Building Privacy into Health Information Technology

Ann Cavoukian, Ph.D.
Information & Privacy Commissioner/Ontario

Information Technology Association of Canada
November 3, 2004
Toronto, Ontario

www.ipc.on.ca


Slide 2

Health Privacy is Critical

The need for privacy has never been greater:

• Extreme sensitivity of personal health information

• Patchwork of rules across the health sector; with some areas currently unregulated

• Increasing electronic exchanges of health information

• Multiple providers involved in health care of an individual – need to integrate services

• Development of health networks

• Growing emphasis on improved use of technology, including computerized patient records

Slide 3

Unique Characteristics of Personal Health Information

Highly sensitive and personal in nature

Must be shared immediately and accurately among a range of health care providers for the benefit of the individual

Widely used and disclosed for secondary purposes that are seen to be in the public interest (e.g., research, planning, fraud investigation, quality assurance)

Slide 4

Ontario’s Personal Health Information Protection Act (PHIPA)

Comes into effect November 1, 2004

PHIPA is Schedule A of the Health Information Protection Act, 2004, which has two schedules:

Schedule A – the Personal Health Information Protection Act (PHIPA)

Schedule B – the Quality of Care Information Protection Act (QOCIPA)

Slide 5

PHIPA – Based on Fair Information Practices

• Accountability

• Identifying Purposes

• Consent

• Limiting Collection

• Limiting Use, Disclosure, Retention

• Accuracy

• Safeguards

• Openness

• Individual Access

• Challenging Compliance

Slide 6

Strengths of PHIPA

Implied consent for sharing of personal health information within circle of care

Creation of health data institute to address criticism of “directed disclosures”

Open regulation-making process to bring public scrutiny to future regulations

Adequate powers of investigation to ensure that complaints are properly reviewed

Slide 7

Scope of PHIPA

Health information custodians (HICs) that collect, use and disclose personal health information (PHI)

Non-health information custodians where they receive personal health information from a health information custodian (use and disclosure provisions)

Slide 8

Health Information Custodian

Definition includes:

• Health care practitioner

• Hospitals and independent health facilities

• Homes for the aged and nursing homes

• Pharmacies

• Laboratories

• Homes for special care

• A centre, program or service for community health or mental health

Slide 9

Records Management: General Practices

Must take reasonable steps to ensure accuracy

Must maintain the security of PHI

Must have a contact person to ensure compliance with the Act and to respond to access/correction requests, inquiries and complaints from the public

Must have information practices in place that comply with the Act

Must make available a written statement of information practices

Must be responsible for actions of agents

Slide 10

Requirements With Implications for Health Information Technology

Use of electronic means

Providers to custodians

General security

Consent (implied or express)

Withdrawal or withholding of consent (lock box)

Right to access and request correction of personal health information

Slide 11

Use of Electronic Means

A health information custodian that uses electronic means to collect, use, modify, disclose, retain or dispose of personal health information shall comply with the prescribed requirements, if any.

Section 10(3)

No regulations have been proposed

Slide 12

Providers to Custodians

A person who provides goods and services for the purpose of enabling a health information custodian to use electronic means to collect, use, modify, disclose, retain or dispose of personal health information shall comply with the prescribed requirements, if any.

Section 10(4)

Slide 13

General Regulations that Apply to All Providers

Can only use information as necessary in the course of providing services

Cannot disclose any information

Provider must ensure that all employees and agents comply with the restrictions

The release of information to a provider that is not an agent of the custodian is not considered to be a disclosure, as long as the provider complies with the regulations

O. Reg. 329/04, s. 6 (1) and 6 (4)

Slide 14

Types of Providers

Software vendors (e.g., electronic health record)

Hardware vendors

Health information network providers (e.g., SSHA, telehealth)

Slide 15

Definition of Health Information Network Provider

A person who provides services to two or more health information custodians where the services are provided primarily to custodians to enable the custodians to use electronic means to disclose personal health information to one another, whether or not the person is an agent of any of the custodians

O. Reg. 329/04, s. 6 (2)

Slide 16

Regulations for Health Information Network Providers

Must notify custodian of any breach of the requirements for providers

Must provide custodian with description of services and safeguards, to share with individuals

Must make available to the public the description of services provided; the directives, guidelines and policies that apply; and a general description of safeguards

O. Reg. 329/04, s. 6 (3)

Slide 17

Regulations for Health Information Network Providers (cont’d)

Must provide to custodian, upon request, an electronic record of all accesses and transfers of information

Must perform and provide to custodian an assessment of threats, vulnerabilities and risks to security and integrity of the information and how the services may affect privacy

Must require any third party it retains to comply with restrictions and conditions

O. Reg. 329/04, s. 6 (3)

Slide 18

Regulations for Health Information Network Providers (cont’d)

Must enter into an agreement with each custodian that:

• describes the services to be provided

• describes the administrative, technical and physical safeguards relating to confidentiality and security

• requires the provider to comply with the Act and its regulations

O. Reg. 329/04, s. 6 (3)

Slide 19

Security Requirement

A health information custodian shall take steps that are reasonable in the circumstances to ensure that personal health information in the custodian’s custody or control is protected against theft, loss and unauthorized use or disclosure and to ensure that the records containing the information are protected against unauthorized copy, modification or disposal.

Section 12(1)

Slide 20

Implied Consent

custodians may imply consent when disclosing personal health information to other custodians for the purpose of providing health care to the individual

Slide 21

Lock Box

where the individual expressly withholds or withdraws consent

Public hospitals have until Nov 1, 2005 to comply with the lock box requirements

Section 31(2)

Information technology must:

• Flag information to be locked

• Ensure that disclosure of locked information is blocked
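The two technical requirements on this slide (flag locked information, block its disclosure), together with the electronic record of all accesses and transfers that slide 17 requires of network providers, as one added example. This is not code from the presentation or from the IPC. It assumes a simple in-memory store; the patient identifier P-001, the custodian names and the clinical categories are constructed, and the rule that the individual's express consent lifts the lock for a particular disclosure is an assumption of the example, not something the slides state.

```python
"""Lock-box flags plus an access/transfer audit trail for PHI records.

Added example, not code from the IPC presentation. It assumes a simple
in-memory store; the patient identifier, custodian names and clinical
categories below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set


@dataclass
class PhiItem:
    category: str           # e.g. "lab", "medication", "psychiatry"
    content: str
    locked: bool = False    # set once the individual withholds or withdraws consent


@dataclass
class AuditEvent:
    when: str
    action: str             # "access" (internal use) or "transfer" (disclosure)
    actor: str              # custodian or agent that performed the action
    recipient: Optional[str]
    patient_id: str
    released: List[str]     # categories made available
    withheld: List[str]     # categories blocked by a lock box


@dataclass
class Disclosure:
    items: List[PhiItem]
    withheld: List[str]     # lets the recipient be told that something was held back


class RecordStore:
    """In-memory PHI store that enforces lock-box flags on disclosure and
    records every access and transfer."""

    def __init__(self) -> None:
        self._records: Dict[str, List[PhiItem]] = {}
        self.audit: List[AuditEvent] = []

    def add(self, patient_id: str, item: PhiItem) -> None:
        self._records.setdefault(patient_id, []).append(item)

    def set_lock(self, patient_id: str, category: str, locked: bool = True) -> int:
        """Flag (or unflag) every item in a category; returns how many changed."""
        changed = 0
        for item in self._records.get(patient_id, []):
            if item.category == category and item.locked != locked:
                item.locked = locked
                changed += 1
        return changed

    def _log(self, action: str, actor: str, recipient: Optional[str],
             patient_id: str, released: Set[str], withheld: Set[str]) -> None:
        self.audit.append(AuditEvent(
            when=datetime.now(timezone.utc).isoformat(timespec="seconds"),
            action=action, actor=actor, recipient=recipient,
            patient_id=patient_id, released=sorted(released),
            withheld=sorted(withheld)))

    def access(self, patient_id: str, actor: str) -> List[PhiItem]:
        """Access by the custodian's own agent. The slide covers disclosure
        only, so this example does not filter uses; it still logs the access."""
        items = list(self._records.get(patient_id, []))
        self._log("access", actor, None, patient_id,
                  {i.category for i in items}, set())
        return items

    def disclose(self, patient_id: str, actor: str, recipient: str,
                 express_consent: bool = False) -> Disclosure:
        """Transfer to another custodian.

        Under implied consent (circle of care) locked items are blocked.
        Assumption made here: if the individual has given express consent
        to this disclosure, the lock no longer applies to it.
        """
        items = self._records.get(patient_id, [])
        released = [i for i in items if express_consent or not i.locked]
        withheld = {i.category for i in items if i.locked and not express_consent}
        self._log("transfer", actor, recipient, patient_id,
                  {i.category for i in released}, withheld)
        return Disclosure(items=released, withheld=sorted(withheld))

    def audit_trail(self, patient_id: str) -> List[AuditEvent]:
        """Electronic record of all accesses and transfers for one individual,
        the kind of record a network provider must hand over on request."""
        return [e for e in self.audit if e.patient_id == patient_id]


def demo() -> RecordStore:
    """Constructed sample: one patient who has locked their psychiatry notes."""
    store = RecordStore()
    store.add("P-001", PhiItem("lab", "HbA1c 7.1%"))
    store.add("P-001", PhiItem("medication", "metformin 500 mg"))
    store.add("P-001", PhiItem("psychiatry", "consult note"))
    store.set_lock("P-001", "psychiatry")
    return store


if __name__ == "__main__":
    s = demo()
    d = s.disclose("P-001", actor="Dr. A", recipient="Clinic B")
    print("released:", [i.category for i in d.items], "withheld:", d.withheld)
    for event in s.audit_trail("P-001"):
        print(event)
```

The point of recording the withheld categories in both the Disclosure and the audit event is that a blocked disclosure is evidence the custodian will need later: the audit trail shows the lock was honoured, and the recipient can be told that the record is incomplete without learning what was locked.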

Slide 22

Express Consent

required when a custodian discloses to a non-custodian

required when a custodian discloses to another custodian for a purpose other than providing health care to the individual

required for marketing and fundraising (when using more than name and specified contact information)

Slide 23

Right of Access and Correction

PHIPA Expands and Codifies the Common-Law Right of Access

Right of access to all records of personal health information about the individual in the custody or control of any health information custodian (some exceptions)

Provides right to correct their records of personal health information (some exceptions)

Slide 24

Access

custodian must make the record available or provide a copy, if requested

custodian must respond to request within 30 days, with a possible 30 day extension

custodian must take reasonable steps to be satisfied of the individual’s identity

custodian must offer assistance in reformulating a request that lacks sufficient detail

Slide 25

How to Correct Records

by striking out the incorrect information in a manner that does not obliterate it or

by labeling the information as incorrect and severing it from the record, while maintaining a link to the record or

if the correction cannot be recorded in the record, the custodian must ensure there is a practical system to inform persons accessing the record that the information is incorrect and where to obtain correct information

Slide 26

Notice of Correction

at the request of the individual, the custodian must give written notice of the requested correction, to the extent reasonably possible, to persons to whom the custodian has disclosed the information

exception – if the correction cannot be reasonably expected to have an effect on the ongoing provision of health care or other benefits

Slide 27

Statement of Disagreement

if the custodian refuses a correction request, the individual is entitled to require the custodian to attach to the record a statement of disagreement prepared by the individual

custodian must make reasonable efforts to notify anyone who would have been notified if there was a correction
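The mechanics on the three preceding slides (strike out without obliterating, label and sever while keeping a link, notice of correction to past recipients, and a statement of disagreement when a correction is refused) as one added example. This is not code from the presentation or from the IPC. It assumes a record is an append-only list of numbered entries, which is the simplest structure that satisfies "does not obliterate"; the patient, entries and recipient names are constructed.

```python
"""Append-only correction of a health record.

Added example, not code from the IPC presentation. It assumes a record is
a numbered list of entries that are never deleted; the patient, entries
and recipient names below are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Entry:
    entry_id: int
    text: str
    struck: bool = False                # struck out, but the text is kept
    corrected_by: Optional[int] = None  # link forward to the replacement
    corrects: Optional[int] = None      # link back to the entry replaced


@dataclass
class HealthRecord:
    patient_id: str
    entries: List[Entry] = field(default_factory=list)
    disagreements: List[str] = field(default_factory=list)
    disclosed_to: List[str] = field(default_factory=list)  # who received copies

    def append(self, text: str) -> int:
        entry = Entry(len(self.entries) + 1, text)
        self.entries.append(entry)
        return entry.entry_id

    def _get(self, entry_id: int) -> Entry:
        return self.entries[entry_id - 1]

    def note_disclosure(self, recipient: str) -> None:
        self.disclosed_to.append(recipient)

    def correct(self, entry_id: int, new_text: str, notice_requested: bool = True,
                affects_ongoing_care: bool = True) -> Tuple[int, List[str]]:
        """Strike out the wrong entry without obliterating it, append the
        correction, link the two, and return (new entry id, parties to notify).

        Notice goes to past recipients only when the individual asks for it
        and the correction could affect ongoing care or other benefits.
        """
        old = self._get(entry_id)
        if old.struck:
            raise ValueError(f"entry #{entry_id} has already been corrected")
        new_id = self.append(new_text)
        new = self._get(new_id)
        old.struck, old.corrected_by, new.corrects = True, new_id, entry_id
        notify = list(self.disclosed_to) if (notice_requested and affects_ongoing_care) else []
        return new_id, notify

    def refuse_correction(self, statement: str) -> List[str]:
        """Attach the individual's statement of disagreement; the same
        recipients who would have been told of a correction get the statement."""
        self.disagreements.append(statement)
        return list(self.disclosed_to)

    def current_view(self) -> List[str]:
        """What a clinician normally reads: corrections in, struck entries out."""
        return [e.text for e in self.entries if not e.struck]

    def full_view(self) -> List[str]:
        """Audit view: every entry with its status and links preserved."""
        lines = []
        for e in self.entries:
            if e.struck:
                lines.append(f"#{e.entry_id} [struck out; corrected by #{e.corrected_by}] {e.text}")
            elif e.corrects is not None:
                lines.append(f"#{e.entry_id} [corrects #{e.corrects}] {e.text}")
            else:
                lines.append(f"#{e.entry_id} {e.text}")
        for s in self.disagreements:
            lines.append(f"[statement of disagreement] {s}")
        return lines


if __name__ == "__main__":
    r = HealthRecord("P-001")
    r.append("Allergy: penicillin")
    bt = r.append("Blood type: A+")
    r.note_disclosure("Clinic B")
    new_id, notify = r.correct(bt, "Blood type: O+")
    print("\n".join(r.full_view()))
    print("notify:", notify)
```

There is deliberately no delete method: the only way to change what a reader sees is to add an entry, so the original text and the link between the wrong and corrected versions always survive for the audit view.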

Slide 28

Where do we go from here?

Start by understanding PHIPA

• Information is available on the IPC and MOHLTC web sites

Review your products and services

• Identify where changes need to occur

Work with your client partners

• Particularly for retrofits

Slide 29

Guidance to Health IT Community

The IPC, in partnership with the Office of the Corporate Chief Information Officer and the Ministry of Health, is developing a set of health privacy technology principles and best practices, plus boilerplate RFP statements and an implementation strategy, in consultation with the Ontario E-Health Council.

• We expect to consult with vendors on this document to ensure it is reasonable and fully supports the implementation of the Act.

Slide 30

Public Education Program

Frequently Asked Questions and Answers available on IPC website (including hard copies)

User Guide for Health Information Custodians available on IPC website (including hard copies)

IPC PHIPA publications distributed to Colleges and Associations of the Regulated Health Professions

IPC/MOH brochure for the general public

• may be placed in reception areas

• to be distributed to patients

Slide 31

Public Education Program (cont’d)

IPC member of OHA/OMA/IPC/MOH PHIPA tool kit project

IPC/OBA “short notices” working group

• Developing concise, user-friendly notices and consent forms to serve as effective communication tools

On-going meetings with Regulated Health Professions, the Federation of Health Regulatory Colleges and Associations

IPC PHIPA awareness article distributed to Colleges/Associations for inclusion in their members’ Magazines and Newsletters

Slide 32

Keeping HICs Informed

Orders will be public documents and available on our Web site

Summaries of mediated cases will be posted to our website

Relevant data will be regularly made available to the public and health professionals (e.g. number of complaints, examples of successful mediations, common issues)

Slide 33

Making Health Privacy Work

Think beyond compliance with legislation

Use technology to help protect personal health information:

• Build privacy right into design specifications

• Minimize collection and routine use of personally identifiable information – use aggregate or coded information if possible

• Use encryption where practicable

• Think about using pseudonymity, coded data

• Conduct privacy impact assessments
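The coded-data and aggregate-information points above, as an added example that is not code from the presentation or from the IPC. It uses a keyed pseudonym (HMAC-SHA256) rather than any particular scheme the slides name, drops the identifying fields a secondary purpose does not need, and applies a small-cell suppression threshold that is the example's own assumption; the records and the key are constructed. It also shows why a plain hash of a health number is not a pseudonym: anyone holding a list of candidate numbers can recompute the hashes and link them back.

```python
"""Coded (pseudonymous) extracts and aggregate counts for secondary use.

Added example, not code from the IPC presentation. The records below are
constructed sample data, the key is a demo value, and the small-cell
threshold is an assumption of this example.
"""
import hashlib
import hmac
from collections import Counter
from typing import Callable, Dict, Iterable, List, Tuple

# Constructed sample extract: identifying fields mixed with a diagnosis code.
SAMPLE_RECORDS = [
    {"health_number": "1000000001", "name": "Patient One", "dob": "1961-02-03", "dx": "E11"},
    {"health_number": "1000000002", "name": "Patient Two", "dob": "1975-07-19", "dx": "E11"},
    {"health_number": "1000000003", "name": "Patient Three", "dob": "1988-11-30", "dx": "E11"},
    {"health_number": "1000000004", "name": "Patient Four", "dob": "1952-05-05", "dx": "E11"},
    {"health_number": "1000000005", "name": "Patient Five", "dob": "1969-09-09", "dx": "E11"},
    {"health_number": "1000000001", "name": "Patient One", "dob": "1961-02-03", "dx": "E11"},  # repeat visit
    {"health_number": "1000000006", "name": "Patient Six", "dob": "1990-01-01", "dx": "F32"},
]


def pseudonym(identifier: str, key: bytes) -> str:
    """Keyed pseudonym (HMAC-SHA256). Same identifier and key give the same
    code, so one person's records stay linkable; without the key the code
    cannot be recomputed from a guessed health number."""
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()[:16]


def unkeyed_code(identifier: str) -> str:
    """What not to do: a plain hash of a low-entropy identifier."""
    return hashlib.sha256(identifier.encode()).hexdigest()[:16]


def coded_extract(records: Iterable[Dict[str, str]], key: bytes) -> List[Dict[str, str]]:
    """Keep only what the secondary purpose needs: a pseudonym, a birth year
    and the diagnosis code. Name, full DOB and health number are dropped."""
    return [{"pid": pseudonym(r["health_number"], key),
             "birth_year": r["dob"][:4],
             "dx": r["dx"]} for r in records]


def aggregate(extract: Iterable[Dict[str, str]], field: str = "dx",
              min_cell: int = 5) -> Tuple[Dict[str, int], List[str]]:
    """Aggregate counts with small-cell suppression: cells below min_cell
    (an assumed threshold) are reported as suppressed rather than published."""
    counts = Counter(r[field] for r in extract)
    published = {k: v for k, v in counts.items() if v >= min_cell}
    suppressed = sorted(k for k, v in counts.items() if v < min_cell)
    return published, suppressed


def link_by_dictionary(codes: Iterable[str], candidates: Iterable[str],
                       coder: Callable[[str], str]) -> Dict[str, str]:
    """Re-identification attempt: someone holding a list of candidate health
    numbers recomputes the code for each and looks for matches.
    Returns {code: health_number} for every hit."""
    lookup = {coder(c): c for c in candidates}
    return {c: lookup[c] for c in codes if c in lookup}


if __name__ == "__main__":
    key = b"demo-key-kept-apart-from-the-extract"
    extract = coded_extract(SAMPLE_RECORDS, key)
    print(aggregate(extract))
    candidates = [r["health_number"] for r in SAMPLE_RECORDS]
    print("unkeyed hits:", len(link_by_dictionary(
        [unkeyed_code(c) for c in candidates], candidates, unkeyed_code)))
    print("keyed hits without the key:", len(link_by_dictionary(
        [r["pid"] for r in extract], candidates, unkeyed_code)))
```

The key is what turns a code into a pseudonym: it has to be generated and stored by the custodian apart from the extract and never handed to the recipient of the coded data, otherwise the recipient is in the same position as the dictionary attacker above.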

Slide 34

Stressing the 3 C’s

Consultation

• Opening lines of communication with the health community and HICs

Co-operation

• Rather than confrontation in resolving complaints

Collaboration

• Working together to find solutions

Slide 35

How to Contact Us

Commissioner Ann Cavoukian

Information & Privacy Commissioner/Ontario

2 Bloor Street West, Suite 1400

Toronto, Ontario M4W 1A8

Phone: (416) 326-3333

Web: www.ipc.on.ca

E-mail: [email protected]