Complying with Privacy
to Enable Innovation &
Research
Anne Lavigne
Privacy Coordinator
Legislation
Privacy Legislation:
Provincial Legislation: Personal Health Information
Protection Act (Bill 31) (PHIPA)
• Came into force November 1, 2004
• Applies to organizations and individuals
involved in the delivery of health care
services (including the Ministry of Health)
• The only health sector privacy legislation in
Canada based on consent
• The only health sector privacy legislation that
has been declared substantially similar to the
federal legislation
PHIPA
Definition of Personal Health
Information (PHI)
Means “identifying information about an individual in oral or
recorded form…”
“Identifying information” means information that identifies
an individual, or for which there is a reasonable basis to
believe that it could be utilized, either alone, or with other
information, to identify an individual.
Section 4, PHIPA
Consent
Consent may be express or implied,
except where express consent is
specifically required under PHIPA
Research
A health information custodian may use PHI for research
purposes but only if the custodian has a research plan
approved by a research ethics board
Research Ethics Board to consider:
• Whether research could be accomplished without using the PHI
• Whether appropriate safeguards will be in place
• Public interest in conducting the research
• Whether obtaining consent directly is impractical
Research Plan
• The affiliation of each person involved in the research
• The nature and objectives of the research and the public or scientific benefits of the research
• All other prescribed matters related to the research.
Other prescribed matters
research plans
• Description of proposal, PHI and potential sources
• Description of how PHI will be used and any data linkages
• Explanation of why research cannot be carried out without PHI and data linkage
• Explanation of why consent not being sought
• Description of harms and benefits
• Description of who will have access, why, roles, qualifications
• Description of safeguards and retention schedule
• Disposal plan
• Funding source
• Whether researcher applied to another REB and response of other REB
• Any conflicts of interest
Research Agreement
Researcher must agree to abide by the
conditions and restrictions that the
custodian imposes relating to the use,
security, disclosure, return or disposal of
the information.
Requirements for Researchers
• Comply with the agreements and conditions set out by REB
• Use information only for the specified purpose
• Not to publish identifiable data
• Not to disclose except as required by law
• Not to make contact unless the custodian first obtains consent
• Notify the custodian of a breach
Access to PHI for Research
• Any access to PHI, with or without express consent, must
be reviewed and approved by TOH Research Ethics Board
(REB) before any contact is made with patients.
• Access to PHI for the purposes of research usually
requires the express consent of the individual.
• TOH REB will consider allowing such access without
express consent if, in the judgment of the REB, a waiver
of consent seems appropriate. There are several
considerations which the REB must take into account prior
to waiving consent.
Collecting PHI for Research
Only the information needed for the
research and approved by the REB and
the custodian can be accessed and
collected.
Patient Recruitment
Only people who an individual regards as having a
right to know about their personal health
information, typically those who are clearly within
the circle of care of the patient, may approach the
patient to open discussion about the possibility of
becoming involved in a research project.
Consideration by Privacy Office
• Indicate how research patients will be recruited and contacted.
• Indicate how data containing Personal Health Information (PHI) will be protected against breaches of privacy (e.g. locked cabinets, password protection).
• Indicate which organizations and/or individuals will have access to PHI.
• Indicate whether PHI will be leaving The Ottawa Hospital.
• Indicate what patient identifiers will be used.
• Indicate how the master list will be maintained and safeguarded.
• Indicate how information will be stored (paper or electronic or both).
• Indicate how long information will be kept after the close of the study.
• Indicate how information will be destroyed after the storage date has expired.
• Indicate contact information should patients have questions about their rights as a research subject.
SickKids – Stolen Laptop
• 3,000 patients' personal health information on
the laptop
– Approximately 300 were active patients
– Small sub-group – information was sensitive
(e.g. drug therapy and HIV status)
– Majority were adult patients, some of whom
they had not seen since 1940
– 1/3 were deceased
The IPC Investigation/Order
• ORDER H-004 issued to SickKids
• Information Privacy Commissioner of Ontario
ordered all Health Information Custodians in
Ontario to:
– Never store any personal health information
on their laptops or mobile devices unless they
have taken strong steps (such as encryption)
to ensure that this information is protected
against unauthorized access, if the device is
lost or stolen.
Key Messages
• Don’t work with identifiable patient information
(key role of Research Ethics Board).
• If you can’t… Don’t take patient information out
of the hospital.
• If you can’t… Use secure remote access (save
information to hospital servers).
• If you can’t… Encrypt files, prevent theft.
• Take an Inventory of Information
• Educate, Communicate, Monitor and Audit
Questions or Comments
Please contact in confidence:
Peggy Taillon
Chief Privacy Officer
Anne Lavigne
Privacy Coordinator
613-739-6668
[email protected]