
Health Information Protection Act: A Major Step in Healthcare Privacy

Health Information Protection Act: A Major Step in Healthcare Privacy. Ann Cavoukian, Ph.D. Information & Privacy Commissioner/Ontario Health Professions Appeal and Review Board August 9, 2004. Health Privacy is Critical. The need for privacy has never been greater:


Presentation Transcript


  1. Health Information Protection Act: A Major Step in Healthcare Privacy • Ann Cavoukian, Ph.D., Information & Privacy Commissioner/Ontario • Health Professions Appeal and Review Board • August 9, 2004

  2. Health Privacy is Critical • The need for privacy has never been greater: • Extreme sensitivity of personal health information • Patchwork of rules across the health sector; with some areas currently unregulated • Increasing electronic exchanges of health information • Multiple providers involved in health care of an individual – need to integrate services • Development of health networks • Growing emphasis on improved use of technology, including computerized patient records

  3. Legislation is Critical • The IPC has been calling for legislation to protect health information since its inception in 1987 • Dates back to Justice Krever’s 1980 Report on the Confidentiality of Health Information • The Commission documented many cases of unauthorized access to health files maintained by hospitals and the Ontario Health Insurance Plan • The Report called for comprehensive health privacy legislation at that time

  4. Provincial Health Privacy Laws • Alberta: Health Information Act • Manitoba: Personal Health Information Act • Québec: Act respecting access to documents held by public bodies and the protection of personal information; Act respecting the protection of personal information in the private sector • Saskatchewan: Health Information Protection Act

  5. Ontario Bills of the Past • Numerous attempts made over the years to get a bill introduced and passed, but have never succeeded • Bill 159 – Personal Health Information Privacy Act, 2000 • Privacy of Personal Information, 2002

  6. If No Provincial Health Legislation? • If Ontario failed to enact its own legislation, PIPEDA would have taken effect: • Only commercial entities covered - ambiguity about who is in and who is out • Not tailored to meet the needs of the health sector • Principle-based approach rather than specifics could result in inconsistent implementation • No local oversight

  7. Ontario’s Health Information Protection Act, 2003 (HIPA) • Ontario government introduced health privacy bill (Bill 31) on December 17, 2003 • Standing Committee on General Government held public hearings and completed clause-by-clause study • Received Royal Assent on May 20, 2004 • Comes into effect November 1, 2004

  8. Bill 31 – Two parts • Schedule A – the Personal Health Information Protection Act (PHIPA) • Schedule B – the Quality of Care Information Protection Act (QOCIPA)

  9. Bill 31 – Based on Fair Information Practices • Accountability • Identifying Purposes • Consent • Limiting Collection • Limiting Use, Disclosure, Retention • Accuracy • Openness • Individual Access • Safeguards • Challenging Compliance

  10. Scope of PHIPA • Health information custodians (HICs) that collect, use and disclose personal health information (PHI) • Non-health information custodians where they receive personal health information from a health information custodian (use and disclosure provisions)

  11. Health Information Custodians • Definition includes: • Health care practitioner • Hospitals and independent health facilities • Homes for the aged and nursing homes • Pharmacies • Laboratories • Home for special care • A centre, program or service for community health or mental health

  12. PHIPA Practices • Must take reasonable steps to ensure accuracy • Must maintain the security of PHI • Must have a contact person to ensure compliance with Act, respond to access requests, inquiries and complaints from public • Must have information practices in place that comply with the Act • Must make available a written statement of information practices • Must be responsible for actions of agents

  13. PHIPA Consent • Consent is required for the collection, use, disclosure of PHI, subject to specific exceptions • Consent must: • be a consent of the individual • be knowledgeable • relate to the information • not be obtained through deception or coercion • Consent may be express or implied

  14. Strengths of PHIPA • Implied consent for sharing of personal health information within circle of care • Creation of health data institute to address criticism of “directed disclosures” • Open regulation-making process to bring public scrutiny to future regulations • Adequate powers of investigation to ensure that complaints are properly reviewed

  15. Oversight and Enforcement • Office of the Information and Privacy Commissioner is the oversight body • IPC may investigate where: • A complaint has been received • Commissioner has reasonable grounds to believe that a person has contravened or is about to contravene the Act • IPC has powers to enter and inspect premises, require access to PHI and compel testimony

  16. Powers of the Commissioner • After conducting an investigation, the Commissioner may issue an order • To provide access to, or correction of, personal health information • To cease collecting, using or disclosing personal health information in contravention of the Act • To dispose of records collected in contravention of the Act • To change, cease or implement an information practice • Orders, other than for access or correction, may be appealed on questions of law

  17. Role of IPC under PHIPA • Use of mediation and alternate dispute resolution always stressed • Order-making power used as a last resort • Conducting public and stakeholder education programs: education is key • Comment on an organization’s information practices

  18. Stressing the 3 C’s • Consultation: opening lines of communication with health community and HICs • Co-operation: rather than confrontation in resolving complaints • Collaboration: working together to find solutions

  19. HPARB – Dealing with Privacy • Make Privacy a corporate priority – an effective privacy program needs to be integrated into the corporate culture • Privacy is more than a compliance issue; lack of PHIPA impact does not negate need to look at privacy and security vulnerabilities • Senior management commitment is critical • Privacy review and audit critical to identifying and resolving privacy issues

  20. Topics for Discussion (1): Whether to “Name Names” • IPC will be issuing orders and investigation reports and making them public • A two-step process for identifying health custodians is under consideration: • Not identifying custodians for a one-year phase-in period • After one year, publicly identifying custodians • If identification of custodian would reveal identity of complainant, the option exists of anonymizing order/report.

  21. Topics for Discussion (2): Protecting Privacy Outside of Office • The IPC released “Guidelines for Protecting the Privacy and Confidentiality of Personal Information When Working Outside the Office” • Guidelines cover paper and electronic documents that are removed from the office. • Issues to be considered include: • Secure storage of paper and electronic files at home • Laptop and home computer security • Wireless communications • Immediate reporting of lost or stolen files

  22. How to Contact Us • Commissioner Ann Cavoukian, Information & Privacy Commissioner/Ontario • 80 Bloor Street West, Suite 1700, Toronto, Ontario M5S 2V1 • Phone: (416) 326-3333 • Web: www.ipc.on.ca • E-mail: commissioner@ipc.on.ca
