CLIENT RECORDS COLLECTION & DISCLOSURE POLICY

SECTION 1 - INTRODUCTION

1.1 Purpose

This Client Records Collection & Disclosure Policy (the “CRCD Policy”, or the “Policy”) describes the personal information that Clayman Pharmacy collects from or about its clients, the channels through which it collects this information, how it uses this information, and to whom it discloses that information.

1.2 Scope

The policy applies to all Clayman Pharmacy employees (whether full-time or part-time), employee contractors, independent contractors, vendors, partners, suppliers, occasional help, volunteers, students, co-ops, officers, directors, shareholders (so long as it remains a Canadian Controlled Private Corporation), and anyone working at or acting on behalf of Clayman Pharmacy, and who are privy to personal information.

1.3 Definitions

Authorized Representative A person who has confirmed permission to act and make decisions on behalf of someone else. This authorization may exist for a specific purpose or duration, or it may in place indefinitely.
Chief Privacy Officer A member of the Clayman Pharmacy executive management team who is appointed with the responsibility for managing the risks and business impacts of privacy laws and policies.
Disclosure Personal information about an individual being provided to someone other than the individual or an Authorized Representative.
Explicit Consent An individual, or an Authorized Representative, clearly presented with the option to agree or disagree with the collection, use, or disclosure of personal information prior to receiving any services.
Implicit or Implied Consent
  1. An individual or Authorized Representative voluntarily providing personal information for the collection, use, or disclosure for purposes that would be considered obvious at the time.
  2. The individual or Authorized Representative provides personal information that is used in a way that clearly benefits the individual
Informed Consent This means an individual or Authorized Representative providing consent after they are informed about the expected benefits, potential risks, alternative courses of action, and the likely consequences of receiving or not receiving services, and having the opportunity to ask questions.
Manager A member of the Pharmacy personnel who is responsible for a department or is a people manager.
Non-Records Any material that is not related to clients. This may include, but is not limited to: administrative data, communications, transient memoranda, notes and memoranda having limited or short-term value or usefulness. Non-Records can be generated and/or destroyed at any time without having the need to consult this policy. Purging of non-records is encouraged so as to avoid keeping unnecessary and cumbersome files. Examples of non-records include draft client reports, draft budgets, copy of a staff letter.
Opt-out Consent This means that an individual is given the option to decline consent. If the individual does not clearly decline consent, consent is granted. Optout Consent is usually done in writing.
Personal Health Information Recorded information about an identifiable individual that relates to
  1. the individual's health, or health care history, including genetic information about the individual,
  2. the provision of health care to the individual, or
  3. payment for health care provided to the individual, and includes
  4. a government-issued Personal Health Information Number and any other identifying number, symbol or particular assigned to an individual, and
  5. any identifying information about the individual that is collected in the course of, and is incidental to, the provision of health care or payment for health care
Personal Information Includes any factual or subjective information, recorded or not, about an identifiable individual. This includes information in any form, such as:
  • age, name, ID numbers, income, disability, or ethnic origin;
  • marital status; and, credit card information
  • insurance information, existence of a dispute between a client and a merchant, intentions (for example, to acquire goods or services)
Personal information may include doctor’s notes, and medical / health information.
Personal Identifiable Information

A piece of Personal Information (including Personal Health Information) that when used alone, or in conjunction with other pieces of Personal information (including Personal Health Information) can be used to identify a specific individual.

For example, a name is Personal Identifiable Information. An address is Personal Information, but not Personally Identifiable. A birthday is Personal Information, but not Personally Identifiable. However, a birthday with an address together may be Personally Identifiable Information.

Pharmacy Personnel A member of the Service Team who is an employee, employed contractor, volunteer, occasional worker, officer, or director of the Pharmacy.
Premises A physical location of the Pharmacy as set out in any of its licenses.
Service Team Refers to those who are involved in providing pharmacy services to a particular client. This includes employees (whether full-time or part-time), employee contractors, independent contractors, vendors, partners, suppliers, occasional help, volunteers, students, co-ops, officers, directors, shareholders (so long as it remains a Canadian Controlled Private Corporation), and anyone working at or acting on behalf of Clayman Pharmacy. Once initial informed consent is obtained from the client, members of their service team are assumed to be included in that consent and can collect, use and disclose the client’s personal information for the provision of services to the client, unless they know that the client has expressly withheld or withdrawn consent.
Substitute Decision Maker See “Authorized Representative”

1.4 Related Internal Documents

  • Employee Confidentiality Agreement
  • Records Retention and Destruction Policy

1.5 Legislative Context

SECTION 2 - POLICY

2.1 Policy

Client records are to be collected and disclosed in a manner consistent with this Policy and applicable legislations to safeguard the privacy of clients in relation to the following criteria.
  • The collection and disclosure as prescribed by various municipal, provincial and federal statutes that govern the Pharmacy
  • The collection and disclosure prescribed by professional standards for the Pharmacy as communicated by the Manitoba College of Pharmacists
  • Other criteria as established by the Pharmacy

SECTION 3 - RESPONSIBILITY & PROCEDURE

3.1 Maintaining a Privacy Culture

The need to secure and maintain the privacy of collected information is not assumed to be done, nor is it to be taken for granted, but is to be actively practiced by the Pharmacy. Paper records are to be kept in file drawers and never left unattended in any place where the public has right of access. Verbal exchanges should be undertaken with full awareness of the privacy level of surroundings for any collection or exchange of personal information. Digital information is to only be accessed in private environments, whether inside or outside of the Premises.

