TotalEyeCare.ca Privacy Policy

STATEMENT OF POLICY
Privacy of personal information is an important principle
to Total Eye Care. We are committed to collecting, using
and disclosing personal information responsibly and only
to the extent necessary for the optometric services and
products that we provide. Employees who have access to information
(oral, written or computerized) regarding patients will
take reasonable steps to ensure the security of personal
health information during its collection, use, disclosure,
storage and destruction.
We reserve the right to modify the policy at any time and
the revised privacy policy will apply to all protected health
information that we currently have as well as to information
that we may generate in the future.
This document describes our privacy policy.
WHO WE ARE
Total Eye Care includes any optometrist or health care
professional, all employees, staff and student trainees
authorized to collect, use or disclose personal information.
We use a number of consultants and agencies that may, in
the course of their duties, have limited access to personal
information we hold. These include, but are not necessarily
limited to, computer consultants, bookkeepers and accountants,
credit card companies, collection agencies, website managers,
lawyers and insurers or third party payers. We restrict
their access to any personal information we hold as much
as is reasonably possible. We also have their assurance
that they follow appropriate privacy principles.
OBJECTIVE OF POLICY
In order to maintain the trust and confidence of our patients
and the public, it is essential that individuals who have
access to personal health information respect the confidential
nature of this information. In the performance of normal
duties, employees are often entrusted or exposed to sensitive
information, and are relied upon to uphold the integrity
of our office.
APPLICATION OF POLICY
1. Personal health information includes
all information that relates to an individual’s health
or health care history, including genetic information about
the individual, as well as the provision and payment of
health care provided to the individual.
In respect of optometric patients, this means:
a) Home address, phone numbers, family
status, ethnic background, gender and age;
b) any information contained in the patient’s
clinical record related to ocular health and refractive
status, general health status, inclusive of diagnosis and
treatment;
c) the patient’s demographic information,
financial position and information, home conditions, or
any other private matters relating to the patient which
have been disclosed in the course of information collection;
d) any information learned from or observed
about the patient, including conduct or behavior which may
be a result of illness or the effect of treatment; and
e) billing and payment information regarding
services provided to individual patients.
2. Only employees specifically authorized to do so
by Garnet McBurney, Total Eye Care Privacy Officer, may
collect, access, manage, disclose or destroy confidential
information, and such employees shall do so in accordance
with the principles and procedures for security outlined
in this policy.
WHY WE COLLECT PERSONAL INFORMATION:
PRIMARY PURPOSES
Total Eye Care collects, uses and discloses personal information
in order to serve our patients. For our patients, the primary
purpose for collecting personal information is to provide
optometric services. For example, we collect information
about a patient’s health history, including their
family history, physical condition and function, and social
situation in order to help us assess what their eye care
needs are, to advise them of their options and then to provide
the eye care they choose to have. We may communicate this
information to other regulated health practitioners, technicians
or individuals authorized to work in our practice as part
of a patient’s continuing care. A second primary purpose
is to obtain a baseline of health and social information
so that in providing ongoing health services we can identify
changes that are occurring over time. It would be rare for
us to collect information without the patient’s implied
consent, but this might occur in an emergency (e.g., the
patient cannot communicate) or where we believe the patient
would consent if asked and it is impractical to obtain consent
(e.g., a family member passing a message on from our patient
where we have no reason to believe that the message is not
genuine).
On our website, we collect the personal information you
provide voluntarily, and only use that information for the
purpose for which it was provided (e.g., to respond to your
Email message, to order eyeglasses, contact lenses or sunwear,
to request a private eye appointment, etc.).
WHY WE COLLECT PERSONAL INFORMATION:
SECONDARY PURPOSES
Like most organizations, we also have secondary purposes
for the collection, use and disclosure of personal information.
These secondary purposes include, but are not limited to:
• To invoice patients for optometric services, to
process credit card payments or to collect unpaid accounts
either ourselves, or through a collection agency or attorney;
• When the cost of some optometric services, products
or treatments provided by our practice to patients is paid
for by third parties (e.g., MHSC, private insurance, social
assistance programs)
• To advise patients by telephone, mail or Email that
their vision and eye care needs or treatment should be reviewed
(e.g., to schedule their next appointment, to ensure that
their eyewear is still functioning properly and to consider
modifications or replacement);
• To advise patients, prospective patients and others
of special events or opportunities (e.g., newsletters, a
seminar, development of a new product or service) that we
have available;
• Purposes of administration, business planning and
ensuring that we provide high quality services, including
assessing the performance of our staff;
• Optometrists are regulated by the Manitoba Association
of Optometrists who may inspect our records and interview
staff as part of their regulatory activities in the public
interest. In addition, as professionals, we report serious
misconduct, incompetence or incapacity of other practitioners,
whether they belong to other organizations or our own. Our
practice also believes that it should report information
suggesting serious illegal behavior to the appropriate authorities.
• Like all organizations, various government agencies
(e.g., Canada Customs and Revenue Agency, Information and
Privacy Commissioner, Human Rights Commission etc.) have
the authority to review our files and interview our staff
as a part of their mandates. In these circumstances, we
may consult with professionals (e.g., lawyers, accountants)
who will investigate the matter and report back to us.
You may choose not to be a part of some of these secondary
purposes (e.g., by declining to receive newsletters or by
paying for your services in advance).
