Health Information Protection Act: A Major Step in Healthcare Privacy

About This Presentation
Title:

Health Information Protection Act: A Major Step in Healthcare Privacy

Description:

Non-health information custodians where they receive personal ... Role of IPC under PHIPA. Use of mediation and alternate dispute resolution always stressed ... – PowerPoint PPT presentation

Slides: 31
Provided by: ipc12

Transcript and Presenter's Notes

Title: Health Information Protection Act: A Major Step in Healthcare Privacy


1
Health Information Protection Act: A Major Step
in Healthcare Privacy
  • Ann Cavoukian, Ph.D.
  • Information and Privacy Commissioner/Ontario
  • St. Michael's Hospital
  • Toronto
  • November 5, 2004

2
Health Privacy is Critical
  • The need for privacy has never been greater
  • Extreme sensitivity of personal health
    information
  • Patchwork of rules across the health sector with
    some areas currently unregulated
  • Increasing electronic exchanges of health
    information
  • Multiple providers involved in health care of an
    individual need to integrate services
  • Development of health networks
  • Growing emphasis on improved use of technology,
    including computerized patient records

3
Unique Characteristics of Personal Health
Information
  • Highly sensitive and personal in nature
  • Must be shared immediately and accurately among a
    range of health care providers for the benefit of
    the individual
  • Widely used and disclosed for secondary purposes
    that are seen to be in the public interest (e.g.,
    research, planning, fraud investigation, quality
    assurance)

4
PHIPA Based on Fair Information Practices
  • Accountability
  • Identifying Purposes
  • Consent
  • Limiting Collection
  • Limiting Use, Disclosure, Retention
  • Accuracy
  • Safeguards
  • Openness
  • Individual Access
  • Challenging Compliance

5
Strengths of PHIPA
  • Implied consent for sharing of personal health
    information within circle of care
  • Creation of health data institute to address
    criticism of directed disclosures
  • Open regulation-making process to bring public
    scrutiny to future regulations
  • Adequate powers of investigation to ensure that
    complaints are properly reviewed

6
Scope of PHIPA
  • Health information custodians (HICs) that
    collect, use and disclose personal health
    information (PHI)
  • Non-health information custodians where they
    receive personal health information from a health
    information custodian (use and disclosure
    provisions)

7
Health Information Custodians
  • Definition includes:
  • Health care practitioner
  • Hospitals and independent health facilities
  • Homes for the aged and nursing homes
  • Pharmacies
  • Laboratories
  • Home for special care
  • A centre, program or service for community health
    or mental health

8
Records Management General Practices
  • Must take reasonable steps to ensure accuracy
  • Must maintain the security of PHI
  • Must have a contact person to ensure compliance
    with Act, respond to access/correction requests,
    inquiries and complaints from public
  • Must have information practices in place that
    comply with the Act
  • Must make available a written statement of
    information practices
  • Must be responsible for actions of agents

9
PHIPA Consent
  • Consent is required for the collection, use,
    disclosure of PHI, subject to specific exceptions
  • Consent must:
  • be a consent of the individual
  • be knowledgeable
  • relate to the information
  • not be obtained through deception or coercion
  • Consent may be express or implied

10
Meaningful Consent Forms
  • Notices and consent forms must be concise and
    understandable to be effective
  • PIPEDA notices and consents used by some health
    professionals are lengthy, confusing and
    counterproductive
  • Use notices and consent forms to educate and
    inform patients, not as an exercise in legal
    drafting

11
Express Consent
  • required when a custodian discloses to a
    non-custodian
  • required when a custodian discloses to another
    custodian for a purpose other than providing
    health care to the individual
  • required for marketing and fundraising (when
    using more than name and specified contact
    information)

12
Implied Consent
  • custodians may imply consent when disclosing
    personal health information to other custodians
    for the purpose of providing health care to the
    individual
  • exception if the individual expressly withholds
    or withdraws consent (lock box)

13
Checks on the Lock Box
  • Notification: if the custodian who discloses
    believes that all information necessary for the
    provision of health care has not been
    disclosed, the custodian must notify the
    recipient
  • Override: the custodian may disclose if
    disclosure is necessary to eliminate or reduce a
    significant risk of serious bodily harm to a
    person or a group of persons

14
Delayed Implementation of the Lock Box
  • public hospitals have until November 1, 2005 to
    implement the lock box

15
Right of Access and Correction
  • PHIPA Expands and Codifies the Common-Law Right
    of Access
  • Right of access to all records of personal health
    information about the individual in the custody
    or control of any health information custodian
    (some exceptions)
  • Provides right to correct their records of
    personal health information (some exceptions)

