What You Need to Do
To comply with the Act, you must:
- designate a contact person for the purposes of the Act,
- identify the purposes for which you collect, use and disclose personal health information,
- only collect, use or disclose your patients’ personal health information if you have your patients’ consent to do so or if the Act allows you to do so without consent,
- only collect, use or disclose your patients’ personal health information if no other information would serve your purpose,
- only collect, use or disclose that amount of information necessary to serve your purpose,
- follow reasonable information practices to protect your patients’ personal health information against theft, loss and unauthorized access, copying, modification, use, disclosure and disposal,
- take reasonable steps to ensure that your patients’ personal health information is as accurate, complete and up-to-date as needed for its use or disclosure,
- establish and maintain appropriate information practices and tell your patients about these practices (note: the rest of this Toolkit will help you develop these information practices),
- develop and make available a written statement on:
  - your information practices (in general terms),
  - your contact person’s contact information, and
  - your access, correction, inquiry and complaints procedures,
- develop procedures to:
  - identify when a use or disclosure of personal health information is beyond what is described in the written statement,
  - notify affected patients about such a use or disclosure, and
  - make and keep notes of such a use or disclosure in or linked to the affected patient’s personal health record,
- train your staff, volunteers and others acting on your behalf to follow your information practices and your procedures, and
- take reasonable steps to protect personal health information that you transfer to others (for example, including privacy clauses in your contracts with agents).