Rajeev Sharma - Ontario health privacy law


Talk by Rajeev Sharma of Torkin Manes.

Transcript of Rajeev Sharma - Ontario health privacy law

Page 1: Rajeev Sharma - Ontario health privacy law

Ontario Health Privacy Law

Rajeev Sharma

416 775 8828

[email protected]

December 4, 2014

Page 2: Rajeev Sharma - Ontario health privacy law

Presentation Outline

I. A summary of Ontario’s privacy laws

II. Privacy law enforcement

III. How to comply

IV. What happens when things go wrong

V. Issues that may arise in the future

VI. Appendix – a detailed explanation of federal and provincial privacy laws

Page 3: Rajeev Sharma - Ontario health privacy law

I. A summary of Ontario’s privacy laws

Several statutes regulate the privacy and disclosure of medical information in Ontario:

Personal Health Information Protection Act

Freedom of Information and Protection of Privacy Act

Municipal Freedom of Information and Protection of Privacy Act

The Occupational Health and Safety Act

Mental Health Act

Regulated Health Professions Act

Medicine Act Professional Misconduct Regulations

Page 4: Rajeev Sharma - Ontario health privacy law

I. A summary of Ontario’s privacy laws

Personal Health Information Protection Act (“PHIPA”)

Regulates the collection, use, and disclosure of personal health information by health information custodians

Sets rules to balance the needs of our health care system with the individual’s right to privacy

Designed to enhance privacy while minimizing the impact on the patient-provider relationship

Page 5: Rajeev Sharma - Ontario health privacy law

I. A summary of Ontario’s privacy laws

“Personal Health Information” includes oral or written information that

relates to the individual’s physical or mental state;

relates to the provision of health care;

relates to payment or eligibility for health care;

relates to donation of body parts or bodily substances;

is a plan of service for long-term care;

is the individual’s health number; or

identifies the individual’s substitute decision-maker.

Page 6: Rajeev Sharma - Ontario health privacy law

I. A summary of Ontario’s privacy laws

“Health Information Custodians” are anyone who is involved in delivering health care services, such as:

health care practitioners (e.g. nurses, physicians, or anyone who provides health care for payment);

long-term-care service providers;

community care access corporations;

hospitals and other facilities;

pharmacies and laboratories;

a medical officer of health or a board of health;

The Ministry of Health and Long-Term Care.

Page 7: Rajeev Sharma - Ontario health privacy law

I. A summary of Ontario’s privacy laws

“Agents” of Health Information Custodians

are authorized to act on behalf of a custodian; and

perform activities for the purposes of a custodian.

An individual or organization may be considered an agent regardless of whether it

has the authority to bind the custodian;

is employed by the custodian; and

is receiving remuneration.

Page 8: Rajeev Sharma - Ontario health privacy law

I. A summary of Ontario’s privacy laws

Collection, Use, and Disclosure

A custodian may only collect, use, or disclose personal health information if the individual consents or PHIPA otherwise permits it.

A custodian must not collect, use, or disclose personal health information if

other information will serve the purpose, or

the information is not necessary to meet the purpose.

Page 9: Rajeev Sharma - Ontario health privacy law

I. A summary of Ontario’s privacy laws

How do I know if the individual consents?

1. Express consent

If the disclosure is not to provide health care.

If the information is being provided to a non-custodian.

e.g. marketing, fundraising

2. Implied consent

If the disclosure is for the purpose of providing health care

Assumed if the individual is within the custodian’s “circle of care.”

If the individual lacks capacity, the consent may be given by a substitute decision-maker.

Page 10: Rajeev Sharma - Ontario health privacy law

I. A summary of Ontario’s privacy laws

Implied Consent & the “Circle of Care”

To be within the circle of care and rely on implied consent, the information must

be received from the individual, a substitute decision-maker, or another custodian;

have the purpose of providing or assisting in the individual’s health care; and

be disclosed from one custodian to another custodian.

Note that some custodians cannot rely on implied consent, such as Canadian Blood Services and the Ministry of Health and Long-Term Care.

