Www.ipc.on.ca Building Privacy into Health Information Technology Ann Cavoukian, Ph.D. Information & Privacy Commissioner/Ontario Information Technology.

Presentation transcript:

Building Privacy into Health Information Technology
Ann Cavoukian, Ph.D.
Information & Privacy Commissioner/Ontario
Information Technology Association of Canada
November 3, 2004, Toronto, Ontario

Slide 2: Health Privacy is Critical
- The need for privacy has never been greater:
  - Extreme sensitivity of personal health information
  - Patchwork of rules across the health sector, with some areas currently unregulated
  - Increasing electronic exchanges of health information
  - Multiple providers involved in the health care of an individual; the need to integrate services
  - Development of health networks
  - Growing emphasis on improved use of technology, including computerized patient records

Slide 3: Unique Characteristics of Personal Health Information
- Highly sensitive and personal in nature
- Must be shared immediately and accurately among a range of health care providers for the benefit of the individual
- Widely used and disclosed for secondary purposes that are seen to be in the public interest (e.g., research, planning, fraud investigation, quality assurance)

Slide 4: Ontario's Personal Health Information Protection Act (PHIPA)
- Comes into effect November 1, 2004
- Schedule A: the Personal Health Information Protection Act (PHIPA)
- Schedule B: the Quality of Care Information Protection Act (QOCIPA)

Slide 5: PHIPA, Based on Fair Information Practices
- Accountability
- Identifying Purposes
- Consent
- Limiting Collection
- Limiting Use, Disclosure, Retention
- Accuracy
- Safeguards
- Openness
- Individual Access
- Challenging Compliance

Slide 6: Strengths of PHIPA
- Implied consent for sharing of personal health information within the circle of care
- Creation of a health data institute to address criticism of "directed disclosures"
- Open regulation-making process to bring public scrutiny to future regulations
- Adequate powers of investigation to ensure that complaints are properly reviewed

Slide 7: Scope of PHIPA
- Health information custodians (HICs) that collect, use and disclose personal health information (PHI)
- Non-health information custodians where they receive personal health information from a health information custodian (use and disclosure provisions)

Slide 8: Health Information Custodian
- Definition includes:
  - Health care practitioner
  - Hospitals and independent health facilities
  - Homes for the aged and nursing homes
  - Pharmacies
  - Laboratories
  - Home for special care
  - A centre, program or service for community health or mental health

Slide 9: Records Management: General Practices
- Must take reasonable steps to ensure accuracy
- Must maintain the security of PHI
- Must have a contact person to ensure compliance with the Act and respond to access/correction requests, inquiries and complaints from the public
- Must have information practices in place that comply with the Act
- Must make available a written statement of information practices
- Must be responsible for the actions of agents

Slide 10: Requirements With Implications for Health Information Technology
- Use of electronic means
- Providers to custodians
- General security
- Consent (implied or express)
- Withdrawal or withholding of consent (lock box)
- Right to access and request correction of personal health information

Slide 11: Use of Electronic Means
- "A health information custodian that uses electronic means to collect, use, modify, disclose, retain or dispose of personal health information shall comply with the prescribed requirements, if any." (Section 10(3))
- No regulations have been proposed

Slide 12: Providers to Custodians
- "A person who provides goods and services for the purpose of enabling a health information custodian to use electronic means to collect, use, modify, disclose, retain or dispose of personal health information shall comply with the prescribed requirements, if any." (Section 10(4))

Slide 13: General Regulations that Apply to All Providers
- Can only use information as necessary in the course of providing services
- Cannot disclose any information
- Provider must ensure that all employees and agents comply with the restrictions
- The release of information to a provider that is not an agent of the custodian is not considered to be a disclosure as long as the provider complies with the regulations
(O. Reg. 329/04, s. 6 (1) and 6 (4))

Slide 14: Types of Providers
- Software vendors (e.g., electronic health record)
- Hardware vendors
- Health information network providers (e.g., SSHA, telehealth)

Slide 15: Definition of Health Information Network Provider
- A person who provides services to two or more health information custodians, where the services are provided primarily to custodians to enable the custodians to use electronic means to disclose personal health information to one another, whether or not the person is an agent of any of the custodians
(O. Reg. 329/04, s. 6 (2))

Slide 16: Regulations for Health Information Network Providers
- Must notify the custodian of any breach of the requirements for providers
- Must provide the custodian with a description of services and safeguards, to share with individuals
- Must make available to the public the description of services provided; the directives, guidelines and policies that apply; and a general description of safeguards
(O. Reg. 329/04, s. 6 (3))

Slide 17: Regulations for Health Information Network Providers (cont'd)
- Must provide to the custodian, upon request, an electronic record of all accesses and transfers of information
- Must perform and provide to the custodian an assessment of threats, vulnerabilities and risks to the security and integrity of the information, and of how the services may affect privacy
- Must require any third party it retains to comply with the restrictions and conditions
(O. Reg. 329/04, s. 6 (3))

Slide 18: Regulations for Health Information Network Providers (cont'd)
- Must enter into an agreement with each custodian that:
  - describes the services to be provided
  - describes the administrative, technical and physical safeguards relating to confidentiality and security
  - requires the provider to comply with the Act and its regulations
(O. Reg. 329/04, s. 6 (3))

Slide 19: Security Requirement
- "A health information custodian shall take steps that are reasonable in the circumstances to ensure that personal health information in the custodian's custody or control is protected against theft, loss and unauthorized use or disclosure and to ensure that the records containing the information are protected against unauthorized copying, modification or disposal." (Section 12(1))

Slide 20: Implied Consent
- Custodians may imply consent when disclosing personal health information to other custodians for the purpose of providing health care to the individual

Slide 21: Lock Box
- Applies where the individual expressly withholds or withdraws consent
- Public hospitals have until Nov 1, 2005 to comply with the lock box requirements (Section 31(2))
- Information technology must:
  - Flag information to be locked
  - Ensure that disclosure of locked information is blocked
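The two IT obligations on Slide 21 (flag locked information, block its disclosure) and the access/transfer record that Slide 17 requires of network providers fit naturally into one small data model. The following is an added example, not code from the IPC or from any PHIPA implementation; the record structure, the `HealthRecord` class, the log format and the sample patient data are all constructed for illustration. It shows a lock flag that is checked at the single point where information leaves the custodian, so a locked item cannot be disclosed by accident, and every lock change, access and transfer is appended to an electronic record.

```python
"""Added example (not from the IPC presentation): a minimal lock box
with an electronic record of accesses and transfers.  All names and
sample data below are constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class PhiItem:
    item_id: str
    category: str          # e.g. "medication", "diagnosis" (constructed labels)
    content: str
    locked: bool = False   # True once the individual withholds or withdraws consent


@dataclass
class DisclosureResult:
    disclosed: list        # item ids actually sent to the recipient
    withheld_count: int    # locked items kept back (for the custodian's own tracking)


class HealthRecord:
    """One individual's PHI plus the access/transfer log kept alongside it."""

    def __init__(self, patient_ref):
        self.patient_ref = patient_ref
        self.items = {}
        self.access_log = []   # the electronic record of accesses and transfers

    def _log(self, event, actor, item_ids, **extra):
        entry = {"when": datetime.now(timezone.utc).isoformat(),
                 "event": event, "actor": actor, "items": list(item_ids)}
        entry.update(extra)
        self.access_log.append(entry)

    def add_item(self, item):
        self.items[item.item_id] = item

    def set_lock(self, item_id, locked, requested_by):
        """Flag (or unflag) an item; the change itself is logged."""
        self.items[item_id].locked = locked
        self._log("lock" if locked else "unlock", requested_by, [item_id])

    def read(self, item_id, actor):
        """Internal access by the custodian's own agent: logged, not blocked by the lock."""
        self._log("access", actor, [item_id])
        return self.items[item_id].content

    def disclose_to_custodian(self, recipient, actor):
        """The one exit point for PHI leaving this custodian.  Locked items are
        filtered here, so no caller can send them even by mistake."""
        disclosed = [i.item_id for i in self.items.values() if not i.locked]
        withheld = len(self.items) - len(disclosed)
        self._log("transfer", actor, disclosed, recipient=recipient, withheld=withheld)
        return DisclosureResult(disclosed, withheld)


def build_sample_record():
    """Constructed sample data: three items, one of which the individual locks."""
    rec = HealthRecord("patient-0001")   # hypothetical internal reference
    rec.add_item(PhiItem("item-1", "allergy", "penicillin"))
    rec.add_item(PhiItem("item-2", "medication", "metformin 500 mg"))
    rec.add_item(PhiItem("item-3", "diagnosis", "sample sensitive diagnosis"))
    rec.set_lock("item-3", True, requested_by="patient-0001")
    return rec


if __name__ == "__main__":
    record = build_sample_record()
    result = record.disclose_to_custodian("Clinic B", actor="nurse-01")
    print("disclosed:", result.disclosed, "withheld:", result.withheld_count)
    for line in record.access_log:
        print(line)
```

The design point is that the lock is enforced in `disclose_to_custodian`, not by asking each caller to remember the flag; a reviewer auditing the code needs to check one function. Whether a recipient should be told that something was withheld is a policy decision the slides do not address, so the count here is returned to the custodian only.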

Slide 22: Express Consent
- Required when a custodian discloses to a non-custodian
- Required when a custodian discloses to another custodian for a purpose other than providing health care to the individual
- Required for marketing and fundraising (when using more than name and specified contact information)

Slide 23: Right of Access and Correction
PHIPA expands and codifies the common-law right of access:
- Right of access to all records of personal health information about the individual in the custody or control of any health information custodian (some exceptions)
- Provides the right to correct their records of personal health information (some exceptions)

Slide 24: Access
- Custodian must make the record available or provide a copy, if requested
- Custodian must respond to the request within 30 days, with a possible 30-day extension
- Custodian must take reasonable steps to be satisfied of the individual's identity
- Custodian must offer assistance in reformulating a request that lacks sufficient detail

Slide 25: How to Correct Records
- By striking out the incorrect information in a manner that does not obliterate it; or
- By labeling the information as incorrect and severing it from the record, while maintaining a link to the record; or
- If the correction cannot be recorded in the record, the custodian must ensure there is a practical system to inform persons accessing the record that the information is incorrect and where to obtain the correct information

Slide 26: Notice of Correction
- At the request of the individual, the custodian must give written notice of the requested correction, to the extent reasonably possible, to persons to whom the custodian has disclosed the information
- Exception: if the correction cannot reasonably be expected to have an effect on the ongoing provision of health care or other benefits

Slide 27: Statement of Disagreement
- If the custodian refuses a correction request, the individual is entitled to require the custodian to attach to the record a statement of disagreement prepared by the individual
- Custodian must make reasonable efforts to notify anyone who would have been notified if there had been a correction
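Slides 25 to 27 describe one correction workflow: strike out without obliterating, or label and sever while keeping a link, or attach the individual's statement of disagreement when the correction is refused. The following is an added example of how a record store can honour those rules; it is not code from the IPC or from any electronic health record product, and the `CorrectableRecord` class, its entry statuses and the sample entries are constructed for illustration. The invariant worth testing is that no path ever deletes original text.

```python
"""Added example (not from the IPC presentation): record corrections that
never obliterate the original entry.  Names and sample data are constructed."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Entry:
    entry_id: str
    text: str
    status: str = "current"              # "current", "struck", or "severed"
    correction_ref: Optional[str] = None  # id of the entry holding the corrected text
    supersedes: Optional[str] = None      # id of the incorrect entry this one replaces
    disagreement: Optional[str] = None    # individual's statement, if correction refused


class CorrectableRecord:
    def __init__(self):
        self.entries = {}   # the record as persons accessing it see it
        self.severed = {}   # labelled-incorrect entries held apart, linked back by id
        self._seq = 0

    def _new_id(self):
        self._seq += 1
        return f"e{self._seq}"

    def add(self, text):
        eid = self._new_id()
        self.entries[eid] = Entry(eid, text)
        return eid

    def correct_by_strikeout(self, entry_id, corrected_text):
        """Slide 25, first option: the original stays in place, marked struck,
        and points at a new entry that carries the corrected text."""
        old = self.entries[entry_id]
        if old.status != "current":
            raise ValueError(f"{entry_id} has already been corrected")
        new_id = self.add(corrected_text)
        self.entries[new_id].supersedes = entry_id
        old.status, old.correction_ref = "struck", new_id
        return new_id

    def correct_by_severing(self, entry_id, corrected_text):
        """Slide 25, second option: the incorrect entry leaves the main record,
        is labelled incorrect in the severed store, and both sides keep a link."""
        old = self.entries.pop(entry_id)
        if old.status != "current":
            self.entries[entry_id] = old
            raise ValueError(f"{entry_id} has already been corrected")
        new_id = self.add(corrected_text)
        self.entries[new_id].supersedes = entry_id
        old.status, old.correction_ref = "severed", new_id
        self.severed[entry_id] = old
        return new_id

    def refuse_correction(self, entry_id, statement):
        """Slide 27: refused corrections get the individual's statement attached."""
        self.entries[entry_id].disagreement = statement

    def original_text(self, entry_id):
        """The original wording is recoverable whichever path was taken."""
        if entry_id in self.entries:
            return self.entries[entry_id].text
        return self.severed[entry_id].text

    def render(self):
        """What a person accessing the record sees, one line per entry."""
        lines = []
        for e in self.entries.values():
            if e.status == "struck":
                lines.append(f"[STRUCK, see {e.correction_ref}] {e.text}")
            elif e.disagreement:
                lines.append(f"{e.text}  [STATEMENT OF DISAGREEMENT: {e.disagreement}]")
            else:
                lines.append(e.text)
        for e in self.severed.values():
            lines.append(f"[INCORRECT, severed; corrected in {e.correction_ref}]")
        return lines


def build_sample_record():
    """Constructed sample: three entries, each taking a different path."""
    rec = CorrectableRecord()
    rec.add("Allergy: penicillin")                      # e1, corrected by strike-out
    rec.add("Blood type: A positive")                   # e2, corrected by severing
    rec.add("Seen by Dr. Example on 2004-10-20")        # e3, correction refused
    return rec


if __name__ == "__main__":
    rec = build_sample_record()
    rec.correct_by_strikeout("e1", "Allergy: none reported")
    rec.correct_by_severing("e2", "Blood type: O positive")
    rec.refuse_correction("e3", "I was not seen on that date.")
    print("\n".join(rec.render()))
```

Striking out keeps the wrong text visible in context, which suits clinical notes where the history of what was believed matters; severing keeps it out of routine view, which suits information that was simply wrong and should not be re-read. Both leave `original_text` answerable, which is the property a custodian should be able to demonstrate.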

Slide 28: Where do we go from here?
- Start by understanding PHIPA; information is available on the IPC and MOHLTC web sites
- Review your products and services; identify where changes need to occur
- Work with your client partners, particularly for retrofits

Slide 29: Guidance to the Health IT Community
- The IPC, in partnership with the Office of the Corporate Chief Information Officer and the Ministry of Health, is developing a set of health privacy technology principles and best practices, plus boilerplate RFP statements and an implementation strategy, in consultation with the Ontario E-Health Council. We expect to consult with vendors on this document to ensure it is reasonable and fully supports the implementation of the Act.

Slide 30: Public Education Program
- Frequently Asked Questions and Answers available on the IPC website (including hard copies)
- User Guide for Health Information Custodians available on the IPC website (including hard copies)
- IPC PHIPA publications distributed to Colleges and Associations of the Regulated Health Professions
- IPC/MOH brochure for the general public may be placed in reception areas to be distributed to patients

Slide 31: Public Education Program (cont'd)
- IPC is a member of the OHA/OMA/IPC/MOH PHIPA tool kit project
- IPC/OBA "short notices" working group: developing concise, user-friendly notices and consent forms to serve as effective communication tools
- Ongoing meetings with the Regulated Health Professions and the Federation of Health Regulatory Colleges and Associations
- IPC PHIPA awareness article distributed to Colleges/Associations for inclusion in their members' magazines and newsletters

Slide 32: Keeping HICs Informed
- Orders will be public documents and available on our website
- Summaries of mediated cases will be posted to our website
- Relevant data will be regularly made available to the public and health professionals (e.g., number of complaints, examples of successful mediations, common issues)

Slide 33: Making Health Privacy Work
- Think beyond compliance with legislation
- Use technology to help protect personal health information:
  - Build privacy right into design specifications
  - Minimize collection and routine use of personally identifiable information; use aggregate or coded information if possible
  - Use encryption where practicable
  - Think about using pseudonymity and coded data
  - Conduct privacy impact assessments
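Slide 33 recommends minimizing identifiable information and using coded or pseudonymous data where the purpose allows. The following is an added example of what "coded data" can mean in practice; it is not code from the IPC and the field names, the sample records, the key and the `pseudonymize` and `aggregate_by` functions are all constructed. It replaces the health number with a keyed pseudonym (HMAC-SHA-256 under a key held separately from the coded data set), drops the other direct identifiers, generalizes the date of birth to a year, and shows that the coded records still support the aggregate counts a planner or researcher needs.

```python
"""Added example (not from the IPC presentation): producing a coded data set
from identifiable records.  Field names, key and sample data are constructed."""
import hashlib
import hmac
from collections import Counter

# Direct identifiers that never enter the coded data set (constructed list).
DIRECT_IDENTIFIERS = {"name", "health_number", "address", "phone"}

# Fields whose precision is reduced rather than dropped (constructed example).
GENERALIZE = {"date_of_birth": ("birth_year", lambda v: int(v[:4]))}


def make_pseudonym(health_number, key):
    """Keyed pseudonym: the same person always codes to the same value, so
    records can be linked for research, but without the key the value cannot
    be reversed.  A keyed MAC rather than a plain hash matters here because
    health numbers are short and enumerable, so an unkeyed hash could be
    inverted by trying every possible number."""
    return hmac.new(key, health_number.encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymize(record, key):
    """Return a coded copy of one record: pseudonym added, direct identifiers
    removed, generalized fields replaced by their coarser form."""
    coded = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            continue
        if field in GENERALIZE:
            new_name, fn = GENERALIZE[field]
            coded[new_name] = fn(value)
        else:
            coded[field] = value
    coded["pseudonym"] = make_pseudonym(record["health_number"], key)
    return coded


def aggregate_by(coded_records, field):
    """Aggregate counts, the form of output Slide 33 prefers over row-level PHI."""
    return Counter(r[field] for r in coded_records)


# Constructed sample records; the diagnosis codes are placeholders, not real codes.
SAMPLE_RECORDS = [
    {"name": "A. Example", "health_number": "1234567890", "address": "1 Example St",
     "phone": "555-0100", "date_of_birth": "1960-05-14", "diagnosis_code": "DX-1"},
    {"name": "B. Example", "health_number": "2345678901", "address": "2 Example St",
     "phone": "555-0101", "date_of_birth": "1975-11-02", "diagnosis_code": "DX-2"},
    {"name": "A. Example", "health_number": "1234567890", "address": "1 Example St",
     "phone": "555-0100", "date_of_birth": "1960-05-14", "diagnosis_code": "DX-2"},
]

# In a real deployment this key would be generated randomly and held by a
# separate party; a fixed value is used here only so the example is reproducible.
DEMO_KEY = b"constructed-demo-key-not-for-real-use"


def build_coded_dataset(records=SAMPLE_RECORDS, key=DEMO_KEY):
    return [pseudonymize(r, key) for r in records]


if __name__ == "__main__":
    coded = build_coded_dataset()
    for row in coded:
        print(row)
    print(aggregate_by(coded, "diagnosis_code"))
```

Two properties are worth checking in any coding scheme of this kind: the coded rows contain none of the direct identifiers, and the same individual maps to the same pseudonym under one key but to a different one under another, so a data set coded for one project cannot be joined to a data set coded for a different project unless the key holder allows it.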

Slide 34: Stressing the 3 C's
- Consultation: opening lines of communication with the health community and HICs
- Co-operation: rather than confrontation in resolving complaints
- Collaboration: working together to find solutions

How to Contact Us
Commissioner Ann Cavoukian
Information & Privacy Commissioner/Ontario
2 Bloor Street West, Suite 1400
Toronto, Ontario M4W 1A8
Phone: (416)
Web: