Title: Health Information Protection Act: An Overview
1. Health Information Protection Act: An Overview
- Ann Cavoukian, Ph.D.
- Information and Privacy Commissioner/Ontario
- Ontario Health Records Association
- May 7, 2004
2. Ontario's Health Information Protection Act, 2003 (HIPA)
- Ontario government introduced health privacy bill (Bill 31) on December 17, 2003
- Standing Committee on General Government held public hearings and completed clause-by-clause study
- Received Second Reading on April 8, 2004
- Second clause-by-clause review completed April 18, 2004
- Expected to come into effect November 1, 2004
3. Bill 31: Two parts
- Schedule A: the Personal Health Information Protection Act (PHIPA)
- Schedule B: the Quality of Care Information Protection Act (QOCIPA)
4. Bill 31: Based on Fair Information Practices
- Accountability
- Identifying Purposes
- Consent
- Limiting Collection
- Limiting Use, Disclosure, Retention
- Accuracy
- Safeguards
- Openness
- Individual Access
- Challenging Compliance
5. Scope of PHIPA
- Health information custodians (HICs) that collect, use and disclose personal health information (PHI)
- Non-health information custodians where they receive personal health information from a health information custodian (use and disclosure provisions)
6. Health Information Custodians
- Definition includes:
  - Health care practitioner
  - Hospitals and independent health facilities
  - Homes for the aged and nursing homes
  - Pharmacies
  - Laboratories
  - Home for special care
  - A centre, program or service for community health or mental health
7. Records Management: General Practices
- Must take reasonable steps to ensure accuracy
- Must maintain the security of PHI
- Must have a contact person to ensure compliance with the Act and to respond to access/correction requests, inquiries and complaints from the public
- Must have information practices in place that comply with the Act
- Must make available a written statement of information practices
- Must be responsible for the actions of agents
8. PHIPA Consent
- Consent is required for the collection, use and disclosure of PHI, subject to specific exceptions
- Consent must:
  - be a consent of the individual
  - be knowledgeable
  - relate to the information
  - not be obtained through deception or coercion
- Consent may be express or implied
9. Knowledgeable Consent
- Consent is knowledgeable if it is reasonable in the circumstances to believe that the individual knows:
  - the purpose, and
  - that the individual may provide or withhold consent
- Consent can be implied if the custodian posts a notice or describes the purpose in a brochure
10. Meaningful Consent Forms
- Notices and consent forms must be concise and understandable to be effective
- PIPEDA notices and consents used by some health professionals are lengthy, confusing and counterproductive
- Use notices and consents to educate and inform patients, not as an exercise in legal drafting
11. Express Consent
- Required when a custodian discloses to a non-custodian
- Required when a custodian discloses to another custodian for a purpose other than providing health care to the individual
12. Implied Consent
- Custodians may imply consent when disclosing personal health information to other custodians for the purpose of providing health care to the individual
- Exception: if the individual expressly withholds or withdraws consent (the "lock box")
13. Checks on the Lock Box
- Notification: if the custodian who discloses believes that all information necessary for the provision of health care has not been disclosed, the custodian must notify the recipient
- Override: the custodian may disclose if disclosure is necessary to eliminate or reduce a significant risk of serious bodily harm to a person or a group of persons
14. Delayed Implementation of the Lock Box
- Public hospitals have until November 1, 2005 to implement the lock box
15. Collection, Use and Disclosure Without Consent
- Derogations from the consent principle are allowed in limited circumstances:
  - As required by law
  - To protect the health or safety of the individual or others
  - To identify a deceased person or provide reasonable notice of a person's death
16. Right of Access and Correction
- PHIPA expands and codifies the common-law right of access
- Right of access to all records of personal health information about the individual in the custody or control of any health information custodian (some exceptions)
- Provides a right to correct their records of personal health information (some exceptions)
17. Access
- Custodian must make the record available or provide a copy, if requested
