Access to Information and Records
Under the Freedom of Information and Protection of Privacy Act (FIPPA), a request must be made in writing. You can either fill out a Request Form for the Release of Patient Records (Word), or make your request in a letter and submit it to the Release of Information Coordinator at the Health Records department of the site where you received care.
While FIPPA allows for up to 30 business days from receipt of your access request to provide you with your record, many requests can be fulfilled sooner than that timeframe.
Also see: Who has the right to request access to records held by the Vancouver Island Health Authority (VIHA) under FIPPA?
It is a written request by an individual “applying” to obtain copies of records containing recorded information (either personal or business) held by the VIHA. The request must be clear, specify the records being sought and, if the applicant is acting on behalf of another individual, provide written proof of the authority to make the request.
A variety of VIHA records are requested through the Information Access and Privacy (IAP) Office. The following list will give you an idea of the scope of requests we manage:
- Contracts.
- Licensing reports (investigation, inspection, and incident) relating to residential care homes, group homes, and family day care operations.
- Environmental health reports relating to sewage systems, permits, inspections, complaint follow-ups, and food establishment inspections.
- Financial budgets, forecasts, contracts.
- Reports regarding new initiatives within VIHA.
- Specific information sharing requests from police and /or other agencies.
Outside of the IAP office, the most frequent record that is requested is an individuals’ personal health record.
Back to Top
Requests for records (as noted above) are subject to the rules and processes outlined in FIPPA, including but not limited to, being submitted in writing, responded to within 30 business days and subject to the exceptions to disclosure outlined in FIPPA.
On the other hand, requests for information typically come from an individual seeking verbal or written answers to questions, rather than specific records held by VIHA. As such, any responses to questions are not addressed under FIPPA, rather the release of information in this situation is guided by FIPPA and Confidentiality policies of VIHA.
Under FIPPA, VIHA has up to 30 business days from receipt of the written request to respond. If VIHA needs to consult with a third party, or there are large volumes of records to review, a time extension may be taken as allowed under FIPPA. In that circumstance, you will be notified in writing of the new due date and the reason for the extension.
Health care providers are expected to fully discuss your care and treatment with you throughout your hospitalization. However, the health record itself is not typically shared with you during your stay.
The personal information you provide to us is your information, but the record it is stored on is the property of the health authority. FIPPA requires that access to records held by the health authority follow a specified procedure, as outlined under that legislation, to enable designated IAP officers to review each record and ensure that anyone else’s information that may exist within your health record is adequately protected prior to disclosure.
For example, when you were admitted, a family member may have provided your health care providers with their confidential personal information or medical history in order to assist in better understanding your care needs. Their information would typically be protected from disclosure to you, especially if that family member had provided it in confidence.
Not providing immediate access to the record thus protects other individual’s privacy rights as well as ensures the health authority follows the rules stipulated by FIPPA.
Back to Top
Not just anyone can see your health information. As stated in VIHA’s notification signage, we collect your personal information in order to provide care and services to you. To ensure you receive safe and comprehensive care, relevant need-to-know information is shared with your referring physician, other care providers, or health care agencies and facilities who demonstrate they are directly involved in your ongoing care.
Personal information about you may also be provided to other individuals when the purpose for sharing is consistent with the provisions of FIPPA.
Under certain circumstances, other individuals who may be acting on your behalf or have demonstrated their legal authority to have access to specific information in your record may be provided with some or all of your records. These individuals may include, but are not limited to, Personal Representatives, Committees of Person, Executors, or a lawyer acting on your behalf. Each request would be considered individually and involve the submission of proof of the proper authority to receive access to your personal information.
Under FIPPA, you are entitled to receive a copy of your personal health record for free. Fees may apply for any special processing services that are requested.
Back to Top
Section 29 of FIPPA states that if you believe there is an error or omission in your personal information you may write to the designated I&P Officer where you received your care or service and request that the public body correct the information.
Factual errors will be corrected; however, if you are requesting the correction of an opinion or other non-factual information, under the stipulations of FIPPA, the health authority will add your letter to your health record.
