Overview of the Health Information Protection Act

Health Information Protection Act
An Overview
Ann Cavoukian, Ph.D.
Information & Privacy Commissioner/Ontario
Ontario Health Records Association
www.ipc.on.ca
May 7, 2004
Health Privacy is Critical
The need for privacy has never been greater:
• Extreme sensitivity of personal health information
• Patchwork of rules across the health sector, with some areas currently unregulated
• Increasing electronic exchanges of health information
• Multiple providers involved in the health care of an individual – need to integrate services
• Development of health networks
• Growing emphasis on improved use of technology, including computerized patient records
Slide 2
Unique Characteristics of Personal Health Information
• Highly sensitive
• Collected in the context of a publicly-funded health care system
• Widely shared among a range of health care providers for the benefit of the individual
• Widely used and disclosed for secondary purposes that are seen to be in the public interest (e.g., research, planning, fraud investigation, quality assurance)
Slide 3
Legislation is Critical
The IPC has been calling for legislation to protect health information since its inception in 1987
• Dates back to Justice Krever’s 1980 Report on the Confidentiality of Health Information
– The Commission documented many cases of unauthorized access to health files maintained by hospitals and the Ontario Health Insurance Plan
– The Report called for comprehensive health privacy legislation at that time
Slide 4
Provincial Health Privacy Laws
Alberta
• Health Information Act
Manitoba
• Personal Health Information Act
Québec
• Act respecting access to documents held by public bodies and the protection of personal information
• Act respecting the protection of personal information in the private sector
Saskatchewan
• Health Information Protection Act
Slide 5
Ontario Bills of the Past
Numerous attempts have been made over the years to get a bill introduced and passed, but none have succeeded
• Bill 159 – Personal Health Information Privacy Act, 2000
• Privacy of Personal Information Act, 2002
Slide 6
PHIPA – Bill 159
On December 7, 2000, the government introduced Bill 159
Concerns about the Bill:
• Directed Disclosures
• Extensive use of Regulations
• Lack of full investigation powers
Slide 7
Privacy of Personal Information Act
• Ontario issued a draft bill in 2002 that applied to all non-public sector organizations
• Created special rules for the health sector
• MCBS consulted with stakeholders to refine aspects of the draft bill
• Unfortunately this draft bill was never introduced
Slide 8
If No Provincial Health Legislation?
If Ontario fails to enact its own legislation, PIPEDA takes effect:
• Only commercial entities covered – ambiguity about who is in and who is out
• Not tailored to meet the needs of the health sector
• Principle-based approach rather than specifics could result in inconsistent implementation
• Oversight left to the federal Privacy Commissioner
Slide 9
Ontario’s Health Information Protection Act, 2003 (HIPA)
Ontario government introduced health privacy bill (Bill 31) on December 17, 2003
Referred to the Standing Committee on General Government, which held public hearings and clause-by-clause study
Received Second Reading on April 8, 2004
Expected to come into effect January 1, 2005
Slide 10
Bill 31 – Two parts
Schedule A – the Personal Health Information Protection Act (PHIPA)
Schedule B – the Quality of Care Information Protection Act (QOCIPA)
Slide 11
Bill 31 – Based on Fair Information Practices
• Accountability
• Identifying Purposes
• Consent
• Limiting Collection
• Limiting Use, Disclosure, Retention
• Accuracy
• Safeguards
• Openness
• Individual Access
• Challenging Compliance
Slide 12
Scope of PHIPA
• Health information custodians (HICs) that collect, use and disclose personal health information (PHI)
• Non-health information custodians where they receive personal health information from a health information custodian (use and disclosure provisions)
Slide 13
Health Information Custodians
Definition includes:
• Health care practitioners
• Hospitals and independent health facilities
• Homes for the aged and nursing homes
• Pharmacies
• Laboratories
• Homes for special care
• A centre, program or service for community health or mental health
Slide 14
PHIPA Practices
Must take reasonable steps to ensure accuracy
Must maintain the security of PHI in its custody or control
Must have a contact person to ensure compliance with the Act, respond to access requests, inquiries and complaints from the public
Must have information practices in place that comply with the Act
Must make available a written statement
Must be responsible for actions of agents
Slide 15
PHIPA Consent
Consent is required for the collection, use and disclosure of PHI, subject to specific exceptions
Consent must
• be a consent of the individual
• be knowledgeable
• relate to the information
• not be obtained through deception or coercion
Consent may be express or implied
Slide 16
Collection, Use and Disclosure Without Consent
Derogations from the consent principle are allowed in limited circumstances:
As required by law
To protect the health or safety of the individual or others
To identify a deceased person or provide reasonable notice of a person’s death
Slide 17
Patient Access to Records
PHIPA Expands and Codifies the Common-Law Right of Access
Right of access to all records of personal health information about the individual in the custody or control of any health information custodian
Provides a right to correct their records of personal health information
Recognizes special factors surrounding health information by allowing for incorrect information to be struck out without obliterating the original record
Slide 18
