TABLE of CONTENTS
1. Who We Are
2. Accountability: Our Responsibilities and Commitment to
Protecting your Privacy
3. What Personal Information We Collect & Why
4.1. Placing Conditions on or Restricting Consent
4.2. Withholding or Withdrawing Consent
4.3. When an Individual is Unable or Incapable of Providing Consent
5. Limiting the Collection, Use, Disclosure and Retention of Personal Information
5.1. Limiting the Collection of Personal Information
5.2. Limiting the Use and Disclosure of Personal Information
6. Accuracy of Your Personal Information
7. Safeguards- How We Protect Your Personal Information
9. Individual Access to Personal Information about Themselves
9.1. Correcting Personal Information
The privacy of personal information is a valued and important principle to CMA Imaging, o/a
Canadian Diagnostic Network. We collect, use and disclose personal information according to the
regulations and guidelines established by the Personal Health Information Protection Act (PHIPA).
The standards of PHIPA are included as an integral component of our organization’s policies and
procedures, ensuring the individuals’ rights to privacy in regards to the obtainment and use of personal
information. In many ways PHIPA simply builds on our existing professional regulations, policies,
guidelines and practices.
1. WHO WE ARE
CMA Imaging, o/a Canadian Diagnostic Network is a privately owned, independent health service
facility providing a variety of medical services, examinations and procedures in order to assist in the
diagnosis and treatment of the patients of referring medical physicians. Because we provide a wide
range of health care services, we often deal with a number of other health care and health service
providers and third parties. These include hospitals, family physician practices, walk-in medical facilities,
specialists, laboratories, the Ministry of Health for Ontario, Cancer Care Ontario, and other
independent health facilities. In order to provide care and treatment for the patient, these affiliates and
third parties may require limited access to personal information. We restrict their access to only
the personal information that is required to provide the patient with an adequate level of health care,
service, diagnosis and/or treatment, with the patient’s authorization. Any affiliates or third parties we
work with have assured us that they follow privacy procedures according to their own established
policies under the Personal Health Information Protection Act and/or the Personal Information
Protection and Electronic Documents Act.
2. ACCOUNTABILITY- Our Responsibilities and Commitment to Protecting Your Privacy
We accept responsibility for collecting and handling any personal information of an individual. A specific
Privacy Officer has been appointed to ensure our adherence to PHIPA and to handle any
questions or concerns raised by the public. The Privacy Officer has the support of other staff members
and has been given the authority to intervene in privacy issues. The Privacy Officer is responsible for
analyzing existing procedures and making sure they coincide with PHIPA at both the written stages of the
policy and the execution and implementation of the policy. Our Privacy Officer’s name as well as their
contact information is provided below.
Our staff have been informed and trained regarding our privacy and policy procedures. They know how to
respond to public inquiries, are able to explain the concept of consent, are able to provide information for
how an individual may go about requesting access to their personal information, understand that concerns
regarding privacy are to be dealt with by the Privacy Officer, and are aware of the security measures taken to
protect personal information.
Policies and procedures for our organization have been created and implemented to protect personal
information. Firstly, individuals are made aware of what personal information is required and why we
website. We limit the collection, use and disclosure of personal information by only providing it to
the referring physician and other health care providers according to our professional standards of
practice and/or as authorized by the individual (the patient). We do our best to ensure that the personal
information collected is complete, accurate and up-to-date. Security measures have been
implemented to protect personal information from any potential external threats. We also try to be as
open and transparent as possible in regards to how we collect, handle, use and disclose personal
information. All these measures will be explained in greater detail throughout our Privacy Policy.
3. WHAT PERSONAL INFORMATION we COLLECT and WHY
Personal health information refers to identifiable personal information, which may be factual or
subjective. It is information about an individual’s health or healthcare history regarding an individual’s
physical or mental condition, including family medical history; the provision of healthcare to an
individual; long-term healthcare services; payment or eligibility for healthcare; and the identity of a
healthcare provider or substitute decision-maker for an individual.
In accordance with Regulations made under the Independent Health Facilities Act, our organization is
required to create and/or keep a health record relating to the health services provided in our facility for
each individual who is or was a patient. Upon arrival at the clinic, the patient will be asked to complete
the information on the requisition, or if they have had a previous visit, they will be asked to confirm their
personal information. If an individual is not comfortable disclosing this information, they should inform
the front desk and we will do our best to make other arrangements; however, if the patient does not
provide certain personal information, the provision of health services may be interrupted or denied.
