1 / 34

Ontario’s New Personal Health Information Protection Act: What you need to know

Ontario’s New Personal Health Information Protection Act: What you need to know. Ann Cavoukian, Ph.D. Information & Privacy Commissioner/Ontario Sunnybrook and Women’s College Health Sciences Centre March 4, 2005. Health Privacy is Critical. The need for privacy has never been greater:

talib
Download Presentation

Ontario’s New Personal Health Information Protection Act: What you need to know

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Ontario’s New Personal Health Information Protection Act: What you need to know Ann Cavoukian, Ph.D. Information & Privacy Commissioner/Ontario Sunnybrook and Women’s College Health Sciences Centre March 4, 2005

  2. Health Privacy is Critical • The need for privacy has never been greater: • Extreme sensitivity of personal health information • Patchwork of rules across the health sector; with some areas currently unregulated • Increasing electronic exchanges of health information • Development of health networks • Multiple providers involved in health care of an individual – need to integrate services • Growing emphasis on improved use of technology, including electronic patient records

  3. Unique Characteristics of Personal Health Information • Highly sensitive and personal in nature • Must be shared immediately and accurately among a wide range of health care providers for the benefit of the individual’s treatment and care • Widely used and disclosed for secondary purposes that are in the public interest (e.g., research, planning, fraud investigation, quality assurance)

  4. Ontario’s Personal Health Information Protection Act (PHIPA) • Came into effect November 1, 2004 • Schedule A – the Personal Health Information Protection Act (PHIPA) • Schedule B – the Quality of Care Information Protection Act (QOCIPA)

  5. Schedule B: QCIPA Quality of Care Information Protection Act • QCIPA protects “quality of care information” that is prepared by or for a “quality of care committee” • The IPC has no oversight role over QCIPA • No oversight body has been appointed under QCIPA

  6. What is “quality of care information?” • Information that relates solely or primarily to an activity that a quality of care committee carries on as part of its functions • It is NOT: • information contained in a record maintained for the purpose of providing health care (i.e. patient chart) • Information contained in a record that is required by law to be created • Facts contained in a record of an incident if the facts are not fully recorded in the patient’s record

  7. Schedule A: PHIPABased on Fair Information Practices • Accountability • Identifying Purposes • Consent • Limiting Collection • Limiting Use, Disclosure, Retention • Accuracy • Safeguards • Openness • Individual Access • Challenging Compliance

  8. Strengths of PHIPA • Implied consent for sharing of personal health information within circle of care • Creation of health data institute to address criticism of “directed disclosures” • Open regulation-making process to bring public scrutiny to future regulations • Adequate powers of investigation to ensure that complaints are properly reviewed

  9. Scope of PHIPA • Health information custodians (HICs) that collect, use and disclose personal health information (PHI) • Non-health information custodians where they receive personal health information from a health information custodian (use and disclosure provisions)

  10. Health Information Custodians • Definition includes: • Health care practitioner • Hospitals and independent health facilities • Homes for the aged and nursing homes • Pharmacies • Laboratories • Home for special care • A centre, program or service for community health or mental health

  11. Records Management: General Practices • Must take reasonable steps to ensure accuracy • Must maintain the security of PHI • Must have a contact person to ensure compliance with Act, respond to access/correction requests, inquiries and complaints from public • Must have information practices in place that comply with the Act • Must make available a written statement of information practices – Transparency is key • Must be responsible for actions of agents

  12. PHIPA Consent • Consent is required for the collection, use, disclosure of PHI, subject to specific exceptions • Consent must: • be a consent of the individual • be knowledgeable • relate to the information • not be obtained through deception or coercion • Consent may be express or implied

  13. Meaningful Consent Forms • Notices and consent forms must be concise and understandable to be effective • PIPEDA notices and consents used by some health professionals are lengthy, confusing and counterproductive • Use notices to educate and inform patients, not as an exercise in legal drafting: The goal is effective communication

  14. Short Notices • IPC/OBA short notices working group: • To promote concise, user-friendly, sector-specific notices and consent forms to serve as effective communication tools • Adopt “multi-layered” approach, with emphasis on developing separate short notices for primary care providers, hospitals, and long-term care facilities

  15. Implied Consent • custodians may imply consent when disclosing personal health information to other custodians for the purpose of providing health care to the individual • exception – if the individual expressly withholds or withdraws consent (lock box)

  16. Checks on the Lock Box • Notification – if the custodian who discloses believes that all information necessary for the the provision of health care has not been disclosed, the custodian must notify the recipient • Override – the custodian may disclose if disclosure is necessary to eliminate or reduce a significant risk of serious bodily harm to a person or a group of persons

