Canadian Diagnostic Network

Privacy Policy

TABLE of CONTENTS

Section Title

1. Who We Are

2. Accountability: Our Responsibilities and Commitment to Protecting your Privacy

3. What Personal Information We Collect & Why

4. Consent

4.1. Placing Conditions on or Restricting Consent

4.2. Withholding or Withdrawing Consent

4.3. When an Individual is Unable or Incapable of Providing Consent

5. Limiting the Collection, Use, Disclosure and Retention of Personal Information

5.1. Limiting the Collection of Personal Information

5.2. Limiting the Use and Disclosure of Personal Information

5.3. Retention

6. Accuracy of Your Personal Information

7. Safeguards- How We Protect Your Personal Information

8. Openness

9. Individual Access to Personal Information about Themselves

9.1. Correcting Personal Information

10. Changes to Our Privacy Policy & Privacy Officer Contact Information

The privacy of personal information is a valued and important principle to CMA Imaging, o/a

Canadian Diagnostic Network. We collect, use and disclose personal information according to the

regulations and guidelines established by the Personal Health Information Protection Act (PHIPA).

The standards of PHIPA are included as an integral component of our organization’s policies and

procedures, ensuring the individuals’ rights to privacy in regards to the obtainment and use of personal

information. In many ways PHIPA simply builds on our existing professional regulations, policies,

guidelines and practices.

1. WHO WE ARE

CMA Imaging, o/a Canadian Diagnostic Network is a privately owned, independent health service

facility providing a variety of medical services, examinations and procedures in order to assist in the

diagnosis and treatment of the patients of referring medical physicians. Because we provide a wide

range of health care services, we often deal with a number of other health care and health service

providers and third parties. These include hospitals, family physician practices, walk-in medical facilities,

specialists, laboratories, the Ministry of Health for Ontario, Cancer Care Ontario, and other

independent health facilities. In order to provide care and treatment for the patient, these affiliates and

third parties may require limited access to personal information. We restrict their access to only

the personal information that is required to provide the patient with an adequate level of health care,

service, diagnosis and/or treatment, with the patient’s authorization. Any affiliates or third parties we

work with have assured us that they follow privacy procedures according to their own established

policies under the Personal Health Information Protection Act and/or the Personal Information

Protection and Electronic Documents Act.

2. ACCOUNTABILITY- Our Responsibilities and Commitment to Protecting Your Privacy

We accept responsibility for collecting and handling any personal information of an individual. A specific

Privacy Officer has been appointed, in charge of ensuring our adherence to PHIPA and handling any

questions or concerns raised by the public. The Privacy Officer has the support of other staff members

and has been given the authority to intervene in privacy issues. The Privacy Officer is responsible for

analyzing existing procedures and making sure they coincide with PHIPA at both the written stages of the

policy and the execution and implementation of the policy. Our Privacy Officer’s name as well as their

contact information is provided below.

Our staff have been informed and trained regarding our privacy and policy procedures. They know how to

respond to public inquiries, are able to explain the concept of consent, are able to provide information for

how an individual may go about requesting access to their personal information, understand that concerns

regarding privacy are to be dealt with by the Privacy Officer and are aware of the security measures taken to

protect personal information.

Policies and procedures for our organization have been created and implemented to protect personal

information. Firstly, individuals are made aware of what personal information is required and why we

require that personal information by accessing our entire Privacy Policy, which is readily available on our

website. We limit the collection, use and disclosure of personal information by only providing it to

the referring physician and other health care providers according to our professional standards of

practice and/or as authorized by the individual (the patient). We do our best to ensure that the personal

information collected is complete, accurate and up-to-date. Security measures have been

implemented to protect personal information from any potential external threats. We also try to be as

open and transparent as possible in regards to how we collect, handle, use and disclose personal

information. All these measures will be explained in greater detail throughout our Privacy Policy.

3. WHAT PERSONAL INFORMATION we COLLECT and WHY

Personal health information refers to identifiable personal information, which may be factual or

subjective. It is information about an individual’s health or healthcare history regarding an individual’s

physical or mental condition, including family medical history; the provision of healthcare to an

individual; long-term healthcare services; payment or eligibility for healthcare; and the identity of a

healthcare provider or substitute decision-maker for an individual.

