The Health Information Protection Act HIPA - PowerPoint PPT Presentation

1
The Health Information Protection Act (HIPA)
  • Policy and Planning Branch
  • Health Information and Policy Analysis Unit
  • Saskatchewan Ministry of Health

2
Overview of Session
  • Brief history of the development of HIPA.
  • Overview of HIPA.
  • Questions
  • Information on HIPA and privacy.

3
Development of HIPA
  • HIPA was proclaimed on September 1, 2003.
  • Reasons for development:
  • Existing privacy acts were structured around
    government institutions and local authorities
  • Need to coordinate privacy standards for numerous
    health-specific statutes
  • The Hospital Standards Act,
  • The Mental Health Services Act,
  • The Public Health Act, and
  • The Regional Health Services Act.
  • Increasing need to balance the sharing of
    information with growing concerns over privacy.

4
Key Elements of HIPA pertaining to personal
health information
  • Duties of trustees
  • Rules for the collection, use and disclosure of
    personal health information
  • Creates a Circle of Care for information sharing
  • Sets penalties for violations
  • Mandates the Information and Privacy Commissioner
    of Saskatchewan.
  • Legislates the rights of individuals

5
Who is a Trustee? (Section 2(t)) Trustees have
custody and control over personal health
information
  • Government institutions.
  • Regional health authorities and affiliates.
  • Special care homes.
  • Personal care homes.
  • Mental health facilities.
  • Laboratories.
  • Pharmacies.
  • Community clinics.
  • The Saskatchewan Cancer Agency.
  • Ambulance operators.
  • Regulated health professions.
  • Health professional regulatory bodies.
  • Others can be added through regulations.

6
According to HIPA, Personal Health Information
is Information Regarding (Section 2(m))
  • the physical or mental health of an individual
  • a health service provided to an individual
  • the provision of a health service
  • registration information, including name, date of
    birth.

7
HIPA - Scope (Section 3)
  • HIPA does not apply to
  • Statistical or de-identified personal health
    information
  • Administrative information or other records of a
    Trustee.

8
According to HIPA, what kinds of information
should be De-identified? (Section 2(d))
  • Any information that could reasonably identify an
    individual
  • Saskatchewan Health typically considers the
    following to be identifiable data (especially
    when linked to other data or even when there is a
    possibility of linking)
  • name,
  • date of birth,
  • address,
  • postal code,
  • gender.

9
  • What types of data do you work with or report on?

10
Tips on De-identifying Data
  • Consider Special Characteristics (unique disease
    identifiers, age).
  • Consider Population/Denominator Size: > 300 rule.
  • Aggregate when reasonable.
  • Cell Suppression: < 5 rule.
  • Omit certain fields from the analysis when
    reasonable (e.g. gender, age).
  • Group identification: use caution when reporting
    on groups (culture, age).
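The following is an added example, not part of the presentation or of any Saskatchewan Health tooling, that puts slide 8's list of identifying fields and slide 10's thresholds into one runnable routine: direct identifiers are dropped, date of birth is generalized to a coarse age band, the records are aggregated, and the "> 300" denominator rule and "< 5" cell-suppression rule are applied. The sample records, the region populations, the 10-year band width, the treatment of zero cells and the complementary-suppression step (which goes one step beyond the slide, because a published row total would otherwise reveal a lone suppressed cell) are all assumptions made for the example.

```python
"""Added example (not from the presentation): de-identify constructed patient
records by dropping the direct identifiers the slides list, then release
counts under the "> 300" denominator rule and the "< 5" small-cell rule."""
from collections import Counter, defaultdict
from datetime import date

# Direct identifiers named on slide 8 (name, date of birth, address,
# postal code, gender). Date of birth is replaced by a coarse age band
# rather than simply dropped; the 10-year band width is an assumption.
DIRECT_IDENTIFIERS = ("name", "dob", "address", "postal_code", "gender")
SMALL_CELL = 5            # "< 5 rule": counts of 1 to 4 are not released
MIN_DENOMINATOR = 300     # "> 300 rule": report only on populations above 300
AS_OF = date(2004, 1, 1)  # reference date for computing ages (constructed)


def _rec(name, dob, region, postal_code):
    """Build one constructed patient record (sample data, not real people)."""
    return {"name": name, "dob": dob, "address": "1 Main St",
            "postal_code": postal_code, "gender": "F", "region": region}


# Constructed sample: 13 Regina records across three age bands, plus one record
# from a small community whose population is below the denominator threshold.
RECORDS = (
    [_rec(f"Patient {i}", "1950-03-04", "Regina", "S4S 6X6") for i in range(6)]
    + [_rec(f"Patient {i}", "1972-06-15", "Regina", "S4S 6X6") for i in range(6, 8)]
    + [_rec(f"Patient {i}", "1980-11-30", "Regina", "S4S 6X6") for i in range(8, 13)]
    + [_rec("Patient 13", "1990-01-20", "Smallville", "S0A 0A0")]
)
POPULATIONS = {"Regina": 180000, "Smallville": 250}  # constructed denominators


def age_band(dob, as_of=AS_OF, width=10):
    """Generalize an ISO date of birth to an age band such as '50-59'."""
    born = date.fromisoformat(dob)
    age = as_of.year - born.year - ((as_of.month, as_of.day) < (born.month, born.day))
    low = (age // width) * width
    return f"{low}-{low + width - 1}"


def de_identify(record):
    """Drop every direct identifier and keep only the coarse age band."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    out["age_band"] = age_band(record["dob"])
    return out


def tabulate(records):
    """Aggregate de-identified records into region -> age band -> count."""
    table = defaultdict(Counter)
    for record in records:
        d = de_identify(record)
        table[d["region"]][d["age_band"]] += 1
    return {region: dict(counts) for region, counts in table.items()}


def suppress(table, populations):
    """Apply both thresholds and return the releasable table.

    Regions whose population is not above MIN_DENOMINATOR are withheld
    entirely. Within a released region, cells with 1..4 records are marked
    "x". If exactly one cell is hidden, the published total would reveal it,
    so the smallest remaining non-zero cell is hidden too (complementary
    suppression; an assumption, not a rule stated on the slide). One marker
    is used for both kinds of hidden cell so the marker itself leaks nothing.
    Zero cells are released as 0, also an assumption.
    """
    released = {}
    for region, cells in table.items():
        if populations.get(region, 0) <= MIN_DENOMINATOR:
            released[region] = {band: "suppressed (population <= 300)" for band in cells}
            continue
        hidden = {band for band, n in cells.items() if 0 < n < SMALL_CELL}
        if len(hidden) == 1:
            visible = [(n, band) for band, n in cells.items() if band not in hidden and n > 0]
            if visible:
                hidden.add(min(visible)[1])
        out = {band: ("x" if band in hidden else n) for band, n in cells.items()}
        out["total"] = sum(cells.values())
        released[region] = out
    return released


def release(records=RECORDS, populations=POPULATIONS):
    """Full pipeline: de-identify, aggregate, then suppress."""
    return suppress(tabulate(records), populations)


if __name__ == "__main__":
    for region, cells in release().items():
        print(region, cells)
```

Running the block prints the releasable table: Regina keeps its 50-59 count and total, its 30-39 cell (2 records) is hidden by the < 5 rule, and its 20-29 cell is hidden as well because the total of 13 would otherwise give the 30-39 value away; Smallville, with a constructed population of 250, is withheld entirely under the > 300 rule.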

11
How does HIPA relate to other legislation?
(Section 3)
  • HIPA prevails over all other statutes regarding
    personal health information with the following
    exceptions: Parts II, IV, and V of HIPA do not
    apply to personal health information obtained for
    the purposes of
  • The Adoption Act
  • Part VIII of The Automobile Accident Insurance
    Act
  • Section 16 of The Cancer Foundation Act
  • The Child and Family Services Act
  • The Mental Health Services Act
  • The Public Disclosure Act
  • The Public Health Act 1994
  • The Vital Statistics Act
  • The Workers Compensation Act.

12
Duties of Trustees: Safeguarding Personal Health
Information (Section 16)
  • Trustees must establish policies and procedures
    to maintain administrative, technical and
    physical safeguards that will:
  • Protect the integrity, accuracy, confidentiality
    and security of personal health information
  • Protect against loss or unauthorized access to or
    use, disclosure or modification of the
    information
  • Ensure compliance with HIPA by its employees.

13
  • What safeguards does your organization have in
    place to protect personal health information?

14
Duties of Trustees: Retention and Destruction
(Section 17)
  • Trustees must:
  • Retain records for the period specified in the
    regulations (not yet proclaimed).
  • Ensure that records are stored in a way that they
    are readable, retrievable and usable.
  • Dispose of records in a safe manner that protects
    the privacy of the individual (e.g. properly
    shred paper).

15
  • What are some methods that your organization uses
    to securely destroy records?

16
Duties of Trustees: Trustees have a duty to
(Sections 19 to 22)
  • Ensure accuracy (Section 19)
  • Disclose to another Trustee (Section 20)
  • Disclose to persons other than a Trustee (Section
    21)

17
  • Continuing duty of Trustees (Section 22)
  • A Trustee cannot simply abandon records
  • Must care for records or transfer records to
    another Trustee or to an IMSP that is a
    designated archive.
  • If a Trustee abandons records, the Minister of
    Health may appoint a person or body to act in
    place of the former trustee until the personal
    health information is appropriately transferred.

18
Collection, Use and Disclosure (Section
23): Trustee requirements
  • Collect, use or disclose the minimum personal
    health information required for a particular
    purpose
  • On a need-to-know basis.
  • Implement policies and procedures that limit
    access by employees who do not require the
    information.
  • De-identify information where practical.

19
More About Collection (Section 24)
  • A Trustee may collect personal health
    information
  • For a program or service that will benefit the
    individual
  • If it is consistent with a use or disclosure
    authorized by HIPA
  • If permitted by law
  • With consent of the subject individual.

20
Collection, some exceptions (Section 25)
  • Should be collected directly from the subject
    individual, except where:
  • The individual consents
  • The individual is unable to provide the
    information
  • The trustee believes, on reasonable grounds, that
    collection directly from the subject individual
    would cause harm to the subject individual or
    another person
  • Collection is to determine eligibility of the
    individual to participate in a program of the
    Trustee
  • Information is available to the public
  • Information is collected for a use or disclosure
    authorized by HIPA
  • Prescribed circumstances
  • For the purpose of assembling the family medical
    history of an individual.

21
More About Use (Section 26)
  • A Trustee may use personal health information
    with consent of the subject individual, or
  • For a purpose consistent with a disclosure
    authorized by HIPA
  • To de-identify the information
  • For a purpose that will primarily benefit the
    individual
  • For a prescribed purpose.
  • A Trustee cannot use or obtain access to the
    personal health information of a subject
    individual who is an employee or prospective
    employee without the individual's consent.

22
Disclosure - Express Consent (Section 27(1))
  • For any purpose with express consent from the
    subject individual.
  • Express consent simply means that someone has
    said "yes, you may disclose my personal health
    information for that purpose".

23
Disclosure - Deemed Consent (Section 27(2))
  • Consent is deemed to exist
  • For the purpose for which the information was
    collected by the Trustee
  • Circle of Care: for the purpose of arranging,
    assessing the need for, providing, continuing, or
    supporting the provision of a service requested
    or required by the subject individual.
  • To communicate with close family members/friends
    as the disclosure relates to the care provided.

need to know
24
Disclosure - Without Consent (Section 27(4))
  • To prevent or minimize danger to the health and
    safety of any person.
  • To prevent fraud, abuse or dangerous use of
    publicly funded healthcare services.
  • To contact the next of kin for compassionate
    reasons.
  • To administer an estate.
  • For the purpose of a court proceeding.
  • For program delivery, evaluation, monitoring,
    planning (limited disclosure, must remain
    confidential).

25
Disclosing Registration Information (Section 28)
  • By Saskatchewan Health to
  • a trustee for the provision of a health service,
  • another government institution or regional health
    authority to verify eligibility or the accuracy
    of information.
  • Between Saskatchewan Health and a regional health
    authority or affiliate for program delivery,
    evaluation, monitoring, research, planning.

26
Use and Disclosure for Research (Section 29)
  • With consent
  • Approval by a research ethics committee.
  • The researcher must agree to maintain
    confidentiality and security of information and
    return any original records or copies of records
    containing personal health information to the
    Trustee.
  • Without consent
  • The above requirements, and must not be
    reasonably practical to obtain consent from
    individuals, and the research project may not be
    completed with de-identified data.
  • Research ethics committee must agree that the
    benefits outweigh risks to privacy.

27
What happens if someone breaches HIPA? (Section
64)
  • Individuals
  • May be fined up to $50,000 and/or up to one year
    of imprisonment per offence.
  • Corporations
  • May be fined up to $500,000 per offence.
  • Good faith clause protects individuals (Section
    61).

28
  • What is a breach?

29
  • A privacy breach occurs when personal information
    is collected, used or disclosed in violation of
    HIPA.

30
Examples of Breaches
  • Staff use or disclose personal information
    databases for unauthorized purposes
  • Addresses for a wedding guest list,
  • Birth date to give a birthday card,
  • Checking a local hockey player's health status
    after an injury.

31
Examples of Breaches
  • Personal information is e-mailed, faxed, mailed
    to the wrong address.

32
Examples of Breaches
  • Insufficient security: records are left in an
    open area, not shredded, too many people are
    provided access to records.
  • Inadequate security is applied to mobile
    electronic devices such as laptops: no password
    protection, no screen saver, computers left in an
    unlocked or open area, laptops left in the car
    when getting groceries.

33
Examples of Breaches
  • Malicious breaches
  • Gossip
  • Inappropriate disclosure of personal health
    information.

34
What should I do if I think that someone has
committed a breach of HIPA?
  • Notify your organizational privacy officer and
    immediate supervisor.
  • Contain the breach.
  • Investigate the breach and notify affected
    individuals.
  • Follow up: implement changes to prevent future
    breaches and evaluate the change measures.

35
How do I prevent privacy breaches?
  • Appoint an organizational Privacy Officer to
    provide leadership in privacy.
  • Ensure employees know the role of the Privacy
    Officer.
  • Update organizational policies regarding the
    collection, use and disclosure of personal health
    information.
  • Implement organizational, technical, physical
    safeguards.

36
How do I prevent privacy breaches?
  • Follow appropriate retention schedules and ensure
    secure destruction of records.
  • Educate management and staff about policies,
    safeguards, and individual responsibilities.
  • Ensure that the staff and the public know where
    to direct concerns and questions about access and
    privacy.

37
The Saskatchewan Information and Privacy
Commissioner
  • Independent Third Party.
  • Designated with the authority to investigate
    various privacy complaints and provide
    recommendations.
  • Acts as a mediator between individuals and public
    bodies.

38
Rights of Individuals (HIPA part II)
  • Provide consent (Section 5)
  • Be informed. (Section 9)
  • Know to whom information is disclosed outside the
    circle of care. (Section 10)
  • Limit access to a comprehensive record created
    and controlled by SHIN. (Section 8)
  • Access their records (Section 12)
  • Request a review by the Information and Privacy
    Commissioner. (Section 14)

39
Access by Individuals to Their Own Personal
Health Information (Sections 31 to 40)
  • A Trustee must provide individuals access to
    their own information.
  • Fees are not required but may be charged.
  • A Trustee may refuse access in limited
    circumstances.
  • Individuals have a right to request amendments to
    their personal health information if incorrect.

40
Information
  • Where to find HIPA? www.publications.gov.sk.ca/deplist.cfm?d1c42
  • Saskatchewan Information and Privacy
    Commissioner www.oipc.sk.ca
  • PIPEDA www.strategis.ic.gc.ca/privacy/health
  • Privacy Commissioner of Canada www.privcom.gc.ca

41
Questions? Contact information for Saskatchewan
Ministry of Health: Jacqueline Messer-Lepage,
Director, Health Information and Policy Analysis
and Chief Privacy and Access Officer, Policy and
Planning Branch, 3475 Albert Street, Regina SK S4S
6X6. Phone (306) 787-2137. Email jmesserlepage@health.gov.sk.ca