The OACCAC believes in the basic right of individuals to their privacy. We use the ten Canadian Standards Association Model Code privacy principles to guide us in safeguarding personal health information in partnership with your local CCAC.
The OACCAC has assigned an individual as the Chief Privacy Officer and has privacy policies and procedures in place.
The OACCAC is committed to respecting personal privacy, safeguarding confidential information and ensuring the security of personal health information within its custody. The OACCAC meets this commitment through its Privacy Program. This Program is overseen by the Chief Privacy Officer, who reports directly to the OACCAC Vice-President Finance and Administration.
Key components of OACCAC's Privacy Program include:
- Privacy Policies and procedures;
- an employee privacy training, communications and awareness program;
- a privacy audit and compliance program; and
- privacy impact assessments and threat risk assessments
As a Health Information Network Provider the OACCAC is not responsible for identifying the purposes for which your personal health information is being used. This would be done by the Health Information Custodian collecting your information.
As an Agent to the CCACs, should the OACCAC be asked to collect your personal health information on behalf of a CCAC, the OACCAC would identify the purposes for which the information would be used. The OACCAC does not use or disclose your information other than with the explicit authorization of the CCAC.
Your CCAC will let you know the purpose for which your personal health information is required prior to collection, use or disclosure of the information.
The OACCAC while acting as a Health Information Network Provider does not collect consent from CCAC patients.
Your CCAC gets your knowledgeable consent prior to the collection, use or disclosure of information. CCACs see consent as an on-going dialogue with their patients to ensure you understand how your information is being collected, used and disclosed.
As a Health Information Network Provider, the OACCAC is responsible for operating and maintaining the systems that your personal health information resides in, as a patient of a CCAC. The OACCAC never collects information directly from patients when acting in the capacity of a Health Information Network Provider.
If the OACCAC is acting as an Agent on behalf of a CCAC to collect patient information, explicit instructions would be provided by the CCAC on what information should be collected. The OACCAC limits collection to the specific purposes provided by the CCAC.
Limiting Use, Disclosure and Retention:
As a Health Information Network Provider the OACCAC uses your information only to maintain and operate the electronic systems that process your personal health information. As a Health Information Network Provider the OACCAC does not disclose your information or decide on the retention of your information. The Health Information Custodian explicitly identifies to the OACCAC how they may disclose your information. Each Health Information Custodian determines the retention policy for the information they are the custodian for and the OACCAC applies that policy to your information.
Personal and personal health information is not used or disclosed other than for those purposes for which it was collected, without the consent of the individual or as required by law. Personal information shall be retained only as long as necessary for the purpose for which it was collected. Whenever possible, the OACCAC limits the amount of personal health information used in its business processes. The OACCAC uses de-identified information whenever it can be used to support the business of operating and maintaining the business systems of the CCACs.
As an Agent of a CCAC, the OACCAC supports the CCACs in ensuring the accuracy of personal and personal health information through its operations and maintenance of the CCACs' systems. The OACCAC works with the CCAC to ensure that personal and personal health information is as accurate, complete and up-to-date as is necessary for the purposes for which it is to be used. Individuals have the right to request that their CCAC correct inaccurate information.
As a Health Information Network Provider the OACCAC has in place privacy and security standards, policies and procedures to ensure that information processed by our network and applications upholds the accuracy and integrity of the data it processes. Examples of this would be role-based access controls to specific types of information and segregation of duties.
The OACCAC is committed to having in place privacy and information security controls for personal health information or other personal information. The OACCAC adheres to the Personal Health Information Protection Act, 2004 (PHIPA).
Appropriate security controls for technology and staff are in place and maintained to safeguard unauthorized access, use or disclosure of personal health information. Examples of such controls include encryption of all mobile devices, access controls to all systems that contain personal health information, and data destruction procedures for electronic information.
Our privacy pages describe OACCAC's commitment to the privacy of your information. If requested the OACCAC will make readily available to individuals other policies and procedures that support our commitment to privacy.
As a Health Information Network Provider the OACCAC does not provide you with access to your CCAC health record. The OACCAC is not authorized by the CCACs to disclose these records to you. Individuals must make their request for access to their personal health information through your local CCAC in writing.
If you send in writing a request for access to your patient record, the OACCAC will redirect you to the applicable CCAC who can grant the request or with your permission we can forward your request to the applicable CCAC on your behalf.
As a Health Information Network Provider or Agent to the CCAC, the OACCAC is not authorized to assist you in challenging compliance of your health record.
If a CCAC patient wishes to challenge compliance of the CCAC they would be required to contact the applicable CCAC Health Records Manager or Privacy Officer.