Health Information Protection Act: A Major Step in Healthcare Privacy

1
Health Information Protection Act: A Major Step
in Healthcare Privacy
  • Ann Cavoukian, Ph.D.
  • Information and Privacy Commissioner/Ontario
  • Health Professions Appeal and Review Board
  • August 9, 2004

2
Health Privacy is Critical
  • The need for privacy has never been greater
  • Extreme sensitivity of personal health
    information
  • Patchwork of rules across the health sector with
    some areas currently unregulated
  • Increasing electronic exchanges of health
    information
  • Multiple providers involved in health care of an
    individual need to integrate services
  • Development of health networks
  • Growing emphasis on improved use of technology,
    including computerized patient records

3
Legislation is Critical
  • The IPC has been calling for legislation to
    protect health information since its inception in
    1987
  • Dates back to Justice Krever's 1980 Report on the
    Confidentiality of Health Information
  • The Commission documented many cases of
    unauthorized access to health files maintained by
    hospitals and the Ontario Health Insurance Plan
  • The Report called for comprehensive health
    privacy legislation at that time

4
Provincial Health Privacy Laws
  • Alberta
    • Health Information Act
  • Manitoba
    • Personal Health Information Act
  • Québec
    • Act respecting access to documents held by public
      bodies and the protection of personal information
    • Act respecting the protection of personal
      information in the private sector
  • Saskatchewan
    • Health Information Protection Act

5
Ontario Bills of the Past
  • Numerous attempts made over the years to get a
    bill introduced and passed, but have never
    succeeded
  • Bill 159: Personal Health Information Privacy
    Act, 2000
  • Privacy of Personal Information, 2002

6
If No Provincial Health Legislation?
  • If Ontario failed to enact its own legislation,
    PIPEDA would have taken effect
  • Only commercial entities covered - ambiguity
    about who is in and who is out
  • Not tailored to meet the needs of the health
    sector
  • Principle-based approach rather than specifics
    could result in inconsistent implementation
  • No local oversight

7
Ontario's Health Information Protection Act, 2003
(HIPA)
  • Ontario government introduced health privacy bill
    (Bill 31) on December 17, 2003
  • Standing Committee on General Government held
    public hearings and completed clause-by-clause
    study
  • Received Royal Assent on May 20, 2004
  • Comes into effect November 1, 2004

8
Bill 31: Two Parts
  • Schedule A: the Personal Health Information
    Protection Act (PHIPA)
  • Schedule B: the Quality of Care Information
    Protection Act (QOCIPA)

9
Bill 31: Based on Fair Information Practices
  • Accountability
  • Identifying Purposes
  • Consent
  • Limiting Collection
  • Limiting Use, Disclosure, Retention
  • Accuracy
  • Openness
  • Individual Access
  • Safeguards
  • Challenging Compliance

10
Scope of PHIPA
  • Health information custodians (HICs) that
    collect, use and disclose personal health
    information (PHI)
  • Non-health information custodians where they
    receive personal health information from a health
    information custodian (use and disclosure
    provisions)

11
Health Information Custodians
  • Definition includes:
    • Health care practitioner
    • Hospitals and independent health facilities
    • Homes for the aged and nursing homes
    • Pharmacies
    • Laboratories
    • Home for special care
    • A centre, program or service for community health
      or mental health

12
PHIPA Practices
  • Must take reasonable steps to ensure accuracy
  • Must maintain the security of PHI
  • Must have a contact person to ensure compliance
    with Act, respond to access requests, inquiries
    and complaints from public
  • Must have information practices in place that
    comply with the Act
  • Must make available a written statement of
    information practices
  • Must be responsible for actions of agents

13
PHIPA Consent
  • Consent is required for the collection, use,
    disclosure of PHI, subject to specific exceptions
  • Consent must:
    • be a consent of the individual
    • be knowledgeable
    • relate to the information
    • not be obtained through deception or coercion
  • Consent may be express or implied

14
Strengths of PHIPA
  • Implied consent for sharing of personal health
    information within circle of care
  • Creation of health data institute to address
    criticism of directed disclosures
  • Open regulation-making process to bring public
    scrutiny to future regulations
  • Adequate powers of investigation to ensure that
    complaints are properly reviewed

15
Oversight and Enforcement
  • Office of the Information and Privacy
    Commissioner is the oversight body
  • IPC may investigate where:
    • A complaint has been received
    • Commissioner has reasonable grounds to believe
      that a person has contravened or is about to
      contravene the Act
  • IPC has powers to enter and inspect premises,
    require access to PHI and compel testimony

16
Powers of the Commissioner
  • After conducting an investigation, the
    Commissioner may issue an order:
    • To provide access to, or correction of, personal
      health information
    • To cease collecting, using or disclosing personal
      health information in contravention of the Act
    • To dispose of records collected in contravention
      of the Act
    • To change, cease or implement an information
      practice
  • Orders, other than for access or correction, may
    be appealed on questions of law

17
Role of IPC under PHIPA
  • Use of mediation and alternate dispute resolution
    always stressed
  • Order-making power used as a last resort
  • Conducting public and stakeholder education
    programs - education is key
  • Comment on an organization's information practices

18
Stressing the 3 Cs
  • Consultation
    • Opening lines of communication with health
      community and HICs
  • Co-operation
    • Rather than confrontation in resolving complaints
  • Collaboration
    • Working together to find solutions

19
HPARB: Dealing with Privacy
  • Make privacy a corporate priority - an effective
    privacy program needs to be integrated into the
    corporate culture
  • Privacy is more than a compliance issue - lack of
    PHIPA impact does not negate need to look at
    privacy and security vulnerabilities
  • Senior management commitment is critical
  • Privacy review and audit critical to identifying
    and resolving privacy issues

20
Topics for Discussion (1): Whether to Name Names
  • IPC will be issuing orders and investigation
    reports and making them public
  • A two-step process for identifying health
    custodians is under consideration:
    • Not identifying custodians for a one-year
      phase-in period
    • After one year, publicly identifying custodians
  • If identification of custodian would reveal
    identity of complainant, the option exists of
    anonymizing order/report.

21
Topics for Discussion (2): Protecting Privacy
Outside of Office
  • The IPC released Guidelines for Protecting the
    Privacy and Confidentiality of Personal
    Information When Working Outside the Office
  • Guidelines cover paper and electronic documents
    that are removed from the office.
  • Issues to be considered include:
    • Secure storage of paper and electronic files at
      home
    • Laptop and home computer security
    • Wireless communications
    • Immediate reporting of lost or stolen files

22
How to Contact Us
  • Commissioner Ann Cavoukian
  • Information and Privacy Commissioner/Ontario
  • 80 Bloor Street West, Suite 1700
  • Toronto, Ontario M5S 2V1
  • Phone: (416) 326-3333
  • Web: www.ipc.on.ca
  • E-mail: commissioner_at_ipc.on.ca