1 PHIPA Impact on Health Care Practitioners Ann Cavoukian, Ph.D. Information & Privacy Commissioner/Ontario University of St. Michaels College Barbara Wand Seminar in Professional Ethics May 13, 2005

2 Health Privacy is Critical The need for privacy has never been greater: –Extreme sensitivity of personal health information –Patchwork of rules across the health sector; with some areas previously unregulated –Increasing electronic exchanges of health information –Multiple providers involved in health care of an individual – need to integrate services –Development of health networks –Growing emphasis on improved use of technology, including computerized patient records

3 Unique Characteristics of Personal Health Information Highly sensitive and personal in nature Must be shared immediately and accurately among a range of health care providers for the benefit of the individual Widely used and disclosed for secondary purposes that are seen to be in the public interest (e.g., research, planning, fraud investigation, quality assurance)

4 Unique Characteristics of Psychological Records Possibly the most sensitive PHI Higher risk of stigmatization and discrimination Counseling records are often more detailed and personal than other records Treatment often not publicly funded and may involve private third party players such as an insurance company Treatment is often long-term; this increases pressure from third parties for access to personal records to constantly reassess the need for treatment

5 Ontario’s Personal Health Information Protection Act (PHIPA) Came into effect November 1, 2004 Schedule A – the Personal Health Information Protection Act (PHIPA) Schedule B – the Quality of Care Information Protection Act (QOCIPA)

6 PHIPA – Based on Fair Information Practices Accountability Identifying Purposes Consent Limiting Collection Limiting Use, Disclosure, Retention Accuracy Safeguards Openness Individual Access Challenging Compliance

7 Strengths of PHIPA Implied consent for sharing of personal health information within circle of care No “directed disclosures” by the Minister of Health Open regulation-making process to bring public scrutiny to future regulations Adequate powers of investigation to ensure that complaints are properly reviewed

8 Scope of PHIPA Health information custodians (HICs) that collect, use and disclose personal health information (PHI) Non-health information custodians where they receive personal health information from a health information custodian (use and disclosure provisions)

9 Health Information Custodians Definition includes: –Health care practitioner. –Hospitals and independent health facilities –Homes for the aged and nursing homes –Pharmacies –Laboratories –Home for special care –A centre, program or service for community health or mental health

10 Records Management: General Practices Must take reasonable steps to ensure accuracy. Must maintain the security of PHI Must have a contact person to ensure compliance with Act, respond to access/correction requests, inquiries and complaints from public Must have information practices in place that comply with the Act Must make available a written statement of information practices Must be responsible for actions of agents

11 PHIPA Consent Consent is required for the collection, use, disclosure of PHI, subject to specific exceptions Consent must;  be a consent of the individual  be knowledgeable  relate to the information  not be obtained through deception or coercion Consent may be express or implied

12 Meaningful Consent Forms Notices and consent forms must be concise and understandable to be effective PIPEDA notices and consents used by some health professionals are lengthy, confusing and counterproductive Use notices and consent forms to educate and inform patients, not as an exercise in legal drafting

13 Express Consent Required when a custodian discloses to a non- custodian Required when a custodian discloses to another custodian for a purpose other than providing health care to the individual Required for marketing and fundraising (when using more than name and specified contact information)

14 Implied Consent Custodians may imply consent when disclosing personal health information to other custodians for the purpose of providing health care to the individual Exception: If the individual expressly withholds or withdraws consent (lock box)

15 Form 14 — Revoked in 1995; No statutory basis Originally prescribed under the Mental Health Act (MHA) to fulfill the consent requirement for the disclosure, transmittal or examination of clinical records As of November 1, 2004 —health care providers, under PHIPA, can utilize the generic consent form developed by the Ministry of Health and Long-Term Care (MOHLTC) If a health care provider that is subject to either Act is relying on a previously used Form 14, they must ensure that the previously obtained consent meets the consent requirements of PHIPA You may obtain a copy of a sample consent form from: v_legislation/sample_consent.html#download. Mental Health — Form 14

16 Checks on the Lock Box Notification – if the custodian who discloses believes that all information necessary for the the provision of health care has not been disclosed, the custodian must notify the recipient Override – the custodian may disclose if disclosure is necessary to eliminate or reduce a significant risk of serious bodily harm to a person or a group of persons

17 Delayed Implementation of the Lock Box Public hospitals have until November 1, 2005, to implement the lock box

18 Right of Access and Correction PHIPA Expands and Codifies the Common-Law Right of Access:  Right of access to all records of personal health information about the individual in the custody or control of any health information custodian S ome exceptions — such as raw data from standardized psychological tests or assessments.  Provides right to correct their records of personal health information S ome exceptions — such as a professional opinion or observation made in good faith.

