Page 1: PHIPA: An Overview

Presented by: Lad Kucis

Presentation to: Ontario Chiropractic Association
March 2, 2016

*This presentation is intended to provide a general overview of the Personal Health Information Protection Act, 2004. It is not intended to be construed as legal advice. For legal advice, please consult a lawyer.

Page 2: Speaker (Lad Kucis)

• Lad is the Co-Chair of Gardiner Roberts’ Health Law Group and provides legal assistance to health sector clients
• Frequent author and speaker on various health law issues
• Expertise:
  • Health Law
  • Litigation and Dispute Resolution

Page 3: The Personal Health Information Protection Act, 2004 (PHIPA)

• Is an Ontario law that governs the collection, use, disclosure, retention and disposal of “personal health information” (PHI) within the health sector
• The object of the statute is to keep PHI confidential and secure, while allowing for the effective delivery of health care
• Applies to all “health information custodians” (HICs) (i.e. persons and organizations that deliver health care) and to persons and organizations that receive information from HICs

Page 4: Oversight Body

• The Information and Privacy Commissioner of Ontario (the “IPC”) has been designated as the independent oversight body responsible for ensuring that HICs collect, use, disclose, retain and dispose of PHI in accordance with PHIPA
• The IPC possesses wide powers, including with respect to the investigation of complaints, entering and inspecting premises, issuing orders, prosecutions, fines, etc.

Page 5: PHIPA vs. PIPEDA

• The Personal Information Protection and Electronic Documents Act (PIPEDA) is federal legislation that applies to organizations that collect, use and disclose personal information in the course of “commercial activities”
• PIPEDA does not apply in respect of the collection, use and disclosure of “personal health information” that occurs within Ontario, as PHIPA has been declared to be “substantially similar”
• PIPEDA continues to govern where PHI crosses provincial or national borders

Page 6: Items to be Reviewed

• What does PHIPA Protect?
• To Whom does PHIPA Apply?
• Responsibilities of HICs
• Safeguarding PHI
• Consent
• Capacity
• Collection, Use & Disclosure
• Access & Correction
• Recently Proposed Amendments to PHIPA

Page 7: What does PHIPA Protect?: Personal Health Information (PHI)

• PHI is “identifying information” about an individual in oral or recorded form that:
  • relates to the physical or mental health of the individual, including the health history of the individual’s family
  • relates to the providing of health care to the individual, including identifying a person as a provider of health care to the individual
  • identifies an individual’s substitute decision-maker
  • is an individual’s health card number
• PHI also includes identifying information that is not PHI, as defined above, but that is contained in a record that contains PHI (i.e. the “mixed record rule”)

Page 8: PHI …cont’d

• “Identifying information” means “information that identifies an individual or for which it is reasonably foreseeable in the circumstances that it could be utilized, either alone or with other information, to identify an individual”
• As such, patients do not have to be explicitly named for information to be considered PHI. Information can also be PHI if it can be used with other information to identify the patient

Page 9: To Whom does PHIPA Apply?: Health Information Custodians (HICs)

HICs are persons or organizations that have custody or control of PHI and include the following:
• Health Care Practitioners
• A Person who Operates a Group Practice of Health Care Practitioners
• Hospitals
• Psychiatric facilities
• Pharmacies

Page 10: Agents

• PHIPA also applies to the “agents” of HICs
• An “agent”, in relation to a HIC, means a person that, with the authorization of the Custodian, acts for or on behalf of the Custodian in respect of PHI for the purposes of the Custodian, and not the agent's own purposes, whether or not the agent has authority to bind the Custodian, whether or not the agent is employed by the Custodian and whether or not the agent is being remunerated

Page 11: Agents …cont’d

• Under PHIPA, HICs may allow their agents to collect, use, disclose, retain or dispose of PHI on their behalf, if:
  • the HIC is permitted or required to collect, use, disclose, retain or dispose of PHI, as the case may be
  • the collection, use, disclosure, retention or disposal of the PHI is in the course of the agent’s duties and is not contrary to the limits imposed by the HIC or another law
• HICs are responsible for PHI in the custody or control of their agents

Page 12: Recipients

• PHIPA also applies to the “recipients” of PHI
• A recipient is a non-HIC who receives PHI from a HIC
• A recipient must not use or disclose the information for any purpose other than the purpose for which the HIC was authorized to disclose the information under PHIPA, or for the purpose of carrying out a statutory or legal duty, subject to the regulations or other law

Page 13: Responsibilities of HICs: Information Practices

• HICs are required to have adequate “information practices” that comply with PHIPA, including:
  • when, how and the purposes for which the HIC routinely collects, uses, modifies, discloses, retains or disposes of PHI
  • the administrative, technical and physical safeguards and practices that the HIC maintains with respect to PHI

Page 14: Responsibilities of HICs: Appoint a Contact Person

• A HIC must designate a “contact person” or take on the role of “contact person” himself or herself
• A “contact person” is responsible for:
  • facilitating compliance with PHIPA
  • ensuring that all agents are informed of their duties under PHIPA
  • responding to inquiries about the HIC’s information practices
  • responding to requests for access to or correction of PHI Records
  • receiving complaints from the public about alleged breaches of PHIPA
• A “contact person” is considered an “agent” of a HIC

Page 15: Responsibilities of HICs: Written Public Statement

• HICs are required to make a written statement available to the public that provides:
  • a general description of the HIC’s information practices
  • how to contact the HIC or the contact person, where the HIC has designated a contact person
  • a description of how an individual may obtain access to or request correction of their PHI Record that is in the custody or control of the HIC
  • how to make a complaint to the HIC and/or to the Information and Privacy Commissioner
• If a HIC uses or discloses PHI outside the scope of the information practices set out in the written statement, without the consent of the individual, they are required to notify the individual at the first reasonable opportunity and to make a note of the uses and disclosures (which is to be kept with the record)

Page 16: Responsibilities of HICs: Reporting Privacy Breaches

• If the PHI of an individual is stolen, lost or accessed by an unauthorized person, the HIC is required to notify the individual at the first reasonable opportunity
• Best practices would also include the development of a thorough privacy breach protocol, which would include items such as containing the breach, assessing the scope of the breach, contacting the affected individuals, investigation/remediation, and revising privacy practices where necessary

Page 17: General Limitations & Requirements

• HICs must not collect, use or disclose PHI if other information will serve the purpose
• HICs must not collect, use or disclose more PHI than is reasonably necessary to meet the purpose
• HICs must take reasonable steps to ensure the accuracy of the PHI that they use or disclose

Page 18: Responsibilities of HICs: Safeguarding PHI

• HICs must safeguard PHI in their custody or control by taking steps that are reasonable in the circumstances to ensure that:
  • PHI is protected against theft, loss and unauthorized use or disclosure
  • PHI Records are protected against unauthorized copying, modification or disposal
  • PHI Records are retained, transferred and disposed of in a secure manner

Page 19: Physical Safeguards

• Examples of physical safeguards for PHI Records include:
  • storing paper PHI Records in locked filing cabinets
  • ensuring that PHI Records are supervised when they are not locked up
  • restricting office access to authorized personnel (e.g. through locks, pass codes and alarm systems)
  • ensuring that faxes and printers are kept in a restricted area and are directly monitored while running
  • protecting against the effects of fire

Page 20: Technical Safeguards

• Examples of technical safeguards for PHI Records include:
  • all staff should have their own computers, wherever possible. At the very least, all staff should have their own login names and passwords to access PHI
  • passwords should not be easy to guess and should be changed regularly
  • encrypting information and removing identifiers
  • installing firewalls
  • using anti-virus protection
  • access should be removed as soon as a staff member leaves
  • an administrator login and password should be established
  • automatic back-up for file recovery should be set up

Page 21: Technical Safeguards …cont’d

• Electronic PHI Records should have an audit trail that records the date and time of each entry, showing any changes in a record and preserving the original information when PHI is changed, updated or corrected
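The audit trail described on this slide, as an added worked example (this is not code from the presentation, nor from any EMR product): an append-only change log for one electronic PHI record, where each entry carries the date and time, the acting user, the field changed, and the original value, so a correction never erases what was there before. The record identifier, field names, login name and timestamps are constructed sample values; the SHA-256 hash chain is this example's choice for making in-place edits to old entries detectable, which the slide does not prescribe.

```python
"""Append-only, hash-chained audit trail for an electronic PHI record (added example)."""
import hashlib
import json
from dataclasses import dataclass, replace as dc_replace
from datetime import datetime, timezone
from typing import Any, Dict, List, Optional


@dataclass(frozen=True)
class AuditEntry:
    """One immutable line of the trail: who changed what, when, and from what value."""
    seq: int
    timestamp: str          # ISO 8601, UTC
    actor: str              # login name of the agent making the change
    field_name: str
    old_value: Any          # the original information, preserved rather than overwritten
    new_value: Any
    reason: str
    prev_hash: str          # hash of the previous entry (links the chain)
    entry_hash: str         # hash over this entry's content including prev_hash


def _hash_entry(body: Dict[str, Any]) -> str:
    # Canonical JSON (sorted keys) so identical content always hashes identically.
    return hashlib.sha256(json.dumps(body, sort_keys=True, default=str).encode()).hexdigest()


class AuditedRecord:
    """A PHI record whose every modification is appended to a tamper-evident trail."""

    GENESIS = "0" * 64  # prev_hash of the first entry

    def __init__(self, record_id: str, fields: Dict[str, Any]):
        self.record_id = record_id
        self._current: Dict[str, Any] = dict(fields)
        self._trail: List[AuditEntry] = []

    def current(self) -> Dict[str, Any]:
        return dict(self._current)

    def history(self) -> List[AuditEntry]:
        return list(self._trail)

    def update(self, field_name: str, new_value: Any, actor: str, reason: str,
               now: Optional[datetime] = None) -> AuditEntry:
        """Change one field; the old value goes into the trail instead of being discarded."""
        ts = (now or datetime.now(timezone.utc)).isoformat()
        prev_hash = self._trail[-1].entry_hash if self._trail else self.GENESIS
        body = {
            "record_id": self.record_id, "seq": len(self._trail) + 1, "timestamp": ts,
            "actor": actor, "field_name": field_name,
            "old_value": self._current.get(field_name), "new_value": new_value,
            "reason": reason, "prev_hash": prev_hash,
        }
        entry = AuditEntry(entry_hash=_hash_entry(body),
                           **{k: v for k, v in body.items() if k != "record_id"})
        self._trail.append(entry)
        self._current[field_name] = new_value
        return entry

    def verify_chain(self) -> bool:
        """Recompute every hash; an edited, reordered or removed entry breaks the chain."""
        prev = self.GENESIS
        for expected_seq, e in enumerate(self._trail, start=1):
            body = {
                "record_id": self.record_id, "seq": e.seq, "timestamp": e.timestamp,
                "actor": e.actor, "field_name": e.field_name, "old_value": e.old_value,
                "new_value": e.new_value, "reason": e.reason, "prev_hash": e.prev_hash,
            }
            if e.seq != expected_seq or e.prev_hash != prev or _hash_entry(body) != e.entry_hash:
                return False
            prev = e.entry_hash
        return True


def demo() -> Dict[str, Any]:
    """Constructed scenario: two corrections to a chart, then a simulated in-place tampering."""
    t0 = datetime(2016, 3, 2, 9, 0, tzinfo=timezone.utc)  # fixed clock for reproducibility
    rec = AuditedRecord("CHIRO-0001", {"dob": "1980-01-01", "allergies": "none recorded"})
    rec.update("allergies", "latex", actor="jdoe", reason="patient-reported at intake", now=t0)
    rec.update("dob", "1980-10-01", actor="jdoe", reason="correction request, ID verified",
               now=t0.replace(hour=10))
    intact_before = rec.verify_chain()
    originals = [e.old_value for e in rec.history()]   # original values survive the corrections
    # Someone rewrites an old entry instead of appending a new one: the chain no longer verifies.
    rec._trail[0] = dc_replace(rec._trail[0], new_value="none")
    return {"current": rec.current(), "originals": originals,
            "intact_before": intact_before, "intact_after": rec.verify_chain()}
```

In a deployment the trail would be written to storage the application itself cannot rewrite (an append-only table or write-once log), and, since the proposed amendments on a later slide treat merely viewing PHI as a "use", read access is worth logging in the same way as changes.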

Page 22: Administrative Safeguards

• Examples of administrative safeguards for PHI Records include:
  • appointment of a staff member who is responsible for security issues
  • security clearances for staff members and other applicable agents
  • confidentiality agreements for all staff members and other applicable agents
  • restricting access to certain PHI to certain employees

Page 23: Administrative Safeguards …cont’d

• The most important administrative control is the establishment of a privacy policy, outlining the HIC’s information practices and rules regarding PHI security, including instructions as to how to deal with a privacy breach, if and when it occurs (i.e. a privacy breach protocol)
• All staff should receive thorough training to ensure that they are completely familiar with all aspects of the privacy policy
• Regular audits to ensure compliance with the privacy policy and to determine whether changes should be made

Page 24: Transfer of PHI Records

• HICs are responsible for the secure transfer of PHI Records, which may include transfers to other HICs, facilities, or successors
• To ensure the secure transfer of PHI Records, HICs would be well advised to only transfer records personally or through a staff member agent
• If a third party agent is used (e.g. a courier company), they should be required to enter into an agreement acknowledging that they understand the importance of safeguarding PHI Records and will provide written confirmation when the transfer is completed

Page 25: Disposal of PHI

• HICs must ensure that PHI Records are disposed of in a secure manner
• PHI Records must be destroyed in such a manner that the reconstruction of the record is not reasonably possible
• Documents that HICs should maintain with respect to PHI Record disposal:
  • Written agreements with agents
  • Policy outlining disposal procedures
  • A ledger outlining the particulars of the disposal process:
    • identification of the PHI disposed of;
    • the manner in which the PHI was disposed of;
    • the name of the individual whose PHI was disposed of;
    • the date of disposal; and
    • the name and telephone number of the individual who disposed of the PHI

Page 26: Disposal – Paper Records

• For paper records, secure disposal consists of permanently destroying the documents by irreversible shredding (i.e. cross-cutting) or pulverizing, thus making them unreadable
• HICs are responsible for ensuring that steps are taken so that no unauthorized person will have access to the records throughout the disposal process

Page 27: Disposal – Electronic Records

• May involve physical destruction, permanent deletion or overwriting the information
• HICs would be well advised to consult an expert to ensure that appropriate technology is used so that electronic PHI is permanently destroyed
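The overwrite-and-delete route from this slide, together with the disposal ledger particulars listed two slides earlier, as an added worked example (not code from the presentation): a file holding one chart is overwritten with random bytes, synced to disk and unlinked, and a ledger entry with the identification, manner, patient name, date, and the disposer's name and telephone number is appended. The record identifier, patient and staff names and the telephone number are constructed sample values; the caveat in the docstring about when in-place overwriting is not enough is the editor's, and is the practical reason behind the slide's advice to consult an expert.

```python
"""Secure disposal of an electronic PHI record, with a disposal ledger (added example)."""
import os
import secrets
import tempfile
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import Dict, List, Optional


@dataclass(frozen=True)
class DisposalEntry:
    """One ledger line holding the particulars listed for each disposal."""
    phi_identifier: str     # what was disposed of (record/file identifier, never its contents)
    manner: str             # how it was destroyed
    patient_name: str       # whose PHI it was
    disposed_on: str        # ISO 8601 date/time, UTC
    disposed_by: str        # name of the person who carried out the disposal
    disposed_by_phone: str  # their telephone number


def overwrite_and_unlink(path: str, passes: int = 1) -> str:
    """Overwrite a file in place with random bytes, flush to disk, then remove it.

    Caveat (editor's, not from the deck): on SSDs, on copy-on-write or journaling
    file systems, and on cloud/object storage, an in-place overwrite does not
    guarantee that the old blocks are unrecoverable. Whole-disk encryption with
    destruction of the key, or physical destruction of the media, is the
    dependable route; this routine is only adequate where the storage is known
    to rewrite in place.
    """
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        for _ in range(passes):
            fh.seek(0)
            fh.write(secrets.token_bytes(size))
            fh.flush()
            os.fsync(fh.fileno())      # make sure the overwrite reached the device
    os.remove(path)
    return f"overwrite x{passes} + unlink"


def dispose_record(path: str, phi_identifier: str, patient_name: str,
                   disposed_by: str, phone: str, ledger: List[DisposalEntry],
                   now: Optional[datetime] = None) -> DisposalEntry:
    """Destroy the file and append the particulars of the disposal to the ledger."""
    manner = overwrite_and_unlink(path)
    entry = DisposalEntry(
        phi_identifier=phi_identifier,
        manner=manner,
        patient_name=patient_name,
        disposed_on=(now or datetime.now(timezone.utc)).isoformat(),
        disposed_by=disposed_by,
        disposed_by_phone=phone,
    )
    ledger.append(entry)
    return entry


def demo() -> Dict[str, object]:
    """Constructed scenario: one chart file disposed of under a fixed clock."""
    ledger: List[DisposalEntry] = []
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "chart-CHIRO-0001.txt")
    with open(path, "wb") as fh:
        fh.write(b"Constructed sample chart for A. Patient (not real PHI)\n")
    existed_before = os.path.exists(path)
    # Names and phone number below are constructed sample values.
    entry = dispose_record(path, "chart-CHIRO-0001", "A. Patient", "J. Doe", "555-0100",
                           ledger, now=datetime(2016, 3, 2, 17, 0, tzinfo=timezone.utc))
    os.rmdir(tmpdir)
    return {"existed_before": existed_before, "exists_after": os.path.exists(path),
            "ledger": [asdict(e) for e in ledger], "manner": entry.manner}
```

The ledger itself contains a patient's name and so is PHI under the mixed record rule; it should be stored and retained with the same safeguards as the records it describes.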

Page 28: Consent

• The general rule is that a HIC needs to obtain an individual’s consent to collect, use or disclose PHI, unless PHIPA authorizes the collection, use or disclosure without consent
• Consent must be:
  • Knowledgeable (i.e. the individual is aware of the purpose of the collection, use or disclosure and that they may give or withhold consent)
  • Voluntary (i.e. not obtained through deception or coercion)
  • Related to the information in question
  • Given by the individual
• A consent may be “express” or “implied”, unless PHIPA requires it to be express

Page 29: What is the Difference between Express and Implied Consent?

• An express consent is a consent that has been clearly and unmistakably given, either orally or in writing
• An implied consent is a consent that a HIC concludes has been given based on an individual’s action or inaction, in the particular factual circumstances

Page 30: Where Express Consent is Required

• Subject to limited exceptions, express consent is required in the following circumstances:
  • disclosures to non-HICs (e.g. to an employer or insurer)
  • disclosures to other HICs for non-health care purposes

Page 31: Implied Consent

• HICs are not required to obtain an individual’s oral or written consent every time that PHI is collected, used or disclosed
• HICs can rely on the implied consent of the individual to collect and use PHI for most purposes

Page 32: Implied Consent: “Circle of Care”

• HICs can also rely on an assumed implied consent when collecting, using or disclosing PHI to another HIC within the “circle of care” for the purpose of providing health care to the individual
• The term “circle of care” is not defined under PHIPA, but is rather a term of reference used to describe the provisions of PHIPA that enable HICs to rely on an individual’s assumed implied consent for the purpose of providing health care to the individual

Page 33: Implied Consent: “Circle of Care” …cont’d

• With respect to a chiropractor’s office, the “circle of care” may include:
  • the chiropractor
  • a nurse
  • a specialist
  • another health care practitioner referred to by the chiropractor
  • a health care practitioner selected by the patient, such as a pharmacist or massage therapist

Page 34: The “lock box”

• The “lock box” principle describes the right of an individual to withhold or withdraw their consent to the collection, use or disclosure of their PHI for health care purposes
• The withholding or withdrawal of consent may take various forms, including instructing that certain PHI not be disclosed, that PHI not be disclosed to certain HICs, that PHI not be disclosed to certain types of HICs, etc.

Page 35: Restrictions/Limitations on the “lock box”

• The lock box does not prevent a disclosure that PHIPA permits without consent (e.g. where the HIC believes on reasonable grounds that the disclosure is necessary for the purpose of eliminating or reducing a significant risk of serious bodily harm to an individual or group of individuals)
• A HIC must record information about an individual that is required by law or by established standards of professional practice
• If a HIC discloses PHI to another HIC for the provision of health care and the disclosing HIC does not have consent to disclose all the PHI that it considers reasonably necessary for that purpose, the disclosing HIC must notify the receiving HIC of that fact

Page 36: Withdrawal of Consent

• An individual may withdraw consent by notifying the HIC in writing
• A withdrawal does not have retroactive effect

Page 37: Capacity

• Under PHIPA, individuals are presumed to be capable of making their own decisions regarding the collection, use, or disclosure of their PHI
• Individuals are capable of consent if they are able to:
  • understand information relevant to deciding whether to consent to the collection, use or disclosure of their PHI; and
  • appreciate the reasonably foreseeable consequences of giving, not giving, withholding or withdrawing their consent
• If a HIC believes that an individual is incapable of providing consent, PHIPA permits a substitute decision-maker (SDM) to make a decision on the individual’s behalf

Page 38: Ranking Order of SDMs

• PHIPA provides a hierarchy of SDMs who are authorized to consent on behalf of an incapable individual
• These SDMs are, in order of priority:
  • a statutory or court-appointed guardian of the person or guardian of property (with authority)
  • attorney for personal care or attorney for property
  • a representative appointed by the Consent and Capacity Board
  • the individual’s spouse or partner
  • the individual’s child or parent
  • a parent with only a right of access
  • a brother or sister
  • any other relative
  • the Public Guardian and Trustee (as a last resort)

Page 39: Collection of Information

• As a general rule, consent is required for any “collection” of an individual’s PHI, unless PHIPA allows the collection without consent
• With limited exceptions, HICs must collect PHI directly from the individual involved

Page 40: Indirect Collection of Information

• HICs may collect PHI indirectly where, for example:
  • the individual consents
  • the collection is necessary for providing health care and it is not possible to collect PHI directly from the individual that can be relied on as accurate and complete
  • the collection is necessary for providing health care and it is not possible to collect PHI directly from the individual in a timely manner
  • the indirect collection is required or permitted by law

Page 41: Use of Information

• Consent is required for the “use” of PHI, except where the use is:
  • for planning or delivering programs or services of the HIC
  • for the purpose of obtaining payment, or processing, monitoring, verifying or reimbursing claims for payment
  • for risk management or error management, or in order to improve or maintain the quality of services
  • for research (with research ethics board approval)
  • permitted or required by law

Page 42: Disclosure of Information

• As a general rule, consent is required for the “disclosure” of PHI, unless PHIPA allows the disclosure without consent. The following are examples of disclosures where consent is not required:
  • to another HIC where it is reasonably necessary for the provision of health care to the individual and it is not possible to get consent in a timely manner, unless the individual has expressly instructed otherwise
  • for contacting a relative, friend or SDM of an individual who is incapacitated, injured, or ill and unable to consent personally
  • where necessary to eliminate or reduce a significant risk of serious bodily harm to a person or group
  • to a health professions college under the Regulated Health Professions Act, 1991
  • to a person carrying out an inspection, investigation or similar procedure that is authorized by a warrant or under an Act

Page 43: Access

• An individual has a right to “access” his/her record of PHI, subject to limited exceptions
• Where a restriction on access applies, an individual has a right of access to that part of the record that can be severed
• A HIC must respond as soon as possible to a written access request, but no later than 30 days after receiving the request, subject to a 30-day extension
• An individual can request that the HIC expedite the request, where necessary

Page 44: Access Exemptions

• Record collected/created in anticipation of, or for use in, a legal proceeding, and that proceeding is not concluded
• Record collected/created in the course of an inspection or investigation, and that process is not concluded
• Record is subject to a legal privilege that restricts disclosure of the information to the individual
• A provincial or federal Act, or a court order, prohibits disclosure of the information to the individual

Page 45: Access Exemptions …cont’d

• Granting access could result in:
  • risk of serious harm to the treatment/recovery of the individual, or of serious bodily harm to the individual or others
  • identification of a person who provided the information in the record in confidence, if the Custodian considers it appropriate to keep that person’s identity confidential
  • identification of a person who was required by law to provide the information in the record

Page 46: Correction

• An individual may request a HIC to make a “correction” to his/her record
• A HIC must correct the record where the individual demonstrates that the record is incomplete or inaccurate for the purposes for which the HIC uses the record, unless an exception applies

Page 47: Correction …cont’d

• A HIC is not required to correct a professional opinion or observation made in good faith, or a record that was not originally created by the HIC where the HIC has insufficient knowledge or authority to make the correction
• Where a HIC refuses to make a correction, the HIC must inform the individual of the refusal, provide reasons, and inform them of the right to appeal the refusal or the right to attach a statement of disagreement

Page 48: Proposed PHIPA Amendments

• On September 16, 2015, the Minister of Health introduced Bill 119, the Health Information Protection Act, 2015 (HIPA), which proposes to amend a number of statutes, including PHIPA

Page 49: Proposed PHIPA Amendments …cont’d: Change in Definitions

• The definition of “use” would be amended
• While the term “use” is currently defined as “handle or deal with personal health information”, the proposed amendments would expand the definition to “view, handle and otherwise deal with personal health information”

Page 50: Proposed PHIPA Amendments …cont’d: Notices to Patients and IPC of Privacy Breaches

• HICs would be required to notify the individual at the first reasonable opportunity where PHI is stolen, lost, or used or disclosed without authority
• In addition, in certain circumstances, the HIC would also be required to notify the IPC


Proposed PHIPA Amendments …cont’d

Responsibilities of HICs and Agents

• Agents can only collect, use, disclose, retain or dispose of PHI where “necessary” in the course of the agent’s duties

• HIC would be required to take steps that are reasonable in the circumstances to ensure that agents are acting within their authority

• HICs would be able to impose any conditions or restrictions on permissions given to agents

51


Proposed PHIPA Amendments …cont’d

Mandatory Reporting of Privacy Breaches to Regulatory Colleges

• HICs that employ, grant privileges to, or are otherwise affiliated with a health care practitioner would be required to make a report to the relevant health professions regulatory college within 30 days of any of the following events:

  • An employee is terminated, suspended or is subject to disciplinary action as a result of the unauthorized collection, use, disclosure, retention or disposal of PHI

52


Proposed PHIPA Amendments …cont’d

Mandatory Reporting of Privacy Breaches to Regulatory Colleges …cont’d

  • An employee resigns and the HIC has reasonable grounds to believe that the resignation is related to an investigation or other action related to an unauthorized collection, use, disclosure, retention or disposal of PHI

53


Proposed PHIPA Amendments …cont’d

IPC Inspection Powers

• Would be expanded to clarify that the IPC may enter and inspect any premises without a warrant or court order where the IPC has reasonable grounds to believe that an offence has been committed under PHIPA

54


Proposed PHIPA Amendments …cont’d

Prosecutions & Fines

• Prosecutions could be initiated on the consent of the Attorney General, rather than requiring the prosecution to be commenced by the Attorney General

• Would remove the limitation period to commence a prosecution (which is currently 6 months)

• Maximum fines would be doubled from $50,000 to $100,000 for individuals, and from $250,000 to $500,000 for organizations, found guilty of an offence under PHIPA

55


Proposed PHIPA Amendments …cont’d

Establishment of an Electronic Health Record (EHR)

• The EHR would be an electronic system developed and maintained by a Government-prescribed organization to enable HICs to collect, use and disclose PHI for the purpose of providing health care.

56


Practice Tips

• Be aware of your legal obligations – PHIPA

• Be aware of your professional obligations – College of Chiropractors of Ontario

• Establish a Privacy Policy

• Educate staff with respect to privacy expectations

• Create a culture of privacy in your office

• Ensure that patients are aware of your commitment to privacy

• Stay aware of developments in the area of health privacy, including by reviewing the IPC website

57


Questions

Lad Kucis
Partner
Gardiner Roberts LLP
416-864-3114
[email protected]
or
Connect via LinkedIn

58