Information and Privacy Commissioner/Ontario 2005. PHIPA: Personal Health Information Protection Act, Privacy Issues. Ann Cavoukian, Ph.D., Information & Privacy Commissioner/Ontario. Sunnybrook and Women’s College Health Sciences Privacy Forum, March 22, 2005


Information and Privacy Commissioner/Ontario, © 2005

PHIPA Personal Health Information Protection Act

Privacy Issues

Ann Cavoukian, Ph.D.

Information & Privacy Commissioner/Ontario

Sunnybrook and Women’s College Health Sciences

Privacy Forum

March 22, 2005


Strengths of PHIPA

• Implied consent for sharing of personal health information within circle of care.

• Creation of health data institute to address criticism of “directed disclosures.”

• Open regulation-making process to bring public scrutiny to future regulations.

• Adequate powers of investigation to ensure that complaints are properly reviewed.


Public Education

• Since September, 2004 we have received over 2,000 telephone requests from health care professionals and the public, re: Personal Health Information Protection Act (PHIPA).

• On-going meetings with regulated health professions to discuss PHIPA and to answer specific questions about its application to unique environments.

• Conduct speeches/presentations/workshops.


Tools and Resources

• FAQs and User Guides revised to reflect regulations and posted on our website (also available in print format).

• IPC brochures:

– The Personal Health Information Protection Act and Your Privacy.

– Access/Correction Complaints.

– Collection, Use, Disclosure and Other Complaints.

– Your Health Information: Your Rights (jointly with MOHLTC).


Tools and Resources (cont.)

• Focus papers are being developed in areas where health care professionals have identified special needs and will be posted on our website:

– Health Information Custodians (HICs), Working for non-HICs.

– Safeguarding Your Personal Health Information.

– Patient & Family Rights (including Substitute Decision-Makers).

– Research.

– Mental Health “Fact Sheets”.


Keeping the Public Informed

• Orders will be public documents and available on our Web site.

• Summaries of all mediated cases will be available on our website.

• Relevant data will be regularly made available to the public and health professionals (e.g. number of complaints, examples of successful mediations, common issues).

• IPC will publish quarterly newsletter designed to promote mediation to privacy and access professionals.


Meaningful Consent Forms

• Notices and consent forms must be concise and understandable to be effective.

• PIPEDA notices and consents used by some health professionals are lengthy, confusing and counterproductive.

• Use notices to educate and inform patients, not as an exercise in legal drafting: The goal is effective communication.


Short Notices

• IPC/OBA/MOH/ODA “short notices” working group:

– To promote concise, user-friendly, sector-specific notices and consent forms to serve as effective communication tools.

– Adopted “layered” approach, with emphasis on developing separate short notices for primary care providers, hospitals and facilities, and long-term care facilities.

– Templates will be completed by June, 2005.


Short Notices (cont.)

• The 1st layer notice will have consistent layout/format and contain necessary but understandable information about the collection, use and disclosure of personal health information.

• Distribution via OHA/OMA websites once visual identity is finalized.

• Working Group is developing brochures with additional information to supplement the short notices.


IPC Activities

• Contributing PHIPA awareness articles to health professional associations and college newsletters/magazines.

• On-going consultations/presentations to Federation of Regulated Health Professions.

• Currently meeting with prescribed registries/entities to review information practices.


Current Projects

• "Lock-Box" Technology Transition Strategy (jointly with MOHLTC).

• System Design Principles for Information Technology (co-jointly with MOHLTC, e-Health Council).

• PHIPA Privacy Training Video and PIA Template.


Access to Records

• Every individual has right of access/correction to a record of personal health information about the individual in the custody or control of a HIC, subject to exemptions.

• Employees of HICs are subject to access process under PHIPA.

• 30 days response time with 30 day maximum extension.


Fees for Access to Personal Health Information

• The current wording of PHIPA for charging fees is insufficient:

– “reasonable cost recovery” is too vague and open to interpretation.

• The regulation of fees is necessary:

– regulating access fees will provide certainty to HICs and ensure reasonable costs for patients.


