Headwaters Health Care Centre (HHCC) is responsible for the protection of personal information in its possession, including information that has been transferred to a third party for processing.

The Personal Health Information Protection Act (PHIPA) came into effect on November 1, 2004. HHCC has implemented policies and practices to comply with the provincial legislation, including:

  • Implementing procedures to protect personal information
  • Establishing procedures to receive and respond to complaints and inquiries
  • Training staff and ongoing communication to staff about HHCC policies and practices
  • Updating contractual agreements between third party partners/suppliers/vendors to ensure privacy compliance to HHCC privacy policies and procedures


The term “privacy” includes both the confidentiality and security of patient information.

“Circle of care” refers to those in the health care team who are actually involved in the care and treatment of a particular patient. Members of the patient’s “circle of care” can use and disclose the patient’s personal health information for their care, unless the patient has expressly withheld or withdrawn consent. The “circle of care” does not include health care practitioners who do not provide care to the patient.

Privacy Principles

HHCC’s Privacy Policy is based on the following ten privacy principles:

  1. Accountability for Personal Information: HHCC is responsible for the personal information of patients under its control and has designated individual(s) who are accountable for its compliance with the privacy legislation.
  2. Identify Purposes for the Collection of Personal Information: HHCC and its personnel will identify the purposes for which personal information is collected at or before the time the information is collected.
  3. Consent for Collection, Use and Disclosure of Personal Information: the knowledge and informed-consent of the individual are required for the collection, use or disclosure of personal information, except where inappropriate or recognised exceptions apply.
  4. Limit Collection of Personal Information: to that which is necessary for the purposes identified. Information will be collected through fair and lawful means.
  5. Limit Use, Disclosure and Retention of Personal Information: personal information will not be used or disclosed for purposes other than those for which it was collected, except with the consent of knowledge of the individual as required by law. Personal information will be retained only as long as is legally required or is necessary to fulfil its stated purpose.
  6. Accuracy of Personal Information: personal information will be as accurate, complete and up-to-date as is necessary for the purpose for which it is used.
  7. Safeguards for Personal Information: personal information will be protected by security methods appropriate to the format and sensitivity of the information.
  8. Openness about Privacy Policies: HHCC will make readily available to individuals specific information about its policies and procedures relating to the management of personal information.
  9. Individual Access to Personal Information: upon request, an individual will be informed of the existence use and disclosure of his/her personal information and will be given access to that information. An individual will be able to challenge the accuracy and completeness of the information and have it noted or amended as appropriate – according to hospital policy.
  10. Challenge Compliance with the Privacy Policy: an individual will be able to challenge the compliance with the HHCC policy to the Chief Executive Officer (CEO) through the Co-Privacy Officers (CPOs).

Accountability for Personal Health Information

Accountability for HHCC compliance with the privacy policy rests with the Chief Executive Officer (CEO) through the Co-Privacy Officers (CPOs), who are delegated to act on behalf of the CEO in matters related to privacy. The CPOs at HHCC are designated to oversee compliance with the provincial legislation. The CPOs chair a multi-disciplinary committee to review concern or breeches and monitor and update policies and procedures.

All HHCC employees, physicians and volunteers have a duty to protect the personal information of those seeking hospital services. Access to personal health information is granted on a need-to-know basis. Information must only be accessed to effectively perform assigned duties.

Consent for the Collection Use and Disclosure of Personal Health Information

Signage (notice) has been posted in all registration areas to inform the public of the purposes for which we collect, use and disclose information, including the provision of direct patient care within the organisation and across the health system, administrative and management of the health care system, quality improvement initiatives including patient satisfaction surveys, conduct research and compile statistics, fundraise to improve our health care services and programs; and compliance with legal and regulatory requirements.

Patients have the right to withdraw their consent for some of the above uses or disclosures of their health information. If a patient makes this request, fill out a “withdrawal of consent” form located on the Intranet under Forms.

Safeguards for Personal Information

HHCC will make its employees, physicians and volunteers aware of the importance of maintaining the confidentiality of personal information. As a condition of employment/service, all HHCC employees/agents (i.e. employees, physicians, volunteers, researchers, students, consultants or contractors) must sign the HHCC Confidentiality Agreement (reference: Form – Information Technology Privacy and Security).

Employees/agents found to have sought unauthorized access to personal health information or disclosed personal health information to others outside the circle of care will be subject to disciplinary procedures (reference: Policy – Admin - Privacy – Breach of Patient Confidentiality).

Handheld wireless devices (PDAs, Blackberry®, laptops, memory sticks) and cell phones are not be used to store or transmit personal health information, unless the information is encrypted. Patients and visitors will be notified that they are not allowed to take still or motion photographs with their PDA or cell phone.

Challenging Compliance with the Privacy Policy

HHCC has put procedures in place to receive and respond to complaints or inquires about its policy and practices relating to the handling of personal information. The complaint procedure is easily accessible and simple to use.

HHCC will investigate all complaints. If a complaint is found to be justified, HHCC will take appropriate corrective measures, including, if necessary, amending our policies and practices.

Please direct questions about this policy or access to personal information to the CPOs at 519.941.2702 ext. 2578 or privacy@headwatershealth.ca


University Health Network