
Health and Business Privacy Law

Health and Business Privacy Law. Ann Cavoukian, Ph.D. Information & Privacy Commissioner/Ontario. Ontario Bar Association “An Evening with the Information and Privacy Commissioner of Ontario” June 16, 2005. PHIPA: First Six Months at the Commissioner’s Office.



Presentation Transcript


  1. Health and Business Privacy Law
     Ann Cavoukian, Ph.D.
     Information & Privacy Commissioner/Ontario
     Ontario Bar Association “An Evening with the Information and Privacy Commissioner of Ontario”
     June 16, 2005

  2. PHIPA: First Six Months at the Commissioner’s Office

  3. Ontario’s PHIPA: Personal Health Information Protection Act
     • Came into effect November 1, 2004
     • Schedule A – the Personal Health Information Protection Act (PHIPA)
     • Schedule B – the Quality of Care Information Protection Act (QOCIPA)

  4. PHIPA Based on Fair Information Practices
     • Accountability
     • Identifying Purposes
     • Consent
     • Limiting Collection
     • Limiting Use, Disclosure, Retention
     • Accuracy
     • Safeguards
     • Openness
     • Individual Access
     • Challenging Compliance

  5. Mandate of the Legislation
     • Require consent for the collection, use and disclosure of personal health information, with necessary but limited exceptions;
     • Require that health information custodians treat all personal health information as confidential and keep it secure;
     • Codify an individual’s right to access his/her personal health information, as well as the right to correct errors;
     • Give a patient the right to instruct health information custodians not to share any part of his/her personal health information with other health care providers;

  6. Mandate of the Legislation (Cont’d)
     • Establish clear rules for the use of personal health information for fundraising or marketing purposes;
     • Set guidelines for the use and disclosure of personal health information for research purposes;
     • Ensure accountability by granting an individual the right to complain to the IPC about the practices of a health information custodian; and
     • Establish remedies for breaches of the legislation.

  7. Role of IPC under PHIPA
     • Use of mediation and alternate dispute resolution always stressed;
     • Order-making power used as a last resort;
     • Conducting public and stakeholder education programs: education is key;
     • Comment on an organization’s information practices.

  8. Powers of the Commissioner
     Under PHIPA, the Commissioner may make an order directing any person whose activities the Commissioner reviewed:
     • to grant an individual access to a requested record, or to make a requested correction, if a review relates to a complaint from a request by an individual for access to, or correction of, a record;
     • to cease collecting, using or disclosing personal health information;
     • to change, cease, not commence or implement an information practice; or
     • to make comments and recommendations on the privacy implications of any matter that is the subject of the review.
     2004, c. 3, Sched. A, s. 61 (1).

  9. Commissioner’s Review
     • If a complaint cannot be settled informally, the Commissioner may conduct a review of the complaint. It is the Commissioner’s decision whether or not to conduct a review;
     • In the absence of a complaint, the Commissioner also has the power to conduct a self-initiated review;
     • In conducting a review, the Commissioner may: enter any premises associated with the review; inspect or copy any records, documents, and other material relevant to the review; summon persons to appear before the Commissioner and require them to provide evidence under oath; inquire into records of personal health information, under specified circumstances; and issue binding orders.

  10. The Process

  11. Status of Cases
     As of June 16, 2005, we have received 74 complaints:
     • 31 Access/Correction Complaints (6 at Intake, 2 at Mediation, 23 Resolved)
     • 26 Collection/Use/Disclosure Complaints (13 at Intake, 1 at Mediation, 12 Resolved)
     • 16 HIC-Reported Breaches (7 at Mediation, 9 Resolved)
     • Total (74): 30 Files Open; 44 Files Closed

  12. Mediation Stories: A Private Lab
     • A computer containing patients’ PHI was stolen from a private laboratory during an after-hours break-in;
     • As a solution, it was decided that the IPC would work with the laboratory to develop a notification program which included the following response: a) area physicians were sent a Public Notice of the theft and asked to post it and provide a copy to affected patients; b) the laboratory was asked to post a Public Notice; and c) a press release for local media outlets was issued.

