Transcript Bill 31 – An Overview

Health Information Protection
Act: A Major Step
in Healthcare Privacy
Ann Cavoukian, Ph.D.
Information & Privacy Commissioner/Ontario
www.ipc.on.ca
Ontario Hospital Association
Institute for Health Care Financial Managers
September 14, 2004
Health Privacy is Critical
 The need for privacy has never been greater:
• Extreme sensitivity of personal health information
• Patchwork of rules across the health sector; with some
areas currently unregulated
• Increasing electronic exchanges of health information
• Multiple providers involved in health care of an individual
– need to integrate services
• Development of health networks
• Growing emphasis on improved use of technology,
including computerized patient records
www.ipc.on.ca
Slide 2
Legislation is Critical
The IPC has been calling for legislation to
protect health information since its inception
in 1987
• Dates back to Justice Krever’s 1980 Report on the
Confidentiality of Health Information
– The Commission documented many cases of
unauthorized access to health files maintained by
hospitals and the Ontario Health Insurance Plan
– The Report called for comprehensive health privacy
legislation at that time
www.ipc.on.ca
Slide 3
Provincial Health Privacy Laws
Alberta
• Health Information Act
Manitoba
• Personal Health Information Act
Québec
• Act respecting access to documents held by public bodies
and the protection of personal information
• Act respecting the protection of personal information in
the private sector.
Saskatchewan
• Health Information Protection Act
www.ipc.on.ca
Slide 4
Ontario Bills of the Past
Numerous attempts made over the years
to get a bill introduced and passed, but
have never succeeded
• Bill 159 – Personal Health Information
Privacy Act, 2000
• Privacy of Personal Information, 2002
www.ipc.on.ca
Slide 5
Ontario’s Personal Health Information
Protection Act (PHIPA)
Comes into effect November 1, 2004
Schedule A – the Personal Health
Information Protection Act (PHIPA)
Schedule B – the Quality of Care
Information Protection Act (QOCIPA)
www.ipc.on.ca
Slide 6
PHIPA – Based on
Fair Information Practices
 Accountability
 Openness
 Identifying Purposes  Individual Access
 Consent
 Safeguards
 Limiting Collection  Challenging Compliance
 Limiting Use,
Disclosure, Retention
 Accuracy
www.ipc.on.ca
Slide 7
Scope of PHIPA
 Health information custodians (HICs) that
collect, use and disclose personal health
information (PHI)
 Non-health information custodians where
they receive personal health information
from a health information custodian
(use and disclosure provisions)
www.ipc.on.ca
Slide 8
Health Information Custodians
Definition includes:
•
•
•
•
•
•
•
Health care practitioner
Hospitals and independent health facilities
Homes for the aged and nursing homes
Pharmacies
Laboratories
Home for special care
A centre, program or service for community health
or mental health
www.ipc.on.ca
Slide 9
PHIPA Practices
Must take reasonable steps to ensure accuracy
Must maintain the security of PHI
Must have a contact person to ensure compliance
with Act, respond to access requests, inquiries and
complaints from public
Must have information practices in place that comply
with the Act
Must make available a written statement of
information practices
Must be responsible for actions of agents
www.ipc.on.ca
Slide 10
PHIPA Consent
Consent is required for the collection, use,
disclosure of PHI, subject to specific
exceptions
Consent must:
 be a consent of the individual
 be knowledgeable
 relate to the information
 not be obtained through deception or coercion
Consent may be express or implied
www.ipc.on.ca
Slide 11
Knowledgeable Consent
Consent is knowledgeable if it is reasonable in
the circumstances to believe that the
individual knows:
• the purpose, and
• that the individual may provide or withhold
consent
can imply consent if the custodian posts a
notice or describes the purpose in a brochure
www.ipc.on.ca
Slide 12
Meaningful Notices and Consent
Forms
Notices and consent forms must be concise
and understandable to be effective
PIPEDA notices and consents used by some
health professionals are lengthy, confusing
and counterproductive
Use Notices to educate and inform patients,
not as an exercise in legal drafting
www.ipc.on.ca
Slide 13
Express Consent
required when a health information
custodian discloses to a non-custodian
required when a custodian discloses to
another custodian for a purpose other
than providing health care to the
individual
www.ipc.on.ca
Slide 14
Implied Consent
custodians may imply consent when
disclosing personal health information to
other custodians for the purpose of
providing health care to the individual
(within the “circle of care”)
exception – if the individual expressly
withholds or withdraws consent
(lock box)
www.ipc.on.ca
Slide 15
Checks on the Lock Box
Notification – if the custodian who
discloses believes that all information
necessary for the the provision of health
care has not been disclosed, the
custodian must notify the recipient
Override – the custodian may disclose if
disclosure is necessary to eliminate or
reduce a significant risk of serious bodily
harm to a person or a group of persons
www.ipc.on.ca
Slide 16
Delayed Implementation of the
Lock Box
public hospitals have until November 1,
2005 to implement the lock box
www.ipc.on.ca
Slide 17
Collection, Use and Disclosure
Without Consent
Derogations from the consent principle are allowed
in limited circumstances.
