Health and Business Privacy Law. Ann Cavoukian, Ph.D., Information & Privacy Commissioner/Ontario. Ontario Bar Association, “An Evening with the Information and Privacy Commissioner of Ontario”, June 16, 2005. PHIPA: First Six Months at the Commissioner’s Office. PowerPoint presentation, 43 slides.

Page 1: Health and Business Privacy Law

Information and Privacy Commissioner/Ontario, © 2005

Health and Business Privacy Law

Ann Cavoukian, Ph.D.
Information & Privacy Commissioner/Ontario

Ontario Bar Association
“An Evening with the Information and Privacy Commissioner of Ontario”

June 16, 2005

Page 2: Health and Business Privacy Law

PHIPA: First Six Months at the Commissioner’s Office

Page 3: Health and Business Privacy Law

Ontario’s PHIPA: Personal Health Information Protection Act

• Came into effect November 1, 2004

• Schedule A – the Personal Health Information Protection Act (PHIPA)

• Schedule B – the Quality of Care Information Protection Act (QOCIPA)

Page 4: Health and Business Privacy Law

PHIPA Based on Fair Information Practices

• Accountability
• Identifying Purposes
• Consent
• Limiting Collection
• Limiting Use, Disclosure, Retention
• Accuracy
• Safeguards
• Openness
• Individual Access
• Challenging Compliance

Page 5: Health and Business Privacy Law

Mandate of the Legislation

• Require consent for the collection, use and disclosure of personal health information, with necessary but limited exceptions;

• Require that health information custodians treat all personal health information as confidential and keep it secure;

• Codify an individual’s right to access his/her personal health information, as well as the right to correct errors;

• Give a patient the right to instruct health information custodians not to share any part of his/her personal health information with other health care providers;

Page 6: Health and Business Privacy Law

Mandate of the Legislation (Cont’d)

• Establish clear rules for the use of personal health information for fundraising or marketing purposes;

• Set guidelines for the use and disclosure of personal health information for research purposes;

• Ensure accountability by granting an individual the right to complain to the IPC about the practices of a health information custodian; and

• Establish remedies for breaches of the legislation.

Page 7: Health and Business Privacy Law

Role of IPC under PHIPA

• Use of mediation and alternate dispute resolution always stressed;

• Order-making power used as a last resort;

• Conducting public and stakeholder education programs: education is key;

• Comment on an organization’s information practices.

Page 8: Health and Business Privacy Law

Powers of the Commissioner

Under PHIPA, the Commissioner may make an order directing any person whose activities the Commissioner reviewed:

• to grant an individual access to a requested record, or to make a requested correction, if a review relates to a complaint from a request by an individual for access to, or correction of, a record;

• to cease collecting, using or disclosing personal health information;

• to change, cease, not commence or implement an information practice; or

• to make comments and recommendations on the privacy implications of any matter that is the subject of the review. (2004, c. 3, Sched. A, s. 61 (1))

Page 9: Health and Business Privacy Law

Commissioner’s Review

• If a complaint cannot be settled informally, the Commissioner may conduct a review of the complaint. It is the Commissioner’s decision whether or not to conduct a review;

• in the absence of a complaint, the Commissioner also has the power to conduct a self-initiated review;

• in conducting a review, the Commissioner may:

– enter any premises associated with the review;

– inspect or copy any records, documents, and other material relevant to the review;

– summon persons to appear before the Commissioner and require them to provide evidence under oath;

– inquire into records of personal health information, under specified circumstances; and

– issue binding orders.

Page 10: Health and Business Privacy Law

The Process

Complaint process (diagram): Intake Stage → Mediation Stage → Review Stage

Page 11: Health and Business Privacy Law

Status of Cases

As of June 16, 2005, we have received 74 complaints:

• 31 Access/Correction Complaints
– (6 at Intake, 2 at Mediation, 23 Resolved)

• 26 Collection/Use/Disclosure Complaints
– (13 at Intake, 1 at Mediation, 12 Resolved)

• 16 HIC-Reported Breaches
– (7 at Mediation, 9 Resolved)

Total (74): 30 Files Open; 44 Files Closed

Page 12: Health and Business Privacy Law

Mediation Stories: A Private Lab

• A computer containing patients’ PHI was stolen from a private laboratory during an after-hours break-in;

• As a solution, it was decided that the IPC would work with the laboratory to develop a notification program which included the following response:

a) area physicians were sent a Public Notice of the theft and asked to post it and provide a copy to affected patients;

b) the laboratory was asked to post a Public Notice; and

c) a press release for local media outlets was issued.

