IPC Complaint Process - PowerPoint PPT Presentation

1 / 30

About This Presentation

Title:

IPC Complaint Process

Description:

Initiated by individual within 6 months of receiving HIC's decision. Examples ... the inappropriate disclosure, provided an explanation, offered an apology to the ... – PowerPoint PPT presentation

Number of Views:64

Avg rating:3.0/5.0

Slides: 31

Provided by: ipc192

Category:

more less

Transcript and Presenter's Notes

Title: IPC Complaint Process

1
IPC Complaint Process

Brian Beamish, Assistant Commissioner
Robert Binstock, Registrar
Mona Wong, Manager of Mediation
Nancy Ferguson, Mediator/Investigator
Joseph Sommer, Intake Analyst

TYPES OF COMPLAINTS
ACCESS/CORRECTION
Initiated by individual within 6 months of
receiving HICs decision
Examples
Denial of access to requesters personal health
information (PHI).
Fee or denial of fee waiver.
Expedited Access.
Time extension.
Deemed Refusal.
Refusal to correct the requesters PHI.

TYPES OF COMPLAINTS Contd
COLLECTION, USE AND DISCLOSURE
Initiated by individual if there is reason to
believe the HIC has or is about to contravene the
Act or its regulations.
Within one year from the time the complainant
became aware of the problem.
Usually related to the collection, use or
disclosure of PHI.
Custodian reported breach
IPC initiated complaint

COMPLIANT PROCESS
More detailed flow charts on IPC Web site.

INTAKE
Registrar
reviews file to determine whether to dismiss or
to stream to one of the stages in the complaint
process
Intake Analysts
Dismiss file, redirect complainant, gather more
information, informally resolve, order.

MEDIATION
Mediation is the IPCs preferred method of
dispute resolution.
Summaries of resolved files on IPC Web site.
Mediators
Assist parties to reach a full or partial
settlement or simplify matters at issue
If not resolved, reports back to parties in
writing before streaming file to Review.
In limited cases can issue Order.

REVIEW
Commissioner may/may not issue order.
Commissioner may make comments or recommendations
on privacy implications
Order making power used as a last resort.
Orders will be posted on IPC Web site.

8
(No Transcript)
9

CUSTODIAN REPORTED BREACH
vs.
IPC INITIATED COMPLAINT
What is the difference?
What do you do when faced with one?

WHAT IS A PRIVACY BREACH?
A privacy breach is a circumstance where
personal health information is stolen, lost or
accessed by unauthorized persons.

WHAT IS A CUSTODIAN REPORTED BREACH?
- When a custodian becomes aware themselves of
a possible privacy breach
- Self-identified
- Custodians are encouraged to report these
incidents to the IPC.

WHAT IS AN IPC INITIATED COMPLAINT?
Upon learning of a privacy breach, the IPC may
itself initiate a complaint
Can be brought to the attention of the IPC by
various sources e.g. the media, a member of the
public not affected by the breach.

WHAT DO I DO WHEN FACED WITH A PRIVACY BREACH?
The first two priorities are containment and
notification.

Containment
- Locate any PHI outside the custody or control
of the responsible custodian and retrieve it
- Ensure no copies of the PHI have been made,
shared with anyone or retained by the individual
who was not authorized to receive it
- Determine whether the breach would allow
unauthorized access to any other PHI (e.g.
electronic information system) and take
appropriate steps (change passwords,
identification numbers).

Notification
- Identify those individuals whose privacy was
breached and, barring exceptional
circumstances, notify those individuals, at the
first reasonable opportunity
- The Act requires notification but does not
specify the manner
- Can be by telephone or in writing or depending
on the circumstances, a notation made in a
patients file to be discussed at the next
appointment
- When notifying, provide details of the extent
of the breach and the specifics of the personal
health information at issue
- Advise of the steps that have been taken to
address the breach, both immediate and
long-term
- Advise that the IPC has been contacted.

WHAT ELSE CAN I DO?
Ensure appropriate staff within your organization
are immediately notified of the breach, including
the Chief Privacy Officer or contact person for
the purposes of the Act
Review any existing internal policies and
procedures.

WHAT PROACTIVE MEASURES CAN I TAKE?
Develop a Privacy Breach Protocol that includes
the types of actions needed to be taken
Educate staff about the privacy rules governing
collection, retention, use and disclosure of PHI
Educate staff about the privacy rules governing
the security and safe and secure disposal of PHI

18
Examples of Complaints Resolved at the Intake
Stage

1) Access Complaint
2) Deemed Refusal Complaint
3) Collection, Use, Disclosure Complaint

Access Complaint
Patient made a request to her Ob/Gyn for a copy
of her entire record of PHI
Patient received medical reports and test
results, but no progress notes
IPC received a complaint as only part of the
records expected by the patient were received
Intake Analyst (IA) clarified patients original
request with Ob/Gyns office to provide a
complete record of PHI
IA explained the requirement for the Ob/Gyn to
provide the patient with her entire record
Progress notes provided to patient, complaint
file closed

Deemed Refusal Complaint
Patient made a request to correct her PHI with a
hospital
Hospital did not issue a decision within the time
required by the PHIPA. (s.55(3))
IPC received patients complaint and issued a
Notice of Review requiring hospital to issue a
decision in 2 weeks or an order would be issued
Hospital responded on time
IA explained the hospitals obligations under the
PHIPA
On confirmation that a decision was issued, IPC
closed the complaint file

Collection, Use, Disclosure (CUD)
Private clinic inappropriately disclosed PHI of
patient A to patient B
Patient A filed a complaint with the IPC, a
Notice of Complaint was issued to clinic and
patient A
IA gathered details from both parties on the
complaint
Clinic acknowledged the inappropriate
disclosure, provided an explanation, offered an
apology to the complainant, reviewed its
information practices with staff and identified
the complaint as a learning experience

Collection, Use, Disclosure (CUD) contd
IA discussed Informal Resolution of complaint
with both parties
Patient agreed to the file being closed at Intake
and indicated she was satisfied with the IPCs
involvement
IA wrote to both parties setting out details of
the complaint, the clinics response and
confirmed that the complaint has been closed

23
Examples of Matters Dealt with at the
Mediation/Informal Resolution Stage1) Access
Complaint2) Collection, Use, Disclosure
Complaint3) Collection, Use, Disclosure Self
Report by HIC4) Collection, Use, Disclosure -
Report from source other than HIC
24

Access Complaint
Complaint
When I sought access to my record the HIC tried
to require me to sign a form which detailed its
information practices so I could borrow the
record, otherwise I would have to pay a fee to
obtain access.
Resolution
information sharing about nature of HICs records
and reason form had been presented
HIC agreed it would not require the form to be
signed in this case and would also waive the fee
HIC agreed to consult with IPCs Policy and
Compliance Department regarding its use of the
form and the special nature of its records.

2) Collection, Use, Disclosure Complaint
Complaint
-I received a fundraising solicitation for a
specialized healthcare unit
-I was contacted by phone and I understood this
was not permitted
-the fundraising foundation was given information
about my illness
-I never agreed to contact for fundraising
purposes
-I wasnt given the option to opt out of all
future fundraising contact.
Resolution
-information sharing about fundraising processes,
relationship with foundation
-HIC agreed it will only use phone numbers with
express consent
-HIC agreed all future solicitation will have
clear opt out for any future fundraising contact.