1 / 61

Taking the Temperature of Ontario’s Health Privacy

Ken Anderson Assistant Commissioner (Privacy) Information & Privacy Commissioner/Ontario. Taking the Temperature of Ontario’s Health Privacy. Access and Privacy Conference 2005 Edmonton, Alberta June 17, 2005. Access and Privacy 2005. Personal Health Information Protection Act, 2004

lotus
Télécharger la présentation

Taking the Temperature of Ontario’s Health Privacy

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Ken Anderson Assistant Commissioner (Privacy) Information & Privacy Commissioner/Ontario Taking the Temperature of Ontario’s Health Privacy Access and Privacy Conference 2005 Edmonton, Alberta June 17, 2005

  2. Access and Privacy 2005 • Personal Health Information Protection Act, 2004 • What Has Happened Since November 1, 2004? • What Are the Issues? • What Hasn’t Happened? • Where Are We Going? • Research-Is there a Registry in Your Future? • Questions?

  3. PHIPA Personal Health Information and Protection Act. 2004

  4. PHIPA • Came into effect November 1, 2004. • Schedule A – the Personal Health Information Protection Act (PHIPA). • Schedule B – the Quality of Care Information Protection Act (QCIPA).

  5. Spirit of PHIPA • A health information custodian (“HIC”) shall not collect, use or disclose personal health information (“PHI”) unless • It has the individual’s consent and the collection, use and disclosure is necessary for a lawful purpose; or • The collection, use or disclosure is permitted by PHIPA. (PHIPA, s.29) • A HIC shall not collect, use or disclose more PHI than is reasonably necessary to meet the purpose.(PHIPA, s. 30(2))

  6. Strengths of PHIPA • Consent based law. • Implied consent for sharing of personal health information within “circle of care.” (PHIPA s. 20(2)) • Open regulation-making process to bring public scrutiny to future regulations. (PHIPA s. 74) • Adequate powers of investigation to ensure that complaints are properly reviewed. (PHIPA s. 60)

  7. PHIPA Consent • Consent is required for the collection, use, disclosure of PHI, subject to specific exceptions. (PHIPA s. 29) • Consent must: • be a consent of the individual • be knowledgeable • relate to the information • not be obtained through deception or coercion (PHIPA s. 18(1)) • Consent may be express or implied, except where express consent is required. (PHIPA s. 18(2) and (3))

  8. Implied Consent • HICs may imply consent when disclosing personal health information to other HICs for the purpose of providing health care to the individual. (PHIPA section 20(2)) • Exception – if the individual expressly withholds or withdraws consent. (PHIPA s. 20(2))

  9. The Significance of Implied Consent for Health Care • The community of HICs that are entitled to share information based on implied consent is one of the foundations of the consent based model that is PHIPA. • Enables an expeditious sharing of information in situations where the individual has not expressly withheld or withdrawn consent to the use or disclosure of the information.

  10. Express Consent • Required when a HIC discloses to a non-HIC. (PHIPA s. 18(3)(a)) • Required when a HIC discloses to another HIC for a purpose other than providing health care to the individual. (PHIPA s. 18(3)(b)) • Required for marketing and fundraising (when using more than name and specified contact information). (PHIPA s.32 and 33)

  11. Knowledgeable Consent • Consent is knowledgeable if it is reasonable in the circumstances to believe that the individual knows the purposes of the collection, use or disclosure and that the individual may give or withhold consent. (PHIPA s. 18(5)) • Does not mean “informed” consent which is a higher standard used in the treatment context.

  12. Use and Disclosure Without Consent Derogations from the consent principle are allowed in limited circumstances: • When collecting payment or processing health plan claims, (PHIPA s. 37(1)(i), 38(1)(b), 39(1)(a)) • To a regulatory health college for administration & enforcement, (PHIPA s. 43(1)(b)) • To eliminate or reduce a significant risk of severe bodily harm to a person or group of persons, (PHIPA s. 40(1)) • To educate agents, (PHIPA s. 37(1)(e)) • To identify a deceased person, (PHIPA s. 38(4)) • As required by law. (PHIPA s. 37(1)(b) and 43(1)(h))

  13. Four Key IPC Roles • Promote public education; (PHIPA s. 66(b)) • Research and provide advice on proposed legislation and policy; (PHIPA s. 66(b)) • Investigate privacy complaints; (PHIPA s. 56 and 58) • Resolve appeals. (PHIPA s. 61)

  14. IPC Goals • Use of mediation and alternate dispute resolution always stressed – IPC publishes quarterly newsletter designed to promote mediation to privacy and access professionals. • Order-making power used as a last resort. • Conducting public and stakeholder education programs: education is key. • Comment on an organization’s information practices.