In accordance with Regulations made under the Independent Health Facilities Act, our organization is

required to create and/or keep a health record relating to the health services provided in our facility for

each individual who is or was a patient. Upon arrival at the clinic, the patient will be asked to complete

the information on the requisition, or if they have had a previous visit, they will be asked to confirm their

personal information. If an individual is not comfortable disclosing this information, they should inform

the front desk and we will do our best to make other arrangements; however, if the patient does not

provide certain personal information, the provision of health services may be interrupted or denied.

We only collect personal information that is important to the creation of a health file and in the function

and operation of our facility. The personal information that is collected is meant to enhance the efficiency

and quality of care we provide. Personal health information includes the following:

The patient’s full name as it appears on the health card or any health insurance documents (i.e. federal health insurance)

Date of birth

Sex and salutation

Address

Phone number

Information regarding the method of payment (i.e. OHIP number, federal health coverage information, other provincial/territorial coverage or private billing information)

Physical attributes like weight and height

A written record of the order for examination(s) or test(s) (requisition)

Any clinical information in relation to the specific procedure the individual is having (this is filled out by the referring physician on the requisition)

Previous medical examinations

Medical history, including family medical history

The identification of a substitute decision-maker

Any results, tests or imaging media from examinations

Previous diagnostic reports from other health facilities (i.e. mammography films and reports)

Prescription medicines

Referring Physician

This information is entered into our own, secure patient database and is used to compile a patient’s

confidential health file at our facility. This database of individual personal information is not shared with

anyone outside of our organization and our affiliates. We require this information for the following:

To deliver effective, efficient and high quality health services to our patients

To create a health file at our facility

To identify our patients

For billing and reimbursement purposes, to collect unpaid accounts and process payments in general

In order to perform the various administrative functions of our facility

Security reasons to prevent false and fraudulent identification

In order to perform the procedure or examination accurately and effectively

For contact information in order to communicate with our patients. This may be needed if the patient is having a special procedure which requires a scheduled appointment or needs additional views, and/or to book and confirm appointments

Provides a means of communication between physicians and other healthcare professionals involved in providing health care to the patient

To provide accurate information and findings to health care providers involved in the care of a particular patient

To meet audit regulations and to comply with the law (e.g. Canada Health Act, Independent Health Facilities Act) and regulatory requirements of the College of Physicians and Surgeons of Ontario

Generally, the personal health information is collected, used and disclosed in order to provide the

individual with an adequate level of health service and to ensure accurate medical diagnosis.

4. CONSENT

Our organization believes that consent is extremely important when collecting, handling and

disclosing personal information of an individual. According to the guidelines established by PHIPA,

we must obtain an individual’s “knowledgeable consent” to collect, use and disclose personal

information. Knowledgeable consent means that an effort must be made to make an individual aware of

what personal information is being collected by our organization, how we plan to use it, and how it will

be disclosed. An individual must be informed of their rights to withhold and withdraw consent. Under

PHIPA, consent is considered valid if it is knowledgeable, voluntary, related to the information in

question, and is given by the individual or an authorized decision-maker. Consent can be implied

for the collection, use or disclosure of personal health information in order to provide healthcare or

assisting in providing care. A patient’s circle of care refers to individuals, activities and services

provided, which are related to the care and treatment of a particular patient. Subsequently, it includes

health care providers such as doctors, as well as other related activities, such as diagnostic imaging.

More simply, it refers to all health-related people, procedures and services provided to adequately

diagnose and treat a particular patient. This means personal health information might need to be shared

with other healthcare providers for the purpose of providing care. Other healthcare providers may

include, but are not limited to hospitals, specialists, surgeons, and other diagnostic imaging facilities.

Consent can be implied through a

patient’s conduct and behavior with our facility. For example, consent is implied for the collection, use

and disclosure of personal health information for purposes related to an individual’s healthcare (as

mentioned above), if you attend our facility for any health-related services.

PHIPA also outlines various circumstances where express consent of an individual is required.

Express consent is explicit and direct and may be given verbally, in writing or electronically.

Circumstances where express consent is required:

When disclosing personal health information to an individual or organization outside the circle of care (e.g. an insurance provider)

When information is disclosed by our organization to another for any reason other than providing or assisting in providing healthcare

If we collect, use or disclose personal health information other than an individual’s name and mailing address for fundraising purposes, for marketing research or activities and/or for research purposes, unless certain conditions and restrictions have been met

PHIPA permits certain disclosures of personal health information without consent. These include:

When it is necessary to provide healthcare and is not possible to collect information directly from the patient, either in a timely manner or when there are reliability issues