Page 11: Rajeev Sharma - Ontario health privacy law

I. A summary of Ontario’s privacy laws

Implied Consent & the “Circle of Care”

The PHIPA does not define “circle of care” but it is a useful way to describe situations where custodians can rely on implied consent.

Page 12: Rajeev Sharma - Ontario health privacy law

I. A summary of Ontario’s privacy laws

Collection

Custodians should collect personal health information directly from individuals; however, it may be collected indirectly if

the individual consents;

the information is necessary to provide health care and direct collection is not reasonably possible;

a government institution needs the information for an investigation or proceeding;

the information will be used for research purposes or for managing the health system; or

indirect collection is otherwise authorized.

Page 13: Rajeev Sharma - Ontario health privacy law

I. A summary of Ontario’s privacy laws

Use

Custodians may use personal health information without consent for

the purpose for which it was collected or created;

planning or delivering programs and services;

risk and error management;

improving the quality of care;

obtaining payment for health care or related goods and services; and

educating agents and research purposes.

Page 14: Rajeev Sharma - Ontario health privacy law

I. A summary of Ontario’s privacy laws

Disclosure

Custodians may disclose personal health information without consent that relates to

providing health care;

obtaining the identity of, or making decisions for, a deceased individual;

health programs or research;

eliminating or reducing a significant risk of bodily harm;

the care or custody of persons in a custodial institution or psychiatric facility;

Page 15: Rajeev Sharma - Ontario health privacy law

I. A summary of Ontario’s privacy laws

Disclosure

Custodians may disclose personal health information without consent that relates to

a legal proceeding or potential successor;

planning and management of health systems;

the government’s analysis of the health system;

monitoring health payments; and

contacting next of kin if the individual is unable to give consent.

Page 16: Rajeev Sharma - Ontario health privacy law

I. A summary of Ontario’s privacy laws

Protecting Information

Once personal health information is collected, custodians must take “reasonable steps” to ensure

the information is as accurate, complete and up-to-date as necessary;

the information is protected from theft, loss and unauthorized use or disclosure (if it is in your custody or control); and

records are protected against unauthorized copying, modification or disposal.

Page 17: Rajeev Sharma - Ontario health privacy law

I. A summary of Ontario’s privacy laws

Mandatory Breach Notification

Custodians must notify the individual if his or her personal health information is stolen, lost or accessed by unauthorized persons (e.g. University Health Network has logged 258 privacy incidents since 2012).

Custodians may also voluntarily report privacy breaches to the Privacy Commissioner, who will include the breaches in their annual report (e.g. Mount Sinai has reported 20 privacy breaches every year since 2010).

In 2004 Ontario was the first jurisdiction in Canada to implement this notice requirement.

Page 18: Rajeev Sharma - Ontario health privacy law

I. A summary of Ontario’s privacy laws

Information Technology Service Providers

IT Service Providers that are not agents

must ensure their employees and other persons acting on their behalf comply with PHIPA restrictions on the collection, use, and disclosure of information;

can only use personal health information as necessary to provide the IT service; and

cannot disclose personal health information under any circumstances.

Page 19: Rajeev Sharma - Ontario health privacy law

I. A summary of Ontario’s privacy laws

Information Technology Service Providers

All IT Service Providers that allow two or more custodians to share personal health information electronically must:

notify the custodian of any unauthorized access;

provide public information about safeguards and policies;

keep electronic records of all accesses and transfers;

perform a risk and privacy impact assessment;

enter into an agreement with the custodian and any third parties requiring the provider to comply with PHIPA.

Page 20: Rajeev Sharma - Ontario health privacy law

I. A summary of Ontario’s privacy laws

Health Records

Individuals can generally access records of their own personal health information (and not someone else’s).

Before providing access, the custodian must take reasonable steps to determine the individual’s identity.

Page 21: Rajeev Sharma - Ontario health privacy law

I. A summary of Ontario’s privacy laws

Health Cards

Non-custodians can only collect or use a health number

to provide provincially funded health resources;

for the purpose for which the individual provided the health number;

for purposes relating to regulating health professionals; or

for purposes relating to health administration, health planning, research, or epidemiological studies.

Individuals can only be required to produce health cards for provincially funded resources.

