Privacy Policy
Protecting Your Personal Health Information
Document ID: PP-001
Version: 1.0
Effective Date: March 20, 2026
Classification: Confidential — Internal Use Only
1. Purpose, Scope and Legislative Authority
This Privacy Policy outlines how PrimePath Community Care ("we," "us," "our," or "Organization") collects, uses, discloses, and safeguards personal health information (PHI) and personal information of individuals ("you," "your," or "individual") under its custody and control.
As a health information custodian operating in Ontario, Canada, our privacy practices are governed primarily by the Personal Health Information Protection Act, 2004 (PHIPA), with complementary compliance obligations under the Personal Information Protection and Electronic Documents Act (PIPEDA), the Health Information Act (HIA), the Accessibility for Ontarians with Disabilities Act (AODA), and the Canadian Anti-Spam Legislation (CASL).
This policy applies to all employees, volunteers, contractors, agents, and service providers ("Staff") who have access to or collect personal health information on our behalf. The policy is reviewed and updated annually, with the next scheduled review in March 2027.
2. Definitions
Personal Health Information (PHI): Information about an identifiable individual concerning their physical or mental health, health history, healthcare received or required, and payment for healthcare.
Health Information Custodian: An organization with custody or control of personal health information, including healthcare providers, public and private hospitals, community care organizations, and technology service providers.
Agent: A person or organization that collects, uses, discloses, or retains personal health information on behalf of a health information custodian.
Substitute Decision-Maker (SDM): A person legally authorized to make decisions on behalf of an individual who is incapable of making such decisions.
Capable Individual: An individual who understands the information relevant to the decision being made and appreciates the reasonably foreseeable consequences of making or not making the decision.
Circle of Care: Health professionals and organizations involved in providing health care to an individual, including caregivers, family members, and authorized representatives.
3. Collection of Personal Health Information
We collect personal health information only to the extent necessary to accomplish specific, identified purposes. Collection is limited to the minimum amount of information required to deliver services, fulfill legal obligations, and support effective client care management.
3.1 Lawful Basis for Collection
We collect personal health information based on:
- Consent obtained from the individual or their SDM
- Legal obligations (e.g., funding requirements, employment standards, child protection)
- Necessity for provision of health care services
- Public health and safety purposes
- Research or evaluation purposes (with ethics board approval)
3.2 Sources of Collection
We collect personal health information directly from:
- The individual themselves
- Family members, caregivers, or authorized representatives
- Healthcare providers and other custodians (with consent)
- Government and funding agencies (for program eligibility and reporting)
- Our website and client management systems
4. Use of Personal Health Information
4.1 Primary Purposes
We use personal health information for:
- Providing direct client care and health services
- Clinical documentation and care planning
- Appointment scheduling and follow-up
- Care coordination and communication with other providers
- Billing and payment processing
- Quality assurance and client safety monitoring
4.2 Secondary Purposes
With consent, we may use personal health information for:
- Research and program evaluation (ethics-approved)
- Training and education of health professionals
- Performance improvement initiatives
- Funnel analysis and service development
4.3 Prohibited Uses
We do NOT use personal health information for:
- Marketing or promotional purposes (without explicit consent)
- Profiling or discriminatory practices
- Sale to third parties for commercial purposes
- Political campaigns or lobbying efforts
- Any purpose unrelated to healthcare delivery or legal obligations
5. Disclosure of Personal Health Information
5.1 Disclosures Without Consent
Under PHIPA, we may disclose personal health information without consent only in the following circumstances:
- To healthcare providers directly involved in providing care to the individual
- Where required or authorized by law (mandatory reporting, court orders, search warrants)
- Where the life, safety, or health of an individual is at serious risk
- To facilitate a transfer of care in an emergency where consent cannot be obtained in time
- For the investigation or prosecution of a crime where obtaining consent would compromise the investigation
- Audits and reviews by authorized government bodies and funders
- Disclosures to legal counsel for the purpose of obtaining legal advice
5.2 Prohibited Disclosures
We do NOT disclose personal health information for direct marketing purposes, commercial third-party sales, or political activities unless explicit consent has been obtained.
6. Consent Framework
6.1 Consent Requirements
Consent is required for:
- Collection of personal health information not necessary for care
- Disclosure outside the circle of care (except as authorized by law)
- Use for secondary purposes (research, training, marketing)
- Automated decision-making or profiling
6.2 Obtaining and Recording Consent
Consent is obtained through:
- Written consent forms (signed and dated)
- Verbal consent (documented in the individual's record with date and witness signature)
- Electronic consent (through secure systems)
6.3 Withdrawal of Consent
Individuals may withdraw consent at any time by providing notice to our Privacy Officer. Withdrawal does not affect the lawfulness of uses or disclosures made prior to withdrawal, but will apply to future processing.
6.4 Incapacity and Substitute Decision-Makers
For individuals unable to provide consent, consent is obtained from their court-appointed substitute decision-maker (SDM). In the absence of a legally appointed SDM, we may consult with family members or caregivers to determine the individual's wishes, with documentation in the client record.
7. Safeguards and Security
7.1 Administrative Safeguards
- Privacy and security policies and procedures
- Staff training and competency verification
- Background checks for all Staff with PHI access
- Confidentiality agreements and non-disclosure provisions
- Access controls and role-based permissions
- Regular security audits and risk assessments
- Incident response and breach management procedures
7.2 Physical Safeguards
- Secured facilities with controlled access (badges, locks, cameras)
- Secure storage of physical health records in locked cabinets
- Shredding or secure disposal of confidential documents
- Restricted access to areas where PHI is stored or processed
7.3 Technical Safeguards
- Encryption of personal health information in transit and at rest
- Secure password management and multi-factor authentication
- Firewalls, intrusion detection, and antivirus protection
- Regular software patching and security updates
- Data backup and disaster recovery procedures
- Automatic session timeouts for unattended systems
- Activity logging and audit trails
7.4 Third-Party Service Provider Security
Any agent or third-party service provider who has access to PHI must:
- Execute a Data Processing Agreement (DPA) or equivalent contract
- Implement equivalent privacy and security safeguards
- Limit use of PHI to authorized purposes only
- Notify us immediately of any breach or security incident
- Cooperate with audits, inspections, and investigations
- Comply with all applicable privacy legislation
8. Mandatory Reporting and Override of Privacy
PrimePath Community Care is legally obligated to report or disclose personal health information in the following circumstances, even without consent:
| Reportable Event | Reporting Authority | Legislative Authority | Timeline |
|---|---|---|---|
| Suspected child abuse or neglect | Children's Aid Society (CAS) | Child, Youth and Family Services Act | Immediately |
| Abuse or neglect of vulnerable adults | Adult Protective Services / Police | Adult Protection Case Guidelines | As soon as reasonably possible |
| Imminent risk of serious bodily harm | Police / Emergency Services | PHIPA, Common Law Duty of Care | Immediately |
| Criminal activity / Evidence of crime | Police / Law Enforcement | PHIPA Section 45(1)(a), Criminal Code | Upon investigation |
| Court order or search warrant | Court / Law Enforcement | PHIPA Section 45(1), Criminal Code | As directed by court |
| Disease surveillance / Public health outbreak | Public Health Unit / Ministry of Health | Health Protection and Promotion Act | As specified in HPPA |
9. Retention of Personal Health Information
Personal health information is retained for the minimum period necessary to accomplish the purposes for which it was collected, and in accordance with applicable legal and regulatory requirements.
| Record Type | Retention Period | Legal Authority |
|---|---|---|
| Client health records (active) | Duration of service + 10 years | PHIPA, General Practice |
| Client health records (inactive) | 10 years after last encounter | PHIPA, Common Practice |
| Consent forms and authorizations | Duration of consent + 7 years | PIPEDA, Statute of Limitations |
| Financial/billing records | 7 years from transaction | CRA, Accounting Standards |
| Employment records (staff) | 3 years after termination | Employment Standards Act |
| Incident and safety reports | Duration of service + 10 years | PHIPA, QAA, OHSA |
| Privacy breach documentation | Permanent | PHIPA Section 46, Regulatory |
| Audit and accountability logs | Minimum 3 years | PHIPA, Best Practices |
10. Privacy Breach Management
10.1 Breach Definition
A breach occurs when there is unauthorized access, use, or disclosure of personal health information, or loss of physical records containing PHI.
10.2 Breach Response Procedure
| Step | Action | Timeline |
|---|---|---|
| 1. Containment | Stop unauthorized access; isolate affected systems | Within 1 hour |
| 2. Investigation | Determine nature, scope, and timeline of breach | Within 24 hours |
| 3. Risk Assessment | Assess real or probable risk of harm | Within 24-48 hours |
| 4. Notification Determination | Determine if affected individuals must be notified | Within 48 hours |
| 5. Individual Notification | Notify affected individuals of breach details and recommended actions | Without unreasonable delay |
| 6. Regulatory Reporting | Notify Privacy Commissioner, Ministry of Health, or other regulators | Per regulatory requirements |
| 7. Remediation & Review | Document breach, implement corrective measures, provide staff training | Ongoing; formal review within 30 days |
11. Individual Rights Under PHIPA
PHIPA grants individuals the following rights regarding their personal health information:
| Right | Description |
|---|---|
| Right of Access | Request and receive access to your personal health information, including copies of records. Response provided within 30 days per PHIPA. |
| Right of Correction | Request correction of inaccurate, incomplete, or outdated information. If we disagree, a statement of disagreement is attached to the record. |
| Right to Disclosure Record | Request a record of all disclosures made in the previous three years (excluding disclosures within the circle of care). |
| Right to Request Audit | Request an audit to determine whether your information has been accessed without authorization. Results will be provided within a reasonable time. |
| Right to Withdraw Consent | Withdraw your consent at any time. Withdrawal will not affect the lawfulness of uses or disclosures prior to withdrawal. |
| Right to Lodge Complaint | File a complaint with our Privacy Officer or the Information and Privacy Commissioner of Ontario (IPC) if your privacy rights have been violated. |
12. Privacy Officer and Contact Information
Privacy Officer
Email: privacy@primepathcommunitycare.ca
Response Time: Within 30 days of receipt
Regulatory Authorities
- Information and Privacy Commissioner of Ontario (IPC): www.ipc.on.ca | 1-800-387-0073
- Ontario Health: www.ontariohealth.ca
- Ministry of Health: www.ontario.ca/ministry/health
13. Policy Review, Amendment, and Enforcement
13.1 Policy Review Schedule
This Privacy Policy is reviewed annually or when material changes to legislation, technology, or organizational practices require an update. The next scheduled review is March 2027.
13.2 Changes to This Policy
PrimePath Community Care reserves the right to modify this policy to reflect changes in legislation, technology, or organizational practices. Individuals will be notified of material changes by email or website posting.
13.3 Enforcement and Compliance
All staff, agents, and service providers are required to comply with this policy and applicable privacy legislation. Failure to comply may result in disciplinary action, civil liability, or criminal liability.
13.4 Questions and Feedback
If you have questions or feedback regarding this Privacy Policy, please contact our Privacy Officer at privacy@primepathcommunitycare.ca.
Approval and Authorization
Approved By: Kandy — Founder & Executive Director
Date Approved: March 20, 2026
Version: 1.0 (PP-001)
Next Review Date: March 2027
Classification: Confidential — Internal Use Only