IPC Complaint Process
Brian Beamish, Assistant Commissioner
Robert Binstock, Registrar
Mona Wong, Manager of Mediation
Nancy Ferguson, Mediator/Investigator
Joseph Sommer, Intake Analyst
TYPES OF COMPLAINTS:
• ACCESS/CORRECTION
  • Initiated by individual within 6 months of receiving HIC’s decision
  • Examples
    • Denial of access to requester’s personal health information (PHI).
    • Fee or denial of fee waiver.
    • Expedited Access.
    • Time extension.
    • Deemed Refusal.
    • Refusal to correct the requester’s PHI.
TYPES OF COMPLAINTS Cont’d:
• COLLECTION, USE AND DISCLOSURE
  • Initiated by individual if there is reason to believe the HIC has or is about to contravene the Act or its regulations.
  • Within one year from the time the complainant became aware of the problem.
  • Usually related to the collection, use or disclosure of PHI.
  • Custodian reported breach
  • IPC initiated complaint
COMPLAINT PROCESS
[More detailed flow charts on IPC Web site.]
INTAKE:
• Registrar:
  • Reviews file to determine whether to dismiss or to stream to one of the stages in the complaint process
• Intake Analysts:
  • Dismiss file, redirect complainant, gather more information, informally resolve, order.
MEDIATION:
• Mediation is the IPC’s preferred method of dispute resolution.
• Summaries of resolved files on IPC Web site.
• Mediators:
  • Assist parties to reach a full or partial settlement or simplify matters at issue
  • If not resolved, reports back to parties in writing before streaming file to Review.
  • In limited cases can issue Order.
REVIEW:
• Commissioner may/may not issue order.
• Commissioner may make comments or recommendations on privacy implications
• Order making power used as a last resort.
• Orders will be posted on IPC Web site.
CUSTODIAN REPORTED BREACH vs. IPC INITIATED COMPLAINT
What is the difference?
What do you do when faced with one?
WHAT IS A “PRIVACY BREACH”?
A “privacy breach” is a circumstance where personal health information is stolen, lost or accessed by unauthorized persons.
WHAT IS A CUSTODIAN REPORTED BREACH?
- When a custodian becomes aware themselves of a possible privacy breach;
- Self-identified;
- Custodians are encouraged to report these incidents to the IPC.
WHAT IS AN IPC INITIATED COMPLAINT?
• Upon learning of a privacy breach, the IPC may itself initiate a complaint;
• Can be brought to the attention of the IPC by various sources – e.g. the media, a member of the public not affected by the breach.
WHAT DO I DO WHEN FACED WITH A PRIVACY BREACH?
The first two priorities are “containment” and “notification”.
Containment:
- Locate any PHI outside the custody or control of the responsible custodian and retrieve it;
- Ensure no copies of the PHI have been made, shared with anyone or retained by the individual who was not authorized to receive it;
- Determine whether the breach would allow unauthorized access to any other PHI (e.g. electronic information system) and take appropriate steps (change passwords, identification numbers).
Notification:
- Identify those individuals whose privacy was breached and, barring exceptional circumstances, notify those individuals at the first reasonable opportunity;
- The Act requires notification but does not specify the manner;
- Can be by telephone or in writing or, depending on the circumstances, a notation made in a patient’s file to be discussed at the next appointment;
- When notifying, provide details of the extent of the breach and the specifics of the personal health information at issue;
- Advise of the steps that have been taken to address the breach, both immediate and long-term;
- Advise that the IPC has been contacted.
WHAT ELSE CAN I DO?
• Ensure appropriate staff within your organization are immediately notified of the breach, including the Chief Privacy Officer or contact person for the purposes of the Act;
• Review any existing internal policies and procedures.
WHAT PROACTIVE MEASURES CAN I TAKE?