- Custodian must respond to a request within 30 days, with a possible 30-day extension
- Custodian must take reasonable steps to be satisfied of the individual's identity
- Custodian must offer assistance in reformulating a request that lacks sufficient detail
18. Expedited Access
- Custodian must provide expedited access if the individual requests it and provides evidence that the information is needed urgently, and the custodian is reasonably able to respond within the requested time frame
19. How to Correct Records
- By striking out the incorrect information in a manner that does not obliterate it, or
- By labeling the information as incorrect and severing it from the record, while maintaining a link to the record, or
- If the correction cannot be recorded in the record, the custodian must ensure there is a practical system to inform persons accessing the record that the information is incorrect and where to obtain correct information
20. Notice of Correction
- At the request of the individual, the custodian must give written notice of the requested correction, to the extent reasonably possible, to persons to whom the custodian has disclosed the information
- Exception: if the correction cannot reasonably be expected to have an effect on the ongoing provision of health care or other benefits
21. Statement of Disagreement
- If the custodian refuses a correction request, the individual is entitled to require the custodian to attach to the record a statement of disagreement prepared by the individual
- Custodian must make reasonable efforts to notify anyone who would have been notified if there had been a correction
22. Oversight and Enforcement
- Office of the Information and Privacy Commissioner is the oversight body
- IPC may investigate where:
  - A complaint has been received
  - The Commissioner has reasonable grounds to believe that a person has contravened or is about to contravene the Act
- IPC has powers to enter and inspect premises, require access to PHI and compel testimony
23. Strengths of PHIPA
- Creation of a health data institute to address criticism of directed disclosures
- Open regulation-making process to bring public scrutiny to future regulations
- Implied consent for sharing of personal health information within the circle of care
- Adequate powers of investigation to ensure that complaints are properly reviewed
24. Role of the IPC
- IPC currently has oversight of two laws:
  - Provincial Freedom of Information and Protection of Privacy Act
  - Municipal Freedom of Information and Protection of Privacy Act
- IPC may issue orders on access/correction appeals
- IPC investigates privacy complaints and may issue a report with recommendations
25. Access and Correction Appeals
- Appeals under current public sector laws may be dealt with through three stages:
  - IPC will examine the situation and may contact the individual or organization for more information (Intake)
  - If not dismissed, the appeal proceeds to mediation, the IPC's preferred method of dispute resolution
  - If mediation is unsuccessful, the appeal proceeds to adjudication and an order will be issued
26. Privacy Complaints
- IPC goal in dealing with complaints under public sector legislation is to assist organizations in taking whatever steps are necessary to prevent future occurrences
- Intake staff attempt to resolve complaints informally, through liaising with the organization and the complainant
- If not resolved, the complaint goes to the investigation stage and a mediator investigates
- The mediator prepares a report, including recommendations
27. Role of the IPC under PHIPA
- Use of mediation and alternative dispute resolution to be stressed
- Order-making power as a last resort
- Conducting public and stakeholder education programs
- Commenting on an organization's information practices
28. Stressing the 3 Cs
- Consultation
  - Opening lines of communication with the health community
- Collaboration
  - Working together to find solutions
- Co-operation
  - Rather than confrontation in resolving complaints
29. Making Health Privacy Work
- Think beyond compliance with legislation
- Use technology to help protect personal health information
- Build privacy right into design specifications
- Minimize collection and routine use of personally identifiable information; use aggregate or coded information where possible
- Use encryption where practicable
- Think about using pseudonymity and coded data
- Conduct privacy impact assessments
30. How to Contact Us
- Commissioner Ann Cavoukian
- Information and Privacy Commissioner/Ontario
- 80 Bloor Street West, Suite 1700
- Toronto, Ontario M5S 2V1
- Phone: (416) 326-3333
- Web: www.ipc.on.ca
- E-mail: commissioner_at_ipc.on.ca