  15. IPC Approach Stressing the 3 C’s: • Consultation • Opening lines of communication with health community and HICs. • Co-operation • Rather than confrontation in resolving complaints. • Collaboration • Working together to find solutions.

  16. WHAT HAS HAPPENED AT THE IPC SINCE NOVEMBER 1, 2004?

  17. Public Education Program • IPC PHIPA awareness articles distributed to Colleges/Associations for inclusion in their members’ Magazines and Newsletters. • Presentations and other educational sessions at annual meetings of health regulatory colleges.

  18. Can We Help You? Info@ipc.on.ca • over 2,000 requests in the last four months of 2004 • Over 1,000 requests in the first three months of 2005

  19. Tools and Resources • Frequently Asked Questions and Answers • User Guide for Health Information Custodians • Joint IPC/MOHLTC brochure for the general public: • may be placed in reception areas • to be distributed to patients

  20. Tools and Resources (cont’d.) • IPC member of OHA/OMA/IPC/MOHLTC tool kit project • Fact Sheets are posted on the web site: • Reporting Requests under PHIPA • Fundraising under PHIPA • Ontario Region Poison Control Centre and PHIPA • Your health Information: Your Access and Correction Rights • Safeguarding Personal Health Information

  21. Keeping HIC’s Informed • Issuance of Orders. • Orders are public documents and available on our Web site. • Summaries of all mediated cases are available on our website. • Relevant data will be regularly made available to the public and health professionals (e.g. number of complaints, examples of successful mediations, common issues).

  22. Naming Names • IPC will be issuing orders and investigation reports and making them public. • A two-step process for identifying health custodians will be instituted: • Not identifying HICs for a one-year phase-in period. • After one year, publicly identifying HICs. • If identification of HIC would reveal identity of complainant, the option exists of anonymizing the order/report.

  23. Short Notices • IPC/OBA/MOHLTC/ODA “short notices” working group: • To promote concise, user-friendly, sector-specific notices and consent forms to serve as effective communication tools. • Adopted “layered” approach, with emphasis on developing separate short notices for primary care providers, hospitals and facilities, and long-term care facilities.

  24. Short Notices (cont’d.) • The 1st layer notice has consistent layout/format and contains necessary but understandable information about the collection, use and disclosure of personal health information. • Mass distribution to HICs • Working Group also developed brochures with additional information to supplement the short notices.

  25. Recruitment • To improve our service to the health care community and the public, the IPC has recruited professional policy, legal and tribunal staff with proven experience in the health care field.

  26. WHAT ARE THE ISSUES?

  27. Alberta was right…. • Access • Correction

  28. Open Complaints 10 Access and Correction 16 CUD 9 HIC Reported Breach 0 IPC Initiated Complaint Closed Complaints 19 Access and Correction 10 CUD 7 HIC Reported Breach 0 IPC Initiated Complaint Figure the Stats!

  29. IPC and EHR • “Electronic records would without a doubt improve the timeliness and quality of care for individuals.” File electronic health-care records ‘overdue’ Globe and Mail, Andre Picard, February 3, 2005 • “Electronic health records are one of the keys to modernizing Canada’s health system and improving access and outcomes for Canadians” Romanow Report, 2002

  30. Canada Health Infoway • One CHI objective is to develop a conceptual architectural framework for interoperable EHRs in Canada. • IPC is part of an Ontario “EHR” working group that also participates in the CHI consultations. • IPC goal is to ensure that credible privacy and security safeguards are built into the design and implementation of EHRs.

  31. Ontario eHealth Council • IPC is a member of Chair’s Advisory Council on eGovernment • IPC is an active participant in the Privacy and Security Architecture Group, Client Registry Standards Working Group, and the Interoperable Consent Management Strategy Group.