19 Access Custodian must make the record available or provide a copy, if requested Custodian must respond to request within 30 days, with a possible 30 day extension Custodian must take reasonable steps to be satisfied of the individual’s identity Custodian must offer assistance in reformulating a request that lacks sufficient detail

20 Expedited Access Custodian must provide expedited access if the individual requests it and provides evidence that the information is needed urgently and the custodian is reasonably able to respond within the requested time frame.

21 How to Correct Records By striking out the incorrect information in a manner that does not obliterate it; or by labeling the information as incorrect and severing it from the record, while maintaining a link to the record; or if the correction cannot be recorded in the record, the custodian must ensure there is a practical system to inform persons accessing the record that the information is incorrect and where to obtain correct information

22 Notice of Correction At the request of the individual, the custodian must give written notice of the requested correction, to the extent reasonably possible, to persons to who the custodian has disclosed the information Exception: If the correction cannot be reasonably expected to have an effect on the ongoing provision of health care or other benefits

23 Statement of Disagreement If the custodian refuses a correction request, the individual is entitled to require the custodian to attach to the record a statement of disagreement prepared by the individual Custodian must make reasonable efforts to notify anyone who would have been notified if there was a correction

24 Compliance: A Model Don’t discuss confidential information in public areas (e.g. elevators, food courts, hallways) where it may be overheard Don’t leave PHI such as charts, reports and recruitment lists in places where they can be viewed by the public

25 Compliance: A Model (cont’d) Don’t leave the computer terminal with PHI readily visible or accessible Log off the computer if you are going to be absent Access only the information you require

26 Compliance: A Model (cont’d) Don’t reveal confidential information to others without a need for them to know Keep your password to yourself Shred all papers that contain PHI when no longer in use Wear your ID badge at all times

27 Oversight and Enforcement Office of the Information and Privacy Commissioner is the oversight body IPC may investigate where:  A complaint has been received.  Commissioner has reasonable grounds to believe that a person has contravened or is about to contravene the Act IPC has powers to enter and inspect premises, require access to PHI and compel testimony

28 Role of IPC under PHIPA Use of mediation and alternate dispute resolution always stressed Order-making power used as a last resort Conducting public and stakeholder education programs — education is key Comment on an organization’s information practices

29 Complaint Process Complaint can be filed based on access or correction decision of a HIC Complaint can be filed if a person believes the HIC has or is about to contravene the Act or its regulations Complaint will usually relate to the collection, use or disclosure of personal health information

30

31 Public Education Program Frequently Asked Questions and Answers available on IPC website (including hard copies) User Guide for Health Information Custodians available on IPC website (including hard copies) IPC PHIPA publications distributed to Colleges and Associations of the Regulated Health Professions IPC/MOH brochure for the general public: –may be placed in reception areas. –to be distributed to patients

32 Public Education Program (con’t.) IPC member of OHA/OMA/IPC/MOH PHIPA tool kit project IPC/OBA “short notices” working group: –Developing concise, user-friendly notices and consent forms to serve as effective communication tools On-going meetings with Regulated Health Professions, the Federation of Health Regulatory Colleges and Associations IPC PHIPA awareness article distributed to Colleges/Associations for inclusion in their members’ Magazines and Newsletters

33 Keeping HIC’s Informed Orders will be public documents and available on our Web site Summaries of all mediated cases will be available on our website Relevant data will be regularly made available to the public and health professionals (e.g. number of complaints, examples of successful mediations, common issues)

34 Stressing the 3 C’s Consultation –Opening lines of communication with health community and HICs Co-operation –Rather than confrontation in resolving complaints Collaboration –Working together to find solutions

How to Contact Us Commissioner Ann Cavoukian Information & Privacy Commissioner/Ontario 2 Bloor Street East, Suite 1400 Toronto, Ontario M4W 1A8 Phone: (416) Web: