Health Information Protection Act An Overview - PowerPoint PPT Presentation

1 / 30
About This Presentation
Title:

Health Information Protection Act An Overview

Description:

Ontario government introduced health privacy bill (Bill 31) on December 17, 2003 ... to believe that a person has contravened or is about to contravene the Act ... – PowerPoint PPT presentation

Number of Views:50
Avg rating:3.0/5.0
Slides: 31
Provided by: ipc179
Category:

less

Transcript and Presenter's Notes

Title: Health Information Protection Act An Overview


1
Health Information Protection ActAn Overview
  • Ann Cavoukian, Ph.D.
  • Information Privacy Commissioner/Ontario
  • Ontario Health Records Association
  • May 7, 2004

2
Ontarios Health Information Protection Act, 2003
(HIPA)
  • Ontario government introduced health privacy bill
    (Bill 31) on December 17, 2003
  • Standing Committee on General Government held
    public hearings and completed clause-by-clause
    study
  • Received Second Reading on April 8, 2004
  • Second clause-by-clause review completed April
    18, 2004
  • Expected to come into effect November 1, 2004

3
Bill 31 Two parts
  • Schedule A the Personal Health Information
    Protection Act (PHIPA)
  • Schedule B the Quality of Care Information
    Protection Act (QOCIPA)

4
Bill 31 Based on Fair Information Practices
  • Accountability
  • Identifying Purposes
  • Consent
  • Limiting Collection
  • Limiting Use, Disclosure, Retention
  • Accuracy
  • Safeguards
  • Openness
  • Individual Access
  • Challenging Compliance

5
Scope of PHIPA
  • Health information custodians (HICs) that
    collect, use and disclose personal health
    information (PHI)
  • Non-health information custodians where they
    receive personal health information from a health
    information custodian (use and disclosure
    provisions)

6
Health Information Custodians
  • Definition includes
  • Health care practitioner
  • Hospitals and independent health facilities
  • Homes for the aged and nursing homes
  • Pharmacies
  • Laboratories
  • Home for special care
  • A centre, program or service for community health
    or mental health

7
Records Management General Practices
  • Must take reasonable steps to ensure accuracy
  • Must maintain the security of PHI
  • Must have a contact person to ensure compliance
    with Act, respond to access/correction requests,
    inquiries and complaints from public
  • Must have information practices in place that
    comply with the Act
  • Must make available a written statement of
    information practices
  • Must be responsible for actions of agents

8
PHIPA Consent
  • Consent is required for the collection, use,
    disclosure of PHI, subject to specific exceptions
  • Consent must
  • be a consent of the individual
  • be knowledgeable
  • relate to the information
  • not be obtained through deception or coercion
  • Consent may be express or implied

9
Knowledgeable Consent
  • Consent is knowledgeable if it is reasonable in
    the circumstances to believe that the individual
    knows
  • the purpose, and
  • that the individual may provide or withhold
    consent
  • can imply consent if the custodian posts a notice
    or describes the purpose in a brochure

10
Meaningful Consent Forms
  • Notices and consent forms must be concise and
    understandable to be effective
  • PIPEDA notices and consents used by some health
    professionals are lengthy, confusing and
    counterproductive
  • Use Notices and consents to educate and inform
    patients, not as an exercise in legal drafting

11
Express Consent
  • required when a custodian discloses to a
    non-custodian
  • required when a custodian discloses to another
    custodian for a purpose other than providing
    health care to the individual

12
Implied Consent
  • custodians may imply consent when disclosing
    personal health information to other custodians
    for the purpose of providing health care to the
    individual
  • exception if the individual expressly withholds
    or withdraws consent (lock box)

13
Checks on the Lock Box
  • Notification if the custodian who discloses
    believes that all information necessary for the
    the provision of health care has not been
    disclosed, the custodian must notify the
    recipient
  • Override the custodian may disclose if
    disclosure is necessary to eliminate or reduce a
    significant risk of serious bodily harm to a
    person or a group of persons

14
Delayed Implementation of the Lock Box
  • public hospitals have until November 1, 2005 to
    implement the lock box

15
Collection, Use and Disclosure Without Consent
  • Derogations from the consent principle are
    allowed in limited circumstances.
  • As required by law
  • To protect the health or safety of the individual
    or others
  • To identify a deceased person or provide
    reasonable notice of a persons death

