Privacy Policy
Privacy Code and Policies of Heal A’Peel Lifestyle Centre (HAPLC)
Personal Information Protection and Electronic Documents Act (PIPEDA)
What is PIPEDA and what does it imply for HAPLC:
The Code
was developed by business, consumers, academics and government
under the auspices of the Canadian Standards Association.
It lists 10 principles of fair information practices, which
form ground rules for the collection, use and disclosure of
personal information. These principles give individuals control
over how their personal information is handled in the private
sector.
Complete
information regarding PIPEDA can be found at: www.privcom.gc.ca
An organization
is responsible for the protection of personal information
and the fair handling of it at all times, throughout the organization
and in dealings with third parties. Care in collecting, using
and disclosing personal information is essential to continued
consumer confidence and good will.
The 10
principles that businesses must follow are:
1. Accountability
2. Identifying purposes
3. Consent
4. Limiting collection
5. Limiting use, disclosure, and retention
6. Accuracy
7. Safeguards
8. Openness
9. Individual access
10. Challenging compliance
A. The responsibilities of any organization included under PIPEDA:
i. Comply
with all the above 10 principles.
ii. Appoint an individual (or individuals) to be responsible
for the organization's compliance.
iii. Protect all personal information held by the organization
or transferred to a third party for processing.
iv. Develop and implement personal information policies and
practices.
B. How the organization fulfills these responsibilities
1. Give
the designated privacy official senior management support
and the authority to intervene on privacy issues relating
to any of the organization's operations.
2. Communicate
the name or title of this individual internally and externally
(e.g. on web sites and in publications).
3. Analyze
all personal information handling practices including ongoing
activities and new initiatives, using the following checklist
to ensure that they meet fair information practices:
i. What personal information do we collect?
ii. Why do we collect it?
iii. How do we collect it?
iv. What do we use it for?
v. Where do we keep it?
vi. How is it secured?
vii. Who has access to or uses it?
viii. To whom is it disclosed?
ix. When is it disposed of?
4. Develop
and implement policies and procedures to protect personal
information:
x. define the purposes of its collection,
xi. obtain consent,
xii. limit its collection, use and disclosure,
xiii. ensure information is correct, complete and current,
xiv. ensure adequate security measures,
xv. develop or update a retention and destruction timetable,
xvi. process access requests, and
xvii. respond to inquiries and complaints.
5. Include
a privacy protection clause in contracts to guarantee that
the third party provides the same level of protection as your
organization does.
6. Inform
and train staff on privacy policies and procedures.
7. Make
information available explaining these policies and procedures
to clients and customers (e.g. in brochures and on web sites).
B.1 As of January 1, 2002
The Act
extends to personal health information for the organizations
and activities covered in the first stage. Personal health
information is defined as information about an individual's
mental or physical health, including information concerning
health services provided and information about tests and examinations.
B.2 As of January 1, 2004
The Act
extends to the collection, use or disclosure of personal information
in the course of any commercial activity within a province.
However, the federal government may exempt organizations and/or
activities in provinces that have adopted substantially similar
privacy legislation.
The Act
will also apply to all personal information in all interprovincial
and international transactions by all organizations subject
to the Act in the course of their commercial activities.
B.3 Privacy Commissioner of Canada
The Act
establishes the Privacy Commissioner of Canada as the ombudsman
for complaints under this Act. The Commissioner investigates
complaints, conducts audits, promotes awareness of and undertakes
research about privacy matters.
Please
refer to the Guide for Businesses and Organizations to Canada's
Personal Information Protection and Electronic Documents Act
(PIPEDA) for more information.
C. Under PIPEDA the following are required by this Centre:
1) Appointment
of a Privacy Information Officer (PIO). The PIO is the public
contact person for HAPLC to whom all questions and concerns
regarding this Privacy Code and Policies (from here on
referred to as the Code) are directed. The PIO is also responsible
for ensuring compliance of the policies of this Code by HAPLC
staff (which includes reception staff, therapists, volunteers,
independent contract workers etc), informing and, if necessary,
training the members of HAPLC staff of the policies and procedures
to comply with the Code, and carrying out the process to deal
with complaints of misconduct or violations of the Code.
2) Development
and public access of the Code. A copy of this Code must be
made available to the public. Clients and patients can access
this Code upon request. In turn, clients and patients of HAPLC
must read, understand and consent to HAPLC's collection, use
and disclosure of personal information (Appendix 1). All members
of HAPLC staff must have read and agreed to comply with all
terms of the Code. It may be necessary to make amendments
to the Code, in which case all members of HAPLC staff will
be informed and will be responsible for reading and complying
with such amendments.
