Privacy policy

Rexdale Medical Centre is committed to protecting the privacy of all our patients. In conjunction with the Personal Health Information Protection Act, 2004 (PHIPA), Rexdale Medical Centre has its own privacy policy and best-practice guidelines to follow. Our privacy policy is available for all staff and patients to read. If you have concerns regarding our policy, please speak with the Security Officer, or discuss them with your family doctor at your next visit.

Privacy Policy

It is Rexdale Medical Centre Family Health Organization’s policy to protect the personal and personal health information of all our patients in accordance with legal obligations set out in Ontario’s Personal Health Information Protection Act (PHIPA) and in accordance with good business practices and privacy and security best practices. This policy is reviewed annually to ensure it maintains its adherence to legislative and regulatory requirements.

Specifically, it is Rexdale Medical Centre Family Health Organization’s policy to:

Protecting Personal Information 

1. Openness and Transparency

  • Rexdale Medical Centre Family Health Organization, henceforth Rexdale Medical Centre, values patient privacy and acts to ensure that it is protected.
  • This policy has been written to capture Rexdale Medical Centre’s current practices and to respond to federal and provincial requirements for the protection of personal information.
  • This policy describes how Rexdale Medical Centre collects, protects and discloses the personal information of patients and the rights of patients with respect to their personal information.
  • We are available to answer any patient questions regarding our privacy practices.
  • This policy is available for review by staff and patients.

2. Accountability

  • The physician is ultimately accountable for the protection of the health records in his/her possession.
  • Patient information is sensitive by nature. Employees and all others in the Rexdale Medical Centre who assist with or provide care (including students and locums) are required to be aware of, and adhere to, the protections described in this policy for the appropriate use and disclosure of personal information.
  • The Rexdale Medical Centre has appointed a Security Officer who has overall responsibility for managing the privacy and security program on a day-to-day basis, under the direction of the Lead Physician.
  • All persons in Rexdale Medical Centre who have access to personal information must attend privacy training and additionally adhere to the following information management practices.
    • Office information management practices
      • Access is on a need to know basis
      • Access is restricted to authorized users
      • Occasional audits will be performed to ensure appropriate viewing of patient personal health information
    • Third party obligations
      • Contractual privacy agreements with third parties (including cleaning and security personnel, landlords, data processors, etc.)
  • The Rexdale Medical Centre employs strict privacy protections to ensure that
    • We protect the confidentiality of any personal information we access in the course of providing patient care.
    • We collect, use and disclose personal information only for the purposes of providing care and treatment or the administration of that care, or for other purposes expressly consented to by the patient.
    • We adhere to the privacy and security policies and procedures of this office.
    • We educate and train staff on the importance of protecting personal information on an ongoing basis.

Collection, Use and Disclosure of Personal Information 

3. Collection of Personal Information

  • We collect the following personal information
    • Identification/Contact information, including
      • Name
      • Date of Birth
      • Home address and phone numbers
      • Email address
    • Billing information, including
      • Ontario Health Insurance Plan (OHIP) number
      • Private medical insurance details
    • Health information, which may include
      • Medical history
      • Presenting symptoms
  • Limits on Collection

Rexdale Medical Centre will only collect the information that is required to provide care, administer the care that is provided, and communicate with patients. We will not collect any other information, or allow information to be used for other purposes, without the patient’s express consent, except where authorized to do so by law. These limits on collection ensure that we do not collect unnecessary information.

4. Use of Personal Information

  • Personal information collected from patients is used by the Rexdale Medical Centre for the purpose of
    • Identification and contact
    • Emergency contact
    • Provision and continuity of care
    • Historical record
    • Health promotion and prevention
    • Administration of the care that is provided
    • Prioritization of appointment scheduling
    • Billing provincial health plan
    • Professional requirements
    • Risk or error management, e.g., medical-legal advice (CMPA)
    • Quality assurance (peer review)
    • Research studies and trials
    • Prescriptions
  • Any breach in the use of personal or personal health information will be handled in accordance with the Policy Breach Protocol (Appendix 1).

5. Disclosure of Personal Information

  • Implied consent (Disclosures to other providers)
    • Unless otherwise indicated, we assume that patients have consented to the use of their information for the purposes of providing them with care, including sharing the information with other health providers involved in their care. By virtue of seeking care from us, the patient’s consent is implied for the provision of that care.
    • Relevant health information is shared with other providers involved in the patient’s care, including (but not limited to)
      • Other physicians in this practice
      • Other physicians in the after-hours call group
  • Without consent (Disclosures mandated or authorized by law)
    • There are limited situations where the physician is legally required to disclose personal information without the patient’s consent. Examples of these situations include (but are not limited to)
      • Billing provincial health plans
      • Reporting specific diseases
      • Reporting abuse (child, elder, spouse, etc.)
      • Reporting fitness (to drive, fly, etc)
      • By court order (when subpoenaed in a court case)
      • In regulatory investigations
      • For quality assessment (peer review)
      • For risk and error management, e.g., medical-legal advice
  • Express Consent (Disclosures to all other third parties)
    • The patient’s express consent (oral or written) is required before Rexdale Medical Centre will disclose personal information to third parties for any purpose other than to provide care or unless authorized to do so by law.
    • Examples of situations that involve disclosures to third parties include (but are not limited to)
      • Third party medical examinations
      • Provision of charts or chart summaries to insurance companies
    • Disclosure Log

Before a disclosure is made to a third party, a notation shall be made in the file that the patient has provided express consent, or a signed patient consent form is appended to the file.

  • Withdrawal of Consent
    • Patients have the option to withdraw consent to have their information shared with other health providers at any time.
    • Patients also have the option to withdraw consent to have their information shared with third parties.
    • If a patient chooses to withdraw their consent, the physician will discuss any significant consequences that might result with respect to their care and treatment (e.g., possible negative impact on the care provided).

Office Safeguards 

6. Security Measures

  • Safeguards are in place to protect the security of patient information.
  • These safeguards include a combination of physical, technological (for offices where computers are in use) and administrative security measures.
  • We use the following physical safeguards
    • Limited access to office
      • Doors locked, alarm system
    • Limited access to records
      • Access to records is on a strictly need-to-know basis
    • Office layout features
      • Soundproofing and/or white noise to ensure confidentiality
  • We use the following technological safeguards
    • Protected computer access for patient health information
      • Passwords
      • User authentication
    • System protections
      • Firewall software
      • Virus scanning software
    • Protected external electronic communications – Internet
      • Separate internet access (stand-alone, not connected to the operating system)
    • Secure electronic record disposal
      • Safely dispose of computer hard drives
      • Destroy all other removable media (diskettes, CD-R, DVD)

Wireless and mobile communication devices (e.g. laptops, PDAs, etc) are especially vulnerable to loss, theft and unauthorized access. We take extra precautions when using these devices for patient health information.

    • Protected phone access for personal health information
      • Mobile phone devices that have access to personal health information are locked when not in use. See the Password Guidelines (Appendix 2) for information on appropriate password protection.
      • Mobile phones/tablets with access to personal health information are used only by the physician. In the event that a tablet with access to personal health information is shared, access to the specific application holding personal health information must be password protected.
      • Any shared device that does not password protect personal health information cannot be used for work purposes.
  • We use the following administrative safeguards
    • Office information management practices
      • Access is on a need-to-know basis and restricted to authorized users only
    • Third party obligations
      • Contractual privacy clauses/agreements with third parties (including cleaning and security personnel, landlords, data processors, etc.) to protect the privacy of personal or personal health information
    • Limits on third party access
      • Any other persons having access to patient information or to these premises (e.g., cleaners, security staff, landlords) shall, through contractual or other means, provide a comparable level of protection.
    • Staff signed confidentiality agreements
      • Staff must sign the Security Acknowledgement and Confidentiality Agreement as part of (or appended to) their employment contract.
      • The confidentiality agreement extends beyond the term of employment.

7. Communications Policy

7.1 Rexdale Medical Centre is sensitive to the privacy of personal information, as is reflected in how we communicate with our patients, others involved in their care, and all third parties.

  • We protect personal information regardless of the format.
  • We use specific procedures to communicate personal information by
    • Telephone
      • Patient preference with regard to phone messages will be taken into consideration
    • Fax
      • Our fax machine is located in a secure or supervised area (restricted public access)
      • We use pre-programmed numbers to ensure the fax is received by the proper recipient
    • Email
      • See the Email Policy document for details
    • Post/Courier
      • Sealed envelope
      • Marked confidential
8. Record Retention

  • The Rexdale Medical Centre will retain patient records as required by law and professional regulations.
  • The Canadian Medical Protective Association (CMPA) advises members to retain their medical records for at least 10 years from the date of the last entry or, in the case of minors, 10 years from the time the patient would have reached the age of majority (age 18 or 19, depending on the jurisdiction).
  • Some Colleges advise physicians that claims may arise beyond the stipulated regulatory period, and that they may therefore want to keep their records longer, particularly if they are aware of a potential claim.

9. Procedures for Secure Disposal/Destruction of Personal Information

  • When information is no longer required, it is destroyed according to set procedures that govern the storage and destruction of personal information (refer to College guidelines).
    • We use the following methods to destroy/dispose of paper records
      • According to provincial College regulations
      • Shredding
    • We use the following methods to destroy/dispose of electronic records
      • Proper disposal of computer hard drives
      • Destruction of all other electronic storage media (diskettes, CD-R, DVD)
  • Rexdale Medical Centre ensures that all information is wiped clean where possible prior to disposal of electronic data storage devices (e.g. surplus computers, internal and external hard drives, diskettes, tapes, CD-ROMs, etc.).
  • Disposal Log
    • Before the secure disposal of a health record, Rexdale Medical Centre maintains a log with the patient’s name, the time period covered by the destroyed record, the method of destruction and the person responsible for supervising the destruction (if applicable).

Patient Rights 

10. Access to Information

  • Patients have the right to access their record in a timely manner.
  • If a patient requests a copy of their records, one will be provided at a reasonable cost (refer to College guidelines for non-insured services).
  • Access shall only be provided upon approval of the physician.
  • If the patient wishes to view the original record, one of the Rexdale Medical Centre staff must be present to maintain the integrity of the record, and a reasonable fee may be charged for this access.
  • Patients can submit access requests verbally or in writing.
  • The Rexdale Medical Centre follows specific procedures to respond to access requests.
  • All patients have the right to request that their electronic medical record (EMR), or certain parts of it, be locked so that only their physician can access it.
    • Should another employee need access to the locked EMR, a notification will be sent to the primary physician for review.
  • Limitations on Access
    • In extremely limited circumstances the patient may be denied access to their records, but only if providing access would create a risk to that patient or to another person.
      • For example, when the information could reasonably be expected to seriously endanger the mental or physical health or safety of the individual making the request or of another person.
      • Or if the disclosure would reveal personal information about another person who has not consented to the disclosure. In this case, we will do our best to separate out this information and disclose only what is appropriate.
  • Accuracy of Information
    • We make every effort to ensure that all patient information is recorded accurately.
    • If an inaccuracy is noted, the patient can request changes to their own record, and this request is documented by an annotation in the record.
    • No notation shall be made without the approval or authorization of the physician.
  • Privacy Complaints
    • It is important to us that our privacy policies and practices address patient concerns and respond to patient needs.
    • A patient who believes that the Rexdale Medical Centre has not responded to their access request, or has not handled their personal information in a reasonable manner, is encouraged to address their concerns first with their doctor.
      • Patient complaints can be made verbally or in writing.
      • The Rexdale Medical Centre follows specific procedures for responding to patient complaints.
        • Our complaints process is readily accessible, transparent and simple to use.
        • Patients are informed of relevant complaint mechanisms.
    • Patients who wish to pursue the matter further are advised to direct their complaints to the provincial College or the provincial privacy commissioner.

Appendix 1: Policy Breach Protocol

Policy Statement

The Rexdale Medical Centre takes privacy seriously, and takes steps to protect the personal information of the patients that we serve.

Policy Breach

A privacy breach occurs whenever a person has contravened or is about to contravene a provision of the Personal Health Information Protection Act (PHIPA) or its regulations, including section 12(1) of PHIPA.

Responsibility/Accountability

Rexdale Medical Centre employees are responsible and accountable for protecting the privacy, confidentiality and security of patients’ personal information. It is understood that some locations within the facilities where employees perform their duties are “public” in nature and are open and accessible to the public. It is the employee’s responsibility to take reasonable and practical measures to maintain the confidentiality and privacy of the individual. See Appendix 2: Security Best Practices Guide for more information.

Contact the Lead Physician or Security Officer immediately, should a breach occur.

The types of personal information involved and the sensitivity of the information should be assessed to determine the appropriate response and notification to affected individuals. Examine the situation fully and work with the Lead Physician and/or Security Officer to ensure that any necessary details of the breach and any corrective actions are documented for later investigation and review. Consider what public harm could result from the breach, such as a risk to public health or safety.

Guidelines on what Health Information Custodians should do in the event of breach

Upon learning of a breach, immediate action must be taken. The following steps must be carried out simultaneously or in quick succession.

Step 1: Respond immediately by implementing the privacy breach protocol

  • Ensure Lead Physician and Security Officer are immediately notified of the breach
  • Inform the Information and Privacy Commissioner (IPC) Registrar of the privacy breach and work together constructively with IPC staff; and
  • Address the priorities of containment and notification as set out in the following steps.

Step 2: Containment – Identify the scope of the potential breach, take steps to contain it

  • Retrieve the hard copies of any personal health information that has been disclosed;
  • Ensure that no copies of the personal health information have been made or retained by the individual who was not authorized to receive the information and obtain the person’s contact information in the event that follow-up is required; and
  • Determine whether the privacy breach would allow unauthorized access to any other personal health information (e.g. an electronic information system) and take whatever necessary steps are appropriate (e.g. change passwords, identification numbers and/or temporarily shut down a system).

Step 3: Notification – Identify those individuals whose privacy was breached and notify them of the breach

  • PHIPA requires health information custodians to notify individuals at the first reasonable opportunity, but does not specify the manner in which notification must be carried out;
  • For example, notification can be by telephone or in writing, or depending on the circumstances, a notation made in the individual’s file to be discussed at his/her next appointment;
  • There are numerous factors that may need to be taken into consideration when deciding on the best form of notification (e.g. the sensitivity of the personal health information). As a result, the health information custodian may want to contact the IPC to discuss the most appropriate form of notification;
  • There may also be exceptional circumstances when the health information custodian may want to discuss notification with the IPC before proceeding (e.g. when notification is not possible or may be detrimental to the individual). If this is the case, the health information custodian is encouraged to contact the IPC to discuss these circumstances;
  • When notifying individuals affected by the breach, provide details of the extent of the breach and the specifics of the personal health information at issue;
  • Advise affected individuals of the steps that have been or will be taken to address the breach, both immediate and long-term; and
  • Advise that the IPC has been contacted to ensure that all obligations under PHIPA are fulfilled (where applicable).

Step 4: Investigation and Remediation

  • Conduct an internal investigation into the matter. The objectives of the investigation are to:
    • ensure the immediate requirements of containment and notification have been addressed;
    • review the circumstances surrounding the breach; and
    • review the adequacy of existing policies and procedures in protecting personal health information;
  • Address the situation on a systemic basis. In some cases, program-wide procedures may warrant review (e.g. a misdirected fax transmission);
  • Advise the IPC of your findings and work together to make any necessary changes;
  • Ensure staff are appropriately educated and trained with respect to compliance with the privacy protection provisions of PHIPA; and
  • Cooperate in any further investigation into the incident undertaken by the IPC.

Appendix 2: Security Best Practices Guide

1. The Basics 

Information security as it relates to health information is the safeguarding of personal health information. The following are guidelines on how to maintain a safe and secure work environment.

Core principles of information security: 

  • Confidentiality – ensuring that personal health information is made available or disclosed only to authorized individuals.
  • Integrity – making certain that personal health information is accurate, complete and remains valid over time.
  • Availability – ensuring information is accessible to authorized individuals when and where required.

2. Security in all Places 

Printers, Photocopiers and Fax Machines 

  • Printers and fax machines should be located in an area that is accessible by authorized staff only.
  • Retrieve printed items from the machine immediately.
  • Confirm that the number you are faxing to is still valid and verify that it was dialled correctly.
    • Refer to the IPC Guidelines on Facsimile Transmission Security.
  • Periodically review fax numbers stored in the speed dial and ensure that they are still valid.
  • When expecting something by fax, set a specific time to receive it, especially if it is sensitive.
  • Do not leave original material in photocopiers or fax machines.

On the Phone 

  • Know to whom you are disclosing information. If you are uncertain, ask them to provide you with information that would verify their identity.
  • Be aware of your surroundings, including during cell phone conversations. Be mindful of eavesdropping.
  • Be aware that there are techniques used to manipulate people into performing actions or divulging confidential information over the phone.
  • Always have a passcode on mobile devices that contain sensitive information. Use a strong, non-trivial password where applicable (see the Password Guidelines section for more details).

In Meeting Areas

  • Clean the whiteboard of sensitive information when the meeting is over.
  • Double-check that sensitive information, including documents, is removed from the meeting room at the meeting’s end.
  • Ask participants of a conference call to identify themselves at the call’s start.
  • Always check that the phone line is closed after the meeting has come to an end.

3. Mobile Computing 

  • Ensure your laptop and personal digital assistant (PDA) are encrypted and/or password protected.
  • Never leave your laptop/PDA in view in the car when it is left unattended.
  • Never leave your laptop/PDA or mobile phone unattended when travelling or in any other public place.
  • If your computer uses wireless connections, ensure that all wireless communications are encrypted.
  • When using CDs for data backup, store the files only in encrypted format. File encryption tools are provided in Microsoft Office applications.
    • Refer to the IPC fact sheet Encrypting Personal Health Information on Mobile Devices. 
  • When using USB memory devices (USB flash drives) for backup or to move personal health information between computers, use only devices that have built-in encryption and require a password to access information.
    • Refer to the IPC fact sheet Encrypting Personal Health Information on Mobile Devices. 
  • Use power-on passwords that must be entered before a device will start.
  • When using a laptop outside of the office environment, ensure that your screen cannot be viewed by anyone other than you.

4. Clear Desk and Environment

  • When away from the office, sensitive information (paper files and computer media) should be locked in secure cabinets. Do not leave materials unattended in open, unsecured areas such as printers, copy machines, fax machines or meeting rooms.
  • All sensitive information for disposal should be destroyed or erased in a secure way. Do not place it in a blue recycling bin or garbage.
    • Refer to the IPC fact sheet Secure Destruction of Personal Information.

5. Password Guidelines 

  • Ensure that your computer has a screen saver that activates after a predefined time and requires a password to gain access to the computer.
  • It is recommended that you change your passwords frequently, at least every 90 days.
  • Passwords must NEVER be disclosed to anyone or written down.
  • A password should:
    • Contain a minimum of eight characters
    • Include a combination of upper and lower case letters, numbers and/or special characters
    • Not be obvious, easily guessable, or found in a common-words dictionary
    • Not use acronyms, birthdays, sequential numbers, or names of family members or pets
  • If you suspect the confidentiality of your password has been compromised, change it immediately.
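The Password Guidelines above, as an added example that is not part of the original policy: a Python check that applies these rules (minimum length, character mix, dictionary words, family/pet names, birthdays, sequential digits, and the 90-day rotation). The word list, personal terms and birthday are constructed placeholders, and requiring three of the four character classes is an assumed reading of "and/or".

```python
import re
from datetime import date

# Constructed mini-dictionary standing in for a "common words" list; a real
# deployment would load a full word list (assumption, not from the policy).
COMMON_WORDS = {"password", "welcome", "clinic", "rexdale", "summer", "letmein"}

# Constructed per-user context (hypothetical values): names of family members
# or pets and a birthday, which the guidelines say must not appear in a password.
PERSONAL_TERMS = {"muffin", "sarah"}
BIRTHDAY = date(1985, 3, 14)

MIN_LENGTH = 8
MAX_PASSWORD_AGE_DAYS = 90


def birthday_tokens(bday):
    """Forms in which a birthday commonly appears inside a password:
    1985, 0314, 1403, 19850314, 14031985, 031485, 140385."""
    y, m, d = bday.year, bday.month, bday.day
    return {f"{y}", f"{m:02d}{d:02d}", f"{d:02d}{m:02d}",
            f"{y}{m:02d}{d:02d}", f"{d:02d}{m:02d}{y}",
            f"{m:02d}{d:02d}{y % 100:02d}", f"{d:02d}{m:02d}{y % 100:02d}"}


def has_sequential_digits(pw, run=3):
    """True if pw contains an ascending or descending run of digits (e.g. 123, 987)."""
    for i in range(len(pw) - run + 1):
        chunk = pw[i:i + run]
        if not chunk.isdigit():
            continue
        steps = {int(chunk[j + 1]) - int(chunk[j]) for j in range(run - 1)}
        if steps == {1} or steps == {-1}:
            return True
    return False


def check_password(pw, personal_terms=PERSONAL_TERMS, birthday=BIRTHDAY):
    """Return a list of guideline violations; an empty list means the password passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    # Count character classes present; the policy asks for a "combination", which
    # this check interprets (assumption) as at least three of the four classes.
    classes = sum([any(c.islower() for c in pw), any(c.isupper() for c in pw),
                   any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw)])
    if classes < 3:
        problems.append("needs a mix of upper/lower case, digits and/or special characters")
    lowered = pw.lower()
    letters = re.sub(r"[^a-z]", "", lowered)
    # Catch both the bare word and the word padded with digits/symbols (Password1!).
    if lowered in COMMON_WORDS or (letters and letters in COMMON_WORDS):
        problems.append("found in the common-words dictionary")
    for term in personal_terms:
        if term.lower() in lowered:
            problems.append(f"contains personal term '{term}'")
    digits = re.sub(r"\D", "", pw)
    if any(tok in digits for tok in birthday_tokens(birthday)):
        problems.append("contains a birthday")
    if has_sequential_digits(pw):
        problems.append("contains sequential digits")
    return problems


def password_expired(last_changed_iso, today_iso):
    """Rotation check: the guidelines ask for a change at least every 90 days.
    Dates are ISO strings (YYYY-MM-DD) so the check is easy to call from a script."""
    last_changed = date.fromisoformat(last_changed_iso)
    today = date.fromisoformat(today_iso)
    return (today - last_changed).days > MAX_PASSWORD_AGE_DAYS


if __name__ == "__main__":
    for candidate in ["Password1!", "Muffin19850314!", "abc123", "Tq7#mR9vLp"]:
        print(candidate, "->", check_password(candidate) or "OK")
```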

6. How to Protect Information

  • Understand security as it relates to your role and your obligations.
  • Where applicable, be aware of unauthorized physical access to premises through piggybacking, where a non-employee follows an authorized employee onto the premises.
  • Select strong passwords and protect them from disclosure.
  • Always lock your screen when you are away from your computer and log out of PS.
  • Never use another person’s user ID or password.
  • Scan your computer weekly to ensure that spyware or unauthorized software is not installed.
  • Make weekly backups of your data and keep the backups securely offsite.
  • Install a privacy screen over your monitor to make it difficult for casual visitors in your office to read the contents displayed.
  • Verify at least twice a year that you can restore data from backup disks or tapes.
  • Secure laptops with a physical cable lock when in use.
  • Request that your computer’s hard drive be encrypted.
  • Do not install unauthorized software of any kind.
  • Never visit websites intended for adult-only audiences, gambling or online games.
  • Keep all paper files, backup CDs and/or tapes in a fireproof cabinet.

7. Security Incidents 

What is a security incident? 

A security incident is an unwanted or unexpected situation that results in:

  • The unauthorized disclosure, destruction, modification or withholding of information.
  • A failure to comply with the organization’s security requirements.
  • Unauthorized access, use or probing of information resources.
  • An attempted, suspected or actual security compromise.
  • Waste, fraud, abuse, theft, loss of or damage to resources.

Why might they happen? 

  • Failure to comply with approved policies and practices.
  • Indifference to or being unaware of responsibilities.
  • Inadequate, or lack of, safeguards.

What are possible consequences? 

Damage to reputation, loss of trust, financial losses, theft of computing resources, loss of employment or legal consequences.

What do I do if I witness an incident? 

Security incidents must be reported to the security officer. The security officer must take appropriate action to contain actual or potential breaches, investigate and report the finding(s). If you experience an incident, report it to the security officer. All incidents relating to the information you are responsible for should be appropriately identified, responded to, escalated and investigated.

Appendix 3: Roles and Responsibilities for Security 

All Staff

  • Read, sign and comply with the Privacy Policy.
  • Read, sign, and comply with the Security Acknowledgement and Confidentiality Agreement.
  • Read and follow the best practices for security in the Security Best Practices Guide.
  • Follow clean desk practices especially in unattended workspaces. Refer to Clean Desk and Environment in Security Best Practices Guide.
  • Secure mobile computing devices, such as laptops, when unattended.
  • Question unfamiliar individuals entering restricted areas.
  • Secure information and computers used outside the office as per the IPC fact sheet Encrypting Personal Health Information.
  • Avoid accidentally exposing sensitive information through conversations, exposed computer screens and unattended desks.
  • Dispose of hard copy personal health information and digital media as per IPC fact sheet “Secure Destruction of Personal and Personal Health Information.”
  • Before sending a fax, confirm the number is still valid and was dialled correctly. Find additional best practices in IPC document Guidelines on Facsimile Transmission Security.
  • Report all security incidents to the Security Officer.

Security Officer

  • Ensure the Privacy Policy is available to both staff and patients.
  • Ensure staff and contractors are aware of the Privacy Policy and informed on how it should be interpreted and put into action through support following the Security Best Practices Guide.
  • Ensure all staff are trained on their security responsibilities. Refer to “All Staff” Roles and Responsibilities and Security Best Practices Guide.
  • Collect and file the signed and dated Security Acknowledgement and Confidentiality Agreement from all staff and necessary third parties.
  • Ensure disposal of personal and personal health information meets security standards as given in the IPC fact sheet Secure Destruction of Personal and
  • Ensure staff have access to a shredding machine to securely dispose of personal health information no longer required.
  • Instruct staff how to create strong passwords, and never to share their passwords in accordance with Password Guidelines in the Security Best Practices Guide.
  • Ensure staff understand that they are not to install unauthorized software, connect unauthorized devices to their computers, or use their computers for unauthorized purposes.
  • Encourage staff members to make weekly backups of their data.
  • Revoke or suitably adjust (physical, network, system and application) access and change shared passwords as soon as employees leave or change responsibilities.
  • Direct the IT service provider to set up security safeguards on all office solutions.
  • Ensure the IT service provider provides a written description of the service provided.
  • Report all security incidents to the Lead Physician. Arrange assistance in leading the investigation, if necessary, and ensure required remediation is completed.
  • Monitor and perform spot checks on a regular basis to ensure all staff are following the Privacy Policy. Take appropriate action if not followed.

Email Policy

  • Policy Statement

When used with discretion email can be a useful communication tool for use with patients, caregivers, family members, and/or substitute decision makers (SDM) for communication of administrative, educational or health promotional purposes, and for the provision of patient care.

Use of the practice email is provided to all Rexdale Medical Centre employees, temporary and part-time workers, and authorized agents at the discretion of the centre. All emails and their content remain the property of the Rexdale Medical Centre. Where applicable, employees, students, temporary and part-time workers will not use their personal/home email to communicate with patients, caregivers, family members, and/or substitute decision makers.

There are three potential areas for liability in email communication: confidentiality, privacy and security; timeliness of responses; and clarity of communication.

Use of email to communicate sensitive clinical issues such as diagnosis, prognosis, assessment, or test results is strongly discouraged. The email account will only be used for notification purposes, and as such Rexdale Medical Centre will not reply to emails received from patients. Email messages to and from the centre’s account are not encrypted and, therefore, Rexdale Medical Centre cannot guarantee the confidentiality and security of messages users send to or receive from the account.

Rexdale Medical Centre endeavours to ensure that the email account is used securely and appropriately in compliance with the Personal Health Information Protection Act (PHIPA), Freedom of Information and Protection of Privacy Act (FIPPA), any other relevant legislation in effect, and including our own policies.

A violation of this policy may result in the suspension or permanent disabling of an employee's access to the account and may result in disciplinary action up to, and including, termination of employment and/or affiliation with Rexdale Medical Centre.

2. Purpose

Despite the many potential advantages associated with email communication, Rexdale Medical Centre members should be aware of the legal risks and consider precautionary measures to help mitigate those risks. Additionally, patients should be informed of the risks inherent in these communications and agree to assume those risks.

The purpose of this policy is to define the acceptable use of email as a method of communication with patients/clients, family members, and/or decision makers, to outline responsibilities involving email and to provide guidelines for effective practices and processes. This policy applies to all users (physicians, interdisciplinary health professionals, management, administrative staff, students, and volunteers) of Rexdale Medical Centre.

3. Definitions

3.1 External Use – Use of the email account to send messages to users outside of the organization.

3.2 Personal Health Information – Identifying information about an individual in oral or recorded form that:

  • relates to the physical or mental health of the individual, including information that comprises the health history of the individual’s family;
  • relates to the provision of health care to the individual, including the identification of a person as a provider of health care to the individual;
  • is a plan of service within the meaning of the Long Term Care Act, 1994 for the individual;
  • relates to payments or eligibility for health care, or eligibility for coverage for health care, in respect of the individual;
  • relates to the donation by the individual of any body part or bodily substance or is derived from the testing or examination of any such body part or bodily substance;
  • is the individual’s health number; or
  • identifies an individual’s substitute decision maker.

For the purposes of this policy, identifying information means information that identifies an individual or for which it is reasonably foreseeable in the circumstances that it could be utilized, either alone or with other information, to identify an individual. Personal information can be information about a physician or another care provider, a hospital staff person, a patient, or a patient's family member. Examples of personal health information include, but are not limited to, a name, health insurance number, address, telephone number, and personal health information related to a patient's care such as blood type, x-rays, consultation notes, etc.

3.3 Anonymized Patient Information – means aggregated patient information or personal health information in which all personal identifiers have been removed.

3.4 Coordination of Care – refers to the organization of patient care activities between two or more participants (including the patient) involved in a patient’s care to facilitate the delivery of services. Coordination of care activities include but are not limited to administrative tasks such as scheduling appointments and family meetings, sharing of contact information related to referrals, and linking patients with third party services.

4. Sending Information by Email with Patients/Family/Substitute Decision Makers

Rexdale Medical Centre staff may communicate with patients through email to support patient care activities. Consent to receive emails from Rexdale Medical Centre is implied, unless expressly stated by the patient. The patient, or caregiver to the patient, may request to read the Email Policy at the office. Further, the patient, or caregiver to the patient, will be emailed a more concise version of the policy for his or her own viewing.

Patients should be informed of the potential risk associated with use of email containing personal health information and agree to the assumption of those risks. When obtaining consent, Rexdale Medical Centre staff must educate patients that email is not intended to be used to address urgent inquiries or emergencies.

Email communication does not eliminate the need to have direct conversations with patients to provide clarification and opportunities for more comprehensive dialogue about a patient’s plan of care.

Regulated Health Professionals should consult their respective regulatory standards and guidelines to support decision-making related to the appropriateness of email use in patient care.

Patient inquiries regarding the use of email and the email policy can be directed toward the Security Officer, Lead Physician, or their primary physician.

5. Documentation

All clinically relevant information referred to in an email must be captured within the electronic health record. Email does not serve as an alternate mechanism for documentation.

Email communications should be copied or printed and placed directly in the electronic medical record.

Appendix A:

General Guidelines for Emailing with Patients

  • Contents of email messages are not encrypted.
  • At no time should personal health information be contained in a mass communication or in an email sent to group distribution lists.
  • Limit the inclusion of personal health information to content required for the intended purpose of the email communication.
  • Use “Private” and “Confidential” in the subject line to alert the recipient that the email contains sensitive or personal health information.
  • Double-check all “To”, “Cc”, and “Bcc” fields prior to sending messages to avoid sending email to incorrect recipients.
  • Do not include personal health information in the subject line of email (e.g., full patient name, or health condition).
  • If there is a need to communicate with groups of patients via email, never include patient-specific personal health information and ensure contact information is included in the blind copy field only.
  • All email accounts that are provided to patients for email communication must have the following automatic reply: Please do NOT use this email for contacting Rexdale Medical Centre. If this is a medical emergency call 911 immediately. To book an appointment, speak with a receptionist, or contact the office for any other reason please call 416-743-5853 during regular office hours, Monday to Friday. For urgent matters outside of office hours you may call Telehealth Ontario at 1-866-553-7205. Note that we use this email to send reminders of appointments. If you wish to stop receiving emails from Rexdale Medical Centre please reply to this email or call the office during regular office hours.
  • All messages to external users must contain the following disclaimer, which is attached automatically to all email messages sent from the Rexdale account to external email addresses: This message is intended only for the use of the intended recipients, and it may be privileged and confidential. If you are not the intended recipient, you are hereby notified that any review, retransmission, conversion to hard copy, copying, circulation or other use of this message is strictly prohibited and may be illegal. If you are not the intended recipient, please notify me immediately by calling 416-743-5853. Please DO NOT respond to this email.
  • If you are in doubt whether to include certain information in an email message, refer to the Email Policy, or contact the Security Officer and/or Lead Physician.
  • It is strictly prohibited to send or forward email messages containing personal health information that identifies a patient to an external email account unless the patient/substitute decision maker has expressly consented in writing to communicating with Rexdale Medical Centre by email and the consent has been documented in the patient's electronic health record.

Guidelines For Appropriate Use of Email Communication With Patients

1. Administrative

  • Reminding patients of upcoming appointments
  • Providing practice policies and protocols (e.g., privacy policy, non-insured billing)
  • Patient satisfaction surveys
  • Verifying patient contact information
  • Clinic newsletters, memos, or other non-clinical information

2. Education and Health Promotion

  • Providing general educational and health promotion electronic documents and resources
  • Providing links to educational and health promotion websites
  • Incorporating health promotion messages
  • Providing guidance to patients regarding health-related web sites
  • Newsletters and alerts
  • Community support resources

3. Patient Care

  • Notifying or reminding about routine tests and procedures

Risks of using email

Transmitting patient information poses several risks of which the patient should be aware. The patient should carefully read through the outlined risks below and understand that unless otherwise stated, they consent to email communication with Rexdale Medical Centre. The risks include, but are not limited to, the following:

  • The privacy and security of email communication cannot be guaranteed.
  • Employers and online services may have a legal right to inspect and keep emails that pass through their system.
  • Email is easier to falsify than handwritten or signed hard copies. In addition, it is impossible to verify the true identity of the sender, or to ensure that only the recipient can read the email once it has been sent.
  • Emails can introduce viruses into a computer system, and potentially damage or disrupt the computer.
  • Email can be forwarded, intercepted, circulated, stored or even changed without the knowledge or permission of the physician or the patient. Email senders can easily misaddress an email, resulting in it being sent to many unintended and unknown recipients.
  • Email is indelible. Even after the sender and recipient have deleted their copies of the email, back-up copies may exist on a computer or in cyberspace.
  • Use of email to discuss sensitive information can increase the risk of such information being disclosed to third parties.
  • Email can be used as evidence in court.

Conditions of using email

The physician or administrative staff will use reasonable means to protect the security and confidentiality of email information sent and received. However, because of the risks outlined above, the physician or administrative staff of the Rexdale Medical Centre cannot guarantee the security and confidentiality of email communication, and will not be liable for improper disclosure of confidential information that is not the direct result of intentional misconduct of the physician or administrative staff member. Thus, patients consent to the use of email for patient information unless they contact the clinic directly to state otherwise. Consent to the use of email includes agreement with the following conditions:

  • Emails to the patient concerning diagnosis or treatment may be made part of the patient’s medical record.
  • The physician or administrative staff member may forward the contents of emails internally to other members of Rexdale Medical Centre and to those involved, as necessary, for diagnosis, treatment, health care operations, and other handling.
  • The physician or administrative staff member will not forward emails to independent third parties without the patient's prior written consent, except as authorized or required by law.
  • Email at Rexdale Medical Centre is used exclusively for outgoing messages. Unless expressly given permission, patients are not to respond to or send emails to the office account.
  • Email communication is not an appropriate substitute for clinical examinations or in-person visits. The patient is responsible for following up with the appropriate party on the contents of the email by phone or in person, when appropriate.
  • The physician or administrative staff member will not discuss sensitive medical information, such as sexually transmitted disease, AIDS/HIV, mental health, developmental disability, or substance abuse over email.
  • The patient is responsible for informing the physician or administrative staff member of any types of information the patient does not want to be sent by email, in addition to those set out in the bullet above.
  • The patient can add to or modify this list at any time by notifying the physician or administrative staff member in writing.
  • The physician or administrative staff member is not responsible for information loss due to technical failures.

Instructions for communication by email

To communicate by email, the patient shall:

  • Not use their employment email address.
  • Limit or avoid using an employer's computer.
  • Inform the physician of any changes in their email address.
  • Take precautions to preserve the confidentiality of emails, such as using screen savers and safeguarding computer passwords.
  • Withdraw consent only by email or written communication to the physician or administrative staff member.

Patient acknowledgement

Unless otherwise stated, the patient acknowledges that they have read and understood the risks associated with email communication between them and the physician or administrative staff member at Rexdale Medical Centre, and consent to the conditions outlined herein, as well as any other instructions that the physician or administrative staff member may impose to communicate with patients by email. Any physician or administrative staff member of Rexdale Medical Centre has the right, upon provision of written notice, to withdraw the option of communicating through email.