Page 22: Rajeev Sharma - Ontario health privacy law

I. A summary of Ontario’s privacy laws

Accountability & Transparency

Custodians must designate a contact person who

ensures the custodian and its agents comply with PHIPA;

responds to inquiries about the custodian’s practices;

responds to requests for access or correction of records; and

receives complaints about non-compliance.

Custodians must issue a public written statement describing

the custodian’s information practices;

how to reach the custodian and/or its contact person;

how to request access to a record or make a correction; and

how to make a complaint to the custodian and the privacy commissioner.

Page 23: Rajeev Sharma - Ontario health privacy law

II. Privacy Law Enforcement

Privacy laws may be enforced with

Complaints

Statutory penalties

Civil lawsuits

Reputational Harm

Page 24: Rajeev Sharma - Ontario health privacy law

II. Privacy Law Enforcement

Complaints

A person who believes PHIPA has been violated may file a complaint with Ontario’s Information and Privacy Commissioner.

Custodians may be liable or found guilty of an offence if they do not act in good faith, act unreasonably, or do not comply with the legislation.

Page 25: Rajeev Sharma - Ontario health privacy law

II. Privacy Law Enforcement

Complaints

In 2013 more than 400 health-related privacy violation complaints were lodged with Ontario’s Privacy Commissioner.

Examples of privacy breaches from 2014:

Hospitals inappropriately provided patient information to baby photographers

Hospitals were handing out patient contact information to private marketing companies

Individuals may also complain to the custodian or agent themselves.

Page 26: Rajeev Sharma - Ontario health privacy law

II. Privacy Law Enforcement

Statutory Penalties

PHIPA contains many offences, such as

wilfully collecting, using or disclosing personal health information in contravention of PHIPA;

disposing of a record with the intent to evade an access request; and

wilfully obstructing or making a false statement to the privacy commissioner.

Individuals found guilty may be fined up to $50,000

Organizations found guilty may be fined up to $250,000

Page 27: Rajeev Sharma - Ontario health privacy law

II. Privacy Law Enforcement

Civil Lawsuits

A person or entity may be sued for breach of privacy in contract and tort law using the following causes of action: breach of contract, trespass, negligence, breach of fiduciary duty, or the tort of “intrusion upon seclusion.”

“Intrusion upon seclusion” is a new tort that allows for lawsuits based on the invasion of personal privacy (Jones v. Tsige, 2012 ONCA 32).

Page 28: Rajeev Sharma - Ontario health privacy law

II. Privacy Law Enforcement

Reputational Harm

In addition to the risk of complaints, statutory penalties, and civil lawsuits, a custodian that breaches privacy laws risks harming its own reputation and that of its organization.

Privacy breaches often become public, resulting in headline news and trending social media stories.

Harm to the reputations of hospitals, individuals, and other organizations can be significant.

Page 29: Rajeev Sharma - Ontario health privacy law

III. How to comply

Privacy Policies & Procedures

Does your organization have them?

Are they up to date?

Is the content adequate?

Can anyone in the organization access them readily?

Are they updated and communicated regularly?

Page 30: Rajeev Sharma - Ontario health privacy law

III. How to comply

Privacy Compliance Committee

Do you have one?

Does it meet regularly?

Does it keep minutes or records?

Do its members represent all functional areas of the organization? (e.g. IT, HR, etc.)

What is their mandate?

Are the members senior enough in the organization?

Page 31: Rajeev Sharma - Ontario health privacy law

III. How to comply

Privacy Compliance Audits

Do you have regular audits?

What do you do with the results?

Are complaints responded to promptly?

Are there internal consequences for non-compliance?

Page 32: Rajeev Sharma - Ontario health privacy law

III. How to comply

Privacy Training & Communication

Do you regularly train employees on privacy?

Is your training recorded and logged?

Are new employees trained right away?

Are there regular communications/updates?

Page 33: Rajeev Sharma - Ontario health privacy law

IV. What happens when things go wrong

Case study: Rouge Valley

Patients who gave birth at Rouge Valley Centenary Hospital between 2009 and 2013 brought a $412 million class action lawsuit against the hospital.

The patients allege that Rouge Valley employees sold their personal information to private companies that market RESP investments to new parents.