  32. Digital Imaging Networks • A number of Ontario hospitals in the south western region have initiated a project to standardize their diagnostic imaging infrastructures and create a shared system - will become operational in two years • IPC to review PIA and working with IBM to review the technology

  33. Emergencies and the Disclosure of PHI • Second Interim Report on SARS and Public Health Legislation, April 5, 2005, by The Honourable Mr. Justice Archie Campbell, Commissioner • Consulting with Public Health Division of the Ministry of Health on sharing of PHI in emergency situations affecting public health and safety

  34. May Disclose As Required By Law? • Mandatory Gunshot Reporting,2005, • Workplace Safety and Insurance Act, (PHIPA s. 43(1)(h)) • Disclosures to the Police in other circumstances: with or without a warrant, (PHIPA s. 43(1)(g)) • Disclosures to the CAS. (PHIPA s. 43(1)(e)) Note: Where PHIPA is discretionary it does not relieve a HIC from complying with a legal requirement (PHIPA s.6(3)(b))

  35. Other Disclosures • Within a health facility – name and location and health status. (PHIPA s. 38(3) 1,2 and 3) • Religious affiliation – “circle of care”? (PHIPA s. 20(4)) • Fundraising – name and mailing address may be collected, used and disclosed on the basis of implied consent where certain conditions are met. (PHIPA s. 32(1)(b); O. Reg. 329/04 s. 10)

  36. WHAT HASN’T HAPPENED?

  37. Complaint Issues • “Consent” and “Circle of Care” are not the predominant issues

  38. Substantially Similar • May be imminent • Exemption Order, Canada Gazette Part 1 • Not a predominant issue

  39. Fees for Access to Personal Health Information • The current wording of PHIPA for charging fees is insufficient - “reasonable cost recovery” is too vague and open to interpretation (PHIPA s. 35(2), 54(10) and 54(11)) • HICs need certainty and patients require that costs be reasonable • IPC has proposed that the Ministry of Health adopt the Alberta model. ( set out in Regulation 70/2001 to the HIA)

  40. Limitations upon our Role as Educator • Conflict between our role as an administrative tribunal and our role as educator • No opinions about meaning of the statutory provisions • No opinions based on particular fact situations or course of conduct • Limited participation in working groups at this stage of implementation

  41. Privacy Impact Assessments • Alberta HIA, section 64, requires custodians to prepare privacy impact assessments and for the Commissioner to review and comment upon those PIAs. • There is no equivalent obligation in PHIPA. • However, PIAs and Policies and Toolkits are often submitted to the IPC for comment.

  42. Research – Is there a Registry or Entity in Your Future?

  43. Respect for Human Dignity • The cardinal principle of modern research ethics is respect for human dignity. This principle aspires to protecting the multiple and interdependent interests of the person -- from bodily to psychological to cultural integrity. • Respect for human dignity also implies the principles of respect for privacy and confidentiality. Tri-Council Policy Statement: Ethical Conduct for Research Involving Humans

  44. Collection for Research Purposes • PHIPA permits HICs to collect PHI indirectly without consent (provided that the certain criteria are met). (PHIPA s. 36) • PHIPA permits HICs to collect indirectly without consent from another person who is authorized by law to disclose it to the HIC (e.g., another custodian). (PHIPA s. 36(1)(g))

  45. Use for Research Purposes • Custodian may use PHI for research purposes if the custodian prepares a research plan and has a research ethics board (REB) approve it. (PHIPA s. 37(3))

  46. Disclosure for Research Purposes • HIC may disclose PHI if the researcher submits to the HIC: • An application. • A research plan, and; • A copy of the decision of the REB that approves the research plan, and; • Enters into an agreement with the HIC. (PHIPA s. 44)

  47. IPC Perspective on Research Provisions • Flexible approach. • Allows for use and disclosure of PHI, without consent, under appropriate circumstances. • Oversight left to REBs. • Safeguards are more comprehensive than those in other legislation.

  48. IPC and CIHR • IPC is a member of the Privacy Advisory Committee that advises CIHR, Canada's main federal funding agency for health research, on the development of privacy best practices for health research. • The draft “Guidelines for Protecting Privacy and Confidentiality in the Design, Conduct and Evaluation of Health Research – Best Practices” is currently under review.

  49. Registries • HICs are permitted to disclose PHI to a person who maintains a registry for the purpose of improving the provision of health care (PHIPA s. 39(1)(c) • Registries are also permitted to use or disclose PHI for research purposes with a research plan approved by a research ethics board (O. Reg. 329/04 s. 13(4))

More Related