D. Policies and Procedures of HAPLC for Collecting, Using and Disclosing Personal Information:
1) Terms:
i) Personal
Information: Any information that contributes to the identity
of an individual. This includes, but is not limited to name,
gender, age, ethnicity, religion, education, marital and financial
status, employment, health history etc.
ii) Consent: Specific permission, written, verbal or implied,
given by a client/patient (here on in referred to as "client"),
where that client is agreeing to a request or exchange of
information between 2 parties. For example, between the client
and a therapist, between a staff member and insurance company
etc. Implied consent arises where consent may reasonably
be inferred from the action or inaction of the individual.
For example, the client tells the therapist about her arthritis
and the resulting pain during the intake. Consent can be collected
in person, by phone, by mail, by e-mail etc. For consent to
be valid, the client must be aware of the nature and purpose
of the information being requested/ exchanged.
iii) Client: Anyone who has established a professional healthcare
relationship with any HAPLC therapist, who gives personal
information which is recorded into a file and into the computer
and financial records, who pays money in exchange for health
services or health advice from any HAPLC therapist. A client
may also be a HAPLC staff member and receives the same rights
and protection regarding privacy of personal information as
any other client.
iv) HAPLC staff member: Includes reception staff, therapists,
volunteers, independent contract workers and anyone who enters
into a contract with HAPLC for the purpose of providing goods
and services and who has potential access to client information.
Excluded from this are clients, patients, sales representatives,
previous HAPLC staff members whose employment period or contract
has expired or been terminated, family and friends of current
HAPLC staff members or anyone who has not entered an employment
contract with HAPLC, and anyone who is restricted from the
premises due to legal reasons or reasons by the current owner
of HAPLC or the owners of the building.
E. How the Heal A’Peel Lifestyle Centre Collects, Uses and Discloses Personal Patient Information
This centre
will collect, use and disclose information about you for the
following purposes:
1) For
the purposes of delivering healthcare and health services:
i) Each therapist is governed by his/ her professional board
which specifies regulations regarding collecting and maintaining
client information. Therapists and clinical assistants collect
and record information as part of their health assessment
and maintenance of client files. Included in these records
may be, but is not limited to: client contact information,
administrative and assessment forms that a client has completed,
information gathered by the therapist during the appointment,
details about treatment given during an appointment, results
of laboratory and diagnostic tests, of which the client has
given consent for release, notes made by the therapist that
contribute to his/ her overall clinical impression, diagnosis
and care for the client. All this information may be required
in order to properly assess that client's health needs, deliver
safe and effective patient care, advise clients of treatment
options, for follow-up for treatment, care and billing.
ii) In order to deliver complete care to the client, it may
be necessary to communicate with other relevant health-care
providers.
iii) In the event of an emergency or death, client information
may be disclosed to notify or assist in notifying a family
member or emergency contact person as specified by the client.
iv) Medical knowledge and advancement is built on clinical
experience. Therefore, this centre may carry out activities
for teaching, demonstration and research purposes. The information
used may be extracted, after first obtaining consent, from
client files and presented in an anonymous format (for example,
identity may be represented as a number or as initials). Steps
will be taken to obtain consent and preserve privacy of client
identity.
v) The centre may need to contact, establish and maintain
communication with clients for the purpose of following up
treatment, booking and confirming appointments, distributing
healthcare information and patient education via the HAPLC's
newsletter. The centre may contact you by telephone or e-mail
using the phone number(s) and e-mail address as provided by
the client. Website Privacy Policy: The official website for
HAPLC is www.healapeel.ca and it includes the online version
of the privacy policy as well as a link to the full length
corporate privacy policy. The website privacy policy is stated
as, "Any personal information submitted through the website,
such as your name, address, phone number, e-mail address and
details of your health etc, is kept confidential. Any information
provided through this website will not be released, rented,
sold nor be available to any parties other than Heal A’Peel
Lifestyle Centre, unless we are required to do so by law or
we are authorized to do so by you or your authorized representative.
In the future, Heal A’Peel Lifestyle Centre may send
you information regarding our service and offerings. You may
opt out of receiving such communications.
We are
continuously reviewing and updating our services and policies
while striving to deliver a high standard of service to you.
Heal A’Peel Lifestyle Centre is in the process of providing
the most secure means of exchanging information via the internet.
Until then, when sending information using the current patient
forms, it is technically possible for the information to be
intercepted by a third party. While we recognize that this
is a possibility, it is very remote. Please also be aware
that sending communications via e-mail using applications
such as Outlook Express, Microsoft Outlook or AOL are also
not considered secure formats. If you would prefer to submit
your personal information by some other means, please contact
us at 519-284-0123.
vi) Appointment
reminders: The centre may call the client's home or office
prior to his/her scheduled appointment. If the client is not
home, a reminder message may be left on the answering machine
or with the person answering the telephone. No other personal
health information is to be disclosed during this message
other than the date, time and therapist of the scheduled appointment
along with a request to call the centre if the client needs
to cancel or reschedule his/her appointment.
vii) Open
treatment areas: There are some open treatment areas at HAPLC
in order to take advantage of space and natural light and
to enhance the effect of the therapeutic environment. It is
possible that personal health information may be inadvertently
disclosed during a client's centre visit if he/ she is treated
in these open areas. A client wishing to have privacy when
discussing personal information may make such request prior
to the scheduled appointment. Certain types of appointments
that involve lengthy discussions, test results or other personal
health information are conducted in a private room.
