PHIPA: An Overview
Presentation to: Ontario Chiropractic Association
March 2, 2016
Presented by: Lad Kucis

*This presentation is intended to provide a general overview of the Personal Health Information Protection Act, 2004. It is not intended to be construed as legal advice. For legal advice, please consult a lawyer.

Speaker: Lad Kucis
• Lad is the Co-Chair of Gardiner Roberts’ Health Law Group and provides legal assistance to health sector clients
• Frequent author and speaker on various health law issues
• Expertise:
  • Health Law
  • Litigation and Dispute Resolution

The Personal Health Information Protection Act, 2004 (PHIPA)
• Is an Ontario law that governs the collection, use, disclosure, retention and disposal of “personal health information” (PHI) within the health sector
• The object of the statute is to keep PHI confidential and secure, while allowing for the effective delivery of health care
• Applies to all “health information custodians” (HICs) (i.e. persons and organizations that deliver health care) and to persons and organizations that receive information from HICs

Oversight Body
• The Information and Privacy Commissioner of Ontario (the “IPC”) has been designated as the independent oversight body responsible for ensuring that HICs collect, use, disclose, retain and dispose of PHI in accordance with PHIPA
• The IPC possesses wide powers, including with respect to the investigation of complaints, entering and inspecting premises, issuing orders, prosecutions, fines, etc.

PHIPA vs. PIPEDA
• The Personal Information Protection and Electronic Documents Act (PIPEDA) is federal legislation that applies to organizations that collect, use and disclose personal information during the course of “commercial activities”
• PIPEDA does not apply with respect to the collection, use and disclosure of “personal health information” that occurs within Ontario, as PHIPA has been declared to be “substantially similar”
• PIPEDA continues to govern where PHI crosses provincial or national borders

Items to be Reviewed
• What does PHIPA Protect?
• To Whom does PHIPA Apply?
• Responsibilities of HICs
• Safeguarding PHI
• Consent
• Capacity
• Collection, Use & Disclosure
• Access & Correction
• Recently Proposed Amendments to PHIPA

What does PHIPA Protect?: Personal Health Information (PHI)
• PHI is “identifying information” about an individual in oral or recorded form that:
  • relates to the physical or mental health of the individual, including the health history of the individual’s family
  • relates to the providing of health care to the individual, including identifying a person as a provider of health care to the individual
  • identifies an individual’s substitute decision-maker
  • is an individual’s health card number
• PHI also includes identifying information that is not PHI, as defined above, but that is contained in a record that contains PHI (i.e. the “mixed record rule”)

PHI …cont’d
• “Identifying information” means “information that identifies an individual or for which it is reasonable in the circumstances that it could be utilized, either alone or with other information, to identify an individual”
• As such, patients do not have to be explicitly named for information to be considered PHI. Information can also be PHI if it can be used with other information to identify the patient

To Whom does PHIPA Apply?: Health Information Custodians (HICs)
HICs are persons or organizations that have custody or control of PHI and include the following:
• Health Care Practitioners
• A Person who Operates a Group Practice of Health Care Practitioners
• Hospitals
• Psychiatric facilities
• Pharmacies

Agents
• PHIPA also applies to the “agents” of HICs
• An “agent”, in relation to a HIC, means a person that, with the authorization of the Custodian, acts for or on behalf of the Custodian in respect of PHI for the purposes of the Custodian, and not the agent’s own purposes, whether or not the agent has authority to bind the Custodian, whether or not the agent is employed by the Custodian and whether or not the agent is being remunerated

Agents …cont’d
• Under PHIPA, HICs may allow their agents to collect, use, disclose, retain or dispose of PHI on their behalf, if:
  • the HIC is permitted or required to collect, use, disclose, retain or dispose of PHI, as the case may be
  • the collection, use, disclosure, retention or disposal of the PHI is in the course of the agent’s duties and is not contrary to the limits imposed by the HIC or another law
• HICs are responsible for PHI in the custody or control of their agents

Recipients
• PHIPA also applies to the “recipients” of PHI
• A recipient is a non-HIC who receives PHI from a HIC
• A recipient must not use or disclose the information for any purpose other than the purpose for which the HIC was authorized to disclose the information under PHIPA, or for the purpose of carrying out a statutory or legal duty, subject to the regulations or other law

Responsibilities of HICs: Information Practices
• HICs are required to have adequate “information practices” that comply with PHIPA, including:
  • when, how and the purposes for which the HIC routinely collects, uses, modifies, discloses, retains or disposes of PHI
  • the administrative, technical and physical safeguards and practices that the HIC maintains with respect to PHI

Responsibilities of HICs: Appoint a Contact Person
• A HIC must designate a “contact person” or take on the role of “contact person” himself or herself
• A “contact person” is responsible for:
  • facilitating compliance with PHIPA
  • ensuring that all agents are informed of their duties under PHIPA
  • responding to inquiries about the HIC’s information practices
  • responding to requests for access to or correction of PHI Records
  • receiving complaints from the public about alleged breaches of PHIPA
• A “contact person” is considered an “agent” of a HIC

Responsibilities of HICs: Written Public Statement
• HICs are required to make a written statement available to the public that provides:
  • a general description of the HIC’s information practices
  • how to contact the HIC or the contact person, where the HIC has designated a contact person
  • a description of how an individual may obtain access to or request correction of their PHI Record that is in the custody or control of the HIC
  • how to make a complaint to the HIC and/or to the Information and Privacy Commissioner
• If a HIC uses or discloses PHI outside the scope of the information practices set out in the written statement, without the consent of the individual, they are required to notify the individual at the first reasonable opportunity and to make a note of the uses and disclosures (which is to be kept with the record)

Responsibilities of HICs: Reporting Privacy Breaches
• If the PHI of an individual is stolen, lost or accessed by an unauthorized person, the HIC is required to notify the individual at the first reasonable opportunity
• Best practices would also include the development of a thorough privacy breach protocol, which would include items such as containing the breach, assessing the scope of the breach, contacting the affected individuals, investigation/remediation, and revising privacy practices, where necessary

General Limitations & Requirements
• HICs must not collect, use or disclose PHI if other information will serve the purpose
• HICs must not collect, use or disclose more PHI than is reasonably necessary to meet the purpose
• HICs must take reasonable steps to ensure the accuracy of the PHI that they use or disclose

Responsibilities of HICs: Safeguarding PHI
• HICs must safeguard PHI in their custody or control by taking steps that are reasonable in the circumstances to ensure that:
  • PHI is protected against theft, loss and unauthorized use or disclosure
  • PHI Records are protected against unauthorized copying, modification or disposal
  • PHI Records are retained, transferred and disposed of in a secure manner

Physical Safeguards
• Examples of physical safeguards for PHI Records include:
  • storing paper PHI Records in locked filing cabinets
  • ensuring that PHI Records are supervised when they are not locked
  • restricting office access to authorized personnel (i.e. through locks, pass codes and alarm systems)
  • ensuring that faxes and printers are kept in a restricted area and are directly monitored while running
  • protecting against the effects of fire

Technical Safeguards
• Examples of technical safeguards for PHI Records include:
  • all staff should have their own computers, wherever possible. At the very least, all staff should have their own login names and passwords to access PHI
  • passwords should not be easy to guess and should be changed regularly
  • encrypting information and removing identifiers
  • installing firewalls
  • using anti-virus protection
  • access should be removed as soon as a staff member leaves
  • an administrator login and password should be established
  • automatic back-up for file recovery should be set up

Technical Safeguards …cont’d
• Electronic PHI Records should have an audit trail that records the date and time of each entry, showing any changes in a record and preserving the original information when PHI is changed, updated or corrected

Administrative Safeguards
• Examples of administrative safeguards for PHI Records include:
  • appointment of a staff member who is responsible for security issues
  • security clearances for staff members and other applicable agents
  • confidentiality agreements for all staff members and other applicable agents
  • restricting access to certain PHI to certain employees

Administrative Safeguards …cont’d
• The most important administrative control is the establishment of a privacy policy, outlining the HIC’s information practices and rules regarding PHI security, including instructions as to how to deal with a privacy breach, if and when it occurs (i.e. a privacy breach protocol)
• All staff should receive thorough training to ensure that they are completely familiar with all aspects of the privacy policy
• Regular audits to ensure compliance with the privacy policy and to determine whether changes should be made

Transfer of PHI Records
• HICs are responsible for the secure transfer of PHI Records, which may include transfers to other HICs, facilities, or successors
• To ensure the secure transfer of PHI Records, HICs would be well advised to only transfer records personally or through a staff member agent
• If a third party agent is used (i.e. a courier company), they should be required to enter into an agreement acknowledging that they understand the importance of safeguarding PHI Records and will provide written confirmation when the transfer is completed

Disposal of PHI
• HICs must ensure that PHI Records are disposed of in a secure manner
• PHI Records must be destroyed in such a manner that the reconstruction of the record is not reasonably possible
• Documents that HICs should maintain with respect to PHI Record disposal:
  • Written agreements with agents
  • Policy outlining disposal procedures
  • A ledger outlining the particulars of the disposal process:
    • identification of the PHI disposed of;
    • the manner in which the PHI was disposed of;
    • the name of the individual whose PHI was disposed of;
    • the date of disposal; and
    • the name and telephone number of the individual who disposed of the PHI

Disposal – Paper Records
• For paper records, secure disposal consists of permanently destroying the documents by irreversible shredding (i.e. cross-cutting) or pulverizing, thus making them unreadable
• HICs are responsible for ensuring that steps are taken to ensure that no unauthorized person will have access to the records throughout the disposal process

Disposal – Electronic Records
• May involve physical destruction, permanent deletion or overwriting the information
• HICs would be well advised to consult an expert to ensure that appropriate technology is used to ensure electronic PHI is permanently destroyed

Consent
• The general rule is that a HIC needs to obtain an individual’s consent to collect, use or disclose PHI, unless PHIPA authorizes the collection, use or disclosure without consent
• Consent must be:
  • Knowledgeable (i.e. the individual is aware of the purpose of the collection, use or disclosure and that they may give or withhold consent)
  • Voluntary (i.e. not obtained through deception or coercion)
  • Related to the information in question
  • Given by the individual
• A consent may be “express” or “implied”, unless PHIPA requires it to be express

What is the Difference between Express and Implied Consent?
• An express consent is a consent that has been clearly and unmistakeably given, either orally or in writing
• An implied consent is a consent that a HIC concludes has been given based on an individual’s action or inaction, in the particular factual circumstances

Where Express Consent is Required
• Subject to limited exceptions, express consent is required in the following circumstances:
  • disclosures to non-HICs (i.e. to an employer/insurer)
  • disclosures to other HICs for non-health care purposes

Implied Consent
• HICs are not required to obtain an individual’s oral or written consent every time that PHI is collected, used or disclosed
• HICs can rely on the implied consent of the individual to collect and use PHI for most purposes

Implied Consent: “Circle of Care”
• HICs can also rely on an assumed implied consent when collecting, using or disclosing PHI to another HIC within the “circle of care” for the purpose of providing health care to the individual
• The term “circle of care” is not defined under PHIPA, but is rather a term of reference used to describe the provisions of PHIPA that enable HICs to rely on an individual’s assumed implied consent for the purpose of providing health care to the individual

Implied Consent: “Circle of Care” …cont’d
• With respect to a chiropractor’s office, the “circle of care” may include:
  • the chiropractor
  • a nurse
  • a specialist
  • another health care practitioner referred to by the chiropractor
  • a health care practitioner selected by the patient, such as a pharmacist or massage therapist

The “lock box”
• The “lock box” principle describes the right of an individual to withhold or withdraw their consent to the collection, use or disclosure of their PHI for health care purposes
• The withholding or withdrawing of PHI may take various forms, including not disclosing certain PHI, not disclosing PHI to certain HICs, not disclosing PHI to certain types of HICs, etc.

Restrictions/Limitations on the “lock box”
• If PHIPA contemplates a disclosure without consent (i.e. where the HIC believes, on reasonable grounds, that the disclosure is necessary for the purpose of eliminating or reducing a significant risk of bodily harm to an individual or group of individuals)
• A HIC must record information about an individual that is required by law or by established standards of professional practice
• If a HIC discloses PHI to another HIC for the provision of health care and the disclosing HIC does not have consent to disclose all the PHI that it considers reasonably necessary for that purpose, the disclosing HIC must notify the receiving HIC of that fact

Withdrawal of Consent
• An individual may withdraw consent by notifying the HIC in writing
• A withdrawal does not have retroactive effect

Capacity
• Under PHIPA, individuals are presumed to be capable of making their own decisions regarding the collection, use, or disclosure of their PHI
• Individuals are capable of consent if they are able to:
  • Understand information relevant to deciding whether to consent to the collection, use or disclosure of their PHI; and
  • Appreciate the reasonably foreseeable consequences of giving, not giving, withholding or withdrawing their consent
• If a HIC believes that an individual is incapable of providing consent, PHIPA permits a substitute decision-maker (SDM) to make a decision on the individual’s behalf

Ranking Order of SDMs
• PHIPA provides a hierarchy of SDMs who are authorized to consent on behalf of an incapable individual
• These SDMs are, in order of priority:
  • a statutory or court appointed guardian of the person or guardian of property (with authority)
  • attorney for personal care or attorney for property
  • a representative appointed by the Consent and Capacity Board
  • the individual’s spouse or partner
  • the individual’s child or parent
  • a parent with only a right of access
  • a brother or sister
  • any other relative
  • Public Guardian and Trustee (as last resort)

Collection of Information
• As a general rule, consent is required for any “collection” of an individual’s PHI, unless PHIPA allows the collection without consent
• With limited exceptions, HICs must collect PHI directly from the individual involved

Indirect Collection of Information
• HICs may collect PHI indirectly where, for example:
  • the individual consents
  • the collection is necessary for providing health care and it is not possible to collect PHI directly from the individual that can be relied on as accurate and complete
  • the collection is necessary for providing health care and it is not possible to collect PHI directly from the individual in a timely manner
  • the indirect collection is required or permitted by law

Use of Information
• Consent is required for the “use” of PHI, except where the use is:
  • for planning or delivering programs or services of the HIC
  • for the purpose of obtaining payment, or processing, monitoring, verifying or reimbursing claims for payment
  • for risk management or error management, in order to improve or maintain quality of services
  • for research (with research ethics board approval)
  • permitted or required by law

Disclosure of Information
• As a general rule, consent is required for the “disclosure” of PHI, unless PHIPA allows the disclosure without consent. The following are examples of disclosures where consent is not required:
  • to another HIC where it is reasonably necessary for the provision of health care to the individual and it is not possible to get consent in a timely manner, unless the individual has expressly instructed otherwise
  • for contacting a relative, friend or SDM of an individual who is incapacitated, injured, or ill and unable to consent personally
  • necessary to eliminate or reduce a significant risk of serious bodily harm to a person or group
  • to a health professions college under the Regulated Health Professions Act, 1991
  • to a person carrying out an inspection, investigation or similar procedure that is authorized by a warrant or under an Act

Access
• An individual has a right to “access” his/her record of PHI, subject to limited exceptions
• Where a restriction on access applies, an individual has a right of access to that part of the record that can be severed
• A HIC must respond as soon as possible to a written access request, but no later than 30 days after receiving the request, subject to a 30-day extension
• An individual can request that the HIC expedite the request, where necessary

Access Exemptions
• Record collected/created in anticipation of, or for use in, a legal proceeding, and that proceeding is not concluded
• Record collected/created in the course of an inspection or investigation, and that process is not concluded
• Record is subject to a legal privilege that restricts disclosure of the information to the individual
• A provincial or federal Act, or a court order, prohibits disclosure of the information to the individual

Access Exemptions …cont’d
• Granting access could result in:
  • risk of serious harm to the treatment/recovery of the individual, or of serious bodily harm to the individual or others
  • identification of the person who provided the information in the record in confidence, if the Custodian considers it appropriate to keep that person’s identity confidential
  • identification of the person who was required by law to provide the information in the record

Correction
• An individual may request a HIC to make a “correction” to his/her record
• A HIC must correct the record where the individual demonstrates that the record is incomplete or inaccurate for the purposes for which the HIC uses the record, unless an exception applies

Correction …cont’d
• A HIC is not required to correct a professional opinion or observation made in good faith, or a record that was not originally created by the HIC where the HIC has insufficient knowledge or authority to make the correction
• Where a HIC refuses to make a correction, the HIC must inform the individual of the refusal, provide reasons and inform them of the right to appeal the refusal or the right to attach a statement of disagreement
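The audit trail called for under Technical Safeguards (date and time of each entry, changes shown, original information preserved), combined with the correction and statement-of-disagreement rules from the Correction slides, as an added example that is not part of the presentation. The record id, field names and actor labels are constructed sample values.

```python
# Added example (not from the presentation): an append-only audit trail for an
# electronic PHI record. Each change is logged with a timestamp, the acting agent
# and the prior value, so original information survives updates and corrections,
# and a refused correction can carry the individual's statement of disagreement.
# Record ids, field names and actor labels are constructed sample values.
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Any


@dataclass(frozen=True)
class AuditEntry:
    timestamp: str    # UTC ISO-8601 time of the entry
    actor: str        # agent who made the entry
    action: str       # "create", "update", "correct" or "disagreement"
    field_name: str
    old_value: Any    # value before the change (None on creation)
    new_value: Any    # value after the change, or the disagreement text


class AuditedPhiRecord:
    """PHI record whose full history is kept in an append-only trail."""

    def __init__(self, record_id: str, actor: str, initial: dict[str, Any]):
        self.record_id = record_id
        self._current: dict[str, Any] = {}
        self._trail: list[AuditEntry] = []
        for name, value in initial.items():
            self._append(actor, "create", name, value)

    @staticmethod
    def _now() -> str:
        return datetime.now(timezone.utc).isoformat(timespec="seconds")

    def _append(self, actor: str, action: str, field_name: str, new_value: Any) -> None:
        old = self._current.get(field_name)
        self._trail.append(AuditEntry(self._now(), actor, action, field_name, old, new_value))
        if action != "disagreement":      # a disagreement never alters the field itself
            self._current[field_name] = new_value

    def update(self, actor: str, field_name: str, value: Any) -> None:
        """Routine clinical update; the prior value stays in the trail."""
        self._append(actor, "update", field_name, value)

    def correct(self, actor: str, field_name: str, value: Any) -> None:
        """Correction requested by the individual and accepted by the HIC."""
        self._append(actor, "correct", field_name, value)

    def attach_disagreement(self, actor: str, field_name: str, statement: str) -> None:
        """Refused correction: attach the individual's statement, field unchanged."""
        self._append(actor, "disagreement", field_name, statement)

    @property
    def current(self) -> dict[str, Any]:
        return dict(self._current)

    @property
    def trail(self) -> tuple[AuditEntry, ...]:
        return tuple(self._trail)

    def original(self, field_name: str) -> Any:
        """Value recorded when the field was first created."""
        for e in self._trail:
            if e.field_name == field_name and e.action == "create":
                return e.new_value
        raise KeyError(field_name)

    def history(self, field_name: str) -> list[AuditEntry]:
        """All trail entries touching one field, oldest first."""
        return [e for e in self._trail if e.field_name == field_name]


if __name__ == "__main__":
    rec = AuditedPhiRecord("sample-0001", "chiropractor", {"diagnosis": "lumbar strain"})
    rec.update("chiropractor", "diagnosis", "lumbar strain, improving")
    rec.attach_disagreement("contact_person", "diagnosis", "Patient disputes onset date.")
    for e in rec.trail:
        print(e.timestamp, e.actor, e.action, e.field_name, repr(e.old_value), "->", repr(e.new_value))
```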

Proposed PHIPA Amendments
• On September 16, 2015, the Minister of Health introduced Bill 119, the Health Information Protection Act, 2015 (HIPA), which proposes to amend a number of statutes, including PHIPA

Proposed PHIPA Amendments …cont’d: Change in Definitions
• Definition of “use” would be amended
• While the term “use” is currently defined as “handle or deal with personal health information”, the proposed amendments would expand the definition to “view, handle and otherwise deal with personal health information”

Proposed PHIPA Amendments …cont’d: Notices to Patients and IPC of Privacy Breaches
• HICs would be required to notify the individual at the first reasonable opportunity where PHI is stolen, lost or if it is used or disclosed without authority
• In addition, in certain circumstances, the HIC would also be required to notify the IPC

Proposed PHIPA Amendments …cont’d: Responsibilities of HICs and Agents
• Agents could only collect, use, disclose, retain or dispose of PHI where “necessary” in the course of the agent’s duties
• HICs would be required to take steps that are reasonable in the circumstances to ensure that agents are acting within their authority
• HICs would be able to impose conditions or restrictions on the permissions given to agents

Proposed PHIPA Amendments …cont’d: Mandatory Reporting of Privacy Breaches to Regulatory Colleges
• HICs that employ, grant privileges to, or are otherwise affiliated with a health care practitioner would be required to make a report to the relevant health professions regulatory college within 30 days of any of the following events:
  • An employee is terminated, suspended or is subject to disciplinary action as a result of the unauthorized collection, use, disclosure, retention or disposal of PHI

Proposed PHIPA Amendments …cont’d: Mandatory Reporting of Privacy Breaches to Regulatory Colleges …cont’d
  • An employee resigns and the HIC has reasonable grounds to believe that the resignation is related to an investigation or other action related to an unauthorized collection, use, disclosure, retention or disposal of PHI

Proposed PHIPA Amendments …cont’d: IPC Inspection Powers
• Would be expanded to clarify that the IPC may enter and inspect any premises without a warrant or court order where the IPC has reasonable grounds to believe that an offence has been committed under PHIPA

Proposed PHIPA Amendments …cont’d: Prosecutions & Fines
• Prosecutions could be initiated on the consent of the Attorney General, rather than requiring the prosecution to be commenced by the Attorney General
• Would remove the limitation period to commence a prosecution (which is currently 6 months)
• Maximum fines would be doubled from $50,000 to $100,000 for individuals and from $250,000 to $500,000 for organizations that are found guilty of an offence under PHIPA

Proposed PHIPA Amendments …cont’d: Establishment of an Electronic Health Record (EHR)
• The EHR would be an electronic system developed and maintained by a Government prescribed organization to enable HICs to collect, use and disclose PHI for the purpose of providing health care.

Practice Tips
• Be aware of your legal obligations – PHIPA
• Be aware of your professional obligations – College of Chiropractors of Ontario
• Establish a Privacy Policy
• Educate staff with respect to privacy expectations
• Create a culture of privacy in your office
• Ensure that patients are aware of your commitment to privacy
• Stay aware of developments in the area of health privacy, including by reviewing the IPC website

Questions
Lad Kucis
Partner
Gardiner Roberts LLP
416-864-3114
or
Connect via LinkedIn