These are categories of records that VIHA holds which are available to the public, upon request, without submitting a formal request for access to records. These records never contain information that may be considered personal or confidential and/or requiring severing or review under the Act.
Examples of routinely releasable records would be:
Approved Policies and Procedures
Manuals
Information sheets/pamphlets/brochures
You may contact the Regional Information and Privacy Office, or, if your question relates to accessing your personal health record, contact the designated IAP Officer in the facility where you received your care.
Back to Top
Please contact the Information Access & Privacy Officer or Release of Information Coordinator (as noted on your correspondence) to address your concerns.
If you remain dissatisfied with the response you received from VIHA you may contact the Office of the Information & Privacy Commissioner.
About the IAP Office
- Information and education regarding the public’s access and privacy rights and the health authority’s management of their personal information held within a VIHA record.
- Consultation and advice regarding public and private sector privacy legislations as it pertains to a VIHA service.
- Information on how to submit an access request for, or correction request regarding, records held by VIHA.
- Contact information for designated Information & Privacy officers or Health Records Release of Information Coordinators responsible for addressing access requests for an individual’s personal health record.
- Responds to access requests for Corporate, Licensing, Financial and Environmental Health Office records.
- Investigation of and response to alleged privacy breaches.
We do not process formal access requests for inpatient/outpatient health records. Refer to the designated IAP Officer contact list for the appropriate person to manage these requests for records.
Your Privacy and Confidentiality
Information Privacy refers to the right of an individual or data subject to determine with whom their personal information is shared, under what circumstances and to know of and exercise control over the use and disclosure of and access to that information.
In addition to it being our legal right, privacy is a personal value that is interpreted differently by each of us and impacted by our age, gender and societal norms – what’s private to one may not be to another. While one person may tell you their entire health history in 5 minutes, another may not wish to disclose anything to you.
Back to Top
Confidentiality refers to the responsibility or obligation of an individual or organization to ensure that personal and confidential information is kept secure and is collected, accessed, used and disclosed appropriately.
It is a human process involving sharing of private information and the appropriate management of that which is entrusted to us.
Information Security refers to the three principles that VIHA, as data custodians, apply to the information in our custody & control whether in hard copy or electronic format: confidentiality, integrity - ensuring the information is correct, and availability of the information.
Computer Security is based on three concepts: identification (who are you?), authentication (prove it!), and authorization (we know who you are, what privileges do you have?).
Yes, VIHA is legally responsible to protect the privacy of personal information under our custody and control. We have two policies that provide a framework for the consistent management of personal and business information collected, used, disclosed and protected by the VIHA in accordance with the principles and requirements of various legislative Acts, including but not limited to the Freedom of Information and Protection of Privacy Act (FIPPA), professional bylaws, privacy codes and standards of practice.
The policies are: 1.5.1 Confidential Information – Privacy Rights of Personal Information (PDF) 1.5.2 Confidential Information – Third Party, VIHA Business and other Non-Personal Information (PDF) 16.1.1. Data Classification (PDF)
Back to Top
We collect your personal information to assist us in providing you with care and services. We also require your information to determine your eligibility for various benefits and services.
Under FIPPA, VIHA is obligated to notify you about the reasons for the collection and use of your personal information. VIHA has a Notification Sign (PDF) posted at all facilities detailing the authority under which we can collect information. Upon admission, it is important to ensure you review the sign and have the opportunity to ask questions about our management of your personal information.
We take the privacy of your personal information very seriously and have employed measures to ensure your personal information is treated in a confidential manner according to the Freedom of Information and Protection of Privacy Act.
Our notification signs about the collection, use and disclosure of your personal information highlight the reasons under which we may share your information. See a copy of the Notification Sign (PDF).
Consent means voluntary agreement by a person in the possession and exercise of sufficient mental capacity to make an intelligent choice to do something proposed by another; it supposes a physical power to act, a moral power of acting and a serious, determined and free use of these powers [Black’s].
For example, consent is given when a mentally sound individual chooses to allow another individual to receive information and/or records pertaining to them and understands the implications of that decision.