Page 13: Health and Business Privacy Law

Mediation Stories: A Hospital

• 396 patient diagnostic reports went missing from patients’ charts in the course of routine clerical work;

• In this case, there were special circumstances that led the IPC to recommend that notice of the breach should be given in person by the health care provider and posted in the patient’s files. It was agreed that patients would be notified of the breach at their next appointment with their health care provider.

Page 14: Health and Business Privacy Law

Mediation Stories: A Records Storage Company

• A mother who was seeking both her own and her daughter’s health records from a record storage company was faced with a fee that she claimed was excessive and would impose a personal hardship.

• The IPC intervened to facilitate a reduced fee.

• The company agreed to reduce its fee if the complainant could provide information to support her statement that the fee would in fact impose a hardship. The information was provided through the mediator and the fee was reduced to an agreeable amount.

• The complainant was satisfied and the file was closed.

Page 15: Health and Business Privacy Law

Short Notices: Background

Page 16: Health and Business Privacy Law

Privacy Policies: Growing Pains

• The need for short notices to the public became apparent as privacy legislation grew, prompting many organizations to fold as much of the new regulatory content as possible into their privacy statements and notices;

“When GLBA and HIPAA were passed, there was a requirement to make these notices even more complete and long. That has resulted in privacy notices that are barely readable and largely ineffective.”

— Martin Abrams, Executive Director, Center for Information and Policy Leadership, Hunton & Williams LLP, 2004

Page 17: Health and Business Privacy Law

Hunton & Williams

• The Hunton & Williams Center for Information Policy Leadership, a pioneer in work on short notices, has conducted focus groups on privacy policies;

• They found that consumer trust in companies was eroded by lengthy, legalistic privacy policies;

• Focus group studies found that people preferred short privacy notices that clearly communicated how a company was using and sharing their personal information;

• Subjects expressed support for a common “template” that could be used by different companies.

Page 18: Health and Business Privacy Law

The Short Notice

• Clearly, what is needed are more effective communication tools;

• The short notice is an initial notice that an individual receives when personal information is first sought;

• The goal of the short notice is to provide all individuals with essential information in an easily readable and comparable format;

• A short notice should include:

– who the privacy notice covers;
– the types of information collected directly from the individual and indirectly from others about the individual;
– uses or purposes for the data collected;
– the types of entities that may receive the information (if it is shared);
– information on choices available to the individual to limit use and exercise any access or other rights, and how to exercise those rights;
– how to contact the organization for more information or to file a complaint.

Page 19: Health and Business Privacy Law

Why Short Notices are Important

Short notices:

• ensure that people are well informed about what an organization does with their personal information; and

• allow people to become empowered with a choice over their personal information.

Page 20: Health and Business Privacy Law

Benefits of Short Notices

While individuals are the main beneficiaries of improved communication of information about an organization’s privacy practices, there are also benefits for organizations:

• The ability to communicate more effectively with the public, allowing a relationship based on trust to grow through simple understanding;

• A standardized format could be used globally by an organization to provide for economies of scale.

Page 21: Health and Business Privacy Law

Short Notices: International Efforts

• In 2003, the movement to establish a global short privacy notice was officially recognized at the International Conference of Data Protection Commissioners in Sydney, Australia;

• In 2004, in Berlin, a working group of Commissioners (including the IPC), business leaders, lawyers and privacy practitioners met and prepared a memorandum recognizing that a new architecture was needed for privacy notices;

• In 2004, the EU Article 29 Working Group issued the position paper WP100 on the use of “multi-layered notices”.

Page 22: Health and Business Privacy Law

Berlin Memorandum

• Effective privacy notices should be delivered within a framework with the following core concepts:

– Multi-layered – Privacy information should not be conveyed solely in a single document

– Comprehension and Plain Language – All layers should use language that is easy to understand

– Compliance – The total notices framework (all the layers taken together) should be compliant with relevant law

– Format and Consistency – Consistent format and layout will facilitate comprehension and comparison

– Brevity – The length of a privacy notice makes a difference (maximum of seven categories)

– Public Sector – These concepts have equal applicability to government collection and use of personal information

Page 23: Health and Business Privacy Law

Health Information Short Notices

Page 24: Health and Business Privacy Law

Health Information Short Notices

• The goal is to develop easy-to-read items containing the necessary elements regarding the collection, use and disclosure of personal health information, but not so much information that the public will not be able to read them;

• The language of the notices must be accessible and easily understood by most people — plain language is key.

Page 25: Health and Business Privacy Law

Health Information Short Notices Working Group

– Information and Privacy Commissioner/Ontario
– Ontario Bar Association’s Privacy and Health Law sections
– Ministry of Health and Long-Term Care
– Ontario Dental Association

• One of only a handful of projects around the world focusing on short notices in the health sector;

• The working group will continue its efforts to develop additional layers of information to supplement the notices;

• The IPC looks forward to engaging members of the health and legal professions in further improving the multi-layered approach to communicating with the public.

Page 26: Health and Business Privacy Law

Short Notices Under PHIPA: Role of the IPC

• In Ontario, the IPC has taken a leadership role in promoting the use of short notices in the health sector;

• As the oversight body for PHIPA, the IPC has indicated that the notices prepared by health professionals must provide useful and understandable information to patients;

• The IPC wanted to ensure that patients are well informed of their rights and have the knowledge to exercise those rights;

• The IPC also wanted to help Health Information Custodians communicate more effectively with the public — PHIPA requires custodians to take reasonable steps to inform the public about their information practices and how patients may exercise their rights.

Page 27: Health and Business Privacy Law

Design of the Health Information Short Notice

• In line with the Berlin Memorandum, the PHIPA short notices group has adopted a multi-layered approach, with an emphasis on developing separate short notices for each of the following health care groups:

– Primary care providers
– Hospitals and facilities
– Long-term care facilities

• Primary Care Notices are not profession-specific, but should apply to all primary health care providers.

Page 28: Health and Business Privacy Law

Design of the Health Information Short Notice (Cont’d)

Notices and brochures are harmonized with a consistent look and feel:

• Notices
– Capable of being used as a wall poster or in hand-out paper format
– Capable of being used online as well as in hard copy
– Include IPC logo, logo of OBA and possibly logos of a limited number of distributing organizations – health Colleges and major health professional associations
– Have space for individual practitioner/hospital or facility to include contact information

• Brochures
– Brochures can vary in length, depending on whether for primary care or for hospital use
– Brochures should be useable online as well as in hard copy

Page 29: Health and Business Privacy Law

Breaches of Privacy and Security

Page 30: Health and Business Privacy Law

Identity Theft

• The fastest growing form of consumer fraud in North America

• Identity theft is the most frequently cited complaint received by the FTC

• 10 million victims of ID theft each year, costing businesses $50 billion, and $5 billion in out-of-pocket expenses from individuals

— Federal Trade Commission, 2003

• The Canadian offices of Equifax and TransUnion credit bureaus have reported that they receive approximately 1,400 to 1,800 identity theft complaints per month

Page 31: Health and Business Privacy Law

Recent Outbreak of Major Privacy Breaches

• November 2004: ChoicePoint — Identity theft involving 145,000 persons
• December 2004: Bank of America — 1.2 million records misplaced
• January 2005: T-Mobile — Illegal access to 16.3 million records
• January 2005: HSBC — 180,000 MasterCard records stolen
• February 2005: Ameritrade — 200,000 customer files lost
• March 2005: LexisNexis — Identity theft involving 32,000 records
• March 2005: DSW Inc — Hacker theft of 103 credit card numbers
• March 2005: Boston College — Theft of 120,000 alumni donor records
• April 2005: TimeWarner — Lost files on 600,000 employees
• May 2005: Largest Security Breach in Canada to date (United Food and Commercial Workers Local 832, Winnipeg) — Hard drives stolen from computers containing data on approximately 20,000 union members
• June 2005: Citibank — Backup tape containing personal information on almost 4 million customers was lost by UPS delivery service

Page 32: Health and Business Privacy Law

ChoicePoint

• A data aggregation and clearinghouse company that maintains databases of background information on virtually every U.S. citizen

• 19 billion public records in its database: motor vehicle registrations, license and deed transfers, military records, names, addresses and Social Security numbers

• ChoicePoint routinely sells dossiers to police, lawyers, reporters and private investigators

Page 33: Health and Business Privacy Law

ChoicePoint: Gateway for Identity Thieves

• In a plot twist taken from a Hollywood movie, criminals were creating false identities to establish accounts with ChoicePoint and then using those accounts to commit identity theft

