows the Health Department to share personal health information to comply with other legislation, such as reporting child abuse.
Your Consent Rights
Your consent, or that of your substitute decision-maker, is often requested before collecting, using and disclosing your personal health information.
In some cases, the Health Department will rely on your implied consent. When you request or agree to receive our health care services or when we refer you to other health care follow up services, your implied consent gives the Health Department permission to collect, use and disclose your personal health information from or to relevant health care providers to streamline your care.
When the Health Department shares your personal health information with people who are not health care providers, such as family members or a community agency, we will obtain your express consent (verbal or written permission) to collect, use and disclose personal health information. When your express consent is required, the Health Department will provide you with information about why we need to use and disclose your personal health information and who the information will be shared with to help you make an informed decision.
Privacy Rights of Minors
The Health Department will often obtain consent from a custodial parent or legal guardian for the collection, use or disclosure of the personal health information of an individual who is under 16 years of age. However, minors may directly consent to the collection, use and disclosure of their information where they are capable of making such decisions. For example, a minor may use services from Public Health’s Sexual Health Clinic without requiring a parent’s/legal guardian’s knowledge or consent. In these situations, the parent/legal guardian would not be given access to information about the minor’s involvement in the program without the express consent of the minor.
Withdrawing Your Consent
You, or your substitute decision-maker, have the right to withdraw consent for the further collection, use and disclosure of your personal health information for health care services. Consent cannot be withdrawn for the use or disclosure of personal health information that has already occurred. Since withdrawing consent may have an impact on the health care you receive, we will discuss those impacts with you to help you make a knowledgeable decision.
Safeguarding and Managing Your Personal Health Information
Protecting your personal health information and respecting your privacy rights is of high importance to the Health Department. The Health Department has implemented information management practices and a comprehensive privacy and security program to ensure the privacy and security of personal health information, including:
- assigning roles and responsibilities for managing and reporting on the Health Department privacy program and its compliance with PHIPA;
- maintaining a culture of privacy by holding mandatory and ongoing privacy training for staff;
- having policies and procedures to guide staff on obtaining an individual’s consent when required and appropriately handling personal health information;
- restricting access to personal health information to authorized staff on a need-to-know basis;
- ensuring privacy and security requirements are enforced in agreements with staff and third-party providers of electronic systems that manage and store personal health information for the Health Department;
- using security controls to safeguard personal health information and prevent security breaches such as firewalls on our computer network and encrypted mobile devices;
- logging and auditing staff access to personal health information in electronic systems; and
- implementing a privacy breach response protocol to ensure privacy breaches are contained, investigated and remediated as necessary and that affected individuals are notified.
Access to and Correction of Your Personal Health Information
Under PHIPA you have a right to request access to and a correction of your personal health information held by the Health Department, except in limited circumstances. You, or your substitute decision-maker, can make an informal request for access to the staff person or program you have been dealing with while receiving our services. Otherwise, you or your substitute decision-maker can make a formal, written request for access by completing the generic form and following the instructions provided. You may also make an access or correction request by contacting the staff person or program you have been dealing with or the Health Information and Privacy Analyst:
Health Information and Privacy Analyst
Halton Region Legal Services Division, Office of the Regional Clerk
1151 Bronte Road
Oakville, ON L6M 3L1
Toll Free: 1-866-4Halton (1-866-442-5866)
Fax: 905-825-8588 or 905-825-1444
Under PHIPA, you have a right to ask questions and file complaints about how the Health Department collects, uses, discloses and manages personal health information or how it supports your rights for consent, access and correction requests and complaints. To ask a privacy question or make a privacy complaint, please contact the staff person or program you have been dealing with or the Health Information and Privacy Analyst.
Information and Privacy Commissioners
You also have a right to formally complain about how the Health Department collects, uses, discloses and manages personal health information or how it supports your rights for consent, access and correction requests and complaints. These complaints are managed by the Information and Privacy Commissioner of Ontario (IPC), which is external to the Region and oversees compliance with PHIPA. The IPC can be reached at:
2 Bloor Street East, Suite 1400
Toronto, ON M4W 1A8
Toll Free: 1-800-387-0073
www.ipc.on.ca