Www.ipc.on.ca Ontario’s New Health Information Protection Act: The Wait is Over Ann Cavoukian,...
-
Upload
toby-edwards -
Category
Documents
-
view
219 -
download
1
Transcript of Www.ipc.on.ca Ontario’s New Health Information Protection Act: The Wait is Over Ann Cavoukian,...
www.ipc.on.ca
Ontario’s New Health Information Protection Act: The Wait is Over
Ann Cavoukian, Ph.D.Ann Cavoukian, Ph.D.Information & Privacy Commissioner/Ontario
Emergis Information Security
Toronto
February 3, 2005
www.ipc.on.cawww.ipc.on.ca Slide 2
Health Privacy is Critical
The need for privacy has never been greater:
• Extreme sensitivity of personal health information
• Patchwork of rules across the health sector; with some areas currently unregulated
• Increasing electronic exchanges of health information
• Multiple providers involved in health care of an individual – need to integrate services
• Development of health networks
• Growing emphasis on improved use of technology, including computerized patient records
www.ipc.on.cawww.ipc.on.ca Slide 3
Unique Characteristics of Personal Health Information
Highly sensitive and personal in nature
Must be shared immediately and accurately among a range of health care providers for the benefit of the individual’s treatment and care
Widely used and disclosed for secondary purposes that are seen to be in the public interest (e.g., research, planning, fraud investigation, quality assurance)
www.ipc.on.cawww.ipc.on.ca Slide 4
Ontario’s Personal Health Information Protection Act (PHIPA)
Came into effect November 1, 2004
Schedule A – the Personal Health Information Protection Act (PHIPA)
Schedule B – the Quality of Care Information Protection Act (QOCIPA)
www.ipc.on.cawww.ipc.on.ca Slide 5
PHIPA – Based on Fair Information Practices
AccountabilityIdentifying PurposesConsentLimiting CollectionLimiting Use,
Disclosure, RetentionAccuracy
SafeguardsOpennessIndividual AccessChallenging
Compliance
www.ipc.on.cawww.ipc.on.ca Slide 6
Strengths of PHIPA
Implied consent for sharing of personal health information within circle of care
Creation of health data institute to address criticism of “directed disclosures”
Open regulation-making process to bring public scrutiny to future regulations
Adequate powers of investigation to ensure that complaints are properly reviewed
www.ipc.on.cawww.ipc.on.ca Slide 7
Scope of PHIPA
Health information custodians (HICs) that collect, use and disclose personal health information (PHI)
Non-health information custodians where they receive personal health information from a health information custodian (use and disclosure provisions)
www.ipc.on.cawww.ipc.on.ca Slide 8
Health Information Custodians
Definition includes:• Health care practitioner • Hospitals and independent health facilities• Homes for the aged and nursing homes• Pharmacies• Laboratories• Home for special care• A centre, program or service for community
health or mental health
www.ipc.on.cawww.ipc.on.ca Slide 9
Records Management: General Practices
Must take reasonable steps to ensure accuracy Must maintain the security of PHI Must have a contact person to ensure compliance
with Act, respond to access/correction requests, inquiries and complaints from public
Must have information practices in place that comply with the Act
Must make available a written statement of information practices
Must be responsible for actions of agents
www.ipc.on.cawww.ipc.on.ca Slide 10
PHIPA Consent
Consent is required for the collection, use, disclosure of PHI, subject to specific exceptions
Consent must: be a consent of the individual be knowledgeable relate to the information not be obtained through deception or coercion
Consent may be express or implied
www.ipc.on.cawww.ipc.on.ca Slide 11
Meaningful Consent Forms
Notices and consent forms must be concise and understandable to be effective
PIPEDA notices and consents used by some health professionals are lengthy, confusing and counterproductive
Use notices and consent forms to educate and inform patients, not as an exercise in legal drafting
www.ipc.on.cawww.ipc.on.ca Slide 12
Short Notices
IPC/OBA short notices working group:• To promote concise, user-friendly, sector-
specific notices and consent forms to serve as effective communication tools
• Adopt “layered” approach, with emphasis on developing separate short notices for primary care providers, hospitals, and long-term care facilities
www.ipc.on.cawww.ipc.on.ca Slide 13
Implied Consent
custodians may imply consent when disclosing personal health information to other custodians for the purpose of providing health care to the individual
exception – if the individual expressly withholds or withdraws consent (lock box)
www.ipc.on.cawww.ipc.on.ca Slide 14
Checks on the Lock Box
Notification – if the custodian who discloses believes that all information necessary for the the provision of health care has not been disclosed, the custodian must notify the recipient
Override – the custodian may disclose if disclosure is necessary to eliminate or reduce a significant risk of serious bodily harm to a person or a group of persons
www.ipc.on.cawww.ipc.on.ca Slide 15
Delayed Implementation of the Lock Box
public hospitals have until November 1, 2005 to implement the lock box
www.ipc.on.cawww.ipc.on.ca Slide 16
Express Consent
required when a custodian discloses to a non-custodian
required when a custodian discloses to another custodian for a purpose other than providing health care to the individual
