Last updated: March 25, 2024

Policy

Medical Laboratories of Windsor Ltd. believes it is vital to ensure the utmost privacy and confidentiality of our patients’ medical information, our employees’ private data and the private financial and/or operating data of the Company. To promote these goals, employees are required to maintain a strict level of confidentiality when engaging directly with the patient or during the handling of specimens procured. Further, any business-related information secured through employee interaction or business transactions must also be held to a strict level of confidentiality.
However, MLW will also make information on its policies and practices available in a variety of methods depending on the nature of its business and other considerations. Specific information about its policies and practices relating to the management of personal information is readily available to individuals as directed by applicable legislation.

The Company is governed by various pieces of legislation and accountability for the organization’s compliance with the principles rests with all employees who are responsible for the day-to-day collection and processing of personal and/or business information, and specifically with the designated individual(s). In addition, other individuals within the organization may be delegated to act on behalf of the designated individual(s).

The privacy principles that are outlined in this policy are based on the principles set out in the Personal Health Information Protection Act (PHIPA) and the Personal Information Protection and Electronic Documents Act (PIPEDA). A Privacy Practices statement of information is posted in the workplace for both patients and staff to review.

Scope

This policy and regulations apply to all MLW employees, students, volunteers, and/or independent contractors without exemption. The information in this policy will help both the employer and our employees to properly understand their rights and responsibilities. It further communicates entitlements and obligations.
It is imperative that the confidentiality and privacy of information are continually observed in the workplace.
The various legislative acts in relation to this policy apply in any public space, workplace(s), electronic space, or motorized vehicle(s).

Collection, Use and Disclosure

Medical Laboratories of Windsor collects and uses your personal information for the following:

• Provide you and your physician with quality medical laboratory results.
• Verify your identity for laboratory services.
• Verify eligibility to health care services under an act of Ontario or Canada, including without limitation OHIP eligibility.
• Verify specimen received with test results for patient result portal.
• To manage your account for billing and customer support
• For any purpose as required during testing as required or permitted by law.
• Sending promotional emails/messages about our services to inform and improve patient experience.

1.0 Definitions

Personal Health Information Protection Act (PHIPA):

“The purposes of this Act are,
(a) to establish rules for the collection, use and disclosure of personal health information about individuals that protect the confidentiality of that information and the privacy of individuals with respect to that information, while facilitating the effective provision of health care;
(b) to provide individuals with a right of access to personal health information about themselves, subject to limited and specific exceptions set out in this Act;
(c) to provide individuals with a right to require the correction or amendment of personal health information about themselves, subject to limited and specific exceptions set out in this Act;
(d) to provide for independent review and resolution of complaints with respect to personal health information; and
(e) to provide effective remedies for contraventions of this Act. 2004, c. 3, Sched. A, s. 1.”

Personal Information Protection and Electronic Documents Act (PIPEDA): PIPEDA applies to private sector organizations operating in the Province of Ontario (and elsewhere) and provides a code for the protection of personal information which consists of ten privacy principles, i) Accountability, ii) Identifying Purposes, iii) Consent, iv) Limiting Collection, v) Limiting Use, Disclosure, and Retention, vi) Accuracy, vii) Safeguards, viii) Openness, ix) Individual Access, and x) Challenging Compliance.

“An Act to support and promote electronic commerce by protecting personal information that is collected, used or disclosed in certain circumstances, by providing for the use of electronic means to communicate or record information or transactions and by amending the Canada Evidence Act, the Statutory Instruments Act and the Statute Revision Act.”

Collection: The act of gathering, acquiring, recording, or obtaining personal information from any source, including third parties, by any means.

Confidential Information: Includes but is not limited to:
a) Patient demographics
b) Customer information
c) Tests required
d) Test results
e) Clinical information
f) MLW employee information
g) Company’s past, present, and future products, processes and services
h) Information conceived, originated, discovered or developed by employees in the course of their employment with MLW
i) Information relating to the Company’s research, development, processing, engineering, computer programming and marketing, financial, sales and product planning information.

Confidentiality: Information disclosed to any employee, consultant, independent contractor, partner, supplier, student, volunteer, and other external parties of MLW where the information is not generally known in the trade or industry in which MLW operates, or has personal or personal health information attached.

Consent: Voluntary agreement with the collection, use and disclosure of personal information for defined purposes. Consent can be express or implied, and can be provided directly by the individual or by an authorized representative(s).

i) Express consent can be given orally, electronically, or in writing, but is always clearly stated.
ii) Implied consent is consent that can reasonably be inferred from an individual’s action or inaction. When a patient presents a requisition that is signed by a health care professional, the individual’s consent is implied to:

1. Collection of personal information relating to the individual necessary or incidental to be the performance of the requisitioned service;
2. Use of the personal information for the purposes identified, subject to the limitations;
3. Disclosure of the personal information to the authorized health professional that requisitioned the service.

Designed Period: The time period of interest, as identified by the individual in the request for access.

Destruction: The permanent obliteration of any protected health information in the form acquired or created.

Disclosure: In relation to personal health information in the custody or under the control of a health information custodian or a person, means to make the information available or to release it to another health information custodian or to another person, but does not include to use the information. An organization should not use or disclose personal information for purposes other than those which it has identified purposes for and received consent for. The organization should only retain personal information for as long as is necessary to fulfill its purposes.

Laboratory Report: Any laboratory report that has been reported to the ordering clinician and any subsequent changes or reprinting that may have occurred.

Organization: Includes an association, a partnership, a person and/or a trade union.

