Privacy of your personal information is an important part of Breakthrough Autism (hereinafter “We”) providing you and your child with quality care. We understand the importance of protecting your personal information. We are committed to collecting, using and disclosing your personal information responsibly. We also try to be as open and transparent as possible about the way we handle your personal information. It is important to us to provide this service to our clients.
In this office, Nancy Marchese, M.A., C.Psych., BCBA acts as our privacy information officer (the “Privacy Information Officer”). Through our Privacy Information Officer we shall ensure that, in providing the Services hereunder, we will collect, use, maintain, disclose and destroy all personal information about you or your child (together, our “Client”) and others dealing with the Client in accordance with all applicable privacy laws and regulations (the “Privacy Acts”). Notwithstanding the foregoing, Breakthrough Autism will retain its files until 10 years after the child’s 18th birthday.
How We Collect, Use, and Disclose Clients’ Personal Information
Breakthrough Autism ensures that:
- Only necessary information is collected about you or your child;
- We only share your information with your consent, on your own behalf and that of your child (with the exception of mandatory disclosure of information as required by law that is outlined later in this policy);
- Storage, retention and destruction of your personal information complies with existing legislation, and privacy protection protocols; and
- Our privacy protocols comply with the Privacy Acts and related applicable law.
We understand and accept our responsibility that we must take reasonable steps to ensure that personal health information in our custody or control is protected against theft, loss and unauthorized use and disclosure, and that the records containing the information are protected against unauthorized copying, modification or disposal. We know we must also take reasonable steps to ensure that personal health information is not collected without authority, and that records of personal health information are retained, transferred and disposed of in a secure manner.
We understand the importance of protecting personal information. Our office will collect, use and disclose information about clients for the following purposes:
- To deliver safe and efficient care;
- To identify and to ensure continuous high quality service;
- To enable us to contact you;
- To establish and maintain communication with you;
- To offer and provide treatment, care and services in relation to the practice of applied behavior analysis (ABA);
- To communicate with other treating service providers, including specialists and educators (with your consent to do so);
- To allow us to maintain communication and contact with you to distribute treatment information and to book and confirm appointments;
- To allow us to efficiently follow-up for treatment, care, and billing;
- To comply with legal and regulatory requirements including the Privacy Acts and related law;
- To invoice for goods and services;
- To process credit card payments;
- To collect unpaid accounts; and
- To assist this office to comply with all regulatory requirements.
Policies Applicable to Employees
We require the cooperation of all employees of Breakthrough Autism in ensuring that our Client’s information remains confidential. All staff members who come in contact with personal information are aware of the sensitive nature of the information that is disclosed to us. Our team members are all trained in the appropriate uses and protection of your information. Here are several procedures for ensuring the confidentiality of client information:
- Any breach of confidentiality should be immediately reported to the Privacy Information Officer;
- All confidential information must be filed according to regular protocol and may be used only by authorized employees;
- No files, documents, papers or computer-stored company or client data of any kind may be taken off the premises without verbal and/or written authorization from management;
- Client information may only be used for tasks related to the provision of Services as authorized by management. Client information (including names, addresses, and telephone numbers) may not be used for any other purpose; and
- No charts, files, documents, papers or computer-stored company or client data of any kind may be reproduced or transmitted in any form or by any means, electronic or mechanical, including recording, photocopying or using information storage and retrieval systems, for any purpose without the verbal and/or written authorization of management.
We ensure that client information may not be discussed in the presence of other clients and may only be divulged to the client themselves, or the client’s parents or guardian, and only upon written request after their identity has been verified.
Accessing Your Files
The Client may access their file by making a request in writing to the Privacy Information Officer, and copies of same will be provided upon the payment of a nominal fee for photocopying. Changes to a file may be requested in writing, but will only be made upon the clinical discretion of the Privacy Information Officer. Information provided to the Privacy Information Officer is private and confidential and is only released to third parties with the Client’s informed, written consent. This consent permits the Privacy Information Officer to release information/reports to, or consult with, the individuals the Client has indicated can examine the file.
Mandatory Disclosure of Information
There are certain circumstances where the Privacy Information Officer would have to divulge personal information about the Client to a third party without the Client’s explicit consent. These include:
- Informing a potential victim of violence of a client’s intention to harm;
- Informing an appropriate family member, health care professional, or police if necessary of a client’s intention to end his or her life;
- Releasing a client’s file if there is a court order to do so;
- Informing the Children’s Aid Society if there is suspicion of a child being at risk or in need of protection due to neglect, or physical, sexual, or emotional abuse;
- Reporting a health professional who has sexually abused a client; and
- Sharing information with another practice associate.
