Purpose
To outline the responsibilities of Oncidium Health Group [OHG] and all members of its workforce, including employees, subcontractors and consultants, to secure and protect the personal and personal health information in our possession.
Scope
All employees and contract consultants of the workforce of OHG.
Definition of Personal & Personal Health Information
Any information that is collected and linked to a specific individual, including but not limited to specific identifiers such as SIN, phone number and birth date; broader information such as financial information, employment records and health information; and any other information that allows the person to be identified. Personal information does not include information that is publicly available, such as the information in a phone book or on a business card. Personal health information is any information regarding the physical or mental health of an individual that is collected in the course of providing health services to that individual, or obtained from a third party following testing, examination or treatment of the individual. Personal and personal health information can be stored and/or transmitted in any form, whether electronically, on paper or through conversation.
Privacy Legislation
Federal: Personal Information Protection and Electronic Documents Act (PIPEDA, or C-6), applicable to Oncidium Health Group, effective January 1, 2004.
Provincial: An Act Respecting the Protection of Personal Information in the Private Sector (Quebec), and all corresponding provincial legislation; and the Personal Health Information Protection Act (PHIPA, or Bill 31, Ontario), applicable to Oncidium Health Group, effective November 1, 2004.
RIGHTS & RESPONSIBLITIES
Employee Rights
Oncidium Health Group collects, uses and discloses employee personal and personal health information only as necessary for personnel and benefits management and for the performance of the “Work” of Oncidium Health Group. Personal and personal health information about an employee or candidate will be collected from a third party only with the consent of the employee or candidate, except as permitted by law.
To protect the privacy and physical security of such personal information, personnel & business files will be maintained in a secure location in a locked filing cabinet at all times. Only individuals who need the information to carry out their job duties may have access to an employee’s personal and personal health information.
Appropriate measures will also be taken to ensure that personal and personal health information remains confidential. No one may disclose personal information to outsiders, or disclose it for other purposes unless the individual concerned consents, or except as permitted by law. References regarding an OHG employee may be provided only with the written consent of the employee to disclose such information and the name(s) of the party(ies) to whom the reference may be provided.
While most personal information is obtained when an employee joins OHG, the responsibility for updating personal information rests with each employee. Personal health information is acquired in the course of work in health & prevention and disability management services. Each employee who has personal or personal health information at OHG has the right to correct any inaccurate or incomplete information in his/her personnel or health file.
An OHG employee who wants to review his/her personnel file, or wants more information about this matter, should contact the Supervisor, Administration & Human Resources.
Employee Responsibilities
Every employee and contract member of OHG has a legal and ethical responsibility to safeguard the privacy and confidentiality of personal/health information received in any form. When an employee or contract member collects personal information directly from an individual in the course of his/her work, he/she must ensure that the individual is informed of all uses and disclosures of his/her personal information and that informed consent is obtained. In the specific case of personal health information, consent to collect, use and store the information cannot be implied; it must be expressly given by the individual.
In the course of work with OHG, employees and members of the workforce may have access to, or observe, such personal/health information. All employees and contract members of the workforce must ensure that such information is maintained in the strictest confidence by implementing the following procedures:
LEGAL RESPONSIBILITY
Accountability
Pursuant to privacy legislation, OHG has designated a Privacy Officer who is accountable for the organization’s compliance with privacy legislation.
The Privacy Officer is accountable for the following:
• Achieving and maintaining compliance with privacy legislation;
• Ongoing monitoring of compliance for all services, products and processes;
• Responding to all inquiries, including RFIs, RFPs, etc., regarding privacy compliance;
• Addressing all internal and external queries and complaints regarding privacy compliance;
• Reviewing marketing materials and service descriptions for privacy compliance;
• Updating corporate privacy procedures as needed;
• Ensuring employees are knowledgeable about their role in OHG’s ongoing commitment to protecting the privacy of personal/health information.
Limiting Use and Disclosure of Personal Information
When personal information must be discussed or otherwise shared with other OHG employees and members of the workforce, it must be on a “need-to-know basis” within the course of work. All employees and members of the workforce are to use their best judgment in determining if the person with whom they are sharing personal/health information has a business need-to-know about such information.
Employees and contract members of OHG are to use best efforts to ensure that others who do not have a need-to-know and are not directly involved in the matter cannot overhear such conversations and cannot see the personal/health information in question.
Electronic documents containing personal/health information will be stored only in secure databases that are accessible solely to employees who have been granted access and who authenticate with their own user ID and password. Employees must not share their personal user ID or password with others, and must take every reasonable precaution to protect the user ID and password from loss or theft.
When using, disclosing, or requesting personal information, reasonable care must be taken to limit information to the minimum amount necessary to accomplish the intended purpose. All employees and contract members of OHG are to use best judgment and consult their manager to determine if what is being requested is the minimal amount necessary.
All outgoing email must contain the following confidentiality notice: “The information contained herein, including any attachments, is proprietary and confidential and is intended for the exclusive use of the addressee. It may also contain privileged information and/or personal information subject to privacy legislation. Any dissemination or use of this information by a person other than the intended recipient is unauthorized and may be illegal. If you have received this email in error, please notify us immediately by reply email and destroy all copies.”
The OHG fax sheets must contain the required confidentiality language and must be used for all correspondence containing personal/health information.
Before providing personal information over the phone, all employees and contract members of OHG must use best efforts to verify the caller’s identity and confirm that the caller is in fact an individual entitled to receive the personal information. The questions asked to verify the caller are at the discretion of the business unit’s manager.
Upon becoming aware of an inappropriate use or disclosure of personal information in violation of these procedures, all are required to 1) notify the receiving party and instruct them to immediately destroy the information, and 2) notify the Privacy Officer of the situation.
Security Safeguards
Password-protected screen savers are to be used to restrict visibility of computer screens when left unattended. All employees are to use their own passwords, which are to be changed regularly. Monitors are to be turned away from plain view where practical.
Documents containing personal information are to be kept out of plain view and in locked cabinets or drawers when not in use.
No real (live) personal or personal health data is to be used for service presentations and/or software demonstrations.
Collection of Personal Information
When collecting personal/health information, all purposes for which the personal information is to be used, disclosed, transmitted or reported by OHG must be communicated to the person from whom we are collecting the information.
Unless an exception is available, the Client [Employer, Agent, Broker] from whom OHG receives personal information must state in the initial contract that they have obtained, or will obtain before submitting the personal information, consent to disclose the personal information for the intended purposes.
When OHG must disclose personal information to a third party to fulfill a contractual obligation (e.g., independent assessments, treatment providers), all such third-party contracts are to include language whereby the third party receiving the information commits to administering safeguards that protect the personal information as mandated by privacy legislation.
Challenging Compliance
Any internal or external complaints regarding the handling of personal information are to be brought to the attention of the Privacy Officer.
Individual Access
If an individual requests access to his/her personal/health information that has been collected and maintained by OHG, the employee or contract member of the workforce has a responsibility to provide the individual with access to view the personal information for accuracy and completeness. OHG has 30 days to comply with a request to view.
Consequences for Non-Compliance
Violations of these procedures by an employee or contract member of OHG will result in disciplinary action, up to and including dismissal.
Non-compliance by OHG with the responsibilities mandated by privacy legislation can result in financial penalties of up to $50,000 for individuals and up to $250,000 for corporations, as well as other legal action.