1 / 30

IPC Complaint Process

IPC Complaint Process. Brian Beamish, Assistant Commissioner Robert Binstock, Registrar Mona Wong, Manager of Mediation Nancy Ferguson, Mediator/Investigator Joseph Sommer, Intake Analyst. TYPES OF COMPLAINTS: ACCESS/CORRECTION

lowell
Download Presentation

IPC Complaint Process

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. IPC Complaint Process Brian Beamish, Assistant Commissioner Robert Binstock, Registrar Mona Wong, Manager of Mediation Nancy Ferguson, Mediator/Investigator Joseph Sommer, Intake Analyst

  2. TYPES OF COMPLAINTS: • ACCESS/CORRECTION • Initiated by individual within 6 months of receiving HIC’s decision • Examples • Denial of access to requester’s personal health information (PHI). • Fee or denial of fee waiver. • Expedited Access. • Time extension. • Deemed Refusal. • Refusal to correct the requester’s PHI.

  3. TYPES OF COMPLAINTS Cont’d: • COLLECTION, USE AND DISCLOSURE • Initiated by individual if there is reason to believe the HIC has or is about to contravene the Act or its regulations. • Within one year from the time the complainant became aware of the problem. • Usually related to the collection, use or disclosure of PHI. • Custodian reported breach • IPC initiated complaint

  4. COMPLIANT PROCESS [More detailed flow charts on IPC Web site.]

  5. INTAKE: • Registrar: • reviews file to determine whether to dismiss or to stream to one of the stages in the complaint process • Intake Analysts: • Dismiss file, redirect complainant, gather more information, informally resolve, order.

  6. MEDIATION: • Mediation is the IPC’s preferred method of dispute resolution. • Summaries of resolved files on IPC Web site. • Mediators: • Assist parties to reach a full or partial settlement or simplify matters at issue • If not resolved, reports back to parties in writing before streaming file to Review. • In limited cases can issue Order.

  7. REVIEW: • Commissioner may/may not issue order. • Commissioner may make comments or recommendations on privacy implications • Order making power used as a last resort. • Orders will be posted on IPC Web site.

  8. CUSTODIAN REPORTED BREACH vs. IPC INITIATED COMPLAINT What is the difference? What do you do when faced with one?

  9. WHAT IS A “PRIVACY BREACH”? A “privacy breach” is a circumstance where personal health information is stolen, lost or accessed by unauthorized persons.

  10. WHAT IS A CUSTODIAN REPORTED BREACH? -When a custodian becomes aware themselves of a possible privacy breach; - Self-identified; - Custodians are encouraged to report these incidents to the IPC.

  11. WHAT IS AN IPC INITIATED COMPLAINT? • Upon learning of a privacy breach, the IPC may itself initiate a complaint; • Can be brought to the attention of the IPC by various sources – e.g. the media, a member of the public not affected by the breach.

  12. WHAT DO I DO WHEN FACED WITH A PRIVACY BREACH? The first two priorities are “containment” and “notification”.

  13. Containment: - Locate any PHI outside the custody or control of the responsible custodian and retrieve it; - Ensure no copies of the PHI have been made, shared with anyone or retained by the individual who was not authorized to receive it; - Determine whether the breach would allow unauthorized access to any other PHI (e.g. electronic information system) and take appropriate steps (change passwords, identification numbers).

  14. Notification: - Identify those individuals whose privacy was breached and, barring exceptional circumstances, notify those individuals, at the first reasonable opportunity; - The Act requires notification but does not specify the manner; - Can be by telephone or in writing or depending on the circumstances, a notation made in a patient’s file to be discussed at the next appointment; - When notifying, provide details of the extent of the breach and the specifics of the personal health information at issue; - Advise of the steps that have been taken to address the breach, both immediate and long-term; - Advise that the IPC has been contacted.

  15. WHAT ELSE CAN I DO? • Ensure appropriate staff within your organization are immediately notified of the breach, including the Chief Privacy Officer or contact person for the purposes of the Act; • Review any existing internal policies and procedures.

