North York General Hospital uses “Privacy by Design” principles to build strong privacy, confidentiality and security protections into our programs, services and technology initiatives. This includes mandatory annual privacy & security training and confidentiality agreements.
Our privacy and data protection practices are guided by professional codes of practice and by-laws that apply to personal health information. We recognize that information about you belongs to you and that we are simply its custodians. As custodians, our obligations include putting in place policies and practices to ensure the confidentiality and security of your information. It means that privacy and data protection is an absolute requirement when we design and deliver programs, services and technology initiatives.
Learn more about how we respect your rights under the Personal Health Information Protection Act, 2004 by reading our Privacy Principles and Practices below. The full text of our Privacy and Data Protection Policy provides more detailed information.
Chief Privacy Officer
Privacy compliance at North York General Hospital is facilitated by our Chief Privacy Officer (CPO). The CPO develops privacy and data protection policies and provides training and direction in the practical application of privacy law to collection, use, disclosure and protection of personal and personal health information.
Privacy Principles and Policies
Learn more about how we respect your rights under the Personal Health Information Protection Act, 2004 by reading our Privacy Principles and Policies. The full text of our Privacy and Data Protection Policy provides more detailed information.
North York General Hospital is committed to integrity in making decisions involving personal and personal health information and to being vigilant in identifying and addressing risks to privacy and data security.
Our hospital is accountable for collecting and managing personal health in accordance with the spirit and intent of the Personal Health Information Protection Act, 2004 (PHIPA). Physicians, employees, contractors, consultants, volunteers and students all have day-to-day accountability for meeting our privacy, confidentiality and security obligations. Vice Presidents are ultimately accountable for compliance with the Privacy and Data Protection policy within their respective portfolios. There are serious consequences for not complying with privacy and data protection policies.
The purposes for collecting personal health information are identified before or at the time of collection. Our purposes all directly relate to the effective provision of health care. Permitted purposes under PHIPA include provision of care, program and service delivery, necessary hospital administration and to comply with statutory requirements. Those who collect information on the hospital's behalf will respond to questions about collection purposes in a timely way.
We obtain an individual's consent for collection, use and disclosure of their personal health information unless this or another Act permits these activities without consent. For example, in emergency situations it may not be possible to obtain consent. In those cases, we do what is necessary to treat and care for the individual. Consent is obtained at the first reasonable opportunity thereafter.
Consent, whether express or implied, must be knowledgeable and relate to the information. For consent to be knowledgeable, identified purposes include the information most people would want to know. This is to ensure that an individual would reasonably expect the collection, use or disclosure. A short notice of our practices is prominently displayed in public areas of all North York General sites and on this website.
Individuals are informed that they may identify certain health information and withdraw consent. Potential health implications are explained if consent is withdrawn. North York General Hospital respects an individual's withdrawal of consent directive unless this or another Act permits or requires otherwise.
Personal health information is collected and recorded where required by law or established standards of professional and hospital practice. For example, we are required to report communicable diseases and gunshot wounds. An individual's withdrawal of consent will not apply in these circumstances or where disclosure is necessary to reduce or eliminate a significant risk of harm to an individual or group.
North York General Hospital collects personal and health information only for lawfully authorized purposes. The collection is limited to that necessary to provide care, to assist in the provision of care and to properly carry out related administrative and reporting obligations. Information is only collected fairly and lawfully. This means that individuals are never deceived or coerced in order to obtain consent for collection, use or disclosure of their information. When you visit this website, you do so anonymously — there is no need to tell us who you are. For more information about our website collection practices, please see our Website Privacy Statement.
PHI is used by the health care team to provide health care, to assist in the provision of care, and as permitted or required under this or another Act. The health care team is composed of primary care, attending and consulting physicians, residents, nurses, technicians, spiritual care, and support staff who are directly involved in an individual’s care or treatment. The health care team uses and shares information with team members on a “need to know” basis.
We use the information for planning and delivering patient care programs and services and to evaluate their effectiveness. Uses include educational purposes, risk and incident management, research, and activities to improve or maintain the quality of care. Approval is required from the hospital’s own or Clinical Trials Ontario certified Research Ethics Board before any research study involving human participants or their PHI is permitted to proceed. Proposed studies must meet high scientific, ethical, privacy, and data protection standards before approval is given.
After the patient is discharged from the hospital, their name, address (or email address if provided) and visit date may be used to send a survey asking for their opinion on the care received. A survey may also be conducted to help the hospital develop a more comprehensive view of our patient population. The responses will be used to strengthen equitable access to care and service provision that supports improved outcomes. An individual may have their name removed from the survey list by calling Registration at 416-756-6200.