When contacting a friend or relative

When confirming the patient is in the facility

When there is a risk of bodily harm

When there are audits and accreditations

4.1 PLACING CONDITIONS ON or RESTRICTING CONSENT

An individual has the right to restrict our organization from sharing all or any part of his/her

personal information. This means the individual has the right to tell our organization not to disclose

certain personal health information to another custodian. It should be noted that if an individual instructs

our organization not to disclose part of their personal health information to another health information

custodian, we are required to inform the receiving health information custodian that some personal

health information is unobtainable. More simply, a patient has the right to exercise the restriction of

sharing or disclosing personal information at any time, albeit pre or post. However, when a patient

exercises this, it is our legal obligation to tell the third party that information has been “locked” by the

patient. Moreover, there is a significant chance that the medical report of the patient will be incomplete.

According to our Privacy Policy, the report will include the clause, “The information contained in this

report is

incomplete. It was affected by the patient’s right to withhold information from other parties. The

information that is being withheld is only available from the patient.”

Our policy requires a patient wishing to restrict/limit access to his/her personal health information

to complete, sign and date a form, which instructs them of their specific rights, and outlines the

limitations of this right in this particular area. We are permitted to disclose any information to a recipient

custodian when in our professional opinion, the disclosure is needed to eliminate or reduce this risk of

bodily harm to an individual or group of people. Also, an individual’s conditions or restrictions may not

impede the collection, use or disclosure of personal health information that is required by other laws such

as the Canada Health Act, the Independent Health Facilities Act and/or professional or institutional

practices as outlined by the College of Physicians and Surgeons of Ontario.

4.2 WITHHOLDING or WITHDRAWING CONSENT

An individual can withdraw his/her consent at any time for the collection, use or disclosure of

his/her personal health information by providing notice to our organization. Withdrawal of consent

applies to both implied and express consent. It should be noted that withdrawing consent is not

retroactive. More simply, if information has been disclosed based on implied or express consent, we are

not required to recover the information that has already been disclosed.

In the case of an individual refusing or withholding or withdrawing consent, our organization’s

protocol is determined by professional standards of practices. Our policy is to refuse health services if a

patient withholds and refuses to disclose personal health information that we require in the function and

operation of our facility. This means, in some situations, depending on the information the patient

withholds or withdraws, the provision of the health service may be denied.

If a patient withdraws consent, the patient will be informed of the consequences. In some

situations, this could result in the interruption or denial of certain health services. The existing records of

the patient in question will be retained as required by the regulations and standards of practice established

under the Independent Health Facilities Act. This maintains patient safety and ensures that audit and

regulatory requirements have been met. We will record the withdrawal of consent as part of the patient’s

existing file and will inform those to whom the personal information had been disclosed.

4.3 WHEN an INDIVIDUAL IS UNABLE or INCAPABLE of PROVIDING CONSENT

In general, PHIPA assumes that individuals are capable of making decisions pertaining to the

collection, use and disclosure of their own personal health information, if they are able to comprehend the

consequences of providing, withholding or withdrawing their consent. If we believe an individual is

incapable of providing consent, PHIPA allows a substitute decision-maker like a relative, spouse, child’s

parent, or Public Guardian and Trustee.

5. LIMITING the COLLECTION, USE, DISCLOSURE and RETENTION of PERSONAL

INFORMATION

5.1 LIMITING the COLLECTION of PERSONAL INFORMATION

The personal information collected is necessary for the function and day-to-day operations of our

organization. Personal information is collected with discretion and confidentiality. The collection of

personal health information is limited to that which is necessary for the purposes outlined in section 3 of

our Privacy Policy. The Ministry of Health for the province of Ontario, under the Independent Health

Facilities Act, has established regulations in regards to what personal information can be and needs to be

collected to compile a health record within the facility. Personal information collected is typically used

for administrative and billing purposes, to perform the examination, and to ensure accurate diagnosis and

communication among the health care providers for the particular patient. More specific and detailed

purposes for collecting personal information can be found in our Privacy Policy under section 3.

Personal information that is not essential to the purposes of collection, use or disclosure need not be

provided and will not be collected as part of the patient’s health record at our facility.

Although PHIPA requires the collection of personal health information to be directly from the patient,

there are certain circumstances where our facility may be able to collect personal information indirectly.