We only collect personal information that is important to the creation of a health file and in the function
and operation of our facility. The personal information that is collected is meant to enhance the efficiency
and quality of care we provide. Personal health information includes the following:
The patient’s full name as it appears on the health card or any health insurance documents (i.e.
federal health insurance)
Date of birth
Sex and salutation
Information regarding the method of payment (i.e. OHIP number, federal health coverage
information, other provincial/territorial coverage or private billing information)
Physical attributes like weight and height
A written record of the order for examination(s) or test(s) (requisition)
Any clinical information in relation to the specific procedure the individual is having (this is
filled out by the referring physician on the requisition)
Previous medical examinations
Medical history, including family medical history
The identification of a substitute decision-maker
Any results, tests or imaging media from examinations
Previous diagnostic reports from other
health facilities (i.e. mammography films and reports)
This information is entered into our own, secure patient database and is used to compile a patient’s
confidential health file at our facility. This database of individual personal information is not shared with
anyone outside of our organization and our affiliates. We require this information for the following:
To deliver effective, efficient and high quality health services to our patients
To create a health file at our facility
To identify our patients
For billing and reimbursement purposes, to collect unpaid accounts and process payments in
In order to perform the various administrative functions of our facility
Security reasons to prevent false and fraudulent identification
In order to perform the procedure or examination accurately and effectively
For contact information in order to communicate with our patients. This may be needed if the
patient is having a special procedure which requires a scheduled appointment or needs additional
views, and/or to book and confirm appointments
Provides a means of communication between physicians and other healthcare professionals
involved in providing health care to the patient
To provide accurate information and findings to health care providers involved in the care of a
To meet audit regulations and to comply with the law (e.g. Canada Health Act, Independent
Health Facilities Act) and regulatory requirements of the College of Physicians and Surgeons of
Generally, the personal health information is collected, used and disclosed in order to provide the
individual with an adequate level of health service and to ensure accurate medical diagnosis.
Our organization believes that consent is extremely important when collecting, handling and
disclosing personal information of an individual. According to the guidelines established by PHIPA,
we must obtain an individual’s “knowledgeable consent” to collect, use and disclose personal
information. Knowledgeable consent means that an effort must be made to make an individual aware of
what personal information is being collected by our organization, how we plan to use it, and how it will
be disclosed. An individual must be informed of their rights to withhold and withdraw consent. Under
PHIPA, consent is considered valid if it is knowledgeable, voluntary, related to the information in
question, and is given by the individual or an authorized decision-maker. Consent can be implied
for the collection, use or disclosure of personal health information in order to provide healthcare or
assist in providing care. A patient’s circle of care refers to individuals, activities and services
provided, which are related to the care and treatment of a particular patient. Subsequently, it includes
health care providers such as doctors, as well as other related activities, such as diagnostic imaging.
More simply, it refers to all health-related people, procedures and services provided to adequately
diagnose and treat a particular patient. This means personal health information might need to be shared
with other healthcare providers for the purpose of providing care. Other healthcare providers may
include, but are not limited to hospitals, specialists, surgeons, and other diagnostic imaging facilities.
Consent can be implied through a
patient’s conduct and behavior with our facility. For example, consent is implied for the collection, use
and disclosure of personal health information for purposes related to an individual’s healthcare (as
mentioned above), if you attend our facility for any health-related services.
PHIPA also outlines various circumstances where express consent of an individual is required.
Express consent is explicit and direct and may be given verbally, in writing or electronically.