Personal Information: Information about an identifiable individual, including employees, clients and patients, but does not include the name, title, business address or telephone number of an employee or organization. For the purpose of MLW policies this term will include the definition of personal health information such as:

1. The physical or mental health of the individual;
2. Any health service provided to the individual;
3. The donation of any body part or any bodily substance of the individual or information derived from the testing or examination of a body part or bodily substance of the individual; or
4. Any information collected purposely/incidentally in the course of providing health services to the individual.

Privacy Officer: MLW is a health information custodian, and following the requirements under PHIPA, must designate one person to be the Privacy Officer. The Privacy officer ensures MLW’s overall compliance with the Act.

Record: Means a record of information in any form or in any medium, whether in written, printed, photographic or electronic form or otherwise, and any other documentary material, regardless of physical form or characteristics and any copy of any of those items, but does not include a computer program or other mechanism that can produce a record.

Reproduction: Re-creation of the above-defined report, from stored information.

Retention: After the maximum retention period, an organization should destroy, erase, or otherwise make anonymous the personal information it has collected. Personal health information is retained as long as is necessary.

Third Party: Any organization that receives personal information from MLW in the course of providing a service on behalf of MLW. This could include services such as clinical, legal, accounting, consulting, data aggregation, management, administrative, accreditation or financial services. The third party is duly accountable for the protected management of such information.

2.0 Policy Regulations

The following regulations are in effect at all times when an employee is at work and the list below is not meant to be all inclusive of all circumstances:

1. All patient, client, or health care provider information is to be held in the strictest of confidence by all staff members. This includes ensuring that any comments or communications with, or regarding a patient, remain confidential.

2. All MLW employees, consultants, independent contractors, partners, suppliers, students, volunteers, and other external parties are to respect the confidential nature of our business. The information must be protected both during the course of employment or contract and after the employment or contract has been terminated.

3. Each MLW location will post a MLW Privacy Practices 49677.2201 notice. All employees are to read, understand and sign the MLW Privacy and Confidentiality Agreement 49677.1321 agreement upon hire. Such notice(s) will inform individuals of their rights regarding personal information.

4. MLW shall not collect personal information indiscriminately. Both the amount and the type of information collected shall be limited to that which is necessary to fulfil the purposes identified. The Company shall specify the type of information collected as part of their

information-handling policies and practices, in accordance with the Openness principle. 5. The Company shall be open about their policies and practices with respect to the management of personal information. Individuals shall be able to acquire information about the Company’s policies and practices without unreasonable effort. This information shall be made available in a form that is generally understandable.

3.0 Responsibilities

Privacy Officer: To ensure compliance with legislation the Privacy Officer shall:

• Respond to requests for access to and correction of personal information and issues concerning personal information;
• Making the necessary changes to practices, policies and procedures;
• Staff training;
• Customer relations;
• Inquiry and complaint processes; and
• Maintain current knowledge of applicable federal and provincial privacy laws and any applicable accreditation standards.

Employer (Leadership or Management Team as a collective and individual Managers or Supervisors as applicable): To protect a Team Member the Employer shall:

• Institute a ‘‘top-down’’ commitment to an absolute requirement for confidentiality in the workplace, essential in setting the tone for the organization;
• Prepare, post and communicate a posting notice indicating the employer’s commitment to privacy practices, subject to an annual review;
• Develop, communicate and maintain an effective and responsive training program so as to achieve the goal of preventing any breaches of confidentiality;
• Provide training and other resources necessary for the program’s implementation and success; and
• Take every precaution reasonable in the circumstances for the protection of confidentiality within the workplace.

Supervisor
To protect a Team Member the Supervisor shall:

• Assume responsibility within his or her area of jurisdiction for implementation of this policy and procedure, communicating this policy and procedure to their Team Members;
• Support and promote awareness of commitment to an absolute requirement for confidentiality workplace, inclusive of compliance issues;
• Ensure that all persons within the workplace conduct themselves in a manner consistent with and required by this policy;
• Immediately report to the Management Team or a member of the Human Resources Team any complaint of breach of confidentiality;
• Participate in the incident investigation process in the manner required by the Company; and
• Take every precaution reasonable in the circumstances for the protection of protection of confidentiality within the workplace.

Employee or Team Member

• Work in compliance with the Company policies, procedures, work instructions, guidelines, training material and other relevant information;
• Treat other Team Members, visitors and the public with respect and dignity, maintaining confidentiality of information;
• Participate in education and training programs directed at ensuring confidentiality in the workplace; and
• Immediately report incidents of a breach of confidentiality to their Supervisor;
• Cooperate with Human Resources in any investigation of a breach of confidentiality.

Human Resources Team:

• Provide assistance and direction for the implementation, effectiveness and continuing maintenance of the commitment to an absolute requirement for confidentiality in the workplace;
• Conduct the investigation, or assist others conduct the investigation, reporting findings and resolution. The Human Resources Manager shall review the evidence, in conjunction with the Management Team to make a determination with respect to allegations of a confidentiality breach; and
• Human Resources will be responsible for maintaining documentation of the incident, the investigation and all disciplinary and security measures taken in response to the complaint / investigation.

4.0 Consequence of Non-Compliance

Any individual may issue a complaint to the Privacy Officer or the Human Resources department if they believe their privacy rights have been violated.

Violation or failure to comply with any of the regulations and/or responsibilities of this policy will result in disciplinary action up to and including termination of employment. Disciplinary consequences will be applied for breaching reporting protocols.

Close