A former patient, a parent, or a guardian may be contacted to request to make a donation to the hospital. Only names and addresses are used for fundraising purposes. No health information is used. Donations to the NYGH Foundation help ensure the continued provision of the best possible health care by funding patient care programs, equipment, research, and education. Individuals may have their names removed from the fundraising mailing list by contacting the Foundation at 416-756-6994. The care individuals receive will not be affected if they decide not to make donate a donation.
PHI is disclosed as necessary for the purpose for which it is collected, with consent and as required or permitted by law. This includes disclosure to meet statutory reporting obligations and to provide for continuity and integration of care. This means that acute, primary, community/support services and long- term care providers have access to the PHI they need to support the patient throughout their care journey. The hospital also supports continuity and integration of care as a member of the North York Toronto Health Partners, an Ontario Health Team.
Admission, location, condition:
- North York General will confirm that an individual is a patient in the hospital and provide location and general condition information unless there is an objection. We obtain consent at the first reasonable opportunity. If you do not want this information disclosed, please tell us and we will respect your wishes.
Disclosure is also permitted or required to the following:
You, your legal guardian or substitute decision-maker
To care providers to determine suitability for transfer to another facility and to provide for ongoing care
To care providers to improve/maintain the quality of your care and of those provided similar care
Registries and entities prescribed in regulation such as Cancer Care Ontario, the Cardiac Care Network, Canadian Stroke Network, INSCYTE, Pediatric Oncology Group of Ontario, the Institute for Clinical Evaluation Services, the Canadian Institute for Health Information, Children's Hospital of Eastern Ontario, Ontario Institute for Health Research and health regulatory agencies
Health Information Networks such as the electronic Child Health Network (eCHN), Hospital Diagnostic Imaging Repository Services (HDIRS), Ontario Laboratory Information System (OLIS), Integrated Assessment Record (IAR) and Connecting GTA (cGTA)
Ministry of Health and Long-Term Care e-health projects such as the Enterprise Master Patient Index (EMPI) Wait Time Information System and Diabetes Testing Report
Researchers if the research has been approved by our Research Ethics Board or authorized Board of Review such as the Ontario Cancer Research Ethics Board
The Medical Officer of Health to report communicable diseases
The Workplace Safety & Insurance Board
Law enforcement officers who present a warrant or subpoena, or to aid in an investigation
The Children's Aid Society where child abuse is suspected; the Children's Lawyer
The Public Guardian and Trustee
North York General Hospital is a member of the Health Information Networks noted above. These networks permit care providers, with patient consent, to securely share electronic patient health information for the purpose of providing timely and coordinated patient care. Following are brief summaries and links to more information:
- Child Health Network (eCHN): a secure electronic system for children's medical records. About 40 health care providers in Ontario are members of eCHN. Members provide eCHN with laboratory results, doctor's notes, x-rays and visit information as well as name, age, address and contact information. This means that if your child is provided care at any of these 40 facilities, the care provider may access their medical record on the electronic system. If you do not want your child's records included in the system, please tell us. For more information please visit http://www.echn.ca/.
Hospital Diagnostic Image Repository Services (HDIRS): permits hospitals to securely share exams and diagnostic images electronically. This protects patients because it avoids duplication of tests and thereby decreases the number of X-Rays and other tests that expose patients to radiation. Please tell us if you do not want to participate in HDIRS. For more information please visit the eHealth Ontario website.
Ontario Laboratories Information System (OLIS): an electronic system managed by eHealth Ontario. It allows hospitals and community laboratories to securely share your lab test results with your health care providers. If you do not want your lab tests to be stored in OLIS, please tell us or call Service Ontario at 1-800-291-1406; TTY 1-800-268-7095.
Diabetes Testing Report (DTR): designed to assist people living with diabetes. People with diabetes need to have three tests done every year. Health care providers notify the Ministry of Health & Long-Term Care when tests are done and a DTR is created. A paper copy of the DTR is sent to your primary care provider to help ensure you receive the necessary tests every year. If you do not want to participate, please tell us or call Service Ontario at 1-800-291-1405; TTY 1-800-387-5559.
For more information about Ontario Laboratories Information System and/or the Diabetes Testing Report, please visit the Ministry of Health and Long-Term Care website.
Integrated Assessment Record (IAR): this electronic system permits authorized health service providers to securely view a consenting client's assessment information for the purpose of planning and delivering the appropriate services. It supports a client-centred approach to service delivery by strengthening the ability of care providers to collaborate and to coordinate care. Assessments are only shared with consent. Please tell us whether or not you want to participate or call the IAR Consent Management Centre at 1-855-585-5279. For more information, please visit the IAR website.
