Health Information Protection Act An Overview


1 Health Information Protection Act An Overview
Ann Cavoukian, Ph.D.
Information & Privacy Commissioner/Ontario
Ontario Health Records Association
May 7, 2004

2 Health Privacy is Critical
The need for privacy has never been greater:
- Extreme sensitivity of personal health information
- Patchwork of rules across the health sector; with some areas currently unregulated
- Increasing electronic exchanges of health information
- Multiple providers involved in health care of an individual – need to integrate services
- Development of health networks
- Growing emphasis on improved use of technology, including computerized patient records

3 Unique Characteristics of Personal Health Information
- Highly sensitive
- Collected in the context of a publicly-funded health care system
- Widely shared among a range of health care providers for the benefit of the individual
- Widely used and disclosed for secondary purposes that are seen to be in the public interest (e.g., research, planning, fraud investigation, quality assurance)

4 Legislation is Critical
- The IPC has been calling for legislation to protect health information since its inception in 1987
- Dates back to Justice Krever’s 1980 Report on the Confidentiality of Health Information
- The Commission documented many cases of unauthorized access to health files maintained by hospitals and the Ontario Health Insurance Plan
- The Report called for comprehensive health privacy legislation at that time

5 Provincial Health Privacy Laws
- Alberta: Health Information Act
- Manitoba: Personal Health Information Act
- Québec: Act respecting access to documents held by public bodies and the protection of personal information; Act respecting the protection of personal information in the private sector
- Saskatchewan: Health Information Protection Act

6 Ontario Bills of the Past
- Numerous attempts made over the years to get a bill introduced and passed, but have never succeeded
- Bill 159 – Personal Health Information Privacy Act, 2000
- Privacy of Personal Information, 2002

7 PHIPA – Bill 159
- On December 7, 2000, the government introduced Bill 159
- Concerns about the Bill:
  - Directed Disclosures
  - Extensive use of Regulations
  - Lack of full investigation powers

8 Privacy of Personal Information Act
- Ontario issued a draft bill in 2002 that applied to all non-public sector organizations
- Created special rules for health sector
- MCBS consulted with stakeholders to refine aspects of the draft bill
- Unfortunately this draft bill was never introduced

9 If No Provincial Health Legislation?
If Ontario fails to enact its own legislation, PIPEDA takes effect:
- Only commercial entities covered - ambiguity about who is in and who is out
- Not tailored to meet the needs of the health sector
- Principle-based approach rather than specifics could result in inconsistent implementation
- Oversight left to the federal Privacy Commissioner

10 Ontario’s Health Information Protection Act, 2003 (HIPA)
- Ontario government introduced health privacy bill (Bill 31) on December 17, 2003
- Referred to the Standing Committee on General Government, which held public hearings and clause-by-clause study
- Received Second Reading on April 8, 2004
- Expected to come into effect January 1, 2005

11 Bill 31 – Two parts
- Schedule A – the Personal Health Information Protection Act (PHIPA)
- Schedule B – the Quality of Care Information Protection Act (QOCIPA)

12 Bill 31 – Based on Fair Information Practices
- Accountability
- Identifying Purposes
- Consent
- Limiting Collection
- Limiting Use, Disclosure, Retention
- Accuracy
- Safeguards
- Openness
- Individual Access
- Challenging Compliance

13 Scope of PHIPA
- Health information custodians (HICs) that collect, use and disclose personal health information (PHI)
- Non-health information custodians where they receive personal health information from a health information custodian (use and disclosure provisions)

14 Health Information Custodians
Definition includes:
- Health care practitioners
- Hospitals and independent health facilities
- Homes for the aged and nursing homes
- Pharmacies
- Laboratories
- Homes for special care
- A centre, program or service for community health or mental health
List is not exhaustive

15 PHIPA Practices
- Must take reasonable steps to ensure accuracy
- Must maintain the security of PHI in its custody or control
- Must have a contact person to ensure compliance with Act, respond to access requests, inquiries and complaints from public
- Must have information practices in place that comply with the Act
- Must make available a written statement
- Must be responsible for actions of agents
Some of the practices and requirements for Health Information Custodians – based on fair information practices.

16 PHIPA Consent
- Consent is required for the collection, use, disclosure of PHI subject to specific exceptions
- Consent must:
  - be a consent of the individual
  - be knowledgeable
  - relate to the information
  - not be obtained through deception or coercion
- Consent may be express or implied

17 Collection, Use and Disclosure Without Consent
Derogations from the consent principle are allowed in limited circumstances.
- As required by law
- To protect the health or safety of the individual or others
- To identify a deceased person or provide reasonable notice of a person’s death

18 Patient Access to Records
PHIPA Expands and Codifies the Common-Law Right of Access
- Right of access to all records of personal health information about the individual in the custody or control of any health information custodians
- Provides right to correct their records of personal health information.
- Recognizes special factors surrounding health information by allowing for incorrect information to be struck out without obliterating the original record.

