www.ipc.on.ca health information protection act: a major step in healthcare privacy ann cavoukian,...

www.ipc.on.ca

Health Information Protection Act: A Major Step in Healthcare Privacy

Ann Cavoukian, Ph.D.Ann Cavoukian, Ph.D.Information & Privacy Commissioner/Ontario

St. Michael’s Hospital

Toronto

November 5, 2004

www.ipc.on.cawww.ipc.on.ca Slide 2

Health Privacy is Critical

The need for privacy has never been greater:

• Extreme sensitivity of personal health information

• Patchwork of rules across the health sector; with some areas currently unregulated

• Increasing electronic exchanges of health information

• Multiple providers involved in health care of an individual – need to integrate services

• Development of health networks

• Growing emphasis on improved use of technology, including computerized patient records


Unique Characteristics of Personal Health Information

Highly sensitive and personal in nature

Must be shared immediately and accurately among a range of health care providers for the benefit of the individual

Widely used and disclosed for secondary purposes that are seen to be in the public interest (e.g., research, planning, fraud investigation, quality assurance)


PHIPA – Based on Fair Information Practices

AccountabilityIdentifying PurposesConsentLimiting CollectionLimiting Use,

Disclosure, RetentionAccuracy

SafeguardsOpennessIndividual AccessChallenging

Compliance


Strengths of PHIPA

Implied consent for sharing of personal health information within circle of care

Creation of health data institute to address criticism of “directed disclosures”

Open regulation-making process to bring public scrutiny to future regulations

Adequate powers of investigation to ensure that complaints are properly reviewed


Scope of PHIPA

Health information custodians (HICs) that collect, use and disclose personal health information (PHI)

Non-health information custodians where they receive personal health information from a health information custodian (use and disclosure provisions)


Health Information Custodians

Definition includes:• Health care practitioner • Hospitals and independent health facilities• Homes for the aged and nursing homes• Pharmacies• Laboratories• Home for special care• A centre, program or service for community

health or mental health


Records Management: General Practices

Must take reasonable steps to ensure accuracy Must maintain the security of PHI Must have a contact person to ensure compliance

with Act, respond to access/correction requests, inquiries and complaints from public

Must have information practices in place that comply with the Act

Must make available a written statement of information practices

Must be responsible for actions of agents


PHIPA Consent

Consent is required for the collection, use, disclosure of PHI, subject to specific exceptions

Consent must: be a consent of the individual be knowledgeable relate to the information not be obtained through deception or coercion

Consent may be express or implied


Meaningful Consent Forms

Notices and consent forms must be concise and understandable to be effective

PIPEDA notices and consents used by some health professionals are lengthy, confusing and counterproductive

Use notices and consent forms to educate and inform patients, not as an exercise in legal drafting


Express Consent

required when a custodian discloses to a non-custodian

required when a custodian discloses to another custodian for a purpose other than providing health care to the individual

required for marketing and fundraising (when using more than name and specified contact information)


Implied Consent

custodians may imply consent when disclosing personal health information to other custodians for the purpose of providing health care to the individual

exception – if the individual expressly withholds or withdraws consent (lock box)


Checks on the Lock Box

Notification – if the custodian who discloses believes that all information necessary for the the provision of health care has not been disclosed, the custodian must notify the recipient

Override – the custodian may disclose if disclosure is necessary to eliminate or reduce a significant risk of serious bodily harm to a person or a group of persons


Delayed Implementation of the Lock Box

public hospitals have until November 1, 2005 to implement the lock box


Right of Access and Correction

PHIPA Expands and Codifies the Common-Law Right of Access

Right of access to all records of personal health information about the individual in the custody or control of any health information custodian (some exceptions)

Provides right to correct their records of personal health information (some exceptions)


Access

custodian must make the record available or provide a copy, if requested

custodian must respond to request within 30 days, with a possible 30 day extension

custodian must take reasonable steps to be satisfied of the individual’s identity

custodian must offer assistance in reformulating a request that lacks sufficient detail


Expedited Access

custodian must provide expedited access if the individual requests it and provides evidence that the information is needed urgently and the custodian is reasonably able to respond within the requested time frame


How to Correct Records

by striking out the incorrect information in a manner that does not obliterate it or

by labeling the information as incorrect and severing it from the record, while maintaining a link to the record or

if the correction cannot be recorded in the record, the custodian must ensure there is a practical system to inform persons accessing the record that the information is incorrect and where to obtain correct information


Notice of Correction

at the request of the individual, the custodian must give written notice of the requested correction, to the extent reasonably possible, to persons to who the custodian has disclosed the information

exception – if the correction cannot be reasonably expected to have an effect on the ongoing provision of health care or other benefits


Statement of Disagreement

if the custodian refuses a correction request, the individual is entitled to require the custodian to attach to the record a statement of disagreement prepared by the individual

custodian must make reasonable efforts to notify anyone who would have been notified if there was a correction


Oversight and Enforcement

Office of the Information and Privacy Commissioner is the oversight body

IPC may investigate where:A complaint has been receivedCommissioner has reasonable grounds to believe

that a person has contravened or is about to contravene the Act

IPC has powers to enter and inspect premises, require access to PHI and compel testimony


Role of IPC under PHIPA

Use of mediation and alternate dispute resolution always stressed

Order-making power used as a last resort

Conducting public and stakeholder education programs: education is key

Comment on an organization’s information practices


Complaint Process

Complaint can be filed based on access or correction decision of a HIC

Complaint can be filed if a person believes the HIC has or is about to contravene the Act or its regulations

Complaint will usually relate to the collection, use or disclosure of personal health information


COMPLAINT PROCESS

MEDIATION STAGE

REVIEW STAGE

INTAKE STAGE


Public Education Program

Frequently Asked Questions and Answers available on IPC website (including hard copies)

User Guide for Health Information Custodians available on IPC website (including hard copies)

IPC PHIPA publications distributed to Colleges and Associations of the Regulated Health Professions

IPC/MOH brochure for the general public

• may be placed in reception areas

• to be distributed to patients


Public Education Program (con’t.)

IPC member of OHA/OMA/IPC/MOH PHIPA tool kit project

IPC/OBA “short notices” working group

• Developing concise, user-friendly notices and consent forms to serve as effective communication tools

On-going meetings with Regulated Health Professions, the Federation of Health Regulatory Colleges and Associations

IPC PHIPA awareness article distributed to Colleges/Associations for inclusion in their members’ Magazines and Newsletters


Keeping HIC’s Informed

Orders will be public documents and available on our Web site

Summaries of all mediated cases will be available on our website

Relevant data will be regularly made available to the public and health professionals (e.g. number of complaints, examples of successful mediations, common issues)


“Naming Names”

IPC will be issuing orders and investigation reports and making them public

A two-step process for identifying health custodians will be instituted:• Not identifying custodians for a one-year phase-in period

• After one year, publicly identifying custodians

If identification of custodian would reveal identity of complainant, the option exists of anonymizing order/report.


Stressing the 3 C’s

Consultation• Opening lines of communication with health

community and HICs

Co-operation• Rather than confrontation in resolving complaints

Collaboration• Working together to find solutions

www.ipc.on.ca

How to Contact UsHow to Contact Us

Commissioner Ann CavoukianCommissioner Ann CavoukianInformation & Privacy Commissioner/Ontario

2 Bloor Street West, Suite 1400

Toronto, Ontario M4W 1A8

Phone: (416) 326-3333

Web: www.ipc.on.ca

E-mail: [email protected]

www.ipc.on.ca health information protection act: a major step in healthcare privacy ann cavoukian,...

Documents