Circumstances where express consent is required:
When disclosing personal health information to an individual or organization outside the circle of
care (e.g. an insurance provider)
When information is disclosed by our organization to another for any reason other than providing
or assisting in providing healthcare
If we collect, use or disclose personal health information other than an individual’s name and
mailing address for fundraising purposes, for marketing research or activities and/or for research
purposes, unless certain conditions and restrictions have been met
PHIPA permits certain disclosures of personal health information without consent. These include:
When it is necessary to provide healthcare and is not possible to collect information directly from
the patient, either in a timely manner or when there are reliability issues
When contacting a friend or relative
When confirming the patient is in the facility
When there is a risk of bodily harm
When there are audits and accreditations
4.1 PLACING CONDITIONS ON or RESTRICTING CONSENT
An individual has the right to restrict our organization from sharing all or any part of his/her
personal information. This means the individual has the right to tell our organization not to disclose
certain personal health information to another custodian. It should be noted that if an individual instructs
our organization not to disclose part of their personal health information to another health information
custodian, we are required to inform the receiving health information custodian that some personal
health information is unobtainable. More simply, a patient has the right to exercise the restriction of
sharing or disclosing personal information at any time, albeit pre or post. However, when a patient
exercises this, it is our legal obligation to tell the third party that information has been “locked” by the
patient. Moreover, there is a significant chance that the medical report of the patient will be incomplete.
incomplete. It was affected by the patient’s right to withhold information from other parties. The
information that is being withheld is only available from the patient.”
Our policy requires a patient wishing to restrict/limit access to his/her personal health information
to complete, sign and date a form, which instructs them of their specific rights, and outlines the
limitations of this right in this particular area. We are permitted to disclose any information to a recipient
custodian when, in our professional opinion, the disclosure is needed to eliminate or reduce the risk of
bodily harm to an individual or group of people. Also, an individual’s conditions or restrictions may not
impede the collection, use or disclosure of personal health information that is required by other laws such
as the Canada Health Act, the Independent Health Facilities Act and/or professional or institutional
practices as outlined by the College of Physicians and Surgeons of Ontario.
4.2 WITHHOLDING or WITHDRAWING CONSENT
An individual can withdraw his/her consent at any time for the collection, use or disclosure of
his/her personal health information by providing notice to our organization. Withdrawal of consent
applies to both implied and express consent. It should be noted that withdrawing consent is not
retroactive. More simply, if information has been disclosed based on implied or express consent, we are
not required to recover the information that has already been disclosed.
In the case of an individual refusing or withholding or withdrawing consent, our organization’s
protocol is determined by professional standards of practices. Our policy is to refuse health services if a
patient withholds and refuses to disclose personal health information that we require in the function and
operation of our facility. This means, in some situations, depending on the information the patient
withholds or withdraws, the provision of the health service may be denied.
If a patient withdraws consent, the patient will be informed of the consequences. In some
situations, this could result in the interruption or denial of certain health services. The existing records of
the patient in question will be retained as required by the regulations and standards of practice established
under the Independent Health Facilities Act. This maintains patient safety and ensures that audit and
regulatory requirements have been met. We will record the withdrawal of consent as part of the patient’s
existing file and will inform those to whom the personal information had been disclosed.
4.3 WHEN an INDIVIDUAL IS UNABLE or INCAPABLE of PROVIDING CONSENT
In general, PHIPA assumes that individuals are capable of making decisions pertaining to the
collection, use and disclosure of their own personal health information, if they are able to comprehend the
consequences of providing, withholding or withdrawing their consent. If we believe an individual is
incapable of providing consent, PHIPA allows a substitute decision-maker, such as a relative, spouse, child’s
parent, or the Public Guardian and Trustee, to provide consent on the individual’s behalf.
5. LIMITING the COLLECTION, USE, DISCLOSURE and RETENTION of PERSONAL INFORMATION
5.1 LIMITING the COLLECTION of PERSONAL INFORMATION
The personal information collected is necessary for the function and day-to-day operations of our
organization. Personal information is collected with discretion and confidentiality. The collection of
personal health information is limited to that which is necessary for the purposes outlined in section 3 of
Facilities has established regulations in regards to what personal information can be and needs to be
collected to compile a health record within the facility. Personal information collected is typically used
for administrative and billing purposes, to perform the examination, and to ensure accurate diagnosis and
communication among the health care providers for the particular patient. More specific and detailed
Personal information that is not essential to the purposes of collection, use or disclosure need not be
provided and will not be collected as part of the patient’s health record at our facility.
Although PHIPA requires the collection of personal health information to be directly from the patient,
there are certain circumstances where our facility may be able to collect personal information indirectly.
