Confidentiality Agreement

Please review the following agreement in its entirety: 

This Agreement pertains to the access, use and disclosure of any Confidential Information and material pertaining to the Hospital and/or its patients. This agreement is applicable to all individuals affiliated with the Hospital and its functions, and to all users of the Hospital Health Information Systems, who have access to Confidential Information held in any media.  This Agreement must be renewed annually as a condition of continued access to Hospital systems and information.


Definitions:

“The Hospital” is defined as Brightshores/SBGHC/HDH/MAHC/OSMH/MRHA wherein “Brightshores” means Brightshores Health System, “SBGHC” means South Bruce Grey Health Centre, “HDH” means Hanover & District Hospital, “MAHC” means Muskoka Algonquin Healthcare, “OSMH” means Orillia Soldiers’ Memorial Hospital, and “MRHA” means Mississippi River Health Alliance.

“Confidential Information” includes:

  • personal health information of patients, such as but not limited to health records in any format (including paper or electronic), conversations, registration information, financial history, the fact that someone is, has been, or may become a patient of the Hospital, the name of a substitute decision-maker, etc; and/or
  • any personal or work-related information and material relating to the Hospital, its functions, and all persons affiliated with the Hospital.

I understand that the Hospital is a health information custodian under the Personal Health Information Protection Act, 2004 (PHIPA) and that the Hospital, its staff, and physicians and other health care providers must comply with PHIPA’s requirements for personal health information including in relation to consent, patient access to records of personal health information, and safeguards.

I have read and agree to follow the Hospital privacy policies. If I need help understanding these policies, I will ask my manager or the Hospital’s Privacy Officer.

As a condition of my association with the Hospital, I understand and agree that:

