1 / 27

PHIPA: The Year in Review

PHIPA: The Year in Review. Ann Cavoukian Ph.D. Information and Privacy Commissioner/Ontario. PHIPA Summit: A Balancing Act Toronto, Ontario November 3, 2005. Personal Health Information Protection Act ( PHIPA ). Came into force November 1, 2004;

paul2
Download Presentation

PHIPA: The Year in Review

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. PHIPA: The Year in Review Ann Cavoukian Ph.D. Information and Privacy Commissioner/Ontario PHIPA Summit: A Balancing Act Toronto, Ontario November 3, 2005

  2. Personal Health Information Protection Act (PHIPA) • Came into force November 1, 2004; • Applies to organizations and individuals involved in the delivery of health care services (including the Ministry of Health and Long-Term Care); • The only health sector privacy legislation in Canada based on consent: implied consent within the “circle of care,” otherwise, express consent; • Perhaps the only health sector privacy legislation that will be declared substantially similar to the federal legislation.

  3. PHIPA:First Year at the Commissioner’s Office

  4. PHIPA Implementation • Only 6 months from the time the legislation was passed until it came into force; • Nonetheless, implementation has been a surprisingly smooth process; • Custodians have done an excellent job, with a high level of cooperation with IPC in resolving issues; • Relatively few complaints to the IPC – most complaints are being handled effectively by the custodians themselves.

  5. Public Education Program • Frequently Asked Questions and Answers available on IPC website (including hard copies); • User Guide for Health Information Custodians available on IPC website (including hard copies); • IPC PHIPA publications distributed to Colleges and Associations of the Regulated Health Professions; • IPC/MOH brochure for the general public: • may be placed in reception areas; • to be distributed to patients.

  6. Public Education Program(Cont’d) • OHA Toolkit – IPC participated in its development; • IPC/OBA “short notices” working group: • Developing concise, user-friendly notices and consent forms to serve as effective communication tools; • On-going meetings with Regulated Health Professions, the Federation of Health Regulatory Colleges and Associations; • IPC PHIPA awareness article distributed to Colleges and Associations for inclusion in their members’ Magazines and Newsletters.

  7. PHIPA: Fact Sheets • Lockbox; • Disclosure of Information Permitted in Emergency or other Urgent Circumstances; • Reporting Requests under PHIPA; • Consent and Form 14; • Fundraising under PHIPA; • Ontario Regional Poison Information Centres and the Circle of Care; • Your Health Information: Your Access and Correction Rights; • Safeguarding Personal Health Information.

  8. Lock Box Issues • Lock box provisions came into full force as of November 1, 2005; • Fact sheet available on IPC website; • IPC does not expect custodians to invest in expensive technological solutions to implement the lock box, that may only be requested by a small number of patients; • IPC expects custodians to develop creative solutions to respond to individual requests; • Manual solutions to address the need for a lock box are quite acceptable.

  9. Review of Prescribed Entities and Registries • Four prescribed entities: ICES, CIHI, CCO, POGO; • Four prescribed registries: Stroke, Cardiac Care, Joint Replacement; CytoBase; • Document reviews and site visits completed; • All reports, recommendations and approvals are available on our website.

  10. Health InformationShort Notices • The goal is to develop easy to read items containing the necessary elements regarding the collection, use and disclosure of personal health information, but not to overwhelm individuals with so much information that they will not read them; • The language of the notices must be accessible and easily understood — plain language is key.

  11. Health Information Short Notices Working Group • Information and Privacy Commissioner/ Ontario; • Ontario Bar Association’s Privacy and Health Law sections; • Ministry of Health and Long-Term Care; • Ontario Dental Association; • One of only several projects around the world focusing on short notices in the health sector: • The IPC looks forward to engaging members of the health and legal profession in further improving the multi-layered approach in communicating with the public.

  12. Short Notices Products

  13. IPCComplaintsandInvestigations

  14. Stages of Complaints • Intake: • Matter may be resolved by informal resolution; • Mediation: • Matter may be resolved by a mutually agreed upon resolution between a complainant and the custodian; or • Matter may be resolved when IPC is satisfied with the actions taken by the custodian – HIC – reported breaches and IPC – Initiated Complaints; • Adjudication: • Matter is fully investigated and a determination is made on the issues.