Exceptions to the direct collection of personal health information are as follows:
When the individual consents
When the collection is necessary for providing healthcare and it is not possible to obtain the
information directly from the individual in a timely manner
When we collect personal information for research purposes (provided that certain conditions are
When the indirect collection is required or permitted by law
When the indirect collection is required for the purpose of health planning for a particular patient
Risk and error management
Processing claims for payment under any other Act or program administered by the Minister
When the Information and Privacy Commissioner authorizes the indirect collection
5.2 LIMITING the USE and DISCLOSURE of PERSONAL INFORMATION
Personal information collected will not be used or disclosed for any purposes other than those for which it
was originally collected. More specifically, personal information will only be used or disclosed for the
for any reason other than the purposes outlined in section 3, the individual in question must consent to the
use or disclosure of their personal information, or the use or disclosure must be authorized under the
Personal Health Information Protection Act.
Consent for the use and disclosure of an individual’s personal information is not necessary when/if:
There is an emergency situation where the patient is physically or mentally unable to consent, or
consent cannot be attained quickly, and it is in the best interest of the patient to use or disclose
Information is discussed for the care and treatment of the patient within the circle of care (i.e. if a
health professional receives a request from another health professional to access an individual’s
personal information in order to adequately provide that individual with health care or assist in
providing the individual with healthcare/treatment)
Our retention policies for patient records coincide with the guidelines established under the Independent
Health Facilities Act. Maximum and minimum retention periods have been established based on these
guidelines. When a patient’s health record is purged, imaging media is destroyed, paper records or
documents are shredded and electronic computer files containing information are erased from the
computer’s hard drive. Information that does not have a specific purpose or no longer fulfills its intended
purpose will be destroyed or disposed of accordingly. Instructions for the retention of personal information
in the patient’s health record, as well as the proper way to dispose of or discard the personal information, are
included in our policy and procedures manual for employees. Following these guidelines and regulations
ensures that an individual’s personal information is not stored or kept unnecessarily, and protects the
patient’s privacy rights.
6. ACCURACY of YOUR PERSONAL INFORMATION
We will do our best to ensure that personal information is as accurate, complete and up-to-date as
possible. This will reduce the chances of incorrect personal information being used or disclosed to third
parties. However, personal information will only be updated based on necessity and only to fulfill the
required purposes. Certain personal information such as the patient’s name, address, phone number and
OHIP or other billing information (commonly referred to as “factual information”) will be updated
directly on our secured patient database when the patient comes in for an examination. Because our
patient database is separate and for our facility’s use only, certain personal information is not
automatically updated when an individual updates their information with OHIP. Also, when we receive
personal information from third parties, we will make sure that the information is complete. The patient
cannot demand that their record be changed instantly; instead, they can seek correction and change, which
will then be taken into consideration and reviewed by the Privacy Officer who will determine whether or
not the change should be made.
7. SAFEGUARDS- How We Protect Your Personal Information
Given the sensitive nature of the personal information we collect and use, confidentiality has always been
a strong pillar of our organization’s set of values. Privacy and confidentiality have always been an
important value in the provision of health services and our organization is no exception. We believe in
protecting and securing an individual’s personal information from unauthorized and inappropriate access.
Information will be safeguarded from unauthorized access, use, disclosure, copying or modification.
Personal information, regardless of the format will be protected. We have implemented a variety of
security safeguards to protect personal information. These security measures seek to ensure no
unauthorized parties dispose, obtain access to, modify or destroy an individual’s personal information.
This is a brief summary of the security measures we have taken:
Physical Measures: Physical measures are taken to protect and secure personal
information. These include, but are not limited to physical barriers
separating patient areas and employee areas, locked filing cabinets and
storage facilities, restricting access to certain areas of the facility and the
use of a burglar alarm system.
Technological Measures: Technological tools are also used to protect personal
information. These include passwords for all computers used to
enter and store personal information, passwords for certain
software programs used for the collection and retention of
personal information and firewalls to restrict access and prevent
unauthorized and inappropriate use and disclosure. In addition,
computers are kept in designated “employee-only” areas.
Organizational Controls: Organizational controls are used to protect an individual’s
personal information. Access to personal information is limited and
restricted on a “need-to-know” basis for employees and any third
parties involved in the care and treatment of an individual. Staff is
trained to collect, use and disclose personal information only to complete
outlined purposes. Employees must agree to the terms of a
confidentiality agreement, which clearly instructs that the personal
information of patients is confidential, and must be protected from
unauthorized access, use, disclosure, copying and modification.