Oversight and Enforcement
• Office of the Information and Privacy Commissioner is the oversight body
• IPC may appoint an Assistant Commissioner for Personal Health Information
• IPC may investigate where:
– A complaint has been received
– Commissioner has reasonable grounds to believe that a person has contravened or is about to contravene the Act
• IPC has powers to enter and inspect premises, require access to PHI and compel testimony
Slide 19
Strengths of PHIPA
• Creation of health data institute to address criticism of “directed disclosures”
• Open regulation-making process to bring public scrutiny to future regulations
• Implied consent for sharing of personal health information within the circle of care
• Adequate powers of investigation to ensure that complaints are properly reviewed
Slide 20
Role of the IPC
• IPC currently has oversight of two laws
– Provincial Freedom of Information and Protection of Privacy Act
– Municipal Freedom of Information and Protection of Privacy Act
• IPC may issue orders for access/correction appeals
• IPC investigates privacy complaints and may issue a report with recommendations but not orders
Slide 21
Access and Correction Appeals
• Appeals under current public sector laws may be dealt with through three stages:
– IPC will examine the situation and may contact the individual or organization for more information (Intake)
– If not dismissed, the appeal proceeds to mediation, the IPC’s preferred method of dispute resolution
– If mediation is unsuccessful, the appeal proceeds to adjudication and an order will be issued
Slide 22
Privacy Complaints
• IPC goal in dealing with complaints under public sector legislation is to assist organizations in taking whatever steps are necessary to prevent future occurrences
• Intake staff attempt to resolve complaints informally, through liaising with the organization and the complainant
• If not resolved, the complaint goes to the investigation stage and a mediator investigates
• Mediator prepares a report, including recommendations
Slide 23
Role of IPC under PHIPA
• Use of mediation and alternative dispute resolution to be stressed
• Order-making power as a last resort
• Conducting public and stakeholder education programs
• Comment on an organization’s information practices
Slide 24
Stressing the 3 C’s
• Consultation
– Opening lines of communication with the health community
• Collaboration
– Working together to find solutions
• Co-operation
– Rather than confrontation in resolving complaints
Slide 25
Making Health Privacy Work
• Think beyond compliance with legislation
• Use technology to help protect personal health information:
– Build privacy right into design specifications
– Minimize collection and routine use of personally identifiable information – use aggregate or coded information if possible
– Use encryption where practicable
– Think about using pseudonymity, coded data
– Conduct privacy impact assessments
Slide 26
Lessons from Chatham-Kent
• Use of encryption to secure databases
• Investigate privacy-enhancing technologies to shield personal health information from systems administrators
• Conduct an end-to-end privacy impact assessment (PIA)
• Conduct independent security audits
• Privacy Review: Chatham-Kent IT Transition Pilot Project
– www.ipc.on.ca/english/pubpres/reports/042202.pdf
Slide 27
Lessons From UHN Privacy Assessment
• Strong Privacy Policy
• Real Consequences for Breaches
• Ongoing Privacy Training
– Incorporate privacy training into undergraduate curriculum for medical students
• Independent Security and Privacy Audits
• www.ipc.on.ca/english/pubpres/reports/073002.pdf
Slide 28
How to Contact Us
Commissioner Ann Cavoukian
Information & Privacy Commissioner/Ontario
80 Bloor Street West, Suite 1700
Toronto, Ontario M5S 2V1
Phone: (416) 326-3333
Web: www.ipc.on.ca
E-mail: commissioner@ipc.on.ca
Slide 29
Alternatives to Investigation
Prior to investigating a complaint, the Commissioner may:
Inquire as to other means used by the individual to resolve the complaint
Require the individual to explore a settlement
Authorize a mediator to review the complaint and try to settle the issue
Slide 30
Decision Not to Investigate
Commissioner may decide not to investigate a complaint where:
An adequate response has been provided to the complainant
Complaint could have been dealt with through another procedure
Complainant does not have sufficient personal interest in the issue
Complaint is frivolous, vexatious or made in bad faith
Slide 31
Powers of the Commissioner
• After conducting an investigation, the Commissioner may issue an order
– To provide access to, or correction of, personal health information
– To cease collecting, using or disclosing personal health information in contravention of the Act
– To dispose of records collected in contravention of the Act
– To change, cease or implement an information practice
• Orders, other than for access or correction, may be appealed on questions of law
Slide 32
Offences and Penalties
• Creates offences for contravention of the legislation, including:
– wilfully collecting, using or disclosing PHI in contravention of the Act
– once an access request is made, disposing of a record of personal information in an attempt to evade the request
– wilfully failing to comply with an order made by the IPC
• Maximum penalty of $50,000 for an individual and $250,000 for a corporation
Slide 33
Action for Damages
• An individual affected by an IPC order may bring an action for damages for actual harm suffered
• Where the harm suffered was caused by a wilful or reckless breach, the compensation may include an award not exceeding $10,000 for mental anguish
• No action for damages may be instituted against a HIC for anything done in good faith or any alleged neglect or default that was reasonable in the circumstances
Slide 34