Privacy Notice - Hospital Diagnostic Imaging Repository Services

HDIRS Privacy Notice

Hospital Diagnostic Imaging Repository Services (HDIRS) is one of three regional diagnostic imaging repositories (DIRs) in Ontario that enables hospitals and independent health facilities (e.g., diagnostic imaging facilities) to share your personal health information (PHI) to support diagnosis, treatment, and care.

HDIRS also provides additional services to its hospital members to enable them to share PHI for other important data-quality-oriented activities, such as the peer review service, which promotes learning and better communication among radiology professionals.

HDIRS is a health information network provider (HINP), a type of service provider under Ontario’s Personal Health Information Protection Act (PHIPA) regulations, O. Reg. 329/04 when it works on behalf of hospitals and independent health facilities to make your diagnostic imaging information (e.g., X-rays, MRIs, CT scans, ultrasounds) and related reports available to one another.

As part of the services that enable sharing of PHI among hospitals and independent health facilities, HDIRS has established best-practice safeguards to protect your PHI and coordinate the secure transmission of your PHI over the Ontario Health network with the support of third-party service providers. HDIRS closely monitors these third-party providers to ensure they meet the same privacy obligations as HDIRS.

As a service provider, HDIRS has an enterprise-wide privacy program to support our compliance with the requirements of PHIPA and its regulations as well as our agreements with hospitals and independent health facilities. We follow recognized standards in privacy and information management to safeguard your PHI more broadly. Below is a summary of our privacy program and practices for PHI.

Accountability for Privacy

The HDIRS President and Chief Executive Officer (CEO) is accountable for ensuring that HDIRS complies with its privacy obligations.

HDIRS’ Privacy Program

HDIRS has an enterprise-wide privacy program designed to meet its privacy obligations.

The foundation of this program is HDIRS’ privacy policy, which defines how HDIRS as a service provider to hospitals and independent health facilities protects the privacy of people whose information is in the DIR.
HDIRS has implemented the following measures to meet the requirements of its privacy policy:

Privacy and information management procedures to ensure that HDIRS employees appropriately limit their access to and use, disclosure, and retention of your PHI for the purposes of providing and managing the DIR services.
Privacy training and awareness for all new HDIRS employees, with refresher privacy training provided on a periodic basis.
Processes for identification and management of privacy risks.
Privacy review activities to confirm that HDIRS complies with its privacy requirements.

Consent

Getting your consent to collect, use, and disclose your diagnostic imaging information is the responsibility of the hospital or independent health facility that captures and shares your diagnostic imaging information.

If you contact HDIRS regarding any of the above, we will provide information specific to HDIRS and support you in contacting the appropriate hospital or independent health facility that shared your diagnostic imaging information to address privacy matters.

Safeguards

HDIRS has implemented information security safeguards to protect your PHI in the DIR from unauthorized collection, use, disclosure, and retention. Key safeguards include, but are not limited to:

Access controls on HDIRS information management systems (electronic and hard copy) to ensure that access to your PHI by employees and third-party service providers has been appropriately limited.
Data protection measures, including protection (e.g., encryption) of your PHI when transmitted among HDIRS, hospitals, independent health facilities, and third parties.
Network protections, including firewalls, intrusion detection and prevention measures, and anti-malware protections.

Your Privacy Rights

You must contact the hospital or independent health facility that captured and shared your diagnostic imaging information with HDIRS for the following privacy matters:

Request a copy of your information in the DIR.
Request access to information about how the hospital or independent health facility has been using, accessing, and sharing your information.
Request a correction to your diagnostic imaging information in the DIR.
Make a privacy inquiry or complaint about how the hospitals and health facilities are managing and ensuring the privacy of your information in the DIR.

If you contact HDIRS regarding any of the above, we will provide information specific to HDIRS and direct you to contact the hospital or independent health facility that shared your diagnostic imaging information in the DIR to address privacy matters.

Privacy Contacts

If you have a general inquiry or complaint about the service that HDIRS provides to hospitals and independent health facilities or our privacy and security program, contact us.

If you are not satisfied with how we resolve your question or concern, you may contact the Information and Privacy Commissioner of Ontario at:

Information and Privacy Commissioner of Ontario
2 Bloor Street East, Suite 1400
Toronto, Ontario M4W 1A8
416-326-3333
commissioner@ipc.on.ca
www.ipc.on.ca