For more information about consent as it relates to information sharing, contact the Regional Information and Privacy Office. For more information about consent in general, contact the Risk Management Office.
Back to Top
Authorization is the act of officially approving or sanctioning an individual(s) to complete an act on behalf of an individual or agency. For example, a lawyer may provide written authorization from a client to act on his/her behalf or a client may provide a family member with the authority to act on his/her behalf should the client become mentally incapable of making decisions.
Authorization can also be in the form of a statutory authority, outlined in legislation, of an outside agency (e.g. MCFD, Police, WCB, Coroner) to access and obtain information about a specific individual. Typical forms of legal authorization to act on behalf of another individual include: Committee of Person; Committee of Estate; Will and/or a Representation Agreement.
Please contact the Regional Information and Privacy Office to discuss your concerns.
Legislation in British Columbia
FIPPA came into force in British Columbia in 1993 to provide a legislative framework for information and privacy rights by governing public bodies’ management of personal and/or business information held in records within their custody or control. FIPPA does three crucial things at the same time:
- Makes the health authority more accountable to the public
- Makes the process of handling requests for records held by a public body uniform and consistent
- Provides strong protection for an individual’s personal privacy
Under FIPPA, personal information is defined as any recorded information that uniquely identifies you, which includes, but is not limited to your name, address, phone number, sex, race, religion, sexual orientation, fingerprints, disability or blood type.
Confidential business information includes, but is not limited to: draft correspondence; financial forecasts not yet made public; some third party business information typically supplied in confidence; specific contract language; legal opinions prepared for the health authority; some quality improvement information; ongoing labour relations issues not yet resolved; negotiations carried on or for the public body.
Further Reading (by the OIPC of BC):
A Guide to Access to Information and Privacy Protection Under BC's FIPPA (PDF)
Back to Top
Individuals may request access to any records held by VIHA, however, the release of those records will occur in accordance with the requirements under FIPPA.
Patients, residents, clients, or employees can request access to their own health records by submitting a written request (via access request form, letter, email, or fax) to the Release of Information Coordinator in the Health Records department at the site believed to hold that record.
The public may also submit a written request for records containing information held by VIHA to the appropriate Information and Privacy contact within VIHA.
Employees of the health authority have the right to review their personnel file without submitting a formal access request.
The AGA promotes every adult’s right to self-determination and provides support and protection for those who are vulnerable to abuse or no longer capable of making their own decisions. Further details about the AGA can be located on the website for the Public Guardian and Trustee of British Columbia.
Your identity is protected from disclosure under two legislations, specifically, s.46(2) of the AGA states that the identity of the person making the initial report must not be disclosed to third parties.
In addition, s.22(1) of the FIPPA will further protect your name and any personal identifiers from being released to an applicant making a request for records containing this information.
The name of the complainant is protected under both s.46(2) of the AGA and s.22(1) of FIPPA, which further protects any personal identifiers from disclosure, therefore, the name and any other identifiers of the complainant would not be released. However, other information contained in the investigation that would not identify the complainant may be released.
In addition, section 46(3) of the AGA states: “No action for damages may be brought against a person for making a report under this section or for assisting in an investigation under this Part, unless the person made the report falsely and maliciously”.
This does not stop a person from suing; the court would have to decide if the complaint was made falsely and/or maliciously.
An electronic health record is a computerized version of the paper health record that is used to document your care over time in the same way as your paper record.
A major advantage of an electronic health record is that it allows authorized health care providers to access "need to know" information about you in a timely fashion to support safe and comprehensive health care.
VIHA currently uses both paper and electronic mediums to document your personal health information.
Strict physical and electronic security protections are in place to ensure only those individuals with the proper authority are accessing your record. Our staff are trained in confidentiality and security procedures during their orientation to VIHA and have ongoing educational opportunities in confidentiality, privacy and security responsibilities.
All staff members are required to sign a confidentiality acknowledgement form and adhere to VIHA confidentiality policies. As well, random audits are done to ensure ongoing appropriate access to patient, resident and client health records.