16
Right of Access and Correction
  • PHIPA Expands and Codifies the Common-Law Right
    of Access
  • Right of access to all records of personal health
    information about the individual in the custody
    or control of any health information custodian
    (some exceptions)
  • Provides right to correct their records of
    personal health information (some exceptions)

17
Access
  • custodian must make the record available or
    provide a copy, if requested
  • custodian must respond to request within 30 days,
    with a possible 30 day extension
  • custodian must take reasonable steps to be
    satisfied of the individuals identity
  • custodian must offer assistance in reformulating
    a request that lacks sufficient detail

18
Expedited Access
  • custodian must provide expedited access if the
    individual requests it and provides evidence that
    the information is needed urgently and the
    custodian is reasonably able to respond within
    the requested time frame

19
How to Correct Records
  • by striking out the incorrect information in a
    manner that does not obliterate it or
  • by labeling the information as incorrect and
    severing it from the record, while maintaining a
    link to the record or
  • if the correction cannot be recorded in the
    record, the custodian must ensure there is a
    practical system to inform persons accessing the
    record that the information is incorrect and
    where to obtain correct information

20
Notice of Correction
  • at the request of the individual, the custodian
    must give written notice of the requested
    correction, to the extent reasonably possible, to
    persons to who the custodian has disclosed the
    information
  • exception if the correction cannot be
    reasonably expected to have an effect on the
    ongoing provision of health care or other benefits

21
Statement of Disagreement
  • if the custodian refuses a correction request,
    the individual is entitled to require the
    custodian to attach to the record a statement of
    disagreement prepared by the individual
  • custodian must make reasonable efforts to notify
    anyone who would have been notified if there was
    a correction

22
Oversight and Enforcement
  • Office of the Information and Privacy
    Commissioner is the oversight body
  • IPC may investigate where
  • A complaint has been received
  • Commissioner has reasonable grounds to believe
    that a person has contravened or is about to
    contravene the Act
  • IPC has powers to enter and inspect premises,
    require access to PHI and compel testimony

23
Strengths of PHIPA
  • Creation of health data institute to address
    criticism of directed disclosures
  • Open regulation-making process to bring public
    scrutiny to future regulations
  • Implied consent for sharing of personal health
    information within circle of care
  • Adequate powers of investigation to ensure that
    complaints are properly reviewed

24
Role of the IPC
  • IPC currently has oversight of two laws
  • Provincial Freedom of Information and Protection
    of Privacy Act
  • Municipal Freedom of Information and Protection
    of Privacy Act
  • IPC may issue orders for access/correction
    appeals
  • IPC investigates privacy complaints and may issue
    report with recommendations

25
Access and Correction Appeals
  • Appeals under current public sector laws may be
    dealt with through three stages
  • IPC will examine situation and may contact
    individual or organization for more information
    (Intake)
  • If not dismissed, the appeal proceeds to
    mediation, the IPCs preferred method of dispute
    resolution
  • If mediation is unsuccessful, appeal proceeds to
    adjudication and an order will be issued.

26
Privacy Complaints
  • IPC goal in dealing with complaints under public
    sector legislation is to assist organizations in
    taking whatever steps are necessary to prevent
    future occurrences
  • Intake staff attempt to resolve complaints
    informally, through liaising with organization
    and complainant
  • If not resolved, complaint goes to the
    investigation stage and a mediator investigates
  • Mediator prepare a report, including
    recommendations

27
Role of IPC under PHIPA
  • Use of mediation and alternative dispute
    resolution to be stressed
  • Order-making power as a last resort
  • Conducting public and stakeholder education
    programs
  • Comment on an organizations information practices

28
Stressing the 3 Cs
  • Consultation
  • Opening lines of communication with health
    community
  • Collaboration
  • Working together to find solutions
  • Co-operation
  • Rather than confrontation in resolving complaints

29
Making Health Privacy Work
  • Think beyond compliance with legislation
  • Use technology to help protect personal health
    information
  • Build privacy right into design specifications
  • Minimize collection and routine use of personally
    identifiable information use aggregate or coded
    information if possible
  • Use encryption where practicable
  • Think about using pseudonymity, coded data
  • Conduct privacy impact assessments

30
How to Contact Us
  • Commissioner Ann Cavoukian
  • Information Privacy Commissioner/Ontario
  • 80 Bloor Street West, Suite 1700
  • Toronto, Ontario M5S 2V1
  • Phone (416) 326-3333
  • Web www.ipc.on.ca
  • E-mail commissioner_at_ipc.on.ca
Write a Comment
User Comments (0)
About PowerShow.com