Privacy Acting Officer:

· Dr. Jeffrey Mellor, Vice President, MDERA

· Assistant: Maura Duncan, Office Manager, MDERA

MEDICAL DOCTORS ELECTRONIC RECORD ASSOCIATION OF SOUTHERN ALBERTA

PRIVACY AND SECURITY POLICY

 

Purpose

 

The collection, use and disclosure of health information by physicians who are members of MEDICAL DOCTORS ELECTRONIC RECORD ASSOCIATION OF SOUTHERN ALBERTA CORPORATION (hereinafter referred to as the MDERA) are governed by the provisions of the Health Information Act (HIA) and this policy. The following principles and the procedures appended to this policy are intended to enable patient care and effective service delivery, while protecting the privacy of patients of the member physicians.

 

Scope

 

This policy applies to:

· Health service providers and staff, including contractors providing services for individual physicians;

· Records in any form created or received in the course of carrying out the medical services of the member physicians;

· All facilities and equipment required to collect, manipulate, transport, transmit or keep health information.

 

Principles

 

· Physician members will comply with this policy and associated procedures with respect to health services provided to their patients.  All records related to these health services shall be deemed to be under the control of the physician who provides the services.

· Notwithstanding section 3.1 of this policy, physician members and Calgary Health Region have an interest in and require access to records created in facilities owned and operated by the health region and these records and/or information contained in these records shall be made available to Calgary Health Region in accordance with the data sharing agreement between MDERA and Calgary Health Region.

· Physicians and their affiliates shall protect the confidentiality of health information and personal information in their custody or control, and the privacy of the individuals who are the subjects of that information. This includes protection against unauthorized use, disclosure, modification, or access to the information.

· Individuals have a right of access to any information about themselves that is in the custody or control of the physician members, subject to the limited and specific exceptions set out in HIA. Individuals who believe there is an error or omission in their health information have a right to make a request to correct or amend the information.  [See Privacy and Security Procedure 1]

· When collecting health information or personal information directly from an individual, and when that information is being retained by one of the physician members and proper notice is not already given by the health region, the individual will be informed by the physician of the purpose for which the information is collected and the legal authority for the collection.  This should be done through a poster or other visible medium but can be done orally if appropriate.

· Health information shall only be used and disclosed for the purpose for which it was collected, unless alternate use or disclosure is authorized or required by law, or with the knowledge and consent of the subject individual.

· Affiliates of physicians will collect and use identifying health information and personal information only to perform their duties for the physician.

· Individuals have the right to request the Information and Privacy Commissioner to review access, privacy and correction decisions made by physician members.

· Physician members will ensure that they use the forms appended to this policy or similar forms that comply with the HIA.

 

Sanctions

 

Failure to comply with this policy and its procedures will place an individual at risk of prosecution under the HIA. An affiliate’s failure to comply will result in disciplinary action, up to and including termination of employment or contract.

 

Privacy Officer Responsibilities

 

The Health Information Act (HIA) requires custodians to identify a contact person who is responsible for ensuring compliance with the Act. 

 

MDERA shall elect one of its members to be Privacy Officer and he or she will act on behalf of member physicians. Each physician member is responsible for ensuring implementation of this policy and for ensuring cooperation with the Privacy Officer as required for his or her practice. The Privacy Officer may delegate any responsibilities to an Executive Assistant who will be responsible for day-to-day privacy issues.

 

The responsibilities of the Privacy Officer include:

 

· Identifying privacy compliance issues and making recommendations for improvements both to MDERA and member physicians;

· Ensuring that privacy and security policies and procedures are developed and maintained as necessary;

· Ensuring that affiliates and contractors of MDERA are aware of their responsibilities and duties under HIA;

· Responding as directed by member physicians to requests for access to or correction of health information;

· Assisting member physicians with the implementation and monitoring of the MDERA privacy policy and procedures;

· Ensuring the overall security and protection of health information in the custody of MDERA and member physicians;

· Dealing with regional health authorities, third parties and the Office of the Information and Privacy Commissioner respecting privacy and security issues; and

· Managing the Data Sharing Agreement with the Calgary Health Region.

 

Terms or phrases that are bold and italicized are defined in Appendix 1.

 
