RSRS – Record Storage & Retrieval Services, Inc. is accountable for collecting and managing personal health information in accordance with the spirit and intent of the Personal Health Information Protection Act, 2004 (PHIPA). All staff, suppliers, consultants, contractors and clients have day-to-day accountability for meeting our privacy, confidentiality and security obligations. There are serious consequences for not complying with privacy and data protection policies.
RSRS – Record Storage & Retrieval Services, Inc. is committed to integrity in the collection, use and disclosure of all personal information, as it applies to staff, suppliers, clients and patients. We apply the same level of vigilance to all information, paper or electronic, health, personal or financial. We treat all information as if it were our own.
RSRS only collects personal health information as it relates directly to the provision of services to our clients and their patients. RSRS verifies the accuracy of the identification of the patient using personal information only. Health information is never used as a method of identification unless no other identification exists, and then only with the consent of all parties.
Where RSRS is acting as a supplier to a health care custodian, RSRS will obtain that client’s consent for collection, use and disclosure of their patients’ personal health information. Where possible, we will apply our clients’ standards and policies as they pertain to the collection, use and disclosure of all personal health information. Where no such policy exists we will apply the policies and standards outlined in PHIPA. RSRS will treat all patient information as confidential and maintain it in a secure environment. RSRS will delete/destroy all patient information in a timely and secure manner in order to limit liability and risk.
Where RSRS is acting as the health information custodian on behalf of a physician or medical practice, RSRS will in good faith attempt to obtain consent from each patient age 16 and over prior to releasing a copy of any personal health information. In an emergency situation it may not be possible to obtain consent. In those cases, we will do what is necessary to complete the circle of care and enable the treatment and care of the individual. Consent is obtained at the first reasonable opportunity thereafter. RSRS will treat all patient information as confidential and maintain it in a secure environment. RSRS will delete/destroy all patient information in a timely and secure manner in order to limit liability and risk.
RSRS collects personal and health information only for lawfully authorized purposes. The collection is limited to that necessary to enable and assist in the provision of care and to properly carry out related administrative and reporting obligations. Information is only collected fairly and lawfully. This means that individuals are never deceived or coerced in order to obtain consent for collection, use or disclosure of their information.
When you visit our website, you do so anonymously — there is no need to tell us who you are. We use all information received to communicate with you about our services, products, and promotions. Information is also gathered to maintain premium services at cost-effective prices to RSRS’ clients. We do not share information with anyone outside RSRS unless it is necessary to complete your requests.
Patient information is accessed by our team in order to enable the provision of health care and as permitted or required under PHIPA or another Act.
Personal health information is disclosed in accordance with the purpose(s) for which it has been collected, with consent, and as required or permitted by law.
Disclosure is also permitted or required to the following:
- You, your legal guardian or substitute decision-maker
- Law enforcement officers who present a warrant or subpoena, or to aid in an investigation
- The Children’s Aid Society where child abuse is suspected; the Children’s Lawyer
- The Public Guardian and Trustee
- The Coroner
All health records are retained as long as the client contract requires.
Information that is not personal health information will be retained as long as needed and will only be destroyed in accordance with the Record Retention and Destruction Policy. Hard copy records will be destroyed by fine shredding or incineration.
All reasonable steps are taken to ensure that your personal and personal health information is as accurate, complete and up-to-date as is necessary for the purposes for which it is collected.
Data Protection Safeguards
RSRS has in place effective physical, technical and administrative safeguards to protect your information from theft or loss, unauthorized access, use or disclosure, copying, modification or disposal. A comprehensive suite of data protection standards and practices preserves the confidentiality, integrity and availability of information and systems. We utilize “privacy by design” principles to build privacy and data protection into systems and operations including:
- Identifying and mitigating privacy and data protection risks
- Network firewalls, intrusion detection
- Virus and anti-spyware software
- Role based access controls and access logs
- Audits of system and patient chart access
- Mandatory strong passwords and system-initiated change password protocols
- Two-factor authentication
- Encryption technology and data transmission security
- Rigorous change management processes
- Physical and environmental controls
- Backup and recovery systems
- Secure records destruction
- Personal accountability
- Privacy and data protection training
- 24-hour security monitoring
All staff sign confidentiality agreements. Agreements with vendors, service providers and contractors include terms requiring confidentiality and information security.
RSRS is open about our privacy, data protection and information management policies and practices. The exception is that detailed information about data protection is not made available where it could be used to compromise the security of technology systems and personal health information.
Individual’s Right of Access, Right to Correction
Individuals have a right of access to a record of their own personal health information that is in the custody or control of our facility unless a provision of PHIPA provides otherwise. The Release of Information Department and Patient Services Centre are responsible for responding to requests for copies of health records. Information about how to make a request and a request form to complete is available at www.getmymedrecord.com.
RSRS does not have the right to release any information that it has collected for the purpose of Day Forward Scanning. Under these circumstances, individuals wishing access to information that RSRS has in its systems are required to request access from their health care provider. RSRS is not able to release this information directly to any party other than the client and will only hold the information long enough to ensure the client has an opportunity to perform quality assessment, at which point it will be deleted from the RSRS systems.