Title: Health Information Protection Act: A Major Step in Healthcare Privacy
1 Health Information Protection Act: A Major Step in Healthcare Privacy
- Ann Cavoukian, Ph.D.
- Information and Privacy Commissioner/Ontario
- Health Professions Appeal and Review Board
- August 9, 2004
2 Health Privacy is Critical
- The need for privacy has never been greater
- Extreme sensitivity of personal health information
- Patchwork of rules across the health sector with some areas currently unregulated
- Increasing electronic exchanges of health information
- Multiple providers involved in health care of an individual need to integrate services
- Development of health networks
- Growing emphasis on improved use of technology, including computerized patient records
3 Legislation is Critical
- The IPC has been calling for legislation to protect health information since its inception in 1987
- Dates back to Justice Krever's 1980 Report on the Confidentiality of Health Information
- The Commission documented many cases of unauthorized access to health files maintained by hospitals and the Ontario Health Insurance Plan
- The Report called for comprehensive health privacy legislation at that time
4 Provincial Health Privacy Laws
- Alberta
  - Health Information Act
- Manitoba
  - Personal Health Information Act
- Québec
  - Act respecting access to documents held by public bodies and the protection of personal information
  - Act respecting the protection of personal information in the private sector
- Saskatchewan
  - Health Information Protection Act
5 Ontario Bills of the Past
- Numerous attempts made over the years to get a bill introduced and passed, but have never succeeded
- Bill 159: Personal Health Information Privacy Act, 2000
- Privacy of Personal Information, 2002
6 If No Provincial Health Legislation?
- If Ontario failed to enact its own legislation, PIPEDA would have taken effect
- Only commercial entities covered - ambiguity about who is in and who is out
- Not tailored to meet the needs of the health sector
- Principle-based approach rather than specifics could result in inconsistent implementation
- No local oversight
7 Ontario's Health Information Protection Act, 2003 (HIPA)
- Ontario government introduced health privacy bill (Bill 31) on December 17, 2003
- Standing Committee on General Government held public hearings and completed clause-by-clause study
- Received Royal Assent on May 20, 2004
- Comes into effect November 1, 2004
8 Bill 31: Two parts
- Schedule A: the Personal Health Information Protection Act (PHIPA)
- Schedule B: the Quality of Care Information Protection Act (QOCIPA)
9 Bill 31: Based on Fair Information Practices
- Accountability
- Identifying Purposes
- Consent
- Limiting Collection
- Limiting Use, Disclosure, Retention
- Accuracy
- Openness
- Individual Access
- Safeguards
- Challenging Compliance
10 Scope of PHIPA
- Health information custodians (HICs) that collect, use and disclose personal health information (PHI)
- Non-health information custodians where they receive personal health information from a health information custodian (use and disclosure provisions)
11 Health Information Custodians
- Definition includes
  - Health care practitioner
  - Hospitals and independent health facilities
  - Homes for the aged and nursing homes
  - Pharmacies
  - Laboratories
  - Home for special care
  - A centre, program or service for community health or mental health
12 PHIPA Practices
- Must take reasonable steps to ensure accuracy
- Must maintain the security of PHI
- Must have a contact person to ensure compliance with Act, respond to access requests, inquiries and complaints from public
- Must have information practices in place that comply with the Act
- Must make available a written statement of information practices
- Must be responsible for actions of agents
13 PHIPA Consent
- Consent is required for the collection, use, disclosure of PHI, subject to specific exceptions
- Consent must
  - be a consent of the individual
  - be knowledgeable
  - relate to the information
  - not be obtained through deception or coercion
- Consent may be express or implied
14 Strengths of PHIPA
- Implied consent for sharing of personal health information within circle of care
- Creation of health data institute to address criticism of directed disclosures
- Open regulation-making process to bring public scrutiny to future regulations
- Adequate powers of investigation to ensure that complaints are properly reviewed
15 Oversight and Enforcement
- Office of the Information and Privacy Commissioner is the oversight body
- IPC may investigate where
  - A complaint has been received
  - Commissioner has reasonable grounds to believe that a person has contravened or is about to contravene the Act
- IPC has powers to enter and inspect premises, require access to PHI and compel testimony
16 Powers of the Commissioner
- After conducting an investigation, the Commissioner may issue an order
  - To provide access to, or correction of, personal health information
  - To cease collecting, using or disclosing personal health information in contravention of the Act
  - To dispose of records collected in contravention of the Act
  - To change, cease or implement an information practice
- Orders, other than for access or correction, may be appealed on questions of law
17 Role of IPC under PHIPA
- Use of mediation and alternate dispute resolution always stressed
- Order-making power used as a last resort
- Conducting public and stakeholder education programs: education is key
- Comment on an organization's information practices
18 Stressing the 3 Cs
- Consultation
  - Opening lines of communication with health community and HICs
- Co-operation
  - Rather than confrontation in resolving complaints
- Collaboration
  - Working together to find solutions
19 HPARB: Dealing with Privacy
- Make Privacy a corporate priority: an effective privacy program needs to be integrated into the corporate culture
- Privacy is more than a compliance issue: lack of PHIPA impact does not negate need to look at privacy and security vulnerabilities
- Senior management commitment is critical
- Privacy review and audit critical to identifying and resolving privacy issues
20 Topics for Discussion (1): Whether to Name Names
- IPC will be issuing orders and investigation reports and making them public
- A two-step process for identifying health custodians is under consideration
  - Not identifying custodians for a one-year phase-in period
  - After one year, publicly identifying custodians
- If identification of custodian would reveal identity of complainant, the option exists of anonymizing order/report.
21 Topics for Discussion (2): Protecting Privacy Outside of Office
- The IPC released Guidelines for Protecting the Privacy and Confidentiality of Personal Information When Working Outside the Office
- Guidelines cover paper and electronic documents that are removed from the office.
- Issues to be considered include
  - Secure storage of paper and electronic files at home
  - Laptop and home computer security
  - Wireless communications
  - Immediate reporting of lost or stolen files
22 How to Contact Us
- Commissioner Ann Cavoukian
- Information and Privacy Commissioner/Ontario
- 80 Bloor Street West, Suite 1700
- Toronto, Ontario M5S 2V1
- Phone (416) 326-3333
- Web www.ipc.on.ca
- E-mail commissioner_at_ipc.on.ca