16
Access
  • custodian must make the record available or
    provide a copy, if requested
  • custodian must respond to request within 30 days,
    with a possible 30-day extension
  • custodian must take reasonable steps to be
    satisfied of the individual's identity
  • custodian must offer assistance in reformulating
    a request that lacks sufficient detail

17
Expedited Access
  • custodian must provide expedited access if the
    individual requests it and provides evidence that
    the information is needed urgently and the
    custodian is reasonably able to respond within
    the requested time frame

18
How to Correct Records
  • by striking out the incorrect information in a
    manner that does not obliterate it; or
  • by labeling the information as incorrect and
    severing it from the record, while maintaining a
    link to the record; or
  • if the correction cannot be recorded in the
    record, the custodian must ensure there is a
    practical system to inform persons accessing the
    record that the information is incorrect and
    where to obtain correct information

19
Notice of Correction
  • at the request of the individual, the custodian
    must give written notice of the requested
    correction, to the extent reasonably possible, to
    persons to whom the custodian has disclosed the
    information
  • exception if the correction cannot be
    reasonably expected to have an effect on the
    ongoing provision of health care or other benefits

20
Statement of Disagreement
  • if the custodian refuses a correction request,
    the individual is entitled to require the
    custodian to attach to the record a statement of
    disagreement prepared by the individual
  • custodian must make reasonable efforts to notify
    anyone who would have been notified if there was
    a correction

21
Oversight and Enforcement
  • Office of the Information and Privacy
    Commissioner is the oversight body
  • IPC may investigate where:
  • A complaint has been received
  • Commissioner has reasonable grounds to believe
    that a person has contravened or is about to
    contravene the Act
  • IPC has powers to enter and inspect premises,
    require access to PHI and compel testimony

22
Role of IPC under PHIPA
  • Use of mediation and alternate dispute resolution
    always stressed
  • Order-making power used as a last resort
  • Conducting public and stakeholder education
    programs: education is key
  • Comment on an organization's information practices

23
Complaint Process
  • Complaint can be filed based on access or
    correction decision of a HIC
  • Complaint can be filed if a person believes the
    HIC has or is about to contravene the Act or its
    regulations
  • Complaint will usually relate to the collection,
    use or disclosure of personal health information

24
(No Transcript)
25
Public Education Program
  • Frequently Asked Questions and Answers available
    on IPC website (including hard copies)
  • User Guide for Health Information Custodians
    available on IPC website (including hard copies)
  • IPC PHIPA publications distributed to Colleges
    and Associations of the Regulated Health
    Professions
  • IPC/MOH brochure for the general public
  • may be placed in reception areas
  • to be distributed to patients

26
Public Education Program (cont.)
  • IPC member of OHA/OMA/IPC/MOH PHIPA tool kit
    project
  • IPC/OBA short notices working group
  • Developing concise, user-friendly notices and
    consent forms to serve as effective communication
    tools
  • On-going meetings with Regulated Health
    Professions, the Federation of Health Regulatory
    Colleges and Associations
  • IPC PHIPA awareness article distributed to
    Colleges/Associations for inclusion in their
    members' Magazines and Newsletters

27
Keeping HICs Informed
  • Orders will be public documents and available on
    our Web site
  • Summaries of all mediated cases will be available
    on our website
  • Relevant data will be regularly made available to
    the public and health professionals (e.g. number
    of complaints, examples of successful mediations,
    common issues)

28
Naming Names
  • IPC will be issuing orders and investigation
    reports and making them public
  • A two-step process for identifying health
    custodians will be instituted
  • Not identifying custodians for a one-year
    phase-in period
  • After one year, publicly identifying custodians
  • If identification of custodian would reveal
    identity of complainant, the option exists of
    anonymizing order/report.

29
Stressing the 3 Cs
  • Consultation: opening lines of communication
    with health community and HICs
  • Co-operation: rather than confrontation in
    resolving complaints
  • Collaboration: working together to find solutions

30
How to Contact Us
  • Commissioner Ann Cavoukian
  • Information and Privacy Commissioner/Ontario
  • 2 Bloor Street West, Suite 1400
  • Toronto, Ontario M4W 1A8
  • Phone: (416) 326-3333
  • Web: www.ipc.on.ca
  • E-mail: commissioner@ipc.on.ca