  13. Mediation Stories: A Hospital
     • 396 patient diagnostic reports went missing from patients’ charts in the course of routine clerical work;
     • In this case, there were special circumstances that led the IPC to recommend that notice of the breach should be given in person by the health care provider and posted in the patient’s files. It was agreed that patients would be notified of the breach at their next appointment with their health care provider.

  14. Mediation Stories: A Records Storage Company
     • A mother who was seeking both her own and her daughter’s health records from a record storage company was faced with a fee that she claimed was excessive and would impose a personal hardship.
     • The IPC intervened to facilitate a reduced fee. The company agreed to reduce its fee if the complainant could provide information to support her statement that the fee would in fact impose a hardship.
     • The information was provided through the mediator and the fee was reduced to an agreeable amount. The complainant was satisfied and the file was closed.

  15. Short Notices Background

  16. Privacy Policies: Growing Pains
     • Short notices to the public came to be realized as a necessity when legislation governing privacy began to increase, prompting many organizations to accommodate as much of the new regulations as possible into their privacy statements and notices;
     • “When GLBA and HIPAA were passed, there was a requirement to make these notices even more complete and long. That has resulted in privacy notices that are barely readable and largely ineffective.” — Martin Abrams, Executive Director, Center for Information and Policy Leadership, Hunton & Williams LLP, 2004

  17. Hunton & Williams
     • The Hunton & Williams Center for Information Policy Leadership, pioneering in work on short notices, has conducted focus groups on privacy policies;
     • They found that consumer trust in companies was eroded by lengthy, legalistic privacy policies;
     • Focus group studies found that people preferred short privacy notices that clearly communicated how a company was using and sharing their personal information;
     • Subjects expressed support for a common “template” that could be used by different companies.

  18. The Short Notice
     • Clearly, more effective communications tools are needed;
     • The short notice is an initial notice that an individual receives when personal information is first sought;
     • The goal of the short notice is to provide all individuals with essential information in an easily readable and comparable format.
     A short notice should include:
     • who the privacy notice covers;
     • the types of information collected directly from the individual and indirectly from others about the individual;
     • uses or purposes for the data collected;
     • the types of entities that may receive the information (if it is shared);
     • information on choices available to the individual to limit use and exercise any access or other rights, and how to exercise those rights;
     • how to contact the organization for more information or to file a complaint.

  19. Why Short Notices are Important
     Short notices:
     • ensure that people are well informed about what an organization does with their personal information; and
     • allow people to become empowered with a choice over their personal information.

  20. Benefit of Short Notices
     While individuals are the main beneficiaries of improved communication of information about an organization’s privacy practices, there are also benefits for organizations:
     • Able to communicate more effectively with the public, allowing for the growth of a relationship based on trust, through simple understanding;
     • A standardized format could be used globally by an organization to provide for economies of scale.

  21. Short Notices: International Efforts
     • 2003: the movement to establish a global short privacy notice was officially recognized at the International Conference of Data Protection Commissioners in Sydney, Australia
     • 2004: in Berlin, a working group of Commissioners (including the IPC), business leaders, lawyers and privacy practitioners met and prepared a memorandum recognizing that a new architecture was needed for privacy notices
     • 2004: the EU Article 29 Working Group issued the position paper WP100 on the use of “multi-layered notices”

  22. Berlin Memorandum
     Effective privacy notices should be delivered within a framework with the following core concepts:
     • Multi-layered – Privacy information should not be conveyed solely in a single document
     • Comprehension and Plain Language – All layers should use language that is easy to understand
     • Compliance – The total notices framework (all the layers taken together) should be compliant with relevant law
     • Format and Consistency – Consistent format and layout will facilitate comprehension and comparison
     • Brevity – The length of a privacy notice makes a difference (maximum of seven categories)
     • Public Sector – These concepts have equal applicability to government collection and use of personal information

  23. Health Information Short Notices

  24. Health Information Short Notices
     • The goal is to develop easy-to-read items containing the necessary elements regarding the collection, use and disclosure of personal health information, but not so much information that the public will not be able to read them;
     • The language of the notices must be accessible and easily understood by most people — plain language is key.