  17. Delayed Implementation of the Lock Box • Public hospitals have until November 1, 2005 to implement the lock box • The IPC has been working with hospitals and software vendors to develop strategies for complying with the lock box requirements • Over the next two months, we will be coordinating workshops with various stakeholders to develop short terms solutions for incorporating the lock box requirements into existing clinical information systems

  18. Express Consent • required when a health information custodian discloses to a non-custodian • required when a custodian discloses to another custodian for a purpose other than providing health care to the individual • required for marketing and fundraising (if using more than patient name and specified contact information)

  19. Right of Access and Correction PHIPA Expands and Codifies the Common-Law Right of Access • Right of access to all records of personal health information about the individual in the custody or control of any health information custodian (some exceptions) • Provides right to correct one’s records containing personal health information (some exceptions)

  20. Access • custodian must make the record available or provide a copy, if requested • custodian must respond to request within 30 days, with a possible 30 day extension • custodian must take reasonable steps to be satisfied of the individual’s identity • custodian must offer assistance in reformulating a request that lacks sufficient detail

  21. How to Correct Records • by striking out the incorrect information in a manner that does not obliterate it or • by labeling the information as incorrect and severing it from the record, while maintaining a link to the record or • if the correction cannot be recorded in the record, the custodian must ensure there is a practical system to inform persons accessing the record that the information is incorrect and where to obtain correct information

  22. Notice of Correction • at the request of the individual, the custodian must give written notice of the requested correction, to the extent reasonably possible, to persons to who the custodian has disclosed the information • exception – if the correction cannot be reasonably expected to have an effect on the ongoing provision of health care or other benefits

  23. Statement of Disagreement • if the custodian refuses a correction request, the individual is entitled to require the custodian to attach to the record a statement of disagreement prepared by the individual • custodian must make reasonable efforts to notify anyone who would have been notified if there was a correction

  24. Compliance: The Obvious • Don’t discuss confidential information in public areas (e.g. elevators, food courts, hallways) where it may be overheard; • Don’t leave PHI such as charts, reports and recruitment lists in places where they can be viewed by the public.

  25. Compliance: A Model (cont’d) • Don’t leave the computer terminal with PHI readily visible. Log off when finished and keep your password to yourself; • Don’t reveal confidential information to others without a need for them to know it; • Shred all papers that contain PHI when no longer in use.

  26. Oversight and Enforcement • Office of the Information and Privacy Commissioner is the oversight body • IPC may investigate where: • A complaint has been received • Commissioner has reasonable grounds to believe that a person has contravened or is about to contravene the Act • IPC has powers to enter and inspect premises, require access to PHI and compel testimony

  27. Role of IPC under PHIPA • Use of mediation and alternate dispute resolution always stressed • Order-making power used as a last resort • Conducting public and stakeholder education programs: education is key • Comment on an organization’s information practices

  28. Complaint Process • Complaint can be filed based on access or correction decision of a HIC • Complaint can be filed if a person believes the HIC has or is about to contravene the Act or its regulations • Complaint will usually relate to the collection, use or disclosure of personal health information

  29. Public Education Program • Frequently Asked Questions and Answers available on IPC website (including hard copies) • User Guide for Health Information Custodians available on IPC website (including hard copies) • IPC PHIPA publications distributed to Colleges and Associations of the Regulated Health Professions • IPC/MOH brochure for the general public • may be placed in reception areas • to be distributed to patients

  30. Public Education Program (con’t.) • IPC member of OHA/OMA/IPC/MOH PHIPA tool kit project • IPC/OBA “short notices” working group • Developing concise, user-friendly notices and consent forms to serve as effective communication tools • On-going meetings with Regulated Health Professions, the Federation of Health Regulatory Colleges and Associations • IPC PHIPA awareness article distributed to Colleges/Associations for inclusion in their members’ Magazines and Newsletters

  31. Keeping HIC’s Informed • Orders will be public documents and available on our Web site • Summaries of all mediated cases available on our website • Relevant data will be regularly made available to the public and health professionals (e.g. number of complaints, examples of successful mediations, common issues)

  32. Stressing the 3 C’s • Consultation • Opening lines of communication with health community and HICs • Co-operation • Rather than confrontation in resolving complaints • Collaboration • Working together to find solutions

  33. How to Contact Us Commissioner Ann Cavoukian Information & Privacy Commissioner/Ontario 2 Bloor Street East, Suite 1400 Toronto, Ontario M4W 1A8 Phone: (416) 326-3333 Web: www.ipc.on.ca E-mail: commissioner@ipc.on.ca

More Related