At Diet Designs Nutrition Counselling, your privacy is of greatest importance to us. Please find below all of the specifics on how we strive to keep your privacy protected.
Last Updated: June 14th, 2023
The Use of Personal Information
Privacy of personal information and personal health information (collectively referred to as “Personal Information”) is an important principle to Diet Designs Nutrition Counselling (hereinafter referred to as “Diet Designs Nutrition Counselling”, “we” or “our”).
We are committed to collecting, using and disclosing Personal Information of our clients (hereinafter “clients”, “you”, “your”) responsibly, in accordance with applicable law, and only to the extent necessary for the services we provide.
Diet Designs Private Practice
Owner/Manager: Tamara Humphrey, Registered Dietitian (RD); Certified Diabetes Educator (CDE)
Health Information Custodian: Tamara Humphrey
Information Officer/Contact Person: Tamara Humphrey
Who We Are
Tamara Humphrey, RD, CDE is the head of Diet Designs Nutrition Counselling. She is the only staff member at this time who assists in the provision of care to her clients.
Diet Designs may also work with consultants and agencies that may, in the course of their duties, have limited access to Personal Information we hold. These include computer consultants, virtual assistants, volunteers/interns, credit card companies and website managers. We restrict access to any Personal Information we hold, as much as possible. We also obtain assurances from any healthcare professionals, support staff, consultants and agencies, that they will follow appropriate privacy principles.
Table 1: Types of Personal Information and Personal Health Information that may be collected
Personal Health Information
Health history of individual
Home address, telephone number, email address
Family health history
Gender & Age
Health measurements, samples, lab results, examination results
Extended Health Benefit Coverage
Health conditions, assessment results or diagnoses
Health services provided to or received by the individual
Prognosis or other opinions formed during assessment and treatment
Compliance with assessment and treatment
Ethnicity, race or country of origin
Reasons for discharge and discharge condition and recommendations
Identity of individual’s health care providers
What is Personal Information and Personal Health Information?
Personal information means any factual or subjective information, recorded or not, about an identifiable individual, including without limitation, age, name, ID numbers, income, ethnic origin. Personal health information is identifying information about an individual in oral or recorded form that relates to the details of their healthcare, including:
the physical, nutritional or mental health of the individual (including the family health history);
the provision of health care to the individual (including identifying the individual’s health care provider(s));
a plan of service under the Home Care and Community Services Act, 1994;
payments or eligibility for health care or coverage for health care;
the individual’s health card number; or
the identification of the individual’s substitute decision-maker.
Purpose for Collecting, Using and Disclosing Personal Health Information
Primary Purposes: Diet Designs Nutrition Counselling collects, uses and discloses personal health information about a client, including without limitation, client’s health history, physical condition and social situation, in order to help us assess what clients’ needs are, to advise clients of treatment options and provide them with the chosen health care in connection with dietetic services. In addition, this information is collected to have a baseline of health and social information so that in providing ongoing health services, changes can be identified. With your permission, this information may be disclosed to other members of your health care team, to provide you with optimal health care.
Secondary Purposes: We also collect, use and disclose Personal Information for related purposes.
For example, we collect, use and disclose Personal Information to:
Obtain payment for services provided from the individual, private insurers or others, as applicable.
Conduct quality improvement and risk management activities. We review client files to ensure that we provide high quality services. External consultants (e.g., auditors, lawyers, practice consultants, voluntary accreditation programs) may conduct audits and quality improvement reviews on our behalf.
Promote our clinic through workplace wellness seminars or conferences. We will always obtain express consent from the client prior to collecting or handling Personal Health Information for this purpose.
Comply with external regulators. Our profession is regulated by the College of Dietitians of Ontario (hereinafter “CDO”), who may inspect our records and interview staff as part of its regulatory activities in the public interest. The CDO has its own strict confidentiality and privacy obligations. In addition, as professionals, we will report serious misconduct, incompetence or incapacity of other practitioners, whether they belong to other organizations or our own. We will also report information suggesting illegal behavior to authorities. In addition, we may be required by law to disclose personal health information to various governmental agencies (e.g., Ministry of Health and Long-Term Care, Children’s Aid Societies, Canada Customs and Revenue Agency, Information and Privacy Commissioner, etc.).