  1. I shall respect the privacy of the Hospital’s patients/clients, employees and all persons affiliated with the Hospital. Further, I shall keep in strict confidence and only collect, use and/or disclose personal information relating to these individuals as required by the performance of my duties under the terms of my association with the Hospital and in accordance with the laws of Ontario and Canada.
  2. I am allowed to collect, use, and disclose (including: receive, look at, access, ask for, view, copy, record, print, read, listen, share with others) personal health information on a “need to know basis” only, and even then only the minimum amount required, as required for my role or as I have been authorized in writing or as required by law. I am not permitted to access personal health information without proper authorization, even if I am curious or know the person. Unauthorized access is considered snooping and is strictly prohibited.
  3. I will not communicate confidential information either within or outside the Hospital, except to persons authorized to receive such information and only for the purposes of performing my duties.
  4. I will not collect, use, or disclose the personal health information of family, friends, coworkers or any other individual, unless they are under my direct care or I am authorized as part of my official duties at the Hospital and not for my own purposes.
  5. I will not take photographs, videos, or make recordings within the Hospital without consent.
  6. Before using any form of artificial intelligence (AI), such as an AI scribe, during a patient encounter, I will confirm that the patient has been informed and has provided consent in accordance with Hospital policies.
  7. If I am a patient of the Hospital, I will only access my own personal health information in the custody or control of the Hospital through the same method as approved for the public according to the Hospital’s policies.
  8. If I act as a substitute decision-maker, I will only access personal health information related to the individual for whom I am acting, through the same method as approved for the public according to the Hospital’s policies.
  9. I am not allowed to use personal health information (PHI) to engage in self-study (such as but not limited to learning how to document, learning about our patients and the services we offer them, or learning how others provide services) without written permission from my manager or the Privacy Officer of the Hospital.
  10. I will not alter, destroy, or copy, any information provided to me, or that I may have access to or overhear during the terms of my association with the Hospital except with authorization of the Hospital and in accordance with Hospital policies and procedures.
  11. This Confidentiality Agreement does not apply to information I previously and independently developed alone or with others prior to my association with the Hospital and that I can substantiate by written records or to information in the public domain.
  12. I shall maintain the confidentiality and security of any system User ID(s) and Password(s) that have been assigned to me by the Hospital to enable my access to any networks or applications, and I acknowledge that I am responsible for all actions taken and access carried out when an electronic system has been opened using my password. I will not provide my passwords/access codes to anyone, nor will I attempt to use those of others. If I have reason to believe that my passwords/access codes have been compromised, I will immediately inform my manager and/or contact the Privacy Officer of the Hospital.
  13. I will protect any physical access devices (for example keys and badges). I will not lend my devices out to another individual, nor will I attempt to use those of others. I will immediately report any compromised, lost, or stolen devices to my manager and/or to the Privacy Officer of the Hospital.
  14. I will access, process, and transmit personal health information using only authorized hardware, software, or other authorized equipment. I understand that I may not save personal health information on an unencrypted laptop, USB key, or other unencrypted portable device.
  15. I will not remove personal health information from the Hospital’s premises (including taking it home to work on) except as authorized. If authorized, I shall securely store the information and ensure it is in my custody and control at all times.
  16. I am aware that email messages can be modified, forwarded, intercepted and shared, without my knowledge or permission, making email messages vulnerable to fraud, privacy breaches, and unintended disclosure to third parties. Further, I am aware that the privacy and security of external email cannot be guaranteed and that external emails can damage Hospital Information Systems. I acknowledge that the Hospital does not endorse the use of external email systems and that personal health information should not be transmitted through external email.
  17. I agree that faxed documents must be sent and received in a secure environment. To maintain the integrity and confidentiality of information transmitted by fax, I will ensure that I adhere to standardized controls for cover sheets (i.e., defining who to contact and return information to if received in error), the retention of confirmation sheets, and the maintenance of pre-programmed fax numbers.
  18. I understand that the Hospital conducts routine audits and actively monitors system activity logs to ensure patient information is protected against unauthorized access, use, disclosure, copying, modification, or disposal. I am aware that my access to electronic systems is tracked and recorded, and that this information may be reviewed as part of privacy and security oversight processes.
  19. I understand that any unauthorized access, use, or disclosure of Confidential Information will be reported to the Privacy Officer of the Hospital. I will immediately report all incidents involving loss, theft or unauthorized use or disclosure of personal health information to the Hospital’s Privacy Officer. I will cooperate with the Hospital if I am involved in a privacy incident or breach.
  20. I understand that any privacy breach may result in corrective action being taken. Such corrective action may include, but is not limited to: retraining, loss of access to systems, suspension, reporting my conduct to the Information and Privacy Commissioner of Ontario or a professional regulatory body or sponsoring agency, school or institution, termination of contract, restriction or revocation of privileges, and immediate dismissal. I understand there could also be notification of affected persons. I understand a privacy breach could also result in my being fined, prosecuted, or sued.
  21. If I work remotely or perform any duties outside of Hospital premises, I will do so only in accordance with the Hospital’s policies and related privacy and security procedures. I will ensure that any access to, processing of, or communication involving personal health information is conducted using secure, authorized devices and systems. I understand that I may not store, transmit, or print personal health information in a non-secure environment or on unauthorized devices. I will take all reasonable steps to protect confidential information from unauthorized access, viewing, or disclosure while working remotely, including when working in shared or public spaces.
  22. Regardless of any changes that may occur to my title, duties, status and/or other terms of my association with the Hospital, and even if I cease to be employed by or associated with the Hospital, I understand and agree that the terms of this Agreement will continue to apply and/or may need to be maintained indefinitely.
  23. I understand and agree to abide by all the conditions outlined above. I further understand and agree that should my association with the Hospital terminate, I may be required to return or destroy any pertinent Confidential Information, as requested by the Hospital.


The following reference materials are associated with this Agreement, as per the Information and Privacy Commissioner of Ontario:

[1] Breach Notification Assessment Tool;

[2] Detecting and Deterring Unauthorized Access to Personal Health Information