SECURITY PROCEDURES
Information Collection
• Patient interviews should be conducted in a location
and manner which assures, to the extent practicable, the
privacy of information being related by and to the patient
regarding their health history, current diagnosis and treatment
recommendations.
• Information recorded for the patient file shall,
likewise, be maintained by the personnel authorized to collect
it, in a manner restricting its access pending transfer
to the record’s formal storage, whether done so in
computerized or written files.
Information Storage
• All records containing personal health information,
whether in written form or by electronic media, shall be
stored so as to restrict access to that information to authorized
persons.
• Paper records are stored in a supervised location
in an area of our practice to which the general public is
not permitted. Most records are computerized and are stored
on a central server located in an area of our practice to
which the general public is not permitted. Data backups
are made daily, weekly and monthly to insure against loss.
These backups are taken offsite daily by the privacy officer.
• All information in our electronic system contains
an audit trail of what time and date the entry or updated
information was added, and who made the entry or update.
• Records containing personal health information shall
be retained for a period of at least ten years from the
date of last entry. After this date, records may be destroyed,
provided there is no pending complaint or litigation relating
to a particular record.
Information Disclosure
• All requests for patient information should be
brought to the attention of Garnet McBurney, Privacy Officer,
for response.
• Patients may request access to their personal health
information by way of personal review of the file, report
prepared by the doctor compiling the record, or photocopy.
Prior to disclosing information, the patient’s identity
should be confirmed. We reserve the right to charge a nominal
fee for such requests.
• Persons, other than the patient in whose name the
clinical record is held or his/her legal guardian, who request
access to personal health information must provide written
authority from the patient to access that information in
part or in whole. The patient’s authorization should
be verified (against the signature on file or by telephone confirmation).
However, patient consent is not required for release of
information in the following circumstances, as provided
in The Personal Health Information Act:
a) to a person who is providing or has
provided health care to the individual, to the extent necessary
to provide care to the individual unless the individual
has recorded instructions not to make the disclosure;
b) if required to provide emergency care
or identification;
c) if required for the purposes of peer
review, discipline or risk management by health professionals;
d) if required by government or its agencies
as part of a health information network or payment program;
or
e) if required in anticipation of a civil
or criminal proceeding or to comply with a subpoena or warrant
order issued by a court.
• The date and time of access, as well as the person
authorizing the access and the nature of the access (i.e.
review, report, photocopy or correction) shall be recorded
as part of the patient record. Written authorizations for
access shall be filed with the patient record.
Information Transfer and Destruction
• When original records are transferred to the custody
and control of another optometrist or physician, such transfer
shall be recorded in a log or journal specifically maintained
for that purpose, noting:
a) the name of the individual whose record
is being transferred;
b) the time period to which the information
in the record pertains;
c) the date the record is transferred;
d) the name of the person to whom the records
are transferred;
e) the method of transfer and name of transferring
agent (e.g., courier, in person).
If an entire practice’s records are being transferred
to the custody of another practice, an entry recording (c),
(d) and (e) above is sufficient.
• When the decision is made to dispose of records,
the destruction of the information shall be recorded in
a log or journal specifically maintained for that purpose,
noting:
a) the name of the individual whose record is being destroyed;
b) the time period to which the information in the record
pertains;
c) the date the record is destroyed;
d) the name of the person supervising the destruction of
the record;
e) the method of destruction and disposal of the record.
• Clinical record destruction shall be restricted
to the following methods:
a) Paper records shall be shredded;
b) Computer disk, audio tape or video tape
records shall be burned or overwritten;
c) Hard drives containing records shall
be burned or overwritten.
Security Breaches
• The office will audit all security arrangements
annually.
• Any breaches of security of personal health information
shall be immediately reported to Garnet McBurney, Privacy
Officer.
• Garnet McBurney, Privacy Officer, shall investigate
the alleged breach and ensure that corrective action is
immediately taken to prevent further or similar errors,
including any punitive action deemed appropriate to the
circumstances in respect of persons responsible for the
security breach.
• All breaches shall be recorded in a log or journal
specifically maintained for that purpose, noting:
a) the name of the individual reporting
the security breach;
b) the name of the individual for whom
the security of personal health information was breached;
c) the general nature of the security breach
and, if pertinent, the information improperly disclosed;
d) the date and time, if known, of the
security breach;
e) the name of the person or persons found
to be responsible for the breach;
f) the corrective action taken in response
to the breach;
g) the name of the individual(s) responsible
for investigating and taking action in respect of the breach.
Individuals having access to confidential information are
expected to abide by the terms of this policy and the procedures
for compliance. Any breach of these security requirements
may result in disciplinary action up to and including termination
of employment and possible legal action.
DO YOU HAVE A QUESTION?
Jennifer Davis
Operations Manager
204-571-7614
jennifer.davis@fyidoctors.com
Total Eye Care
800 Rosser Avenue
Brandon MB R7A 6N5
Phone (204) 728-3318
Direct (204) 571-7610
Toll Free 1-800-870-8884
Fax (204) 727-4497
If you wish to make a formal complaint about our privacy practices or the application of those practices, you may make it in writing to our Operations Manager. She will acknowledge receipt of your complaint, ensure it is investigated promptly, and ensure that you are provided with a formal decision and reasons in writing.
- Total Eye Care, 2004