Educate staff and students. We value the education and development of future and current professionals. We will review client records in order to educate our staff and students about the provision of health care.
Facilitate the sale of our organization. If the organization or its assets were to be sold, the potential purchaser would want to conduct a “due diligence” review of the organization’s records to ensure that it is a viable business that has been honestly portrayed. The potential purchaser must first enter into an agreement with the organization to keep the information confidential and secure and not to retain any of the information longer than necessary to conduct the due diligence. Once a sale has been finalized, the organization may transfer records to the purchaser, but it will make reasonable efforts to provide notice to the individual before doing so.
Protecting Personal Information
We understand the importance of protecting Personal Information. For that reason, we have taken the following steps:
Paper information is either under supervision or secured in a locked and restricted area.
Electronic hardware is either under supervision or secured in a locked and restricted area at all times. In addition, strong passwords are used on all computers and mobile devices.
Personal Information is only stored on mobile devices if necessary. All Personal Information stored on mobile devices is protected by strong encryption.
We try to avoid travelling with personal health information. However, when we do so, we transport, use and store the personal health information securely.
Paper information is transferred through sealed, addressed envelopes or boxes by reputable companies with strong privacy policies.
Electronic information is either anonymized or encrypted before being transmitted.
We do not post any Personal Information about our clients on our website or social media sites.
External consultants and agencies with access to Personal Information must enter into privacy agreements with us.
Openness about the Personal Information Process
Access Personal Information
You have the right (with some exceptions) to access Personal Information about you that is held by us and to know what we have done with your Personal Information.
Procedure for Accessing Personal Information
We request that all access requests be in writing. We will confirm the identity of the requestor prior to disclosing any Personal Information. We will respond to your request as soon as possible and generally within 30 days, if possible.
If the request is granted, we will provide your Personal Information or a summary of what we have in our file and will take reasonable steps to ensure that you understand the records being provided (e.g., explain short forms or codes and technical language). We may charge a fee related to the access request based on the guidelines of the Information and Privacy Commissioner’s Office of Ontario.
If a request is refused, we will provide our reasons for the refusal as well as the appropriate contact details for the Information and Privacy Commissioner of Ontario.
Grounds for refusal to access Personal Information could include:
Frivolous, vexatious and bad faith requests
If the information is quality of care information or information generated for the College’s quality assurance program;
Raw data from standardized assessments;
There is a risk of serious harm to the treatment or recovery of the individual or of serious bodily harm to another person; or
Access would reveal the identity of a confidential source of information.
You have the right to request a correction to information held by us. The purpose is to maintain appropriate and accurate information on clients. Correction requests are restricted to factual information. Professional observations and opinions are not commonly subject to correction requests.
If we agree that there is a mistake in the record, we will make the correction, but we will not destroy the original entry. At your request and where it is reasonably possible, we will notify third parties to whom we sent this information. We reserve the right to refuse to notify a third party if the correction cannot reasonably be expected to have an effect on the ongoing provision of health care or some other benefit to the individual.
If we do not agree that there is a mistake in the record, a notice of disagreement will be filed with the record. Upon any notice of refusal, we will advise you of your right to complain to the Information and Privacy Commissioner about the refusal.
We may also refuse corrections, if, for example, the request is frivolous, vexatious or made in bad faith, or if we did not create the record and do not have sufficient knowledge, expertise or authority to make the correction.
Retention and Destruction of Personal Information
Diet Designs Nutrition Counselling will retain clinical records for 10 years after the last client interaction or 10 years after the client turns 18 years of age. If required by the circumstances, Diet Designs Nutrition Counselling may retain a clinical record for a longer period of time, such as where litigation is contemplated or ongoing or where a request for access to the record is outstanding.
Personal health information will be disposed of in a secure manner so that the records cannot be reconstructed (s.13 of the Act and s. 1(5.1) of the regulations). Paper records will be cross-cut shredded (using external shredding services) and electronic files will be deleted or destroyed in a way that the information cannot be recovered.
When Tamara Humphrey, RD, CDE dies, the person responsible for her estate will be responsible for complying with applicable legislation governing Personal Information until he or she is able to transfer the information to another health information custodian.
While we will take precautions to avoid any breach of your privacy, if there is a loss, theft or unauthorized access of your Personal Information we will notify you.