Page 34: Rajeev Sharma - Ontario health privacy law

IV. What happens when things go wrong

Case study: Rouge Valley

The class action exposes the hospital to liability based on the tort of intrusion upon seclusion, negligence, vicarious liability or breach of contract.

Rouge Valley has provided disclosure notice on its webpage in keeping with PHIPA regarding the possible breach of patient information.

Page 35: Rajeev Sharma - Ontario health privacy law

IV. What happens when things go wrong

Internal Protocol

Who is in charge of privacy? Who do they report to?

How often is legal counsel engaged? How involved are they?

Does the organization have a critical action committee when things go wrong? Who’s on the committee? What is the standard operating procedure?

Page 36: Rajeev Sharma - Ontario health privacy law

V. Issues that may arise in the future

Genetic Information

Canada has not yet legislated how health insurers and employers may use genetic testing information.

In the US and in many European countries, use of genetic information by insurers and employers is prohibited.

Canada’s privacy commissioner has concerns, but the last action taken was a Task Force on Insurance and Genetics in 2004.

Page 37: Rajeev Sharma - Ontario health privacy law

V. Issues that may arise in the future

Genetic Information

Genetic testing may be governed by PIPEDA and PHIPA and possibly provincial Human Rights Codes

The Canadian Life Health Insurance Association has issued a Position Statement on the use of genetic information stating that

“if genetic testing has been done and the information is available to the applicant for insurance and/or the applicant’s physician, the insurer would request access to that information just as it would for other aspects of the applicant's health history.”

Page 38: Rajeev Sharma - Ontario health privacy law

VI. Appendix

i. Federal Privacy Laws

ii. Ontario Privacy Laws

iii. Other Provincial Privacy Laws

Page 39: Rajeev Sharma - Ontario health privacy law

VI. Appendix – Federal Privacy Laws

Privacy Act, RSC, 1985, c. P-21

Imposes obligations on the collection, use and disclosure of personal information by federal government departments and agencies

Gives individuals the right to access and request personal information held by federal governmental organizations

The Privacy Act is administered by the head of the government institutions who are subject to the Act

Each institution listed in the Schedule to the Act (e.g. Health Canada) is required to respond to requests for information from individuals

Page 40: Rajeev Sharma - Ontario health privacy law

VI. Appendix – Federal Privacy Laws

Privacy Act, RSC, 1985, c. P-21

“personal information” means information about an identifiable individual that is recorded in any form including, without restricting the generality of the foregoing,

(a) information relating to the race, national or ethnic origin, colour, religion, age or marital status of the individual,

(b) information relating to the education or the medical, criminal or employment history of the individual or information relating to financial transactions in which the individual has been involved,

(c) any identifying number, symbol or other particular assigned to the individual,

(d) the address, fingerprints or blood type of the individual…[emphasis added] (S. 3)

Page 41: Rajeev Sharma - Ontario health privacy law

VI. Appendix – Federal Privacy Laws

Personal Information Protection and Electronic Documents Act [PIPEDA] SC 2000, c 5

Provides rules for how private sector organizations may collect, use or disclose personal information in the course of their commercial activities, as well as federal works, undertakings and businesses that hold employee personal information

Does not apply in provinces that have substantially similar private sector privacy legislation

Page 42: Rajeev Sharma - Ontario health privacy law

VI. Appendix – Federal Privacy Laws

Personal Information Protection and Electronic Documents Act [PIPEDA] SC 2000, c 5

Gives individuals the right to access and request correction of personal information held by these organizations

Does not have any mandatory data breach notification requirements yet

Page 43: Rajeev Sharma - Ontario health privacy law

VI. Appendix – Federal Privacy Laws

The Office of the Privacy Commissioner of Canada

The Commissioner oversees compliance with the Privacy Act and PIPEDA.

