Privacy Policy & Information Practices

General

Privacy of personal information is an important principle to Equilibria Psychological Health (“EPH”) and Dr. Adrienne Kovacs, PhD, CPsych (EPH’s health information custodian) when providing psychological services and at our website. EPH is committed to collecting, using and disclosing personal information responsibly and only to the extent necessary for the services we provide. We try to be open and transparent regarding how we handle personal information. This document describes our privacy policies, which reflect PHIPA, PIPEDA, and the laws and standards that govern the practice of psychology in Ontario. This document may be updated at any time.

 

What are Personal Information (PI) and Personal Health Information (PHI)?

Personal information (PI) is information that can be used to identify an individual. Examples include personal characteristics (eg, name, sex, gender, age, income, home address, phone number, e-mail address, ethnic background, family status), their health (eg, health history, health conditions, health services received by them, the names of health professionals providing treatment) or their activities and views (eg, religion, politics, opinions expressed by an individual, criminal history).

Personal Health Information (PHI) is information about an identifiable individual. It includes information that relates to: the physical and mental health of an individual (including family history), the provision of health care to the individual (including the individual’s health care provider), community and home care services, payments or eligibility for health care or coverage for health care, the donation or testing of an individual’s body part or bodily substance, the individual’s health number, and the identification of the individual’s substitute decision-maker. Information that is related to a business (eg, company name, address, telephone number) is not included in privacy legislation.

What are PHIPA and PIPEDA?

PHIPA (2004) is the Provincial [Ontario] Personal Health Information Protection Act. This Act provides rules for the collection, use, and disclosure of PHI by a health information custodian. The legislation requires health information custodians to obtain consent before collecting, using or disclosing PHI. It also requires that individuals have the right to access and request correction of their own PHI.

PIPEDA (2004) is the federal-level Personal Information Protection and Electronic Documents Act. This Act provides rules for how private-sector organizations can collect, use/safeguard, and disclose PI. Similar to PHIPA, it requires that individuals provide consent to the use of PI and have the ability to access and correct information. The Digital Privacy Act (2018) is an amendment to PIPEDA, and requires corporations to notify individuals when their security is breached.

Who We Are

EPH is a solo psychology practice. Dr. Adrienne Kovacs, PhD, CPsych is the founder and psychologist. EPH offers clinical psychology services (assessment and therapy) as well as consultation and speaking services. Employees (eg, administrative and managerial support) are required to adhere to EPH’s strict policies and procedures to maintain, manage, and protect the confidentiality of PI and PHI. We use a number of consultants and agencies that may, in the course of their duties, have limited access to PHI we hold. These include computer consultants, accountants, lawyers, and credit card companies. We restrict their access to any personal information we hold as much as is reasonably possible. We also have their assurance that they follow appropriate privacy policies.

Why We Collect PI and PHI 

We collect, use, and disclose personal information in order to serve our clients. For our clinical psychology clients, the primary purpose for which we collect, use and disclose information is to provide psychological assessment and therapy. For example, we collect information about a person’s demographic information as well as psychological, social, and physical health history and current situation to help us assess what their needs are, to advise them of their options and then to provide the health care they choose to have. A second primary purpose is to obtain baseline information so that in providing ongoing health services we can identify changes that are occurring over time. Certain elements of PI and PHI may also be collected and used to determine whether someone is an appropriate candidate for psychological services with EPH.

Like most organizations, we also collect, use, and disclose information for related and secondary purposes, including but not limited to: (i) obtaining payment for health-related goods and services (eg, invoicing individuals or organizations, processing payments, and providing receipts), (ii) reviewing client files for quality improvement and risk management activities, including assessing the performance of our staff, (iii) promoting special events and opportunities like webinars (if we have your express consent to do so), (iv) complying with external regulators, and (v) educating our staff.

Information about clients who are not clinical psychology assessment/therapy clients (for example, who hire EPH for consultation or presentations) will also be collected and used in order to provide professional services.

On our website we only collect, with the exception of cookies, the personal information you provide and only use that information for the purpose you give it to us (eg, to contact us, to register for a presentation). Cookies are only used to help users navigate our website and are not used to monitor individuals. Individuals may contact Dr. EPH through the website, email, telephone, or mail. This information will be collected and stored in order to provide appropriate communication and services.

Other Circumstances When PI and PHI Might Be Disclosed

EPH recognizes the importance of confidentiality of information pertaining to mental health treatment. However, there are some limitations to confidentiality (that may lead to disclosure of PI and PHI) that are important to know:

  • Known abuse or danger. Due to ethical, legal and professional guidelines, including our goal to protect clients and other people, EPH may disclose information in the following situations: (i) a client is in imminent danger of harming themself or someone else (ie, suicide or homicide), (ii) if there is information about physical, sexual, emotional abuse or neglect of a child, (iii) if abuse or neglect of an elderly or vulnerable person within a long-term care or retirement facility is reasonably suspected, or (iv) if a client reveals prohibited or dangerous conduct, including sexual abuse, by another registered health care professional.

  • Sharing information with other health care professionals. Under PHIPA, information may be shared with other practitioners for the provision of health care to the shared client (this is described as “within the circle of care”). However, we usually try first to obtain a signed release of information form.

  • Insurance companies/third-party payers. If clients submit their receipts to insurance companies or third-party payers for reimbursement, it is possible that EPH would be required to provide all or part of the information in one’s psychological record. Current clients would be informed before information is shared.

  • Legal reasons. EPH might be required to disclose confidential information in legal situations including but not limited to the following: (i) a client waives their right to privilege or gives consent for the disclosure of confidential information, (ii) a subpoena or court order from a legal office directs the release of information, or (iii) a lawsuit is filed against us.