Exceptions to the direct collection of personal health information are as follows:

When the individual consents

When the collection is necessary for providing healthcare and it is not possible to obtain the information directly from the individual in a timely manner

When we collect personal information for research purposes (provided that certain conditions are met)

When the indirect collection is required or permitted by law

When the indirect collection is required for the purpose of health planning for a particular patient or management

Risk and error management

Processing claims for payment under any other Act or program administered by the Minister

When the Information and Privacy Commissioner authorizes the indirect collection

5.2 LIMITING the USE and DISCLOSURE of PERSONAL INFORMATION

Personal information collected will not be used or disclosed for any purposes other than those for which it

was originally collected. More specifically, personal information will only be used or disclosed for the

purposes outlined in section 3 of our Privacy Policy. If personal information needs to be used or disclosed

for any reason other than the purposes outlined in section 3, the individual in question must consent to the

use or disclosure of their personal information, or the use or disclosure must be authorized under the

Personal Health Information Protection Act.

Consent for the use and disclosure of an individual’s personal information is not necessary when/if:

There is an emergency situation where the patient is physically or mentally unable to consent, or consent cannot be attained quickly, and it is in the best interest of the patient to use or disclose personal information

Information is discussed for the care and treatment of the patient within the circle of care (i.e. if a health professional receives a request from another health professional to access an individual’s personal information in order to adequately provide that individual with health care or assist in providing the individual with healthcare/treatment)

Other circumstances previously outlined in section 4 of our Privacy Policy

5.3 RETENTION

Our retention policies for patient records coincide with the guidelines established under the Independent

Health Facilities Act. Maximum and minimum retention periods have been established based on these

guidelines. When a patient’s health record is purged, imaging media is destroyed, paper records or

documents are shredded and electronic computer files containing information are erased from the

computer’s hard drive. Information that does not have a specific purpose or no longer fulfills its intended

purpose will be destroyed or disposed of accordingly. Instructions for the retention of personal information

in the patient’s health record, as well as the proper way to dispose of or discard the personal information, are

included in our policy and procedures manual for employees. Following these guidelines and regulations

ensures that an individual’s personal information is not stored or kept unnecessarily, and protects the

patient’s privacy rights.

6. ACCURACY of YOUR PERSONAL INFORMATION

We will do our best to ensure that personal information is as accurate, complete and up-to-date as

possible. This will reduce the chances of incorrect personal information being used or disclosed to third

parties. However, personal information will only be updated based on necessity and only to fulfill the

required purposes. Certain personal information such as the patient’s name, address, phone number and

OHIP or other billing information (commonly referred to as “factual information”) will be updated

directly on our secured patient database when the patient comes in for an examination. Because our

patient database is separate and for our facility’s use only, certain personal information is not

automatically updated when an individual updates their information with OHIP. Also, when we receive

personal information from third parties, we will make sure that the information is complete. The patient

cannot demand that their record be changed instantly; instead, they can seek correction and change, which

will then be taken into consideration and reviewed by the Privacy Officer who will determine whether or

not the change should be made.

7. SAFEGUARDS- How We Protect Your Personal Information

Given the sensitive nature of the personal information we collect and use, confidentiality has always been

a strong pillar of our organization’s set of values. Privacy and confidentiality have always been an

important value in the provision of health services and our organization is no exception. We believe in

protecting and securing an individual’s personal information from unauthorized and inappropriate access.

Information will be safeguarded from unauthorized access, use, disclosure, copying or modification.

Personal information, regardless of the format will be protected. We have implemented a variety of

security safeguards to protect personal information. These security measures seek to ensure no

unauthorized parties dispose of, obtain access to, modify or destroy an individual’s personal information.

This is a brief summary of the security measures we have taken:

Physical Measures: Physical measures are taken to protect and secure personal

information. These include, but are not limited to physical barriers

separating patient areas and employee areas, locked filing cabinets and

storage facilities, restricting access to certain areas of the facility and the

use of a burglar alarm system.

Technological Measures: Technological tools are also used to protect personal

information. These include passwords for all computers used to

enter and store personal information, passwords for certain

software programs used for the collection and retention of

personal information and firewalls to restrict access and prevent

unauthorized and inappropriate use and disclosure. In addition,

computers are kept in designated “employee-only” areas.

Organizational Controls: Organizational controls are used to protect an individual’s

personal information. Access to personal information is limited and

restricted, based on “need-to-know” basis for employees and any third

parties involved in the care and treatment of an individual. Staff is

trained to collect, use and disclose personal information only to complete

outlined purposes. Employees must agree to the terms of a

confidentiality agreement, which clearly instructs that the personal

information of patients is confidential, and must be protected from

unauthorized access, use, disclosure, copying and modification.

