Personal Health Information Protection Policy

To set out the provisions for the proper handling, protection and confidentiality of personal health information at Seneca Polytechnic.

This policy applies to Seneca employees and authorized agents, who handle personal health information on behalf of Seneca.

An individual authorized by a health information custodian to do something on behalf of the custodian with respect to personal health information. Authorized agents may collect, use, disclose, retain or dispose of personal health information as permitted by the health information custodian and considered necessary for the purposes of carrying out their duties as an agent. 

To gather, acquire, receive or obtain personal health information by any means from any source.

To give expressed or implied permission for a health information custodian to collect, use or disclose personal health information. 

To make personal health information available or to release it to another health information custodian or person.

A person or organization who has custody or control of personal health information as a result of or in connection with performing the person’s or organization’s duties pertaining to the provision of health care.

Any observation, examination, assessment, care, service or procedure that is completed for a health-related purpose and is carried out or provided to diagnose, treat or maintain an individual’s physical or mental condition to prevent disease or injury or to promote health, or as part of palliative care.

Identifying information about an individual in oral or recorded form relating to:

• the physical or mental health of the individual
• the providing of health care to the individual
• payments or eligibility for health care, or eligibility for coverage for health care
• the donation by the individual of any body part or bodily substance or the testing or examination of any such body part or bodily substance
• the individual’s health number
• the identification of an individual’s substitute decision-maker

To view, handle or otherwise deal with personal health information.

1. Seneca is committed to:
   • complying with the Personal Health Information Protection Act (PHIPA)
   • protecting privacy and ensuring confidentiality of personal health information (PHI)
   • ensuring PHI is used only for authorized purposes
   • protecting PHI from theft, loss and unauthorized access, copying, modification, use, disclosure and disposal including the use of technical, administrative and physical safeguards

1. Seneca collects, uses and discloses PHI only for lawful purposes related to health care and other authorized functions, such as:
   • providing assessment, counselling, treatment, referral and/or consultation services
   • obtaining payment for services or goods provided from a provincial health care plan, student insurance provider, private insurer or other
   • conducting quality improvement and risk-management activities
   • promoting health care-related services and events; Seneca obtains expressed consent when collecting or handling PHI for these purposes
   • complying with regulatory obligations as regulated health professionals
   • fulfilling other purposes permitted or required by law
2. Information will be collected directly from an individual, unless legislation permits or requires collection from third parties.
   
3. Seneca will provide individuals with access to their collected PHI in a mutually agreed-upon electronic format.

1. Collection, use or disclosure of PHI must be done with the knowledge and consent of the individual, unless otherwise permitted by applicable legislation.
2. Seneca may, with an individual’s consent, collect, use or disclose the person’s health card number for the purpose of:
   
   • verifying the individual’s identity
   • accurately identifying their PHI records
   • linking their records
3. Seneca is permitted to rely on an individual’s implied consent when they request treatment, unless the individual explicitly states otherwise.
   
4. Individuals have the right to withhold or withdraw consent for the collection, use or disclosure of PHI.
   
5. Seneca requires an individual’s expressed consent to disclose personal health information to an individual who is not acting as an agent of the health information custodian, or where the disclosure is not for the purposes of providing health care, unless the disclosure is otherwise permitted by applicable legislation. 
   
6. Seneca will disclose personal health information without consent only when permitted or required by applicable legislation.

1. Individuals have the right to access their health records or request a correction to their records with only limited exceptions, as permitted under applicable legislation. 

1. Seneca retains electronic health records for 10 years, or 10 years past an individual’s 18th birthday.
2. When records are no longer required, they will be securely destroyed using approved destruction methods in accordance with applicable policies and legislations.

• Appendix: Access request and contact information

• Freedom of Information and Protection of Privacy Policy
• Seneca Medical Centre Policy
• Whistle Blower Policy

• Freedom of Information and Protection of Privacy Act, 1990
• Health Care Consent Act, 1996
• Health Protection and Promotion Act, 1990
• Mental Health Act, 1990
• Mental Hospitals Act, 1990
• Personal Health Information Protection Act, 2004
• Substitute Decisions Act, 1992
• Seneca Counselling Services privacy practices

Approval Date: December 2017

Last Revision:  February 2026