• In response, ChoicePoint:
– Notified 35,000 Californians as required by California law, SB1386
– Notified an additional 145,000 persons that “unauthorized third parties” had obtained their personal information

• Los Angeles police believe that the actual number of persons affected could be 500,000 or more

Page 34: Health and Business Privacy Law

ChoicePoint: Fallout and Cost

• Since the privacy breach was discovered, ChoicePoint’s stock value has fallen from $48 to approximately $38

• ChoicePoint will pay to re-screen and re-credential 17,000 customers to verify that they are legitimate businesses

• Suspension of contract with New York State — other states pending

• March 2005, suspension of sales to small businesses — loss of 5% of annual revenue, or $900 million

• Three separate lawsuits have been filed:
– Victim of I.D. theft
– Class action by individuals
– Class action by shareholders

Page 35: Health and Business Privacy Law

The Unpredictable Cost: Litigation

Privacy & American Business, Consumer Privacy Litigation Report, 2004

• Since 2000, 182 cases of consumer privacy litigation have been brought against 234 corporate defendants, with $160 million paid out in damages:

– $52.5m to the Federal Trade Commission
– $39.7m to state regulators
– $32.3m to private individuals
– $28.4m to private class actions
– $6.9m to various federal agencies

Page 36: Health and Business Privacy Law

SB1386

• California SB 1386 became effective on July 1, 2003

• Essentially, it requires an agency, person or business that conducts business in California and owns or licenses computerized “personal information” to disclose any breach of security to any resident whose unencrypted data is believed to have been disclosed

Page 37: Health and Business Privacy Law

Impact of SB1386

• This law has had a substantial impact on business practices in California. The California Office of Privacy Protection recently surveyed California companies and found that:

– 76% changed their communications policies as a result of the new law;
– 50% changed the way they used social security numbers; and
– 33% changed security procedures.

Page 38: Health and Business Privacy Law

The Coming Privacy Storm

• April 2005: 39 bills were pending in 19 states modeled after California’s SB1386

• May 2005: six states signed laws that now require consumers to be notified if personal information has been subject to a security breach – Arkansas, Georgia, Indiana, Montana, North Dakota and Washington

• Although the new laws are similar to California’s SB1386, varying state requirements will likely put pressure on Congress to pass a federal version of SB1386

• Legislation is also being considered that would ban the sale of Social Security numbers without the permission of the owner, except when needed by law enforcement

Page 39: Health and Business Privacy Law

Made-in-Ontario Law

• In March of 2005, the IPC wrote a letter to the Minister of Consumer and Business Services, highlighting the need for private sector legislation in Ontario;

• Emphasis was placed on the increasing number of large-scale privacy breaches and the growing number of U.S. states that have bills pending to target identity theft;

• Further mention was given to the fact that Alberta, British Columbia and Quebec have already enacted private sector privacy legislation.

Page 40: Health and Business Privacy Law

Getting Your Clients Ready for Privacy Legislation

• Complying with privacy principles may require changes to your clients’ personal information management practices

• An effective privacy program needs to be integrated into the corporate culture

• It is essential that privacy protection become a corporate priority throughout all levels of the organization

• Senior Management and Board of Directors’ commitment is critical (www.ipc.on.ca/docs/director.pdf)

Page 41: Health and Business Privacy Law

Assist Your Client to Develop a Privacy Plan

• Your clients must:
– Understand the privacy principles
– Identify company personal information holdings
– Assess the impact of privacy principles on operations and align information practices
– Design or change existing information management systems

• Train staff, re-train staff – an on-going process

• Test and evaluate systems and processes

• Create or revise policies, procedures and practices

• Develop or revise forms and communications material

• Redraft contracts with agents/suppliers for compliance

• Inform the public and educate customers – use short notices!

Page 42: Health and Business Privacy Law

Final Thought

“Anyone today who thinks the privacy issue has peaked is greatly mistaken…we are in the early stages of a sweeping change in attitudes that will fuel political battles and put once-routine business practices under the microscope.”

- Forrester Research, March 5, 2001

Page 43: Health and Business Privacy Law

How to Contact Us

Commissioner Ann Cavoukian
Information & Privacy Commissioner/Ontario
2 Bloor Street East, Suite 1400
Toronto, Ontario M4W 1A8

Phone: (416) 326-3333
Web: www.ipc.on.ca
E-mail: [email protected]