required for marketing and fundraising (when using more than name and specified contact information)
www.ipc.on.cawww.ipc.on.ca Slide 17
Right of Access and Correction
PHIPA Expands and Codifies the Common-Law Right of Access
Right of access to all records of personal health information about the individual in the custody or control of any health information custodian (some exceptions)
Provides right to correct their records of personal health information (some exceptions)
www.ipc.on.cawww.ipc.on.ca Slide 18
Access
custodian must make the record available or provide a copy, if requested
custodian must respond to request within 30 days, with a possible 30 day extension
custodian must take reasonable steps to be satisfied of the individual’s identity
custodian must offer assistance in reformulating a request that lacks sufficient detail
www.ipc.on.cawww.ipc.on.ca Slide 19
How to Correct Records
by striking out the incorrect information in a manner that does not obliterate it or
by labeling the information as incorrect and severing it from the record, while maintaining a link to the record or
if the correction cannot be recorded in the record, the custodian must ensure there is a practical system to inform persons accessing the record that the information is incorrect and where to obtain correct information
www.ipc.on.cawww.ipc.on.ca Slide 20
Notice of Correction
at the request of the individual, the custodian must give written notice of the requested correction, to the extent reasonably possible, to persons to who the custodian has disclosed the information
exception – if the correction cannot be reasonably expected to have an effect on the ongoing provision of health care or other benefits
www.ipc.on.cawww.ipc.on.ca Slide 21
Statement of Disagreement
if the custodian refuses a correction request, the individual is entitled to require the custodian to attach to the record a statement of disagreement prepared by the individual
custodian must make reasonable efforts to notify anyone who would have been notified if there was a correction
www.ipc.on.cawww.ipc.on.ca Slide 22
Compliance: A Model
Don’t discuss confidential information in public areas (e.g. elevators, food courts, hallways) where it may be overheard;
Don’t leave PHI such as charts, reports and recruitment lists in places where they can be viewed by the public.
www.ipc.on.cawww.ipc.on.ca Slide 23
Compliance: A Model (cont’d)
Don’t leave the computer terminal with PHI readily visible or accessible. Log off when you are finished & keep your password to yourself.
Don’t reveal confidential information to others without a need for them to know it;
Shred all papers that contain PHI when no longer in use;
www.ipc.on.cawww.ipc.on.ca Slide 24
Oversight and Enforcement
Office of the Information and Privacy Commissioner is the oversight body
IPC may investigate where:A complaint has been receivedCommissioner has reasonable grounds to believe
that a person has contravened or is about to contravene the Act
IPC has powers to enter and inspect premises, require access to PHI and compel testimony
www.ipc.on.cawww.ipc.on.ca Slide 25
Role of IPC under PHIPA
Use of mediation and alternate dispute resolution always stressed
Order-making power used as a last resort
Conducting public and stakeholder education programs: education is key
Comment on an organization’s information practices
www.ipc.on.cawww.ipc.on.ca Slide 26
Complaint Process
Complaint can be filed based on access or correction decision of a HIC
Complaint can be filed if a person believes the HIC has or is about to contravene the Act or its regulations
Complaint will usually relate to the collection, use or disclosure of personal health information
www.ipc.on.cawww.ipc.on.ca Slide 28
Public Education Program
Frequently Asked Questions and Answers available on IPC website (including hard copies)
User Guide for Health Information Custodians available on IPC website (including hard copies)
IPC PHIPA publications distributed to Colleges and Associations of the Regulated Health Professions
IPC/MOH brochure for the general public
• may be placed in reception areas
• to be distributed to patients
www.ipc.on.cawww.ipc.on.ca Slide 29
Public Education Program (con’t.)
IPC member of OHA/OMA/IPC/MOH PHIPA tool kit project
IPC/OBA “short notices” working group
• Developing concise, user-friendly notices and consent forms to serve as effective communication tools
On-going meetings with Regulated Health Professions, the Federation of Health Regulatory Colleges and Associations
IPC PHIPA awareness article distributed to Colleges/Associations for inclusion in their members’ Magazines and Newsletters
www.ipc.on.cawww.ipc.on.ca Slide 30
Keeping HIC’s Informed
Orders will be public documents and available on our Web site
Summaries of all mediated cases will be available on our website
Relevant data will be regularly made available to the public and health professionals (e.g. number of complaints, examples of successful mediations, common issues)
www.ipc.on.cawww.ipc.on.ca Slide 31
Stressing the 3 C’s
Consultation• Opening lines of communication with health
community and HICs
Co-operation• Rather than confrontation in resolving complaints
Collaboration• Working together to find solutions
www.ipc.on.ca
How to Contact UsHow to Contact Us
Commissioner Ann CavoukianCommissioner Ann CavoukianInformation & Privacy Commissioner/Ontario
2 Bloor Street East, Suite 1400
Toronto, Ontario M4W 1A8
Phone: (416) 326-3333
Web: www.ipc.on.ca
E-mail: [email protected]