Personal information is retained only for the time period required by the regulations made under the

Independent Health Facilities Act; this ensures that personal information is not kept unnecessarily. When

discarding personal information, we are guaranteed that it is done responsibly. For example, personal

information recorded on paper is shredded so personal information of a patient is no longer

comprehensible.

Our security measures have been developed and implemented based on the nature and sensitivity of the

personal information we collect, use and disclose, the amount of information we collect and retain, to

whom we disclose the information, the form of the information (electronic, imaging media, paper, files,

etc.) and how we store the information. Our Privacy Officer and senior levels of management will

periodically review our security measures and update and modify them if necessary.

8. OPENNESS

We want patients, referring physicians, third parties and employees to be informed of our policies and

practices for the management and use of personal information. We try our best to make our privacy

policies and procedures as transparent as possible. There are a number of ways we ensure openness and

transparency in regards to our privacy policy and practices:

By posting our entire privacy policy on our web page. This makes our privacy policy readily available to the public.

Staff trained specifically to deal with public inquiries, concerns, questions and complaints

Contact information of the Privacy Officer is posted on the website and can also be obtained from our office to deal with any other inquiries

Our policies regarding how we collect, use and disclose personal information are understandable,

consistent and readily available to the public. We strongly believe that our patients should know about

their privacy rights. Therefore, we try to be as open and as transparent as possible in regards to our privacy practices.

9. Individual Access to their Personal Information

Under PHIPA, patients have the general right to access their personal health information. Laws explicitly

state that the original documents are to be retained by us; however, having copies is your right. A patient

can request access to their personal health information by putting their request in writing. A patient’s right

to personal information is not unconditional (see below). According to PHIPA, we as health information

custodians have 30 days to respond to the written request. Extensions beyond 30 days are allowed if

fulfilling the request in 30 days obstructs the operation of our facility or when consultations with outside

sources are required in order to meet the terms of the patient’s request. If this is the case, it is our policy to

inform the patient, in writing, that we have received their request, but there will be a delay and outline the

reasons for the delay.

Our policy also requires that the patient requesting access fill out two access forms within our facility.

These forms are needed for administrative purposes and so requests for access to and release of personal

health information are properly recorded and documented as part of the patient’s health record. It should

also be noted that requesting access to personal health information and the release of such information is

not covered under the Ontario Health Insurance Program (OHIP).

A patient’s rights to access their personal information are not unconditional. We can refuse access in

limited situations, such as:

Providing access would mean disclosing information about another individual, unless the other individual has consented

When the information in question is subject to legal privilege

When providing information could threaten the life or security of another individual

Another law prohibits the disclosure of the information

If providing access to personal information would reveal confidential commercial information

If we deny your request for access to personal information, we will explain why.

9.1 Corrections to Personal Health Information

If a patient believes that their personal health information is incomplete or erroneous, the individual has

the right to request that we correct their file.

A patient who wants to correct his/her personal health information must submit a written request to us.

We will look into the request and respond within 30 days of receiving any such request. If replying within

30 days interferes with our daily operation, or if we need time to investigate the request and consult with

third parties regarding the request we will inform the patient that we need more time and why we need

more time.

We will change and correct personal information after the individual has demonstrated to our satisfaction

that the record is inaccurate or incomplete and provides us with the relevant information needed to correct

the record. We will correct information responsibly and based on our existing standards of professional

practice. Requests to correct personal information are limited to factual personal information and do not

apply to professional opinions developed by our healthcare professionals. If correction is refused on such

a basis, we will inform the patient of the refusal and the reasons for the refusal.

10. Changes to our Privacy Policy and Our Privacy Officer’s Contact Information

We will periodically review our privacy policies and procedures. We reserve the right to make

amendments to our Privacy Policy in the future.

Any specific inquiries and concerns can be directed to our appointed Privacy Officer. Written inquiries,

concerns or requests can be in the form of a mailed letter, an e-mail or fax. Please direct the written

request to our Privacy Officer. Our Privacy Officer can be contacted at:

Attention: Mrs. Lisa Simpson

Email: [email protected]

CDN Imaging

1 Centrepointe Dr

Nepean, ON K2G 6E2

We take your privacy inquiries, concerns and requests very seriously. We will respond to you in a timely

manner and to the best of our ability. If you are not satisfied with our response, the Information and

Privacy Commissioner of Ontario can be reached at:

2 Bloor Street East, Suite 1400

Toronto, Ontario, M4W1A8

(416) 326-3333

1-800-387-0073

Website: www.ipc.on.ca