Personal Health Information Protection Act. (PHIPA): PHIPA applies to any institution that is a health information custodian and collects, uses and discloses personal health information. Among other obligations, PHIPA requires custodians to take reasonable steps to protect personal health information from theft, loss, unauthorized use, copying, modification, disposal or disclosure. PHIPA also requires custodians to notify individuals at the first reasonable opportunity if their personal health information is stolen, lost, or accessed by unauthorized persons. Corporate Directives and Guidelines: In addition to the statutory obligations, institutions are required to follow rules related to privacy, information management, information technology, and security defined in corporate directives, and are encouraged to follow best practices outlined in related guidelines.1 WHAT IS A PRIVACY BREACH? Definition For the purposes of this Guide, a privacy breach is defined as an incident involving unauthorized disclosure of personal information in the custody or control of an institution covered by FIPPA. This would include personal information being stolen, lost, or accessed by unauthorized persons.
Personal Health Information Protection Act. Publication of confidential information regarding the institution requires adherence to the following principles: The institution agrees to allow the publication of the information as it pertains to the project providing that the institution or its practices are not the main focus of the publication. In cases where the publication focuses on the institution, the institution reserves the right to review and approve the use of this information prior to publication. The institution will be acknowledged within any publication as providing the source information. A copy of the publication will be given to the institution. Information that is lost or stolen must be reported to the Chief Privacy Officer of the appropriate institution at the first reasonable opportunity. A breach of institutional policy regarding access to information and protection of privacy may have serious consequences or be just cause for termination of my employment and/or affiliation with the institution. __________________________________________________ _______________________________ Signature of the Locally Responsible Investigator Date Signatures of Research Team members: Print Name Signature Date Signed
Personal Health Information Protection Act. In the event that under the Applicable Law, the Service Provider is considered to be a health information custodian under the Personal Health Information Protection Act, the Parties agree that they will meet to resolve any issues in good faith and to agree on alternative arrangements, if necessary, with respect to the treatment of Patient Information and Patient Records. For the purposes of this Section 5, the terms “process”, “processing” and “processes” and any grammatical variations thereof means any use of or operation or set of operations which is performed upon or in connection with data or information, by any means including without limitation, collection, recording, analysis, consultation, organization, maintenance, storage, adaptation, modeling, retrieval, disclosure or otherwise making available, combination, matching, erasure or destruction; Patient Information – Privacy and Protection The Service Provider shall protect all Patient Information processed by it with physical, organizational and technological safeguards that are appropriate to the nature, quantity and sensitivity of such information, applying security standards and procedures equivalent to those used by it to protect its own confidential information and the personal information of the Service Provider Personnel and the personal health information of other individuals whose information it processes and in conformity with any specific security directives provided to it by the LHIN. Without restriction, the Service Provider shall identify reasonably foreseeable internal and external risks to the security, confidentiality and integrity of the Patient Information that could result in a Privacy and Security Event and shall assess the sufficiency of its safeguards to control these risks. The Service Provider shall implement such additional safeguards as are appropriate to control the risks identified in the assessment conducted in accordance with this GC Section 5.1.2. The Service Provider shall limit access to all Patient Information to the Service Provider Personnel who have a need for such access in order to deliver the Services and to Authorized Persons, and shall restrict entry (including physical and/or electronic entry) and access (using appropriate security controls) of any unauthorized persons to those areas of the Service Provider’s premises or other locations in which any Patient Information is processed. Without limiting the generality of the foregoing, the Service Provider sh...
