Health Information Protection Act An Overview


1 Health Information Protection Act An Overview
Ann Cavoukian, Ph.D.
Information & Privacy Commissioner/Ontario
Ontario Health Records Association
May 7, 2004

2 Ontario’s Health Information Protection Act, 2003 (HIPA)
- Ontario government introduced health privacy bill (Bill 31) on December 17, 2003
- Standing Committee on General Government held public hearings and completed clause-by-clause study
- Received Second Reading on April 8, 2004
- Second clause-by-clause review completed April 18, 2004
- Expected to come into effect November 1, 2004

3 Bill 31 – Two parts
- Schedule A – the Personal Health Information Protection Act (PHIPA)
- Schedule B – the Quality of Care Information Protection Act (QOCIPA)

4 Bill 31 – Based on Fair Information Practices
- Accountability
- Identifying Purposes
- Consent
- Limiting Collection
- Limiting Use, Disclosure, Retention
- Accuracy
- Safeguards
- Openness
- Individual Access
- Challenging Compliance

5 Scope of PHIPA
- Health information custodians (HICs) that collect, use and disclose personal health information (PHI)
- Non-health information custodians where they receive personal health information from a health information custodian (use and disclosure provisions)

6 Health Information Custodians
Definition includes:
- Health care practitioner
- Hospitals and independent health facilities
- Homes for the aged and nursing homes
- Pharmacies
- Laboratories
- Home for special care
- A centre, program or service for community health or mental health
List is not exhaustive
Does not include insurance companies, SSHA, ICES, CIHI, Cancer Care

7 Records Management: General Practices
- Must take reasonable steps to ensure accuracy
- Must maintain the security of PHI
- Must have a contact person to ensure compliance with Act, respond to access/correction requests, inquiries and complaints from public
- Must have information practices in place that comply with the Act
- Must make available a written statement of information practices
- Must be responsible for actions of agents

8 PHIPA Consent
- Consent is required for the collection, use, disclosure of PHI, subject to specific exceptions
- Consent must:
  - be a consent of the individual
  - be knowledgeable
  - relate to the information
  - not be obtained through deception or coercion
- Consent may be express or implied

9 Knowledgeable Consent
- Consent is knowledgeable if it is reasonable in the circumstances to believe that the individual knows:
  - the purpose, and
  - that the individual may provide or withhold consent
- can imply consent if the custodian posts a notice or describes the purpose in a brochure

10 Meaningful Consent Forms
- Notices and consent forms must be concise and understandable to be effective
- PIPEDA notices and consents used by some health professionals are lengthy, confusing and counterproductive
- Use notices and consents to educate and inform patients, not as an exercise in legal drafting

11 Express Consent
- required when a custodian discloses to a non-custodian
- required when a custodian discloses to another custodian for a purpose other than providing health care to the individual

12 Implied Consent
- custodians may imply consent when disclosing personal health information to other custodians for the purpose of providing health care to the individual
- exception – if the individual expressly withholds or withdraws consent (lock box)

13 Checks on the Lock Box
- Notification – if the custodian who discloses believes that all information necessary for the provision of health care has not been disclosed, the custodian must notify the recipient
- Override – the custodian may disclose if disclosure is necessary to eliminate or reduce a significant risk of serious bodily harm to a person or a group of persons

14 Delayed Implementation of the Lock Box
- public hospitals have until November 1, 2005 to implement the lock box

15 Collection, Use and Disclosure Without Consent
Derogations from the consent principle are allowed in limited circumstances.
- As required by law
- To protect the health or safety of the individual or others
- To identify a deceased person or provide reasonable notice of a person’s death

16 Right of Access and Correction
PHIPA Expands and Codifies the Common-Law Right of Access
- Right of access to all records of personal health information about the individual in the custody or control of any health information custodian (some exceptions)
- Provides right to correct their records of personal health information (some exceptions)

17 Access
- custodian must make the record available or provide a copy, if requested
- custodian must respond to request within 30 days, with a possible 30 day extension
- custodian must take reasonable steps to be satisfied of the individual’s identity
- custodian must offer assistance in reformulating a request that lacks sufficient detail

18 Expedited Access
- custodian must provide expedited access if the individual requests it and provides evidence that the information is needed urgently and the custodian is reasonably able to respond within the requested time frame

19 How to Correct Records
- by striking out the incorrect information in a manner that does not obliterate it, or
- by labeling the information as incorrect and severing it from the record, while maintaining a link to the record, or
- if the correction cannot be recorded in the record, the custodian must ensure there is a practical system to inform persons accessing the record that the information is incorrect and where to obtain correct information

20 Notice of Correction
- at the request of the individual, the custodian must give written notice of the requested correction, to the extent reasonably possible, to persons to whom the custodian has disclosed the information
- exception – if the correction cannot be reasonably expected to have an effect on the ongoing provision of health care or other benefits

21 Statement of Disagreement
- if the custodian refuses a correction request, the individual is entitled to require the custodian to attach to the record a statement of disagreement prepared by the individual
- custodian must make reasonable efforts to notify anyone who would have been notified if there was a correction

22 Oversight and Enforcement
- Office of the Information and Privacy Commissioner is the oversight body
- IPC may investigate where:
  - A complaint has been received
  - Commissioner has reasonable grounds to believe that a person has contravened or is about to contravene the Act
- IPC has powers to enter and inspect premises, require access to PHI and compel testimony

23 Strengths of PHIPA
- Creation of health data institute to address criticism of “directed disclosures”
- Open regulation-making process to bring public scrutiny to future regulations
- Implied consent for sharing of personal health information within circle of care
- Adequate powers of investigation to ensure that complaints are properly reviewed
What happened to other Bill? Subjected to much public criticism from a wide range of stakeholders and eventually died on the order paper

24 Role of the IPC
- IPC currently has oversight of two laws:
  - Provincial Freedom of Information and Protection of Privacy Act
  - Municipal Freedom of Information and Protection of Privacy Act
- IPC may issue orders for access/correction appeals
- IPC investigates privacy complaints and may issue report with recommendations

25 Access and Correction Appeals
Appeals under current public sector laws may be dealt with through three stages:
- IPC will examine situation and may contact individual or organization for more information (Intake)
- If not dismissed, the appeal proceeds to mediation, the IPC’s preferred method of dispute resolution
- If mediation is unsuccessful, appeal proceeds to adjudication and an order will be issued.

26 Privacy Complaints
- IPC goal in dealing with complaints under public sector legislation is to assist organizations in taking whatever steps are necessary to prevent future occurrences
- Intake staff attempt to resolve complaints informally, through liaising with organization and complainant
- If not resolved, complaint goes to the investigation stage and a mediator investigates
- Mediator prepares a report, including recommendations

27 Role of IPC under PHIPA
- Use of mediation and alternative dispute resolution to be stressed
- Order-making power as a last resort
- Conducting public and stakeholder education programs
- Comment on an organization’s information practices

28 Stressing the 3 C’s
- Consultation: Opening lines of communication with health community
- Collaboration: Working together to find solutions
- Co-operation: Rather than confrontation in resolving complaints

29 Making Health Privacy Work
- Think beyond compliance with legislation
- Use technology to help protect personal health information:
  - Build privacy right into design specifications
  - Minimize collection and routine use of personally identifiable information – use aggregate or coded information if possible
  - Use encryption where practicable
  - Think about using pseudonymity, coded data
- Conduct privacy impact assessments

30 How to Contact Us
Commissioner Ann Cavoukian
Information & Privacy Commissioner/Ontario
80 Bloor Street West, Suite 1700
Toronto, Ontario M5S 2V1
Phone: (416) Web:

