Patient Privacy Statement

Protecting your privacy – Our commitment to you

Hamilton Health Sciences (HHS) is committed to protecting the privacy of its patients, and to the respectful care of the personal health information (PHI) in our custody and control.

PHI includes any information that pertains to your health and identifies who you are. For example, PHI can include your date of birth, health card number, details about your medical history and test results.

HHS has established practices and procedures to ensure that your PHI is protected, treated as confidential, and available only to individuals who require access for the purpose of providing you with healthcare, or as otherwise permitted or required by law

Any person who works, studies or volunteers at HHS is required to agree, in writing, to comply with HHS’ privacy policies. Specifically, HHS maintains policies and practices, according to its obligations under the Personal Health Information Protection Act, 2004 (PHIPA), that regulate:

  • The collection, use, and disclosure of PHI;
  • Responding to individuals that seek to exercise their privacy rights, including their right to access their PHI or to correct any records of PHI pertaining to them;
  • Handling and resolving of complaints that relate to HHS’ collection, use and disclosure of PHI;
  • Safeguarding PHI; and
  • Addressing any suspected or actual contravention of PHIPA.

What is consent under PHIPA?

How we collect your personal health information

HHS now uses Epic’s health information management system. We collect and share your PHI with other authorized caregivers so that you get the best care possible. We do so safely, using privacy and security controls to help keep your PHI safe, meet health-care best practices and keep your care as a top priority.

Most often, HHS collects PHI (such as clinical information, health history, notes related to the provision of healthcare, test results or your health card number) directly from you or from a person lawfully permitted to act on your behalf. In certain instances, we may collect information from other sources if we have obtained your consent to do so or if such practices are permitted under law. For example, we will seek your express consent to collect your photograph as an alternative way of identifying you, or to assist in the provision of care, as appropriate. We will also seek your express consent to collect, use or disclose PHI about you for marketing purposes in accordance with section 33 of PHIPA.

Subject to certain exceptions under PHIPA, we do not collect your PHI unless we have your express or implied) consent to do so.

How we use your personal health information

Generally, we only use your PHI for the purpose(s) under which the information was collected or created, namely to provide healthcare and related services to you.

We may also use your PHI for other purposes, as permitted under PHIPA, such as:

  • To plan, deliver or improve our programs or services, manage our internal operations and manage the healthcare system;
  • To conduct risk management activities;
  • To train and educate healthcare professionals and HHS staff;
  • To dispose of or modify PHI in certain instances;
  • For research and statistical purposes (and only in accordance with specific HHS practices and procedures);
  • In connection with a legal proceeding or contemplated proceeding;
  • To obtain payment or process, monitor, verify or reimburse claims for payment for the provision of healthcare or related goods and services; or
  • As otherwise permitted or required under applicable law.

Other manners in which we may use your personal information

To fundraise

The HHS Foundation is dedicated to supporting HHS by raising funds for research, education, and the improvement of patient care. Unless you tell us not to, we will give your name and address to the HHS Foundation for fundraising.

To conduct patient satisfaction surveys

We want to hear from you about the quality of care and services you received at HHS. This information helps us improve the care we provide. Unless you tell us not to, we will use your name, email address and other contact information along with the dates of your visit(s) to send you patient satisfaction surveys. You can expect to be contacted by mail, email or via text message. Participation in the survey is voluntary, and if you choose to respond, your feedback will be kept confidential. These surveys provide beneficial feedback about your experience at one of our sites, which better informs HHS about ways we can work to provide the best quality of care and services to our patients.

If you do not wish to be contacted to participate in a satisfaction survey, please email privacy@hhsc.ca advising us of such.

To inform your friends and family

Unless you ask us not to, we will provide general information about your health status to family or friends who ask. This includes the name of the clinical department caring for you (e.g. Cardiology), where your room is located, and your general health status, such as “stable” or “no change”.  Your consent is required to disclose any further information.

To offer religious / spiritual support

If you tell us about your religious or spiritual affiliation, we may give your name and location where you are receiving in-patient care at HHS to a representative of that organization or denominational group so that someone can reach out to provide you with support unless you tell us not to.

For virtual care

HHS offers virtual care to make sure that we can continue to care for our patients safely and effectively. In order to do this we will be using video and audio technologies for some patient visits rather than asking you to present to your clinic in person. Please keep in mind that not all visits are suited for virtual care, and your care team will determine whether this mode of care is appropriate for you.

While HHS takes all reasonable steps to ensure the ongoing privacy and security of virtual care sessions, there are inherent privacy and security risks that PHI may be intercepted or unintentionally disclosed during electronic communications or virtual care visits. HHS virtual care sessions are documented in your electronic health record.

If you are concerned about engaging in virtual care, please speak to a member of your care team.

Before your virtual visit, your clinic will obtain your consent to communicate electronically. Additionally, your care provider will obtain your consent to engage in the virtual care session before the session starts.

Please be sure to ask your care team about the expectations associated with virtual care visits. Technical difficulties, such as internet connection quality, may impact the effectiveness of our communication. We want to make sure you understand this before we proceed. In order to improve privacy, you should also take steps to participate in this virtual care visit in a private setting and should not use an employer’s or someone else’s computer/device as they may be able to access your information after the fact. If it is determined you require a physical exam, you may still need to be assessed in person. You should also understand that virtual care is not a substitute for attending the Emergency Department on site if urgent care is needed.

How we may use service providers

Your PHI may be transferred (or otherwise made available) to certain third parties that provide services on our behalf. We use service providers for services such as storing your PHI and processing payments. Our service providers (which may be located in Canada or in the United States) are only provided with the information they need to perform their designated functions and are not authorized to use or disclose PHI for their own purposes. HHS take steps to make sure that everyone who performs services for us protects your privacy and only uses your PHI when necessary. While HHS avoids processing or storing data outside of Canada as much as possible, some support services are provided by vendors subject to U.S. laws or in the U.S. In these situations, PHI will be subject to the laws of another country which may be different, and less protective, than those of Canada.

When we might disclose your personal health information

We will generally seek your express consent before disclosing your PHI to a person or entity that is not a “health information custodian” (or “HIC” as defined in PHIPA) and also prior to disclosing your PHI for a purpose other than for providing healthcare or assisting in providing healthcare. For example, we will only disclose PHI about an individual to a researcher who satisfies the requirements of section 44 of PHIPA. Such persons and entities will only be permitted to use or share your personal information in accordance with the purposes for which they have received it, unless otherwise permitted or required by law.

There may be certain instances, such as legal, medical, or security reasons, as well as for research purposes, where HHS collects, uses and/or discloses PHI without your consent. However, in all cases HHS will comply with its legal obligations under PHIPA.

How we safeguard personal health information

HHS takes every reasonable steps to ensure that our staff are compliant with all legislated privacy rules and regulations. HHS has policies and procedures that clearly outline our duty to protect the privacy, confidentiality, and security of all PHI.

We have implemented reasonable administrative, technical and physical measures in an effort to safeguard the PHI in our custody and control against theft, loss, and unauthorized access, use, modification, and disclosure. We restrict access to PHI on a need-to-know basis to employees and authorized service providers who require access to fulfil their job requirements.

All HHS staff receive annual Privacy training and sign a pledge of confidentiality, which together reinforce their obligation to protect your privacy. The Privacy Office delivers role-based and annual leadership training events, leads privacy information sessions and supports access to privacy resources.We conduct regular monthly audits of our electronic systems along with other precautionary steps to safeguard PHI and monitor compliance according to HHS privacy policies.

We have record retention processes designed to retain PHI for no longer than necessary or as otherwise required to meet legal or regulatory operational requirements.

Can I limit who sees my personal health information?

Yes. You can limit access to your PHI for healthcare purposes by asking for a consent directive, also known as a ‘lockbox’. There are several kinds of consent directives – you can lock your entire health record, a specific visit, or a specific staff member(s) from seeing your record. If you want to add a consent directive to your account, contact the HHS Privacy Office for more information.

If you would like to withdraw your consent for other specific uses or disclosures that we have listed in this Privacy Statement, please contact the Privacy Office. Please note that patients seeking to withdraw their consent for participation in a clinical research study must contact the primary investigator or research co-ordinator of the study to do so.

How can I access my personal health information in Epic?

Through Epic’s MyChart patient portal, you can view your PHI online, at anytime, anywhere. Epic’s MyChart enables patients to view test results when they are ready, see future appointments and review other health information. You may also get a paper copy of your chart by contacting the Department of Health Records of the hospital where you were treated.

We also offer individuals the ability to sign up for several web-based portals such as ConnectMyHealth and PocketHealth which provide patients with online access to their medical and diagnostic imaging records. Please use one of the above links to learn more about accessing your HHS records online

Requesting a copy of your medical record

Subject to certain limited exceptions, you are entitled to a copy of your healthcare record. You must make such a request in writing and may be required to pay a fee.

In addition to accessing your health information through MyChart by Epic, you may request copies of your full health care record by submitting a written request (Consent to Disclose Personal Health Information form) to the hospital.  Should you wish to receive your records via email, please also complete the “Consent for E-mail Correspondence” form.

You can also use MyChart to request your full record.

Please note – the request must be dated within 30 days of our receiving it

If you are making a request for records of a deceased patient, please contact the Release of Information Clerk within the Department of Health Records of the hospital where the patient was treated.

Administration Fee

To cover the cost of time and supplies, there is an administrative cost for requests. For further information on fees and payment, please contact the Release of Information Clerk within the Department of Health Records of the hospital where you were treated.

HHS Sites – please telephone the site where you were treated if you have questions or you want to request a copy of your medical records:

Hamilton General Hospital
Health Records Department
237 Barton Street East
Hamilton, ON L8L 2X2
Phone: 905-521-2100 Ext. 46264
Fax: 905-577-8024

Juravinski Hospital and Cancer Centre
Health Records Department
699 Concession Street
Hamilton, ON L8V 5C2
Phone: 905-521-2100 Ext. 63315
Fax: 905-575-6344

McMaster University Medical Centre, McMaster Children’s Hospital, Main Street West Urgent Care Centre
1200 Main Street West
Hamilton, ON L8N 3Z5
Phone: 905-521-2100 Ext. 75123
Fax: 905-528-3828

St. Peter’s Hospital
88 Maple Avenue
Hamilton, ON L8M 1W9
Phone: 905-521-2100 Ext. 12216
Fax: 905-526-2065

West Lincoln Memorial Hospital
Correspondence / Release of Information
169 Main Street East
Grimsby, ON L3M 1P3
Phone: 905-945-2253 Ext. 11360
Fax: 905-945-3125

Are there situations when I may not be allowed access to my health record?

PHIPA includes a concise list of circumstances where an individual may be denied access to their PHI or their health record. These include:

  • if their health record or the information in the record is subject to a legal privilege that restricts disclosure to the individual
  • if another Act, an Act of Canada, or a court order prohibits disclosure to the individual in the circumstances
  • if the information was collected or created primarily in anticipation of or for use in a proceeding which together with all appeals or processes resulting from it have not been concluded
  • if the information was collected in the course of a procedure authorized by law or undertaken to investigate illegal activities and the procedure, appeals or processes resulting from them have not been concluded
  • if granting access could result in a risk of serious harm to any individual, or lead to the identification of a confidential source

Requesting Diagnostic Images

For diagnostic images (such as X-rays or scans) submitting a written request to the appropriate library below:

West Lincoln Memorial Hospital
Film Library Contact Information
Department of Radiology
169 Main Street East
Grimsby, ON L3M 1P3
Phone: 905-945-2253 Ext. 11321
Fax: 905-945-5148

Hamilton General Hospital
Film Library
237 Barton Street East
Hamilton, ON L8L 2X2
Phone: 905-521-2100 Ext. 46515
Fax: 905-527-9053

Juravinski Hospital (formerly Henderson General)
Film Library
711 Concession Street
Hamilton, ON L8V 1C3
Phone: 905-521-2100 Ext. 42257
Fax: 905-383-0583

McMaster University Medical Centre and McMaster Children’s Hospital
Film Library
P.O. Box 2000
Hamilton, ON L8N 3Z5
Phone: 905-521-2100 Ext. 75319
Fax: 905-521-5086

Or, For fast and easy access to your medical imaging and reports online with PocketHealth!

Hamilton Health Sciences patients can now view, store and instantly share their with PocketHealth! With just a few clicks, securely access your imaging records from anywhere, on any device.

Read more about PocketHealth! and it’s many benefits on the Digital Health Care page.

Are there situations when I may not be allowed access to my health record?

PHIPA includes a concise list of circumstances where an individual may be denied access to their PHI or their health record. These include:

  • if their health record or the information in the record is subject to a legal privilege that restricts disclosure to the individual
  • if another Act, an Act of Canada, or a court order prohibits disclosure to the individual in the circumstances
  • if the information was collected or created primarily in anticipation of or for use in a proceeding which together with all appeals or processes resulting from it have not been concluded
  • if the information was collected in the course of a procedure authorized by law or undertaken to investigate illegal activities and the procedure, appeals or processes resulting from them have not been concluded
  • if granting access could result in a risk of serious harm to any individual, or lead to the identification of a confidential source

Requesting a correction to your personal health care information

If you believe that factual information in your medical record is incorrect, you have the right to ask to have it corrected. To correct something in your health record, talk to your health-care provider or contact the HHS Privacy Office for more information.

To make a correction request, complete the Correction Request Form and send it to the Privacy Office.

Report a privacy breach or concern

If you are concerned that another individual has inappropriately accessed your health care information or that of a loved one, or have questions regarding this Privacy Statement or any privacy related activities at HHS, please contact our Privacy and Freedom of Information office:

Hamilton Health Sciences – King West
P.O. Box 2000,
Hamilton, ON
L8N 3Z5
Tel: 905-521-2100 ext. 75122
Fax: 905-577-8474
Email: privacy@hhsc.ca

If you wish to make a complaint about HHS’ privacy practices, you may contact the Information and Privacy Commissioner of Ontario at:

2 Bloor Street East, Suite 1400
Toronto, Ontario M4W 1A8
Tel.: 1-800-387-0073
Website: www.ipc.on.ca

Protecting the Privacy of Our Patients and Staff Requires Your Co-operation

Recording with electronic devices

To protect your privacy, recording using electronic devices is not allowed in public and common areas of the hospital. HHS is committed to protecting the privacy of all patients, visitors and staff and we will ask you to stop recording if anyone feels uncomfortable. As well, we may also ask you to delete any recordings made on site. If you do not stop or delete the recording(s), Security will be engaged and may need to escort you from the building.

Tips to follow when recording a hospital visit

  • Before recording, talk with your health care provider about what part of the visit you want to record and why.
  • Ask whether a better option exists, including recording part, but not all, of the visit. Talk about these options with your provider.
  • As a courtesy, ask anyone who will be included for their consent, before recording. This includes physicians, nurses, therapists, technicians etc.

Your provider may document the recording in your HHS medical record (including time/date, who consented and was present, and what was covered).

Providers that process data on your behalf

Hamilton Health Sciences (HHS) uses Microsoft 365 (M365) services.

HHS data, within the M365 environment, is managed in accordance with provincial privacy legislation, including the Personal Health Information Protection Act (PHIPA), the Freedom of Information and Privacy Protection Act (FIPPA) and HHS’ acceptable use policies. HHS will undertake privacy and security assessments to protect and safeguard HHS data in the M365 environment, where required, related to the use of the M365 applications for specific purposes related to our work. For more information about Microsoft’s privacy practices related to the collection, use, storage, and retention of data held in the M365 environment, please follow the link below:

MS Privacy Statement

M365 Teams has functionalities including business messaging, calling, video meetings and file sharing. Additional features used by HHS include recording and transcription features.

If you attend an event, meeting, or training session where HHS uses MS Teams, and the encounter is to be recorded and/or transcribed using M365, you will receive a privacy notice in which you will be asked to provide consent to continue before the recording occurs.

Personal information recorded or transcribed within the M365 Teams environment relates to directly consenting participants in recorded meetings or to data where HHS has an established legal requirement for processing. In the event you do not consent to participating in the recording or having your information transcribed, you must opt out of the recorded session by leaving the meeting. Otherwise, the personal information (e.g. your name, email domain, profile picture) made available during the meeting will be collected.

The personal information collected during the recordings and transcriptions may include: your name, job title, organization, image and personal contributions to the event/purpose for which you attend. Personal health information may also be recorded in virtual care visits.

The recording could contain:

  • video stream (including images of yourself) if you choose to enable your camera during the meeting or have a photo of yourself set within your profile;
  • audio stream, if you choose to enable your microphone during the meeting, which could include any opinions you contribute and anything you say about yourself;
  • chat contributions within the meeting could also be captured as text in the meeting recording;
  • personal information; and
  • personal health information

If you have any questions regarding your privacy at HHS, please contact the Privacy office at privacy@hhsc.ca or by phone at 905-521-2100 ext. 75122.