As required by law
To protect the health or safety of the individual or
others
To identify a deceased person or provide
reasonable notice of a person’s death
www.ipc.on.ca
Slide 18
Right of Access and Correction
PHIPA Expands and Codifies the CommonLaw Right of Access
Right of access to all records of personal
health information about the individual in
the custody or control of any health
information custodian (some exceptions)
Provides right to correct their records of
personal health information (some
exceptions)
www.ipc.on.ca
Slide 19
Access
custodian must make the record available or
provide a copy, if requested
custodian must respond to request within 30
days, with a possible 30 day extension
custodian must take reasonable steps to be
satisfied of the individual’s identity
custodian must offer assistance in
reformulating a request that lacks sufficient
detail
www.ipc.on.ca
Slide 20
Expedited Access
custodian must provide expedited access
if the individual requests it and provides
evidence that the information is needed
urgently and the custodian is reasonably
able to respond within the requested time
frame
www.ipc.on.ca
Slide 21
How to Correct Records
by striking out the incorrect information in a
manner that does not obliterate it or
by labeling the information as incorrect and
severing it from the record, while maintaining a
link to the record or
if the correction cannot be recorded in the
record, the custodian must ensure there is a
practical system to inform persons accessing
the record that the information is incorrect and
where to obtain correct information
www.ipc.on.ca
Slide 22
Notice of Correction
at the request of the individual, the
custodian must give written notice of the
requested correction, to the extent
reasonably possible, to persons to who the
custodian has disclosed the information
exception – if the correction cannot be
reasonably expected to have an effect on the
ongoing provision of health care or other
benefits
www.ipc.on.ca
Slide 23
Statement of Disagreement
if the custodian refuses a correction
request, the individual is entitled to
require the custodian to attach to the
record a statement of disagreement
prepared by the individual
custodian must make reasonable efforts
to notify anyone who would have been
notified if there was a correction
www.ipc.on.ca
Slide 24
Strengths of PHIPA
 Implied consent for sharing of personal health
information within circle of care
 Creation of health data institute to address criticism
of “directed disclosures”
 Open regulation-making process to bring public
scrutiny to future regulations
 Adequate powers of investigation to ensure that
complaints are properly reviewed
www.ipc.on.ca
Slide 25
Oversight and Enforcement
Office of the Information and Privacy
Commissioner is the oversight body
IPC may investigate where:
A complaint has been received
Commissioner has reasonable grounds to believe
that a person has contravened or is about to
contravene the Act
IPC has powers to enter and inspect premises,
require access to PHI and compel testimony
www.ipc.on.ca
Slide 26
Powers of the Commissioner
 After conducting an investigation, the Commissioner
may issue an order
 To provide access to, or correction of, personal health
information
 To cease collecting, using or disclosing personal health
information in contravention of the Act
 To dispose of records collected in contravention of the Act
 To change, cease or implement an information practice
 Orders, other than for access or correction, may be
appealed on questions of law
www.ipc.on.ca
Slide 27
Role of IPC under PHIPA
 Use of mediation and alternate dispute resolution
always stressed
 Order-making power used as a last resort
 Conducting public and stakeholder education
programs: education is key
 Comment on an organization’s information practices
www.ipc.on.ca
Slide 28
Stressing the 3 C’s
Consultation
• Opening lines of communication with health
community and HICs
Co-operation
• Rather than confrontation in resolving complaints
Collaboration
• Working together to find solutions
www.ipc.on.ca
Slide 29
Getting Ready
FAQ’s posted to IPC website in August, 2004
User Guide released in September, 2004
IPC member of OHA/OMA/IPC/MOHLTC
tool kit project
IPC/OBA “short notices” working group
On-going meetings with regulated health
professions
www.ipc.on.ca
Slide 30
How to Contact Us
Commissioner Ann Cavoukian
Information & Privacy
Commissioner/Ontario
80 Bloor Street West, Suite 1700
Toronto, Ontario M5S 2V1
www.ipc.on.ca
Phone:
Web:
E-mail:
(416) 326-3333
www.ipc.on.ca
[email protected]