19 Oversight and Enforcement
- Office of the Information and Privacy Commissioner is the oversight body
- IPC may appoint an Assistant Commissioner for Personal Health Information
- IPC may investigate where:
  - A complaint has been received
  - Commissioner has reasonable grounds to believe that a person has contravened or is about to contravene the Act
- IPC has powers to enter and inspect premises, require access to PHI and compel testimony

20 Strengths of PHIPA
- Creation of health data institute to address criticism of “directed disclosures”
- Open regulation-making process to bring public scrutiny to future regulations
- Implied consent for sharing of personal health information within circle of care
- Adequate powers of investigation to ensure that complaints are properly reviewed

21 Role of the IPC
- IPC currently has oversight of two laws:
  - Provincial Freedom of Information and Protection of Privacy Act
  - Municipal Freedom of Information and Protection of Privacy Act
- IPC may issue orders for access/correction appeals
- IPC investigates privacy complaints and may issue report with recommendations but not orders

22 Access and Correction Appeals
Appeals under current public sector laws may be dealt with through three stages:
- IPC will examine situation and may contact individual or organization for more information (Intake)
- If not dismissed, the appeal proceeds to mediation, the IPC’s preferred method of dispute resolution
- If mediation is unsuccessful, appeal proceeds to adjudication and an order will be issued.

23 Privacy Complaints
- IPC goal in dealing with complaints under public sector legislation is to assist organizations in taking whatever steps are necessary to prevent future occurrences
- Intake staff attempt to resolve complaints informally, through liaising with organization and complainant
- If not resolved, complaint goes to the investigation stage and a mediator investigates
- Mediator prepares a report, including recommendations

24 Role of IPC under PHIPA
- Use of mediation and alternative dispute resolution to be stressed
- Order-making power as a last resort
- Conducting public and stakeholder education programs
- Comment on an organization’s information practices

25 Stressing the 3 C’s
- Consultation: Opening lines of communication with health community
- Collaboration: Working together to find solutions
- Co-operation: Rather than confrontation in resolving complaints

26 Making Health Privacy Work
- Think beyond compliance with legislation
- Use technology to help protect personal health information:
  - Build privacy right into design specifications
  - Minimize collection and routine use of personally identifiable information – use aggregate or coded information if possible
  - Use encryption where practicable
  - Think about using pseudonymity, coded data
  - Conduct privacy impact assessments

27 Lessons from Chatham-Kent
- Use of encryption to secure databases
- Investigate privacy-enhancing technologies to shield personal health information from systems administrators
- Conduct an end-to-end privacy impact assessment (PIA)
- Conduct independent security audits
Privacy Review: Chatham-Kent IT Transition Pilot Project

28 Lessons From UHN Privacy Assessment
- Strong Privacy Policy
- Real Consequences for Breaches
- Ongoing Privacy Training
- Incorporate privacy training into undergraduate curriculum for medical students
- Independent Security and Privacy Audits

29 How to Contact Us
Commissioner Ann Cavoukian
Information & Privacy Commissioner/Ontario
80 Bloor Street West, Suite 1700
Toronto, Ontario M5S 2V1
Phone: (416)
Web:

30 Alternatives to Investigation
Prior to investigating a complaint, the Commissioner may:
- Inquire as to other means used by individual to resolve complaint
- Require the individual to explore a settlement
- Authorize a mediator to review the complaint and try to settle the issue

31 Decision Not to Investigate
Commissioner may decide not to investigate a complaint where:
- An adequate response has been provided to the complainant
- Complaint could have been dealt with through another procedure
- Complainant does not have sufficient personal interest in issue
- Complaint is frivolous, vexatious or made in bad faith

32 Powers of the Commissioner
After conducting an investigation, the Commissioner may issue an order:
- To provide access to, or correction of, personal health information
- To cease collecting, using or disclosing personal health information in contravention of the Act
- To dispose of records collected in contravention of the Act
- To change, cease or implement an information practice
Orders, other than for access or correction, may be appealed on questions of law

33 Offences and Penalties
Creates offences for contravention of the legislation, including:
- wilfully collecting, using or disclosing PHI in contravention of the Act;
- once access request made, disposing of a record of personal information in an attempt to evade the request
- wilfully failing to comply with an order made by the IPC
Maximum penalty of $50,000 for an individual and $250,000 for a corporation

34 Action for Damages
- An individual affected by an IPC order may bring an action for damages for actual harm suffered
- Where the harm suffered was caused by a willful or reckless breach, the compensation may include an award not exceeding $10,000 for mental anguish
- No action for damages may be instituted against a HIC for anything done in good faith or any alleged neglect or default that was reasonable in the circumstances