  16. WHAT PROACTIVE MEASURES CAN I TAKE? • Develop a “Privacy Breach Protocol” that includes the types of actions needed to be taken; • Educate staff about the privacy rules governing collection, retention, use and disclosure of PHI; • Educate staff about the privacy rules governing the security and safe and secure disposal of PHI;

  17. Examples of Complaints Resolved at the Intake Stage 1) Access Complaint 2) Deemed Refusal Complaint 3) Collection, Use, Disclosure Complaint

  18. Access Complaint • Patient made a request to her Ob/Gyn for a copy of her entire record of PHI • Patient received medical reports and test results, but no progress notes • IPC received a complaint as only part of the records expected by the patient were received • Intake Analyst (IA) clarified patient’s original request with Ob/Gyn’s office to provide a complete record of PHI • IA explained the requirement for the Ob/Gyn to provide the patient with her entire record • Progress notes provided to patient, complaint file closed

  19. Deemed Refusal Complaint • Patient made a request to correct her PHI with a hospital • Hospital did not issue a decision within the time required by the PHIPA. (s.55(3)) • IPC received patient’s complaint and issued a Notice of Review requiring hospital to issue a decision in 2 weeks or an order would be issued • Hospital responded on time • IA explained the hospitals obligations under the PHIPA • On confirmation that a decision was issued, IPC closed the complaint file

  20. Collection, Use, Disclosure (CUD) • Private clinic inappropriately disclosed PHI of patient A to patient B • Patient A filed a complaint with the IPC, a Notice of Complaint was issued to clinic and patient A • IA gathered details from both parties on the complaint • Clinic: acknowledged the inappropriate disclosure, provided an explanation, offered an apology to the complainant, reviewed its information practices with staff and identified the complaint as a learning experience

  21. Collection, Use, Disclosure (CUD) cont’d • IA discussed Informal Resolution of complaint with both parties • Patient agreed to the file being closed at Intake and indicated she was satisfied with the IPC’s involvement • IA wrote to both parties setting out details of the complaint, the clinic’s response and confirmed that the complaint has been closed

  22. Examples of Matters Dealt with at the Mediation/Informal Resolution Stage1) Access Complaint2) Collection, Use, Disclosure Complaint3) Collection, Use, Disclosure – Self Report by HIC4) Collection, Use, Disclosure - Report from source other than HIC

  23. Access Complaint Complaint: • When I sought access to my record the HIC tried to require me to sign a form which detailed its information practices so I could “borrow” the record, otherwise I would have to pay a fee to obtain “access”. Resolution: • information sharing about nature of HIC’s records and reason form had been presented; • HIC agreed it would not require the form to be signed in this case and would also waive the fee; • HIC agreed to consult with IPC’s Policy and Compliance Department regarding its use of the form and the special nature of its records.

  24. 2) Collection, Use, Disclosure Complaint Complaint: -I received a fundraising solicitation for a specialized healthcare unit; -I was contacted by phone and I understood this was not permitted; -the fundraising foundation was given information about my illness; -I never agreed to contact for fundraising purposes; -I wasn’t given the option to opt out of all future fundraising contact. Resolution: -information sharing about fundraising processes, relationship with foundation; -HIC agreed it will only use phone numbers with express consent; -HIC agreed all future solicitation will have clear opt out for any future fundraising contact.

  25. 3) Collection, Use, Disclosure - Custodian Reported Breach Some Examples of Losses Reported: - a fax meant for another department was forwarded to a private residence; - a routine audit revealed an employee inappropriately accessed patient PHI; - a computer was stolen containing the personal health information of patients. Resolution: -agreed on steps needed to address immediate containment issues; -discussed and agree on notification approach; -gathered information to get to bottom of how loss occurred; -discussed and agreed on steps that will be taken to avoid loss in future; -IPC Report was prepared and posted on website.

  26. 4) Collection, Use, Disclosure - IPC initiated complaint Report from Member of the Public: - A private business owner reported receiving faxes containing PHI Resolution: -agreed on steps needed to address immediate containment issues; -discussed and agreed on notification approach; -gathered information to get to bottom of how loss occurred; -discussed and agreed on steps that will be taken to avoid loss in future; -IPC Report was prepared and posted on website.

  27. IPC CONTACT INFORMATION: Information and Privacy Commissioner/Ontario 2 Bloor St West, Suite 1400 Toronto ON M4W 1A8 Telephone: 416 326-3333 Toll Free: 1-800-387-0073 TTY: 416 325-7539 Fax: 416-325-9188 Web site: http://www.ipc.on.ca

More Related