• Develop a “Privacy Breach Protocol” that includes the types of actions needed to be taken;
• Educate staff about the privacy rules governing collection, retention, use and disclosure of PHI;
• Educate staff about the privacy rules governing the security and safe and secure disposal of PHI;
Examples of Complaints Resolved at the Intake Stage
1) Access Complaint
2) Deemed Refusal Complaint
3) Collection, Use, Disclosure Complaint
Access Complaint
• Patient made a request to her Ob/Gyn for a copy of her entire record of PHI
• Patient received medical reports and test results, but no progress notes
• IPC received a complaint as only part of the records expected by the patient were received
• Intake Analyst (IA) clarified patient’s original request with Ob/Gyn’s office to provide a complete record of PHI
• IA explained the requirement for the Ob/Gyn to provide the patient with her entire record
• Progress notes provided to patient, complaint file closed
Deemed Refusal Complaint
• Patient made a request to correct her PHI with a hospital
• Hospital did not issue a decision within the time required by the PHIPA (s.55(3))
• IPC received patient’s complaint and issued a Notice of Review requiring hospital to issue a decision in 2 weeks or an order would be issued
• Hospital responded on time
• IA explained the hospital’s obligations under the PHIPA
• On confirmation that a decision was issued, IPC closed the complaint file
Collection, Use, Disclosure (CUD)
• Private clinic inappropriately disclosed PHI of patient A to patient B
• Patient A filed a complaint with the IPC, a Notice of Complaint was issued to clinic and patient A
• IA gathered details from both parties on the complaint
• Clinic: acknowledged the inappropriate disclosure, provided an explanation, offered an apology to the complainant, reviewed its information practices with staff and identified the complaint as a learning experience
Collection, Use, Disclosure (CUD) cont’d
• IA discussed Informal Resolution of complaint with both parties
• Patient agreed to the file being closed at Intake and indicated she was satisfied with the IPC’s involvement
• IA wrote to both parties setting out details of the complaint, the clinic’s response and confirmed that the complaint has been closed
Examples of Matters Dealt with at the Mediation/Informal Resolution Stage
1) Access Complaint
2) Collection, Use, Disclosure Complaint
3) Collection, Use, Disclosure – Self Report by HIC
4) Collection, Use, Disclosure - Report from source other than HIC
Access Complaint
Complaint:
• When I sought access to my record the HIC tried to require me to sign a form which detailed its information practices so I could “borrow” the record, otherwise I would have to pay a fee to obtain “access”.
Resolution:
• information sharing about nature of HIC’s records and reason form had been presented;
• HIC agreed it would not require the form to be signed in this case and would also waive the fee;
• HIC agreed to consult with IPC’s Policy and Compliance Department regarding its use of the form and the special nature of its records.
2) Collection, Use, Disclosure Complaint
Complaint:
- I received a fundraising solicitation for a specialized healthcare unit;
- I was contacted by phone and I understood this was not permitted;
- the fundraising foundation was given information about my illness;
- I never agreed to contact for fundraising purposes;
- I wasn’t given the option to opt out of all future fundraising contact.
Resolution:
- information sharing about fundraising processes, relationship with foundation;
- HIC agreed it will only use phone numbers with express consent;
- HIC agreed all future solicitation will have clear opt out for any future fundraising contact.
3) Collection, Use, Disclosure - Custodian Reported Breach
Some Examples of Losses Reported:
- a fax meant for another department was forwarded to a private residence;
- a routine audit revealed an employee inappropriately accessed patient PHI;
- a computer was stolen containing the personal health information of patients.
Resolution:
- agreed on steps needed to address immediate containment issues;
- discussed and agreed on notification approach;
- gathered information to get to bottom of how loss occurred;
- discussed and agreed on steps that will be taken to avoid loss in future;
- IPC Report was prepared and posted on website.
4) Collection, Use, Disclosure - IPC initiated complaint
Report from Member of the Public:
- A private business owner reported receiving faxes containing PHI
Resolution:
- agreed on steps needed to address immediate containment issues;
- discussed and agreed on notification approach;
- gathered information to get to bottom of how loss occurred;
- discussed and agreed on steps that will be taken to avoid loss in future;
- IPC Report was prepared and posted on website.
IPC CONTACT INFORMATION:
Information and Privacy Commissioner/Ontario
2 Bloor St West, Suite 1400
Toronto ON M4W 1A8
Telephone: 416 326-3333
Toll Free: 1-800-387-0073
TTY: 416 325-7539
Fax: 416-325-9188
Web site: http://www.ipc.on.ca