Under the Privacy Acts, consent is implied when discussing the Services provided to the Client with members of their health care team, and this may include members of the Breakthrough Autism team and administrators. All third party recipients of personal information in relation to the Services provided hereunder are party to confidentiality agreements to further protect personal and private information.
Mandatory Reporting of Privacy Breaches
Breakthrough Autism is the Health Information Custodian and may be responsible for collecting, using and disclosing personal health information on behalf of clients under the Privacy Acts.
Under the rules in the Privacy Acts, Breakthrough Autism may be required to report statistics relating to health privacy breaches annually to the Information and Privacy Commissioner of Ontario’s (“IPC”) office, which oversees compliance with the Privacy Acts.
A privacy breach is known as the unauthorized use, disclosure, loss, or theft of personal health information. The following are the circumstances in which Breakthrough Autism is required to notify the IPC:
- Where Breakthrough Autism has reasonable grounds to believe that personal health information in its custody or control was used or disclosed without authority by a person who knew or ought to have known that they were using or disclosing the information without authority;
- Where Breakthrough Autism has reasonable grounds to believe that personal health information in its custody or control was stolen;
- Where Breakthrough Autism has reasonable grounds to believe that, after an initial loss or unauthorized use or disclosure of personal health information in its custody or control, the personal health information was or will be further used or disclosed without authority;
- Where Breakthrough Autism experiences a loss or unauthorized use or disclosure of personal health information as part of a pattern of similar losses or unauthorized uses or disclosures of personal health information in its custody; and
- Where Breakthrough Autism determines that the loss or unauthorized use or disclosure of personal health information is significant after considering all relevant circumstances, including:
  - Whether the personal health information that was lost or used or disclosed without authority is sensitive.
  - Whether the loss or unauthorized use or disclosure involved a large volume of personal health information.
  - Whether the loss or unauthorized use or disclosure involved many individuals’ personal health information.
  - Whether more than one health information custodian or agent was responsible for the loss or unauthorized use or disclosure of the personal health information.
Breakthrough Autism is required to, and shall, track privacy breach statistics and provide the IPC with an annual report of the previous calendar year’s statistics.
Privacy Breach Protocol
Breakthrough Autism will take immediate action upon learning of a privacy breach in the following manner.
STEP 1: Immediately Implement Privacy Breach Protocol
We will notify all relevant staff of the breach, including our Privacy Information Officer, and we will develop and execute a plan designed to contain the breach and notify those affected.
STEP 2: Stop and Contain the Breach
We will identify the scope of the breach and take the necessary steps to contain it, including:
- Retrieving and securing any personal health information that has been disclosed.
- Ensuring that no copies of the personal health information have been made or retained by the individual who was not authorized to receive the information.
- Determining whether the privacy breach would allow unauthorized access to any other personal health information (e.g. an electronic information system) and taking necessary steps (such as changing passwords, identification numbers and/or temporarily shutting our system down if necessary).
STEP 3: Notify those affected
We will take all necessary steps to notify those individuals whose privacy was breached:
- Identify all affected individuals and notify them of the breach at the first reasonable opportunity, keeping in mind the various factors that may need to be taken into consideration when deciding on the best form of notification.
- When notifying individuals affected by a breach, we will:
  - Provide enough detail of the breach, including the extent of the breach and what personal health information was involved.
  - Advise all affected individuals of the steps we are taking to address the breach, and that they are entitled to make a complaint to the IPC.
  - Advise all affected individuals whether we have reported the breach to the IPC.
  - Provide contact information for someone within our organization who can provide additional information, assistance and answer questions.
STEP 4: Investigation and Remediation
We will conduct an internal investigation, including:
- Ensuring that the immediate requirements of containment and notification have been met.
- Reviewing all of the circumstances surrounding the breach.
- Reviewing the adequacy of our existing policies and procedures.
- Ensuring all staff are appropriately educated and trained with respect to compliance with the privacy protection provisions of the Privacy Acts.
- Taking any other corrective action as necessary and reasonable in the circumstances.
By signing our Terms and Conditions of Services at Breakthrough Autism, Inc., you have agreed that you have given your informed consent to the collection, use and/or disclosure of your personal information for the purposes that are listed. If a new purpose arises for the use and/or disclosure of your personal information, we will seek your approval in advance.
Our office will not under any conditions supply any insurer with your confidential medical history. In the event this kind of a request is made, we will forward the information directly to you for review, and for your specific consent. When unusual requests are received, we will contact you for permission to release such information. We may also advise you if such a release is inappropriate.
Under the Privacy Acts, the Client can withdraw consent at any time; however, consent cannot be rescinded for information that has already been collected. For further information about how such information is collected or stored, or any concerns, please contact the Privacy Information Officer.