Connecting GTA (cGTA): this program and related electronic system integrates electronic patient information from across the care continuum to make it available to care providers at the point of care. It is an initiative of eHealth Ontario, Canada Health Infoway and local Health Integration Networks.
cGTA's electronic system includes a central clinical data repository that stores patient health information collected from multiple health care sources. The system is designed to permit health care providers to securely share patient information if the patient consents. It means, for instance, that when you visit NYGH, your care provider will be able to view your health records from previous visits to other health care organizations that are participating in cGTA. This enhanced access will make it easier for patients and their care givers to move more easily through the care journey. The goal is to deliver better, timelier and more coordinated care to each patient. If you do not want your information shared through cGTA, please tell us. For more information about cGTA, please visit the eHealth Ontario website.
North York Family Health Team (NYFHT): the NYFHT is a group of over80 family doctors who are credentialed at NYGH (have admitting privileges) and provide primary care to approximately 94,000 patients in the North York area. Many of these patients are also patients of the hospital. Health information is shared between the hospital and the NYFHT to improve and maintain the quality of care each organization provides to these patients and to those provided similar care. If you do not want your personal health information shared for these purposes, please tell us.
Our Disclosure of Personal Health Information Policy provides more information about disclosure practices.
All records held by the hospital will be securely maintained and will only be destroyed in accordance with our Record Retention and Destruction Policy. Please note that electronic health records are permanently retained as a lifelong, comprehensive view of an individual's health history and in support of effective provision of high quality health care.
For more information, please see our Record Retention and Destruction Policy and Schedule
All reasonable steps are taken to ensure that your personal and personal health information is as accurate, complete and up-to-date as is necessary for the purposes for which it is collected. You can help us with this when you register by having the full name and current contact information of your primary care doctor. This helps us ensure that reports are sent to the right doctor.
If you have previously been a patient, we will ask you to confirm your registration information to ensure it is still correct. We inform recipients of any limitations on the accuracy, completeness and up-to-date character of the information.
North York General has in place effective physical, technical and administrative safeguards to protect your information from theft or loss, unauthorized access, use or disclosure, copying, modification or disposal. A comprehensive suite of data protection standards and practices preserves the confidentiality, integrity and availability of information and systems. We utilize "privacy by design" principles to build privacy and data protection into systems and operations including:
Identifying and mitigating privacy and data protection risks
Network firewalls, intrusion detection
Virus and anti-spyware software
Role based access controls and access logs
Audits of system and patient chart access
Strong passwords mandatory and system initiated change password protocols
Encryption technology and data transmission security
Rigorous change management processes
Physical and environmental controls
Backup and recovery systems
Locked filing cabinets
Secure records destruction
Privacy and data protection training
24 hour Security Officers
Physicians, employees, volunteers and health care students sign confidentiality agreements and wear photo identification. Agreements with vendors, service providers and contractors include terms requiring confidentiality and information security. When we enter into partnerships with other hospitals to improve services, such as to reduce wait times between diagnosis and treatment, the agreements provide for effective protection of personal health information.
Any person who contravenes our Privacy & Data Protection Policy is subject to sanctions up to and including dismissal, contract termination or termination of hospital privileges.
Protections for paper and electronic records are regularly reviewed and updated as necessary. Privacy enhancing technologies are implemented where feasible.
Our policy on Mobile Devices, Removable Storage Media & Personal Health Information Security provides more information on our security practices.
North York General is open about our privacy, data protection and information management policies and practices. The exception is that detailed information about data protection is not made available where it could be used to compromise the security of technology systems and personal health information.
Individuals are provided meaningful information about our practices through a combination of public notices including this website, policies and brochures, registration forms and oral communication. Large notices summarizing our collection, use and disclosure practices are prominently posted in all hospital sites.
Individuals have a right of access to a record of their own personal health information that is in the custody or control of our hospital unless a provision of PHIPA provides otherwise. This means that if you are a patient in the hospital, you can arrange to see your chart by speaking to a nurse or your physician. Access will be provided when it will not cause a disruption to patient care.
After discharge, the Release of Information Department is responsible for responding to requests for copies of health records. Information about how to make a request and a request form to complete is available at Your Health Information.
You also have a right to request correction of your information if you believe it to be inaccurate. If you are a patient in the hospital, information may be corrected by speaking to a nurse or your physician. The decision about whether to amend a record will be made a person who has the knowledge and authority to do so, normally the record author or medical staff.
Following discharge, correction requests may be made to the Release of Information Department. If a correction is made that could affect your health care, those providing care to you will be notified.
If you have any questions, comments or concerns about North York General compliance with your rights under PHIPA, please contact our Chief Privacy Officer at 416-756-6448, email firstname.lastname@example.org, or write to:
Chief Privacy Officer 1W-Room 118
North York General Hospital
4001 Leslie Street
Toronto Ontario M2K 1E1
A complaint may be made to the Information & Privacy Commissioner/Ontario. The Commissioner is located at 2 Bloor St. E., Suite 1400, Toronto, ON M4W 1A8; telephone 416-326-3333.