  25. Health Information Short Notices Working Group
     • Information and Privacy Commissioner/Ontario
     • Ontario Bar Association’s Privacy and Health Law sections
     • Ministry of Health and Long-Term Care
     • Ontario Dental Association
     • One of only several projects around the world focusing on short notices in the health sector;
     • The working group will continue to make efforts in developing additional layers of information to supplement the notices
     • The IPC looks forward to engaging members of the health and legal profession in further improving the multi-layered approach in communicating with the public

  26. Short Notices Under PHIPA: Role of the IPC
     • In Ontario, the IPC has taken a leadership role in promoting the use of short notices in the health sector
     • Being the oversight body for PHIPA, the IPC has indicated that the notices prepared by health professionals must provide useful and understandable information to patients
     • The IPC wanted to ensure that patients are well informed of their rights and have the knowledge to exercise those rights
     • Additionally, the IPC also wanted to help Health Information Custodians communicate more effectively with the public — as PHIPA requires custodians to take reasonable steps to inform the public about their information practices and how patients may exercise their rights

  27. Design of the Health Information Short Notice
     In line with the Berlin Memorandum, the PHIPA short notices group has adopted a multi-layered approach, with an emphasis on developing separate short notices for each of the following health care groups:
     • Primary care providers
     • Hospitals and facilities
     • Long-term care facilities
     Primary Care Notices are not profession-specific, but should apply to all primary health care providers.

  28. Design of the Health Information Short Notice (Cont’d)
     Notices and brochures are harmonized with a consistent look and feel.
     Notices:
     • Capable of being used as a wall poster or in hand-out paper format
     • Capable of being used online as well as in hard copy
     • Include IPC logo, logo of OBA and possibly logo of limited number of distributing organizations – health Colleges and major health professional associations
     • Have space for individual practitioner/hospital or facility to include contact information
     Brochures:
     • Brochures can vary in length, depending on whether for primary care or for hospital use
     • Brochures should be useable online as well as in hard copy

  29. Breaches of Privacy and Security

  30. Identity Theft
     • The fastest growing form of consumer fraud in North America
     • Identity theft is the most frequently cited complaint received by the F.T.C.
     • 10 million victims of ID theft each year, costing businesses $50 billion, and $5 billion in out-of-pocket expenses from individuals — Federal Trade Commission, 2003
     • The Canadian offices of Equifax and TransUnion credit bureaus have reported that they receive approximately 1,400 to 1,800 identity theft complaints per month

  31. Recent Outbreak of Major Privacy Breaches
     • November 2004: ChoicePoint — Identity theft involving 145,000 persons
     • December 2004: Bank of America — 1.2 million records misplaced
     • January 2005: T-Mobile — Illegal access to 16.3 million records
     • January 2005: HSBC — 180,000 MasterCard records stolen
     • February 2005: Ameritrade — 200,000 customer files lost
     • March 2005: LexisNexis — Identity theft involving 32,000 records
     • March 2005: DSW Inc — Hacker theft of 103 credit card numbers
     • March 2005: Boston College — Theft of 120,000 alumni donor records
     • April 2005: TimeWarner — Lost files on 600,000 employees
     • May 2005: Largest Security Breach in Canada to date: United Food and Commercial Workers Local 832, Winnipeg — Hard drives stolen from computers containing data on approximately 20,000 union members
     • June 2005: Citibank — Backup tape containing personal information on almost 4 million customers was lost by UPS delivery service

  32. ChoicePoint
     • A data aggregation and clearinghouse company that maintains databases of background information on virtually every U.S. citizen
     • 19 billion public records in its database: motor vehicle registrations, license and deed transfers, military records, names, addresses and Social Security numbers
     • ChoicePoint routinely sells dossiers to police, lawyers, reporters and private investigators

  33. ChoicePoint: Gateway for Identity Thieves
     • In a plot twist taken from a Hollywood movie, criminals were creating false identities to establish accounts with ChoicePoint and then using those accounts to commit identity theft
     • In response, ChoicePoint: notified 35,000 Californians as required by California law, SB1386; notified an additional 145,000 persons that “unauthorized third parties” had obtained their personal information
     • Los Angeles police believe that the actual number of persons affected could be 500,000 or more

