
Page 1: Www.ipc.on.ca Health Information Protection Act An Overview Ann Cavoukian, Ph.D. Information & Privacy Commissioner/Ontario Ontario Health Records Association

www.ipc.on.ca

Health Information Protection Act

An Overview

Ann Cavoukian, Ph.D., Information & Privacy Commissioner/Ontario

Ontario Health Records Association

May 7, 2004

Slide 2

Health Privacy is Critical

The need for privacy has never been greater:

• Extreme sensitivity of personal health information

• Patchwork of rules across the health sector, with some areas currently unregulated

• Increasing electronic exchanges of health information

• Multiple providers involved in health care of an individual – need to integrate services

• Development of health networks

• Growing emphasis on improved use of technology, including computerized patient records

Slide 3

Unique Characteristics of Personal Health Information

Highly sensitive

Collected in the context of a publicly-funded health care system

Widely shared among a range of health care providers for the benefit of the individual

Widely used and disclosed for secondary purposes that are seen to be in the public interest (e.g., research, planning, fraud investigation, quality assurance)

Slide 4

Legislation is Critical

The IPC has been calling for legislation to protect health information since its inception in 1987

• Dates back to Justice Krever’s 1980 Report on the Confidentiality of Health Information

– The Commission documented many cases of unauthorized access to health files maintained by hospitals and the Ontario Health Insurance Plan

– The Report called for comprehensive health privacy legislation at that time

Slide 5

Provincial Health Privacy Laws

Alberta
• Health Information Act

Manitoba
• Personal Health Information Act

Québec
• Act respecting access to documents held by public bodies and the protection of personal information
• Act respecting the protection of personal information in the private sector

Saskatchewan
• Health Information Protection Act

Slide 6

Ontario Bills of the Past

Numerous attempts have been made over the years to get a bill introduced and passed, but none has succeeded:

• Bill 159 – Personal Health Information Privacy Act, 2000

• Privacy of Personal Information Act, 2002

Slide 7

PHIPA – Bill 159

On December 7, 2000, the government introduced Bill 159

Concerns about the Bill: 

• Directed Disclosures

• Extensive use of Regulations

• Lack of full investigation powers

Slide 8

Privacy of Personal Information Act

Ontario issued a draft bill in 2002 that applied to all non-public sector organizations

Created special rules for health sector

MCBS consulted with stakeholders to refine aspects of the draft bill

Unfortunately this draft bill was never introduced

Slide 9

If No Provincial Health Legislation?

If Ontario fails to enact its own legislation, PIPEDA takes effect:

• Only commercial entities covered - ambiguity about who is in and who is out

• Not tailored to meet the needs of the health sector

• Principle-based approach rather than specifics could result in inconsistent implementation

• Oversight left to the federal Privacy Commissioner

Slide 10

Ontario’s Health Information Protection Act, 2003 (HIPA)

Ontario government introduced health privacy bill (Bill 31) on December 17, 2003

Referred to the Standing Committee on General Government, which held public hearings and clause-by-clause study

Received Second Reading on April 8, 2004

Expected to come into effect January 1, 2005

Slide 11

Bill 31 – Two parts

Schedule A – the Personal Health Information Protection Act (PHIPA)

Schedule B – the Quality of Care Information Protection Act (QOCIPA)

Slide 12

Bill 31 – Based on Fair Information Practices

• Accountability
• Identifying Purposes
• Consent
• Limiting Collection
• Limiting Use, Disclosure, Retention
• Accuracy
• Safeguards
• Openness
• Individual Access
• Challenging Compliance

Slide 13

Scope of PHIPA

Health information custodians (HICs) that collect, use and disclose personal health information (PHI)

Non-health information custodians where they receive personal health information from a health information custodian (use and disclosure provisions)

Slide 14

Health Information Custodians

Definition includes:
• Health care practitioners
• Hospitals and independent health facilities
• Homes for the aged and nursing homes
• Pharmacies
• Laboratories
• Homes for special care
• A centre, program or service for community health or mental health

Slide 15

PHIPA Practices

• Must take reasonable steps to ensure accuracy
• Must maintain the security of PHI in its custody or control
• Must have a contact person to ensure compliance with the Act and to respond to access requests, inquiries and complaints from the public
• Must have information practices in place that comply with the Act
• Must make available a written statement
• Must be responsible for the actions of its agents

Slide 16

PHIPA Consent

Consent is required for the collection, use, disclosure of PHI subject to specific exceptions

Consent must:
• be a consent of the individual
• be knowledgeable
• relate to the information
• not be obtained through deception or coercion

Consent may be express or implied

Slide 17

Collection, Use and Disclosure Without Consent

Derogations from the consent principle are allowed in limited circumstances.

As required by law

To protect the health or safety of the individual or others

To identify a deceased person or provide reasonable notice of a person’s death

Slide 18

Patient Access to Records

PHIPA Expands and Codifies the Common-Law Right of Access

Right of access to all records of personal health information about the individual in the custody or control of any health information custodians

Provides right to correct their records of personal health information.

Recognizes special factors surrounding health information by allowing for incorrect information to be struck out without obliterating the original record.

Slide 19

Oversight and Enforcement

Office of the Information and Privacy Commissioner is the oversight body

IPC may appoint an Assistant Commissioner for Personal Health Information

IPC may investigate where:
• A complaint has been received
• The Commissioner has reasonable grounds to believe that a person has contravened or is about to contravene the Act

IPC has powers to enter and inspect premises, require access to PHI and compel testimony

Slide 20

Strengths of PHIPA

Creation of a health data institute to address criticism of “directed disclosures”

Open regulation-making process to bring public scrutiny to future regulations

Implied consent for sharing of personal health information within circle of care

Adequate powers of investigation to ensure that complaints are properly reviewed

Slide 21

Role of the IPC

IPC currently has oversight of two laws:
• Provincial Freedom of Information and Protection of Privacy Act
• Municipal Freedom of Information and Protection of Privacy Act

IPC may issue orders for access/correction appeals

IPC investigates privacy complaints and may issue report with recommendations but not orders

Slide 22

Access and Correction Appeals

Appeals under current public sector laws may be dealt with through three stages:

IPC will examine situation and may contact individual or organization for more information (Intake)

If not dismissed, the appeal proceeds to mediation, the IPC’s preferred method of dispute resolution

If mediation is unsuccessful, appeal proceeds to adjudication and an order will be issued.

Slide 23

Privacy Complaints

IPC goal in dealing with complaints under public sector legislation is to assist organizations in taking whatever steps are necessary to prevent future occurrences

Intake staff attempt to resolve complaints informally, through liaising with organization and complainant

If not resolved, complaint goes to the investigation stage and a mediator investigates

The mediator prepares a report, including recommendations

Slide 24

Role of IPC under PHIPA

Use of mediation and alternative dispute resolution to be stressed

Order-making power as a last resort

Conducting public and stakeholder education programs

Comment on an organization’s information practices

Slide 25

Stressing the 3 C’s

Consultation
• Opening lines of communication with the health community

Collaboration
• Working together to find solutions

Co-operation
• Rather than confrontation in resolving complaints

Slide 26

Making Health Privacy Work

Think beyond compliance with legislation

Use technology to help protect personal health information:

• Build privacy right into design specifications

• Minimize collection and routine use of personally identifiable information – use aggregate or coded information if possible

• Use encryption where practicable

• Think about using pseudonymity, coded data

• Conduct privacy impact assessments

Slide 27

Lessons from Chatham-Kent

Use of encryption to secure databases

Investigate privacy-enhancing technologies to shield personal health information from systems administrators

Conduct an end-to-end privacy impact assessment (PIA)

Conduct independent security audits

Privacy Review: Chatham-Kent IT Transition Pilot Project

• www.ipc.on.ca/english/pubpres/reports/042202.pdf
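Slide 26 lists minimized collection, coded data and pseudonymity as technical protections, and the Chatham-Kent lessons above add shielding personal health information from systems administrators. The following Python program is an added example written for this page; it is not code from the IPC or from either review. It builds a coded extract for a secondary purpose such as planning or research: direct identifiers are replaced by an HMAC token so records stay linkable for counting, the postal code is generalised, and only the custodian, who holds the key, can relink a token to a health number. The analytics database and its administrator never hold the key. It also shows why an unkeyed hash of a ten-digit health number is not a pseudonym: the identifier space is small enough to enumerate. The sample records, field names, diagnosis codes and key are constructed for the example; encryption of the stored extract, also on both slides, is left to the database or a vetted library and is not shown.

```python
"""Pseudonymised extract of personal health information for secondary use.

Added example, not from the IPC presentation. Analysts and the database
administrator of the analytics store see coded records only; the custodian
keeps the HMAC key, which is the only thing that can relink a pseudonym to a
health number. Records, field names and key below are constructed.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, List, Optional

# Constructed sample records: made-up people, made-up health numbers.
PHI_RECORDS: List[Dict] = [
    {"health_number": "1234567890", "name": "Patient One",
     "postal_code": "M5S 2V1", "year_of_birth": 1961, "diagnosis": "E11"},
    {"health_number": "2345678901", "name": "Patient Two",
     "postal_code": "M5S 3K7", "year_of_birth": 1974, "diagnosis": "I10"},
    {"health_number": "1234567890", "name": "Patient One",
     "postal_code": "M5S 2V1", "year_of_birth": 1961, "diagnosis": "I10"},
    {"health_number": "3456789012", "name": "Patient Three",
     "postal_code": "K1A 0A6", "year_of_birth": 1990, "diagnosis": "E11"},
]

DIRECT_IDENTIFIERS = ("health_number", "name")


def pseudonym(health_number: str, key: bytes) -> str:
    """Keyed token for a health number.

    HMAC rather than a bare hash: a ten-digit number space is small enough to
    enumerate, so anyone holding an unkeyed SHA-256 of the number can recover
    it (see brute_force_unkeyed). With HMAC the key, not the digest, is what
    must be protected, and it never leaves the custodian.
    """
    return hmac.new(key, health_number.encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymize(record: Dict, key: bytes) -> Dict:
    """Coded copy of one record: direct identifiers removed, a stable
    pseudonym added, postal code generalised to its first three characters
    (the forward sortation area) to limit re-identification by location."""
    coded = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    coded["pseudonym"] = pseudonym(record["health_number"], key)
    coded["fsa"] = coded.pop("postal_code")[:3]
    return coded


def pseudonymize_dataset(records: Iterable[Dict], key: bytes) -> List[Dict]:
    return [pseudonymize(r, key) for r in records]


def patients_per_diagnosis(coded_records: Iterable[Dict]) -> Dict[str, int]:
    """Aggregate query that needs no identifiers: distinct patients per
    diagnosis code. Works because the pseudonym is stable under one key."""
    seen: Dict[str, set] = {}
    for r in coded_records:
        seen.setdefault(r["diagnosis"], set()).add(r["pseudonym"])
    return {dx: len(p) for dx, p in seen.items()}


def relink(token: str, candidate_numbers: Iterable[str], key: bytes) -> Optional[str]:
    """Custodian-side relinking: recompute tokens over its own patient index.
    Without the right key this returns None for every token."""
    for hn in candidate_numbers:
        if hmac.compare_digest(pseudonym(hn, key), token):
            return hn
    return None


def unkeyed_digest(health_number: str) -> str:
    """The weak alternative: a bare SHA-256 of the identifier."""
    return hashlib.sha256(health_number.encode()).hexdigest()


def brute_force_unkeyed(digest_hex: str, number_space: Iterable[str]) -> Optional[str]:
    """What anyone with the coded data can do to an unkeyed digest: enumerate
    the identifier space until the digest matches. No key is needed."""
    for hn in number_space:
        if unkeyed_digest(hn) == digest_hex:
            return hn
    return None


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # generated and held by the custodian only
    coded = pseudonymize_dataset(PHI_RECORDS, key)
    print(coded[0])
    print(patients_per_diagnosis(coded))
    # A full brute force over all 10**10 health numbers is feasible offline;
    # the demonstration searches a small constructed range around one number.
    space = (f"{n:010d}" for n in range(1234567000, 1234568000))
    print(brute_force_unkeyed(unkeyed_digest("1234567890"), space))
```

The key is the separation of duties: it is generated and stored by the custodian (ideally in a hardware security module or a secrets service the analytics administrators cannot read), and relinking happens only there, on request and with a logged reason. Rotating the key produces a fresh set of pseudonyms, which is what you want when an extract is retired and what you must plan for when two extracts have to be joined.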

Slide 28

Lessons From UHN Privacy Assessment

Strong Privacy Policy

Real Consequences for Breaches

Ongoing Privacy Training
• Incorporate privacy training into the undergraduate curriculum for medical students

Independent Security and Privacy Audits

www.ipc.on.ca/english/pubpres/reports/073002.pdf

Slide 29

How to Contact Us

Commissioner Ann Cavoukian, Information & Privacy Commissioner/Ontario

80 Bloor Street West, Suite 1700

Toronto, Ontario M5S 2V1

Phone: (416) 326-3333

Web: www.ipc.on.ca

E-mail: [email protected]

Slide 30

Alternatives to Investigation

Prior to investigating a complaint, the Commissioner may:
• Inquire as to other means used by the individual to resolve the complaint
• Require the individual to explore a settlement
• Authorize a mediator to review the complaint and try to settle the issue

Slide 31

Decision Not to Investigate

The Commissioner may decide not to investigate a complaint where:
• An adequate response has been provided to the complainant
• The complaint could have been dealt with through another procedure
• The complainant does not have sufficient personal interest in the issue
• The complaint is frivolous, vexatious or made in bad faith

Slide 32

Powers of the Commissioner

After conducting an investigation, the Commissioner may issue an order:
• To provide access to, or correction of, personal health information
• To cease collecting, using or disclosing personal health information in contravention of the Act
• To dispose of records collected in contravention of the Act
• To change, cease or implement an information practice

Orders, other than for access or correction, may be appealed on questions of law

Slide 33

Offences and Penalties

Creates offences for contravention of the legislation, including:
• wilfully collecting, using or disclosing PHI in contravention of the Act;
• once an access request has been made, disposing of a record of personal information in an attempt to evade the request;
• wilfully failing to comply with an order made by the IPC

Maximum penalty of $50,000 for an individual and $250,000 for a corporation

Slide 34

Action for Damages

An individual affected by an IPC order may bring an action for damages for actual harm suffered

Where the harm suffered was caused by a wilful or reckless breach, the compensation may include an award not exceeding $10,000 for mental anguish

No action for damages may be instituted against a HIC for anything done in good faith or any alleged neglect or default that was reasonable in the circumstances