Trillium Health Partners (“THP”, “we”, “us” or “our”) values the trust you have placed in us and are committed to ensuring your personal health information remains confidential and secure. This written statement describes how we collect, use, disclose and safeguard your personal health information, and how you can access and correct such information. The information here also applies to someone who is authorized to act on your behalf respecting your personal health information.
THP is a health information custodian and the practices described in this written statement are consistent with our obligations under the Personal Health Information Protection Act, 2004 (“PHIPA”).
1. Collection
THP may collect personal health information in the following ways:
- directly from you;
- from someone who is legally authorized to act on your behalf; or
- indirectly from other sources (e.g., another health care provider who is or has been involved in your care, shared systems) where permitted by law.
We only collect personal health information that is reasonably necessary to fulfil the intended purpose.
2. Use and Disclosure of Personal Health Information
THP uses and discloses your personal health information to:
- provide or assist in providing health care
- collect payment for treatment and care
- plan, administer and manage our programs and operations
- conduct risk management activities
- monitor programs and conduct quality improvement activities
- conduct research
- engage in teaching and other educational activities
- create or compile statistics
- facilitate fundraising activities
- comply with legal and regulatory requirements
- conduct de-identification
- engage in activities in accordance with your additional specific consents
- engage in other legally permissible purposes.
Our use and disclosure of your personal health information is done in accordance with PHIPA.
3. De-identification
We may de-identify your personal health information in order to remove any information that identifies you or for which it is reasonably foreseeable in the circumstances that the information could be used, either alone or with other information, to identify you. THP, our agents, our service providers and any other entities to whom we disclose de-identified information may use such information for our/their own purposes, including program management, risk management and quality improvement activities such as the training of artificial intelligence models.
4. Artificial Intelligence
THP may use systems powered by artificial intelligence (“AI Systems”) when processing your personal health information. These AI Systems enhance the provision of health care by complementing clinical decision-making and streamlining our administration. We are committed to the safe and responsible use of AI Systems, and at all times prioritize patient privacy and recognize that AI Systems do not replace medical expertise.
5. Consent
We will only collect, use or disclose your personal health information with your consent, or as permitted or required by law. In certain circumstances, your consent may be implied.
You may withhold or withdraw your consent at any time by contacting THP’s Health Records (Release of Information) Office, linked in this written statement. Withdrawal of consent will not have a retroactive effect.
6. Safeguards
We maintain administrative, technical and physical safeguards to protect the confidentiality and security of your personal health information in our custody or control. Safeguards are appropriate to the sensitivity of the information and may include:
- internal policies and procedures that define the roles and responsibilities of our personnel regarding the processing of personal health information;
- technical safeguards, such as encryption, firewalls, passwords, Data Loss Prevention, Identity and Access Management, End-point Detection and Response (EDR), 24x7 MSSP (Managed Security Service Provider), to protect personal health information collected, used, or stored in electronic format;
- security safeguards aligned with security framework NIST CFS2.0 and Ontario Health CSOM (Cyber Security Operation Model) requirements and guidance;
- a designated privacy officer accountable for our compliance with applicable privacy laws;
- requirements for our personnel who have access to personal health information to complete privacy and data security training and to sign a confidentiality agreement obligating them to comply with this written statement;
- procedures for receiving, investigating, and responding to inquiries or complaints regarding our information handling practices; and
- contractual provisions and other measures to require our service providers to whom we transfer personal health information to maintain adequate privacy protections and standards.
We monitor the effectiveness of and compliance with these safeguards through regular audits and assessments.
7. Individual Access and Correction
Under PHIPA, you have the right to request access to and correction of personal health information records under our custody or control. You may exercise this right by making a written request to our Health Records (Release of Information) Office.
8. Inquiries and Challenging Compliance
You may direct any inquiries or complaints to our privacy officer:
Mail:
Privacy Office
100 Queensway West
Mississauga, ON L5B 1B8
Email: Privacy@thp.ca
You may also make a complaint to the Information and Privacy Commissioner of Ontario:
Information and Privacy Commissioner of Ontario
2 Bloor Street East, Suite 1400
Toronto, ON M4W 1A8
416-326-3333 (Toronto area)
1-800-387-0073 (Long distance)
416-325-7539 (TDD/TTY)
info@ipc.on.ca
