Title: Health Information Protection Act: A Major Step in Healthcare Privacy
1 Health Information Protection Act: A Major Step in Healthcare Privacy
- Ann Cavoukian, Ph.D.
- Information and Privacy Commissioner/Ontario
- Health Privacy Seminar Program
- Riley Information Services, Ottawa
- September 17, 2004
2 Health Privacy is Critical
- The need for privacy has never been greater
- Extreme sensitivity of personal health information
- Patchwork of rules across the health sector with some areas currently unregulated
- Increasing electronic exchanges of health information
- Multiple providers involved in health care of an individual need to integrate services
- Development of health networks
- Growing emphasis on improved use of technology, including computerized patient records
3 Legislation is Critical
- The IPC has been calling for legislation to protect health information since its inception in 1987
- Dates back to Justice Krever's 1980 Report on the Confidentiality of Health Information
- The Commission documented many cases of unauthorized access to health files maintained by hospitals and the Ontario Health Insurance Plan
- The Report called for comprehensive health privacy legislation at that time
4 Provincial Health Privacy Laws
- Alberta
  - Health Information Act
- Manitoba
  - Personal Health Information Act
- Québec
  - Act respecting access to documents held by public bodies and the protection of personal information
  - Act respecting the protection of personal information in the private sector
- Saskatchewan
  - Health Information Protection Act
5 Ontario's Personal Health Information Protection Act (PHIPA)
- Comes into effect November 1, 2004
- Schedule A: the Personal Health Information Protection Act (PHIPA)
- Schedule B: the Quality of Care Information Protection Act (QOCIPA)
6 PHIPA Based on Fair Information Practices
- Accountability
- Identifying Purposes
- Consent
- Limiting Collection
- Limiting Use, Disclosure, Retention
- Accuracy
- Openness
- Individual Access
- Safeguards
- Challenging Compliance
7 Scope of PHIPA
- Health information custodians (HICs) that collect, use and disclose personal health information (PHI)
- Non-health information custodians where they receive personal health information from a health information custodian (use and disclosure provisions)
8 Health Information Custodians
- Definition includes
  - Health care practitioner
  - Hospitals and independent health facilities
  - Homes for the aged and nursing homes
  - Pharmacies
  - Laboratories
  - Home for special care
  - A centre, program or service for community health or mental health
9 PHIPA Practices
- Must take reasonable steps to ensure accuracy
- Must maintain the security of PHI
- Must have a contact person to ensure compliance with Act, respond to access requests, inquiries and complaints from public
- Must have information practices in place that comply with the Act
- Must make available a written statement of information practices
- Must be responsible for actions of agents
10 PHIPA Consent
- Consent-based law
- Consent is required for the collection, use, disclosure of PHI, subject to specific exceptions
- Consent may be express or implied
11 Implied Consent
- custodians may imply consent when disclosing personal health information to other custodians for the purpose of providing health care to the individual (within the circle of care)
- exception if the individual expressly withholds or withdraws consent (lock box)
12 Express Consent
- required when a health information custodian discloses to a non-custodian
- required when a custodian discloses to another custodian for a purpose other than providing health care to the individual
13 Checks on the Lock Box
- Notification: if the custodian who discloses believes that all information necessary for the provision of health care has not been disclosed, the custodian must notify the recipient
- Override: the custodian may disclose if disclosure is necessary to eliminate or reduce a significant risk of serious bodily harm to a person or a group of persons
14 Delayed Implementation of the Lock Box
- public hospitals have until November 1, 2005 to implement the lock box
15 Collection, Use and Disclosure Without Consent
- Derogations from the consent principle are allowed in limited circumstances.
  - As required by law
  - To protect the health or safety of the individual or others
  - To identify a deceased person or provide reasonable notice of a person's death
16 Meaningful Notices and Consent Forms
- Notices and consent forms must be concise and understandable to be effective
- PIPEDA notices and consents used by some health professionals are lengthy, confusing and counterproductive
- Use Notices to educate and inform patients, not as an exercise in legal drafting
17 Right of Access and Correction
- PHIPA Expands and Codifies the Common-Law Right of Access
- Right of access to all records of personal health information about the individual in the custody or control of any health information custodian (some exceptions)
- Provides right to correct their records of personal health information (some exceptions)
18 Access
- custodian must make the record available or provide a copy, if requested
- custodian must respond to request within 30 days, with a possible 30 day extension
- custodian must take reasonable steps to be satisfied of the individual's identity
- custodian must offer assistance in reformulating a request that lacks sufficient detail
19 Expedited Access
- custodian must provide expedited access if the individual requests it and provides evidence that the information is needed urgently and the custodian is reasonably able to respond within the requested time frame
20 How to Correct Records
- by striking out the incorrect information in a manner that does not obliterate it or
- by labeling the information as incorrect and severing it from the record, while maintaining a link to the record or
- if the correction cannot be recorded in the record, the custodian must ensure there is a practical system to inform persons accessing the record that the information is incorrect and where to obtain correct information
21 Notice of Correction
- at the request of the individual, the custodian must give written notice of the requested correction, to the extent reasonably possible, to persons to whom the custodian has disclosed the information
- exception if the correction cannot be reasonably expected to have an effect on the ongoing provision of health care or other benefits
22 Statement of Disagreement
- if the custodian refuses a correction request, the individual is entitled to require the custodian to attach to the record a statement of disagreement prepared by the individual
- custodian must make reasonable efforts to notify anyone who would have been notified if there was a correction
23 Strengths of PHIPA
- Implied consent for sharing of personal health information within circle of care
- Creation of health data institute to address criticism of directed disclosures
- Open regulation-making process to bring public scrutiny to future regulations
- Adequate powers of investigation to ensure that complaints are properly reviewed
24 Oversight and Enforcement
- Office of the Information and Privacy Commissioner is the oversight body
- IPC may investigate where
  - A complaint has been received
  - Commissioner has reasonable grounds to believe that a person has contravened or is about to contravene the Act
- IPC has powers to enter and inspect premises, require access to PHI and compel testimony
25 Powers of the Commissioner
- After conducting an investigation, the Commissioner may issue an order
  - To provide access to, or correction of, personal health information
  - To cease collecting, using or disclosing personal health information in contravention of the Act
  - To dispose of records collected in contravention of the Act
  - To change, cease or implement an information practice
26 Role of IPC under PHIPA
- Use of mediation and alternate dispute resolution always stressed
- Order-making power used as a last resort
- Conducting public and stakeholder education programs: education is key
- Comment on an organization's information practices
27 Stressing the 3 Cs
- Consultation
  - Opening lines of communication with health community and HICs
- Co-operation
  - Rather than confrontation in resolving complaints
- Collaboration
  - Working together to find solutions
28 Getting Ready
- FAQs posted to IPC website in August, 2004
- User Guide posted to IPC website in September, 2004
- IPC member of OHA/OMA/IPC/MOHLTC tool kit project
- IPC/OBA short notices working group
- On-going meetings with regulated health professions
29 How to Contact Us
- Commissioner Ann Cavoukian
- Information and Privacy Commissioner/Ontario
- 80 Bloor Street West, Suite 1700
- Toronto, Ontario M5S 2V1
- Phone: (416) 326-3333
- Web: www.ipc.on.ca
- E-mail: commissioner_at_ipc.on.ca