Personal information is retained only for the time period required by the regulations made under the
Independent Health Facilities Act; this ensures that personal information is not kept unnecessarily. When
discarding personal information, we are guaranteed that it is done responsibly. For example, personal
information recorded on paper is shredded so personal information of a patient is no longer
Our security measures have been developed and implemented based on the nature and sensitivity of the
personal information we collect, use and disclose, the amount of information we collect and retain, to
whom we disclose the information, the form of the information (electronic, imaging media, paper, files,
etc.) and how we store the information. Our Privacy Officer and senior levels of management will
periodically review our security measures and update and modify them if necessary.
We want patients, referring physicians, third parties and employees to be informed of our policies and
practices for the management and use of personal information. We try our best to make our privacy
policies and procedures as transparent as possible. There are a number of ways we ensure openness and
available to the public.
Staff trained specifically to deal with public inquiries, concerns, questions and complaints
Contact information of the Privacy Officer is posted on the website and can also be obtained from
our office to deal with any other inquiries
Our policies regarding how we collect, use and disclose personal information are understandable,
consistent and readily available to the public. We strongly believe that our patients should know about
their privacy rights. Therefore, we try to be as open and transparent as possible in regards to our privacy practices.
9. Individual Access to their Personal Information
Under PHIPA, patients have the general right to access their personal health information. Laws explicitly
state that the original documents are to be retained by us; however, having copies is your right. A patient
can request access to their personal health information by putting their request in writing. A patient’s right
to personal information is not unconditional (see below). According to PHIPA, we as health information
custodians have 30 days to respond to the written request. Extensions beyond 30 days are allowed if
fulfilling the request in 30 days obstructs the operation of our facility or when consultations with outside
sources are required in order to meet the terms of the patient’s request. If this is the case, it is our policy to
inform the patient, in writing, that we have received their request, but there will be a delay and outline the
reasons for the delay.
Our policy also requires that the patient requesting access fill out two access forms within our facility.
These forms are needed for administrative purposes and so requests for access to and release of personal
health information are properly recorded and documented as part of the patient’s health record. It should
also be noted that requesting access to personal health information and the release of such information is
not covered under the Ontario Health Insurance Program (OHIP).
A patient’s rights to access their personal information are not unconditional. We can refuse access in
limited situations, such as:
Providing access would mean disclosing information about another individual, unless the other
individual has consented
When the information in question is subject to legal privilege
When providing information could threaten the life or security of another individual
Another law prohibits the disclosure of the information
If providing access to personal information would reveal confidential commercial information
If we deny your request for access to personal information, we will explain why.
9.1 Corrections to Personal Health Information
If a patient believes that their personal health information is incomplete or erroneous, the individual has
the right to request that we correct their file.
A patient who wants to correct his/her personal health information must submit a written request to us.
We will look into the request and respond within 30 days of receiving any such request. If replying within
30 days interferes with our daily operation, or if we need time to investigate the request and consult with
third parties regarding the request we will inform the patient that we need more time and why we need
We will change and correct personal information after the individual has demonstrated to our satisfaction
that the record is inaccurate or incomplete and provides us with the relevant information needed to correct
the record. We will correct information responsibly and based on our existing standards of professional
practice. Requests to correct personal information are limited to factual personal information and do not
apply to professional opinions developed by our healthcare professionals. If correction is refused on such
a basis, we will inform the patient of the refusal and the reasons for the refusal.
We will periodically review our privacy policies and procedures. We reserve the right to make
Any specific inquiries and concerns can be directed to our appointed Privacy Officer. Written inquiries,
concerns or requests can be in the form of a mailed letter, an e-mail or fax. Please direct the written
request to our Privacy Officer. Our Privacy Officer can be contacted at:
Attention: Mrs. Lisa Simpson
Email: [email protected]
1 Centrepointe Dr
Nepean, ON K2G 6E2
We take your privacy inquiries, concerns and requests very seriously. We will respond to you in a timely
manner and to the best of our ability. If you are not satisfied with our response, the Information and
Privacy Commissioner of Ontario can be reached at:
2 Bloor Street East, Suite 1400
Toronto, Ontario, M4W1A8