2) In
processing financial transactions:
viii)
Information to complete and submit insurance claims for third
party adjudication and payment may be disclosed to the insurance
provider as required. This information may include itemized
billing statements, medical information and diagnosis, date
of condition and appointment, and description of health care
services received and therapist(s) who administered those
services.
ix) This centre produces invoices and receipts for goods and
services, processes credit card payments, and collects unpaid
accounts.
x) In the event that Heal A’Peel Lifestyle Centre is
sold or merged with another organization, the entire collection
of health information/ record of the centre will become the
property of the new owner.
3) In
complying with the law and regulatory standards:
xi) The
personal information of the clients of HAPLC may be accessed
when necessary by the legal and regulatory requirements of
the board that governs each individual therapist, such as
in a practice audit. The purpose of such an audit is to ensure
that the therapist is in compliance with his/ her professional
regulatory requirements in collecting, keeping and maintaining
client information, appointment records and files.
xii) Client information may also be accessed to assist this
centre in complying with all regulatory requirements, to comply
with the law in general, such as, but not limited to, reporting
child abuse or neglect, reporting problems with products and
reactions to medications, identifying or locating a suspect,
material witness or missing person, complying with a court
order or subpoena, and other law enforcement purposes.
xiii) Public health: As required by law, a therapist of HAPLC
may be required to disclose your health information to public
health authorities in the case of reporting communicable disease
or infection exposure. Public health Canada has a list of
reportable diseases that health care providers are required
to report. If you wish to be tested for any of the reportable
diseases on an anonymous basis, the centre may be able to
provide you with the name of a centre that provides such a
service.
F. The procedures for ensuring privacy of client information
1) Only
members of HAPLC staff who have read, understood and signed
a Privacy Agreement (Appendix 2) can collect, use and disclose
the personal information of clients.
2) Storage of files and records: Files are kept in a separate
storage space that is inaccessible by the public. There is
only one set of keys to the file storage area and only one
person is designated access to this key. This space is locked
after centre business hours. Electronic records are protected
by password. Records containing personal information (such
as files, invoices, schedule book etc) are to remain within
HAPLC at all times. No member of the HAPLC staff is permitted
to remove any records from the HAPLC premises. During their
shift, HAPLC staff members are to prevent files and records
from being accessed or inadvertently read by other clients.
3) No personal information, health or financial records (copies,
written or verbal forms) from HAPLC are to be released to
any third parties without first obtaining consent from the
client. Information may be released to an emergency contact
person specified by the client in the case of emergency or
death of that client. "Emergency" is defined as
an event that requires immediate ambulance, hospitalization,
or legal action.
4) Schedule book: Only HAPLC staff members can access, record
and change entries made in the schedule book. Information
regarding any scheduled appointment cannot be released to
anyone other than the client (for example, appointment information
cannot be released to family members or co-workers inquiring
about a client).
5) Messages: If the centre needs to contact a client at his/
her home or office, the phone number provided by the client
is used. Telephone messages recorded on a machine or left
with another person will provide minimal information regarding
scheduled appointments and the name of HAPLC staff member.
No other personal information will be given or recorded.
6) Other correspondence: The centre establishes and maintains
correspondence via e-mail and fax. E-mail and faxes of a personal
nature (such as assessment forms and treatment information)
will be sent only after consent from the client is obtained.
7) The centre does not sell any of its client information
to any 3rd parties.
G. Grandfathering of information:
Personal
information that has been collected at the HAPLC during the
course of its commercial activities is also subject to PIPEDA.
Since it has already been collected, there is no need to recollect
it. However, in order to continue to use or disclose this
information, consent is required (for example, upon the first
visit after the establishment of this Code within the clinic).
Eventually, all active patients of HAPLC will be aware of
the existence and accessibility of this Code and will be informed
on what the centre does with their information, to whom it
is disclosed and given the option to object to these ongoing
uses or disclosures.
H. The procedure for retaining and destroying information:
1) The
centre is required to keep client information and records
for 7 years from the recorded date of the last appointment
with a therapist.
2) Destruction of client information: When the 7 year period
has ended, the centre destroys files by shredding the information
and deleting electronic records so that it is no longer accessible
or identifiable.
I. Complaints
1) An
individual may complain to the PIO of this centre or to the
Privacy Commissioner about any alleged breaches of the law.