  15. Outcomes of Complaints • Intake: • The outcome of an informal resolution is a letter to both parties confirming the resolution; • Mediation: • When the resolution is between an individual and a custodian, a letter is sent to both parties confirming the resolution; • When the IPC is satisfied with the actions taken to resolve a HIC – reported breach, or an IPC Initiated Complaint, a Report is issued; • Adjudication: • The outcome at adjudication can be a Report or an Order.

  16. Mediation Stories

  17. Mediation StoriesMisdirected Faxes • Print shop provided IPC with faxes containing health records it had received over a period of 10-15 years; • IPC determined that senders of faxes had relied on incorrect fax number printed in physician directory; • Publisher of directory agreed to correct database and notify recipients of directory of correct fax number; • Recipients of faxes took responsibility for notifying affected patients; • Senders of faxes confirmed to IPC that their records were corrected, and the incorrect fax number removed.

  18. Mediation StoriesFundraising Issues • Individual complained that: • he had received a fundraising solicitation by phone; • for a specialized healthcare unit; • No opt-out offered; • Custodian agreed to the following resolution: • Phone numbers will only be used with express consent; • All future solicitations will have clear opt-out from any fundraising contact; • IPC satisfied that institution had not used patient information to target fundraising.

  19. Mediation StoriesA Private Lab The Problem: • A computer containing patients’ PHI was stolen from a private laboratory during an after-hours break-in; • Identification of patients for the purpose of notification was extremely difficult: • The computer contained two and a half years of data on thousands of patients; • There was no back-up of information stored on hard drive; • Patients had been referred to this laboratory from countless area physicians and specialists.

  20. Mediation StoriesA Private Lab The Solution: • The IPC worked closely with the lab to develop a notification program to reach as many patients as possible: • A letter was sent to area physicians enclosing a Public Notice describing the nature of the incident; • Letter included OMA support for doctors making patients aware of the incident; • Notice described the theft and involvement of the police and the IPC; • A Public Notice was also posted at the lab where the theft had occurred; • A Press Release was provided to local media outlets.

  21. Mediation StoriesA Hospital • 396 patient diagnostic reports went missing from patients’ charts in the course of routine clerical work; • In this case, there were special circumstances that led the IPC to recommend that notice of the breach should be given in person by the health care provider and posted in the patient’s files. It was agreed that patients would be notified of the breach at their next appointment with their health care provider.

  22. Notifying Affected Parties of Privacy Breach • Common issue in custodian reported breaches is how to notify individuals who may have been affected by breach; • Custodian sometimes unsure of what happened to the personal health information; • Patients to be notified may have life threatening illnesses – don’t want to inflict additional stress; • IPC has taken a flexible approach to notification – in some cases, preferable for the physician to notify in person at next visit rather than immediately and in writing.

  23. Lessons Learned: Order #1Destruction of PHI • Real patient records used as props on a movie set; • Privacy breach was widely publicized by the media; • First step was to ensure that all records were secured – the damage contained; • Next step was the notification of affected parties; • Lesson for custodians – not sufficient to trust third party to dispose of personal health information in a secure manner; need written contractual agreement and written confirmation of destruction.

  24. Privacy Breach Protocol* • Containment • Notification • Investigation • Remediation * formally referred to as Privacy Crisis Management Protocol.

  25. Keeping HICs Informed • Summaries of all mediated cases and reports are available on our website; • Orders are public documents and available on our Web site; • Relevant data are regularly made available to the public and to health professionals (number of complaints, examples of successful mediations, common issues, etc.).

  26. How to Contact Us Dr. Ann Cavoukian Information & Privacy Commissioner/Ontario 2 Bloor Street East, Suite 1400 Toronto, Ontario M4W 1A8 Phone: (416) 326-3333 Web: www.ipc.on.ca E-mail: commissioner@ipc.on.ca

More Related