hin 2016 educational session slides: privacy, the law and best practice - sick kids hospital

Privacy, the Law and Best Practice. Janice Campbell and Janet Money, Privacy Office, Hospital for Sick Children. February 2016

Upload: hintnet

Post on 22-Jan-2018


TRANSCRIPT


Personal Health Information (PHI)

PHI comprises some of the most sensitive and intimate details of one’s life and requires strong protections to ensure privacy. It must also be accurate, complete and accessible to those providing care.

PHI is often used for secondary purposes that benefit society as a whole: population health monitoring, quality improvement, health research, and management of our publicly funded system.


Privacy Legislation in Ontario

PHI or PI specific?

Ontario: PHIPA, FIPPA and QCIPA

7 other provinces have health care specific legislation

PHIPA is unique

Even before Privacy Legislation

Hippocratic oath: “All that may come to my knowledge in the exercise of my profession or outside of my profession or in daily commerce with men, which ought not to be spread abroad, I will keep secret and will never reveal”

Medicine Act 1991: …act of professional misconduct: Giving information concerning the condition of a patient or services rendered to a person other than the patient except with consent

Know the Key Principles

In general...

May not collect, use or disclose PHI of an individual without the individual’s consent

All information about a person is in a fundamental way his or her own to communicate or retain as he/she sees fit

Consent – beyond Yes or No

Consent must be:

• Knowledgeable

• Related specifically to the PHI that is being collected, used or disclosed

• Made by a capable individual (no age may be outlined)

• Voluntary

Consent is not:

• A piece of paper

The “forgotten” principle

Limiting Collection to the purpose necessary

Only for as long as necessary and only enough for the purpose

De-identification of PHI is really hard

Privacy Best Practices

• Phone

• Print

• Online (email)

Phones/Cell phones/Smart phones

DO:

• Protect your phone with a strong password (not “1234” or “password”).

• Make calls where you cannot be overheard.

DON’T:

• Leave detailed voicemail messages. No need to mention the orthopedic clinic or the rheumatology follow-up.

Paper

Limiting Collection! Minimize printing/note-taking.

Shred paper as soon as finished.

If using a notebook, rip out the pages and put them in the shredding bin.

Online activity/email

DO:

• Keep a tidy In Box and Sent Items.

• Keep your personal and work emails separate, and delete your work emails frequently. Weekly would be good. Why keep them?

DON’T:

• Use client names in emails unless you personally have obtained and documented informed consent from the client.

If you receive an email with a client name in it, take the name out when replying, and delete the email from your In Box.

What about wi-fi hot spots?

SickKids web-based email access is protected in wi-fi hot spots.

BUT best practices still apply.

AND other sites? No guarantees re security.

Thank You…

Comments, Questions, Discussion?