Status of Complaints and Reviews

• To date, we have received 30 complaints:

– 11 Access/Correction Complaints (5 at Intake, 1 at Mediation; 5 Resolved).

– 9 Collection/Use/Disclosure Complaints (5 at Intake and 3 at Mediation; 1 Resolved).

– 10 HIC-Reported Breaches (7 at review; 3 Resolved).

• The types of HICs involved in these complaints include hospitals, community care access centres, clinics and individual doctors' offices.


Mediation Stories

Two Issues:

• Inadvertent disclosure of personal health information (PHI) on health care facility’s website.

• Diagnostic reports missing from patient charts.


Mediation Results

• There were special circumstances in both of these cases that led the IPC to recommend that notice of the breach should be given in person by the health care provider and posted in the patient’s files.

• It was agreed that the patients would be notified of the breach at their next appointment with their health care provider.


Mental Health Issues

• Form 14: Revoked in 1995; No statutory basis

• Originally prescribed under the Mental Health Act (MHA) to fulfill the consent requirement for the disclosure, transmittal or examination of clinical records.

• As of November 1, 2004, health care providers, under PHIPA, can utilize the generic consent form developed by the Ministry of Health and Long-Term Care (MOHLTC).

• If a health care provider that is subject to either Act is relying on a previously used Form 14, they must ensure that the previously obtained consent meets the consent requirements of PHIPA.

• You may obtain a copy of a sample consent form from: http://www.health.gov.on.ca/english/providers/legislation/priv_legislation/sample_consent.html#download.


Permissible Disclosures: Safety and Law Enforcement Purposes

• Derogations from the consent principle are allowed in limited circumstances, for example:

– To protect the health or safety of the individual or others (s. 40(1)).

– To a person carrying out an inspection, investigation or similar procedure that is authorized by a warrant or by law (s. 43(1)(g)).

– As required by law (s. 43(1)(h)).


Other Disclosures

• Disclosing name & patient location to a representative of patient’s religious affiliation.

– Rule:

• Rely on implied consent to disclose only if patient has provided information and been given the opportunity to opt out and has not done so.

• Hospitals are permitted to use PHI without consent for the purpose of delivering a chaplain visiting program.


Common Uses

• Confirming appointments on voicemail.

• Calling patients in waiting rooms.

• Overhead paging.

• White Boards.


Common Uses: Best Practices

• Generally, these are uses, but all of these scenarios may involve potential disclosures.

• General rule for disclosure to non-HICs: Express consent is required.

• However, HICs are required to take steps that are reasonable in the circumstances to ensure against unauthorized disclosures.

• Best Practice:

– Ensure that individuals are aware of such uses;

– Take steps that are reasonable in the circumstances to minimize inadvertent disclosures (i.e., use minimal amount of info; provide options).


Persons Who May Consent…

• Parent may consent where child is under 16 years old unless:

– Child made own treatment decision under Health Care Consent Act (s. 23(1)[2]i); or

– Participated in own counseling under Child and Family Services Act (s. 23(1)[2]ii).

• In the event of a conflict between capable child and parent, child’s decision prevails (s. 23(3)).


Substitute Decision Maker (SDM)

• Ranked list of SDMs in order of priority:

– Guardian of person or of property.

– Attorney for personal care or property.

– Representative appointed by Consent and Capacity Board.

– Spouse or partner.

– Child’s custodial parent.

– Parent with right of access only.

– Brother or sister.

– Any other relative.

– Public Guardian and Trustee (as last resort).


Substantial Similarity

• The Commissioner has written to the Minister of Industry and the Federal Privacy Commissioner urging early finding of substantial similarity.

• A protocol for the handling of health related complaints that fall within both PHIPA and PIPEDA pending a finding of substantial similarity has been agreed to and the terms of that protocol can be found on the Federal Commissioner’s website.


How to Contact Us

Commissioner Ann Cavoukian

Information & Privacy Commissioner/Ontario

2 Bloor Street East, Suite 1400

Toronto, Ontario M4W 1A8

Phone: (416) 326-3333

Web: www.ipc.on.ca

E-mail: [email protected]