  34. ChoicePoint: Fallout and Cost
     • Since the privacy breach was discovered, ChoicePoint’s stock value has fallen from $48 to approximately $38
     • ChoicePoint will pay to re-screen, and re-credential, 17,000 customers to verify that they are legitimate businesses
     • Suspension of contract with New York State — other states pending
     • March 2005, suspension of sales to small businesses — loss of 5% of annual revenue, or $900 million
     • Three separate lawsuits have been filed: victim of I.D. theft; class action by individuals; class action by shareholders

  35. The Unpredictable Cost: Litigation
     • Since 2000, 182 cases of consumer privacy litigation have been brought against 234 corporate defendants, with $160 million paid out in damages:
     • $52.5m to the Federal Trade Commission
     • $39.7m to state regulators
     • $32.3m to private individuals
     • $28.4m to private class action
     • $6.9m to various federal agencies
     Privacy & American Business, Consumer Privacy Litigation Report, 2004

  36. SB1386
     • California SB 1386 became effective on July 1, 2003
     • Essentially, it requires an agency, person or business that conducts business in California and owns or licenses computerized “personal information” to disclose any breach of security to any resident whose unencrypted data is believed to have been disclosed

  37. Impact of SB1386
     • This law has had a substantial impact on business practices in California. The California Office of Privacy Protection recently surveyed California companies and found that:
     • 76% changed their communications policies as a result of the new law;
     • 50% changed the way they used social security numbers; and
     • 33% changed security procedures.

  38. The Coming Privacy Storm
     • April 2005: 39 bills were pending in 19 states modeled after California’s SB1386
     • May 2005: six states signed laws that now require consumers to be notified if personal information has been subject to a security breach: Arkansas, Georgia, Indiana, Montana, North Dakota and Washington
     • Although the new laws are similar to California’s SB1386, varying state requirements will likely put pressure on Congress to pass a federal version of SB1386
     • Legislation is also being considered that would ban the sale of Social Security numbers without the permission of the owner, except when needed by law enforcement

  39. Made in Ontario Law
     • In March of 2005, the IPC wrote a letter to the Minister of Consumer and Business Services, highlighting the need for private sector legislation in Ontario;
     • Emphasis was placed on the increasing number of large-scale privacy breaches and the growing number of U.S. states that have bills pending to target identity theft;
     • Further mention was given to the fact that Alberta, British Columbia and Quebec have already enacted private sector privacy legislation.

  40. Getting Your Clients Ready for Privacy Legislation
     • Complying with privacy principles may require changes to your clients’ personal information management practices
     • An effective privacy program needs to be integrated into the corporate culture
     • It is essential that privacy protection become a corporate priority throughout all levels of the organization
     • Senior Management and Board of Directors’ commitment is critical (www.ipc.on.ca/docs/director.pdf)

  41. Assist Your Client to Develop a Privacy Plan
     Your clients must:
     • Understand the privacy principles
     • Identify company personal information holdings
     • Assess the impact of privacy principles on operations and align information practices
     • Design or change existing information management systems
     • Train staff, re-train staff – an on-going process
     • Test and evaluate systems and processes
     • Create or revise policies, procedures and practices
     • Develop or revise forms and communications material
     • Redraft contracts with agents/suppliers for compliance
     • Inform the public and educate customers – use short notices!

  42. Final Thought
     “Anyone today who thinks the privacy issue has peaked is greatly mistaken…we are in the early stages of a sweeping change in attitudes that will fuel political battles and put once-routine business practices under the microscope.” - Forrester Research, March 5, 2001

  43. How to Contact Us
     Commissioner Ann Cavoukian
     Information & Privacy Commissioner/Ontario
     2 Bloor Street East, Suite 1400
     Toronto, Ontario M4W 1A8
     Phone: (416) 326-3333
     Web: www.ipc.on.ca
     E-mail: commissioner@ipc.on.ca