The Privacy Commissioner may also initiate a complaint.
i) Procedures
for recourse for complaints made to the PIO:
a) Record the date a complaint is received and the nature
of the complaint. Receipt of the complaint is to be
acknowledged to the complainant.
b) The PIO investigates the complaint by accessing all relevant
records and HAPLC staff members who handled the information
in question.
c) If the misconduct is the result of a violation of this
Code, the person found responsible will be dealt with accordingly.
If the misconduct is the result of following the procedures
and policies of this Code or is the result of not having an
existing procedure or policy, the appropriate amendments will
be made to this Code and all HAPLC staff members notified
of such an amendment.
d) The complainant will be notified of the outcome of investigations,
informing them of any relevant steps taken. A report of the
complaint, investigation and outcome is to be included in
the individual's records.
2) Types
of complaints:
An individual may complain to the Commissioner or the PIO
regarding misconduct of privacy of personal information as
outlined in this Code that includes but is not limited to
allegations that this clinic:
i. denies an individual access to personal information
ii. improperly collects, uses or discloses personal information
iii. refuses to correct inaccurate or incomplete information
iv. fails to provide access to personal information in an
alternative format to an individual with a sensory disability
v. does not use appropriate safeguards to protect personal
information.
J. Offences
1) It is an offence to:
i) destroy personal information that an individual has requested
ii) retaliate against an employee who has complained to the
Privacy Commissioner, or who refuses to contravene Sections
5 to 10 of PIPEDA.
iii) obstruct a complaint investigation or an audit by the
Privacy Commissioner or his delegate.
2) A person
is liable to a fine of up to $10,000 on summary conviction
or up to $100,000 for an indictable offence as determined
by the result of a complaint investigation by the federal
Information and Privacy Commissioner.
The Commissioner
may initiate a complaint if there are reasonable grounds to
believe that an investigation of a matter under PIPEDA is
warranted.
3) To file a complaint:
Privacy Commissioner of Canada
112 Kent Street
Ottawa, Ontario
K1A 1H3
For general inquiries:
Phone: (613) 995-8210
Toll-free: 1-800-282-1376
Fax: (613) 947-6850
TTY: (613) 992-9190
You may
also direct your inquiries via e-mail to info@privcom.gc.ca.
Please do not make complaints or provide personal information
by e-mail, as security cannot be ensured.
K. Time limits
1) There
is no time limit for filing most types of complaints.
2) The only exception is a complaint that access to personal
information has been denied. In this case, the complaint must
be made within six months after the clinic's refusal to provide
the information, or after the expiry of the time limit for
responding to the request. However, the Commissioner may extend
the time limit for an access complaint.
3) The Commissioner has one year from the date of the complaint
to prepare a report.
L. Exceptions to Consent
1) This
centre may collect, use and disclose personal information
without the individual's knowledge or consent only:
i) if it is clearly in the individual's interests and consent
is not available in a timely way
ii) if knowledge and consent would compromise the availability
or accuracy of the information and collection is required
to investigate a breach of an agreement or contravention of
a federal or provincial law and/or the organization has reasonable
grounds to believe the information could be useful when investigating
a contravention of a federal, provincial or foreign law and
the information is used for that investigation
iii) if it is publicly available
iv) to a lawyer representing the organization
v) to collect a debt the individual owes to the organization
vi) to comply with a subpoena, a warrant or an order made
by a court or other body with appropriate jurisdiction to
a government institution that has requested the information,
identified its lawful authority, and indicates that disclosure
is for the purpose of enforcing, carrying out an investigation,
or gathering intelligence relating to any federal, provincial
or foreign law; or suspects that the information relates to
national security or the conduct of international affairs;
or is for the purpose of administering any federal or provincial
law
vii) to an investigative body named in the Regulations of
the Act or government institution on the organization's initiative
when the organization believes the information concerns a
breach of an agreement, or a contravention of a federal, provincial,
or foreign law, or suspects the information relates to national
security or the conduct of international affairs
viii) 20 years after the individual's death or 100 years after
the record was created
ix) if required by law.
M. The Personal Information Rights of the Client
All clients
and staff of HAPLC have the right to:
1) Request restrictions on certain uses and disclosures of
your health information
2) Access copies of his/ her own health information. The client
must first sign a release form authorizing the copies and
release of information and records from the centre and the
account balance of the patient must be zero before a copy
of his/ her files and records can be made.
3) Correct or amend current information
4) Access a copy of Heal A’Peel Lifestyle Centre Privacy
Code
Heal A’Peel
Lifestyle Centre is not required to agree to requests made
to amend or restrict the use of personal health information
if it is in conflict with legal and professional board regulation
requirements of each therapist or it is in conflict with the
therapist's ability to deliver safe healthcare.