Upon learning of a possible or known breach, we will take the following steps, as applicable:
Step 1: Respond immediately by implementing the organization’s privacy breach protocol.
Inform the necessary staff within the organization.
Consider whether the Commission must or should be notified (PHIPA provides that regulations may be passed setting out certain kinds of breaches that must be reported to the Commission, s. 12(3)).
Step 2: Containment – Identify the scope of the potential breach and take steps to contain it.
Assess what and how much information was breached and in what manner (e.g., paper format, electronic format), including individuals or organizations who may have been involved with or are responsible for the breach, and the nature and quantity of the Personal Health Information that is affected.
Determine whether copies were made and retrieve any copies of Personal Health Information (PHI) that have been disclosed.
Ensure that no copies of PHI have been made or retained by anyone who was not authorized to receive the information. Record the person’s contact information in case follow-up is required.
Determine whether the breach would allow unauthorized access to any other PHI. Implement any necessary action to contain further unauthorized access (e.g., change passwords, identification numbers and/or temporarily shut down a system).
In case of unauthorized access by an agent, consider suspending their access rights.
Step 3: Notification – Identify those individuals whose privacy was breached and notify them of the breach.
Notify all individuals whose personal health information has been compromised in the most appropriate way possible in light of the sensitivity of the information (e.g., by phone, in writing, at your next appointment, etc.) and at the first reasonable opportunity. Where appropriate, the individual will be informed of the name of the agent responsible for unauthorized access, the date of the breach, a description of the nature and scope of the breach, a description of the PHI that was subject to the breach, and the measures implemented to contain the breach.
Inform all individuals of the steps that have been or will be taken to address the privacy breach and that the Information and Privacy Commissioner’s Office, Ontario has been informed.
Provide the individuals with the organization’s contact information and that of the Information and Privacy Commissioner’s Office of Ontario, in case individuals have further questions.
Advise the individual of their right to make a complaint to the Commission (s. 12).
Step 4: Investigation and Remediation
Conduct an internal investigation into the matter to identify how and why the privacy breach occurred.
Take the necessary steps to implement a plan that strives to prevent similar privacy breaches from occurring in the future.
If deemed necessary, we will advise the Information and Privacy Commissioner’s Office of Ontario of the investigation findings and the proposed future prevention plan and work together to make any necessary changes.
Report the results of investigation to the relevant regulatory College if appropriate or required (PHIPA requires HICs to report certain events to the relevant regulatory College, including when a member is suspended, terminated or otherwise disciplined or has had their privileges or business affiliation revoked or restricted as a result of a privacy breach; s. 17.1. The organization may also be required to report the circumstances to a regulatory College under the Regulated Health Professionals Act, 1991 in cases of professional misconduct, incompetence or incapacity.)
Ensure all staff are appropriately trained and conduct further training if required.
Depending on the circumstances of the breach, we may notify and work with the Information and Privacy Commissioner of Ontario. If we take disciplinary action against one of our practitioners (or revoke or restrict the privileges or affiliation of one of our practitioners) for a privacy breach, we are required to report that to the practitioner’s regulatory College. We may also report the breach to the relevant regulatory College if we believe that it was the result of professional misconduct, incompetence or incapacity.
We maintain an internal complaint system.
If you wish to make a formal complaint about our privacy practices, you may make it in writing to Tamara Humphrey (contact details below). Tamara Humphrey will acknowledge receipt of your complaint and ensure that it is investigated promptly and that you are provided with a formal decision and reasons. Every effort is made to investigate and provide a decision and reasons within 30 days.
You also have the right to complain to the Information and Privacy Commissioner of Ontario if you have concerns about our privacy practices or how your personal health information has been handled.
If you have any questions or want to make a complaint about our privacy practices, please contact:
Tamara Humphrey, RD, CDE at firstname.lastname@example.org
You also have the right to complain to the Information and Privacy Commissioner of Ontario at the address below if you have concerns about our privacy practices or how your personal health information has been handled:
Information and Privacy Commissioner of Ontario
2 Bloor Street East, Suite 1400, Toronto, Ontario M4W 1A8
Telephone: 1 (800) 387-0073
Fax: (416) 325-9195
This policy is made under the Personal Health Information Protection Act, 2004, S.O. 2004, c. 3. It is a complex statute and provides some additional exceptions to the privacy principles that are too detailed to set out here.