The Pharmacy Manager and any other Manager, shall be responsible for the training, education, and monitoring of the pharmacy personnel for maintaining this culture. Any personnel not maintaining this culture shall be identified and will need to undergo proper education and testing prior to being given access to Personal Information.

3.2 Collection of Client Information & Program Registration

In order to support clients of the Pharmacy with the services they request it is vital to collect Personal Information from individual clients. The following procedures need to be followed not only to comply with privacy legislation, but to honour the trust clients place in the Pharmacy by disclosing 4 their personal information whether it be at the time of inquiry, registration, requesting services, or requesting support for those services throughout the time they remain a client of the Pharmacy.

Therefore, all personnel are responsible to collect information from clients in a manner consistent with Privacy Principles. Personal information may be documented in either a hard copy or digital format, depending on the nature and purpose of the information that is collected, and the channel through which the client chooses to interact with the Pharmacy.

Consistent with Privacy Principles, the Pharmacy will:
  • Identify the purposes for which personal information is collected prior to collection.
  • Obtain the informed consent of the individual for the collection, use, or disclosure of the collected information.
  • Limit collection of information to what is necessary for the purposes of providing Pharmacy services
  • Use fair and lawful means to collect information.
  • Limit use and disclosure of personal information for purposes other than those for which it was collected, except with the consent of the individual or as required by law.
  • Retain only as long as necessary the personal information collected for the fulfillment of those purposes as outlined in Records Retention and Destruction Policy.
  • Ensure accuracy, completeness and up-to-date status of personal information as is necessary for the purpose for which it is used.

3.3 Obtaining Informed Consent

It is the responsibility of the Pharmacy personnel to ensure informed consent is obtained before providing Pharmacy Services. Informed consent is documented through the client’s provisioning of their Medical History, Patient Consent, and Patient Waiver documents. The Client may be provided through paper or electronic means, but must be in place prior to providing Pharmacy Services. All documents will stored in a file or in a secure digital environment. Pharmacy personnel are responsible to follow the following principles:
  • Consent must be related to the requested service
  • Client must be adequately informed prior to consenting
  • Client must have the opportunity to ask questions and all questions must be answered.
  • If a person declines to provide consent, no pressure or influence will be placed upon the person to provide consent

3.4 Disclosure of Client Records

Pharmacy personnel will only disclose Personal Information in the following circumstances:
  1. As required to provide the requested services
  2. As instructed by the client
  3. As instructed by an Authorized Representative
  4. As required by law

Pharmacy personnel will clearly identify the purposes for which Personal Information will be or is being Disclosed.

When a disclosure request is received from a third-party (e.g. insurance company, family member), Pharmacy personnel will:
  • Evaluate the request on the basis of the type, purpose and requesting party and whether other information can serve the purpose for which disclosure of personal information is sought
  • Obtain and document consent from the individual about whom personal information is requested (a digital or hard copy of the signed consent form should be retained)
  • the date of consent and date of disclosure should be noted in the file.
  • Seek assistance from an appropriate internal resource (e.g. manager, Chief Privacy Officer), if a request is unusual or if there is uncertainty about whether disclosure should be made.

3.5 Withdrawal of Consent

Should the client at anytime decide to withdraw their previously granted consent for the disclosure of information, Pharmacy personnel must ensure that this is properly documented on hard copies and digital files to ensure consistency between the two.

3.6 Client Access to Personal Records

Except under special circumstances, clients have the right to access their service records. In creating digital experiences, the Pharmacy will always endeavour to allow Clients self-serve access to Personal Information they have entered, and Personal Information created to provide them with the Pharmacy Services requested. In situations where digital Personal Information is not available, or where non-digital Personal Information is requested, Pharmacy personnel should require Clients to request access in writing, although a verbal request may be acceptable based on the nature of the request. Pharmacy personnel will aim to provide access to personal records within 3 business days. At the very least, Pharmacy personnel are to contact the client within 3 business days to explain why the request will take longer than expected. In no circumstances will the Pharmacy personnel take longer than 5 business days to provide a client access to personal records without the approval of an Officer of the Pharmacy.

Any decision to deny a client access to Personal Information will require the approval of an Officer of the Pharmacy and must be accompanied by an explanation to the client as to why the request was denied.

If it is necessary to deny a client access to only a portion of their Personal Information, than access to any portion that can be provided should be provided and should be accompanied by an explanation to the client as to why the balance of the request was denied.

3.7 Client Request to Correct/Update Their Personal Record

A client may request that Personal Information be corrected. All requests for correction that cannot be made by the client themselves must be made in writing by the client, or their substitute decision maker. Any request to correct information must be reviewed by a Manager.

Any request to update/correct a Client’s Personal Information must be completed in 2 business days unless exception status is approved by a Manager.

3.8 Appeal to Chief Privacy Officer

At any time a client, prospective client, or Authorized Individual can make a request to the Pharmacy’s Chief Privacy Officer for a clarification, explanation, or review of a decision of the Pharmacy personnel.

The Chief Privacy Officer will review any such request and respond to the requestor within 30 business days.

SECTION 4 - GOVERNANCE

4.1 Policy Owner

This policy is the responsibility of the Chief Privacy Officer to maintain