  • Unforeseen disruption in services. In the event of an unforeseen disruption in services (eg, serious illness of the psychologist), client information may be shared with another individual who has been delegated to communicate with EPH clients in such a situation.

  • Compliance with external regulators including the College of Psychologists of Ontario (CPO). The CPO may inspect our records and interview our staff as a part of its regulatory activities in the public interest. The CPO has its own strict confidentiality and privacy obligations.

  • To facilitate the sale of our organization. If EPH or its assets were to be sold, the potential purchaser would want to conduct a “due diligence” review of the organization’s records to ensure that it is a viable business that has been honestly portrayed. The potential purchaser must first enter into an agreement with the organization to keep the information confidential and secure and not to retain any of the information longer than necessary to conduct the due diligence. Once a sale has been finalized, the organization may transfer records to the purchaser, but it will make reasonable efforts to provide notice to the individual before doing so.

 

Protection of PI and PHI

EPH takes several steps to protect information against theft, loss, and unauthorized use or disclosure including the following: (i) digital information is secured by encryption and strong passwords, (ii) email and communication through the website are encrypted by Hushmail, and (iii) communication through the clinical psychology platform is encrypted by Owl Practice. We use Owl Practice, which is a PIPEDA and PHIPA-compliant, secure, web-based practice management system that stores and manages client records and also offers video capability. Owl has multiple safeguards in place to ensure that connections are secure and private. For example, Owl video therapy does not rely on any third-party integrations, runs on Owl-owned and operated servers (not a third-party cloud) located in two Toronto data centres, and all video traffic is encrypted. The use of a client portal ensures that all hosted sessions can be secure, requiring that clients log in and the psychologist admits them before connecting. We also perform audit logs of electronic health records.

Although we strive to minimize the storage of paper information, it is either under supervision or secured in a locked filing cabinet in a restricted area.

In the event that PI or PHI is stolen or lost or used or disclosed without authority, Dr. Kovacs would notify the individual(s).

Retention and Destruction of PI and PHI

We need to retain personal information for some time to ensure that we can answer any questions you might have about the services provided and for our own accountability to external regulatory bodies. However, in order to protect your privacy, we do not want to keep personal information for too long. As per Ontario laws and standards, clinical psychology client information will be retained for a minimum of ten years after the last client interaction. Paper files containing PI/PHI are destroyed by cross-cut shredding. Electronic information is destroyed by deletion in a manner such that the information cannot be recovered. We may also send some or all of the client file to our clients.

Information about individuals and/or organizations who are not clinical psychology clients but who enter into a professional relationship with EPH/Dr. Kovacs will be retained for the time period consistent with professional standards and Revenue Canada requirements.

 

How A Client May Review and/or Correct Their Information

With only a few exceptions, clients have the right to see what personal information we hold about them. Clinical psychology clients may request access to content of their clinical records by contacting Dr. Kovacs. We can help clients understand what information we might have about them. We can also try to help clients understand any information they do not understand (eg, technical or scientific language). We would first need to confirm the client’s identity before providing this access. We reserve the right to ask that the request be made in writing and also to charge a nominal fee for such requests. We will respond to requests as soon as possible and generally within 30 days, if at all possible. If we cannot give you access, we will explain why as best we can.

If a client believes there is a mistake in the information, they have the right to ask for it to be corrected. This applies to factual information and not to any professional opinions we have formed. We may ask you to provide documentation that our files are wrong. Where we agree that we made a mistake we will make the correction. At the client’s request and when it is reasonably possible, we will notify anyone to whom we sent this information (but we may deny your request if it would not reasonably have an effect on the ongoing provision of health care). If we do not agree that there has been a mistake, we will still agree to include in our file a brief statement from you on this point.

If There is a Privacy Breach

While we will take precautions to avoid any breach of privacy, if there is a loss, theft, or unauthorized access of PI or PHI we would notify the client(s). Upon learning of a possible or known breach, we will take the following steps: (i) We will contain the breach to the best of our ability (eg, retrieving hard copies of PHI that have been disclosed, ensuring no copies have been made, taking steps to prevent unauthorized access to electronic information such as changing passwords), (ii) We will notify affected individuals (we will provide our contact information in case the client has further questions and we will provide the Privacy Commissioner’s contact information and advise the affected individual(s) of their right to complain to the Commissioner), and (iii) We will investigate and remediate the problem by conducting an internal investigation, determining what steps should be taken to prevent future breaches, and ensuring staff is appropriately trained, conducting further training if necessary.

Depending on the circumstances of the breach, we may notify and work with the Information and Privacy Commissioner of Ontario. We may also report the breach to the relevant regulatory College if we believe that it was the result of professional misconduct, incompetence, or incapacity.

Do You Have Questions or Concerns?

Current/former clinical psychology clients are encouraged to speak directly to Dr. Kovacs with any questions or concerns.

Dr. Kovacs is our Information Officer/Contact Person and she can be reached by mail at: 10-255 The East Mall, Suite 1262, Etobicoke, Ontario, M9B 0A9 or through our website at: Contact EPH. She will attempt to answer any questions or concerns. If a person wishes to make a formal complaint about our privacy policies, it may be made to our Information Officer. She will acknowledge receipt of the complaint, ensure that it is investigated promptly, and provide a formal decision and reasons.

For questions about the laws and ethical and professional standards pertaining to psychology, individuals are directed to the CPO website: CPO Public – Regulating Psychologists and Psychological Associates in Ontario.

Individuals also have the right to complain to the Information and Privacy Commissioner of Ontario if they have concerns about our privacy policies or how personal information has been handled: Contact Us - Information and Privacy Commissioner of Ontario.

This policy was prepared in accordance with PHIPA, PIPEDA, and the Digital Privacy Act. These acts are complex and provide additional details and exceptions to privacy principles that are too detailed to include here.