The Commissioner investigates complaints made by individuals about Government of Canada institutions pursuant to S. 29 of the Privacy Act

The Commissioner can investigate complaints made by individuals about private sector organizations pursuant to Section 11 of PIPEDA except in provinces that have substantially similar legislation

The Commissioner has made findings under both PIPEDA and the Privacy Act and has handed down decisions for cases where challenges were made by individuals

Page 44: Rajeev Sharma - Ontario health privacy law

VI. Appendix – Ontario Privacy Laws

Freedom of Information and Protection of Privacy Act (FIPPA)

Originally applied to provincial government and public institutions, now applies to most of the public sector including Local Health Integration Networks (LHINs), which include hospitals, long-term care homes and mental health and addiction agencies

Purpose is 1) to provide a right of access to records and information and 2) to protect the privacy of individuals

Page 45: Rajeev Sharma - Ontario health privacy law

VI. Appendix – Ontario Privacy Laws

Municipal Freedom of Information and Protection of Privacy Act (MFIPPA)

Applies to all local government organizations such as municipalities, school boards, police services boards, boards of health etc.

Purpose is 1) to provide a right of access to records and information and 2) to protect the privacy of individuals

Page 46: Rajeev Sharma - Ontario health privacy law

VI. Appendix – Ontario Privacy Laws

FIPPA and MFIPPA – Using Information

Government organizations are only permitted to use personal information if the individual consents to the use; for the purpose for which it was obtained or compiled or for a consistent purpose; or for a purpose for which the information may be disclosed to the government organization (S. 41 FIPPA)

Government organizations must take reasonable steps to ensure that personal information is not used unless it is accurate and up to date (S. 40(2) FIPPA)

Page 47: Rajeev Sharma - Ontario health privacy law

VI. Appendix – Ontario Privacy Laws

FIPPA and MFIPPA – Collecting Information

Government organizations (including hospitals and LHINs) are required to collect personal information as part of their role in providing services to the public and shall not collect personal information unless expressly authorized by statute (S. 38(2) FIPPA)

Government organizations must provide notice to individuals whenever personal information is collected and must specify the legal authority for the collection, the purpose of collection and who to contact about the collection (S. 39(2) FIPPA)

Page 48: Rajeev Sharma - Ontario health privacy law

VI. Appendix – Ontario Privacy Laws

FIPPA and MFIPPA – Accessing Information

Provincial government organizations are required to list their personal information banks in the Directory of Records (Ss. 44-45 FIPPA)

The directory describes the kinds of personal information kept by each provincial government organization.

Municipal government organizations should have their own directories available (S. 34 MFIPPA)

Page 49: Rajeev Sharma - Ontario health privacy law

VI. Appendix – Ontario Privacy Laws

FIPPA and MFIPPA – Disclosing Information

Under FIPPA and MFIPPA, some of the circumstances in which government organizations are permitted to disclose personal information include:

where the individual has consented to the disclosure;

for the purpose for which the personal information was obtained or compiled or for a consistent purpose;

where the disclosure is necessary and proper in the discharge of the organization’s functions;

for the purpose of complying with another Act;

Page 50: Rajeev Sharma - Ontario health privacy law

VI. Appendix – Ontario Privacy Laws

FIPPA and MFIPPA – Disclosing Information

Circumstances in which government organizations are permitted to disclose personal information:

for law enforcement purposes;

in compelling circumstances affecting the health or safety of an individual;

in compassionate circumstances, to facilitate contact with the next of kin or a friend of an individual who is injured, ill or deceased;

to the Information and Privacy Commissioner; and

to the Government of Canada in order to facilitate the auditing of shared cost programs. (S. 42 FIPPA, S. 32 MFIPPA)

Page 51: Rajeev Sharma - Ontario health privacy law

VI. Appendix – Ontario Privacy Laws

Mental Health Act (MHA)

MHA governs psychiatric facilities and the admission, detention, treatment, and release of psychiatric patients.

PHIPA repealed several sections of the MHA and amended others, most notably, those relating to confidentiality, disclosure, access, and correction of records.

The obligations created by PHIPA apply in addition to those created by MHA. If the provisions of MHA and PHIPA conflict, PHIPA prevails unless otherwise stated in the Acts.

Page 52: Rajeev Sharma - Ontario health privacy law

VI. Appendix – Ontario Privacy Laws

Mental Health Act (MHA)

“patient” includes a current or former patient or out-patient, and anyone who is or has been detained in a psychiatric facility

The officer in charge (OIC) of a psychiatric facility may collect, use and disclose personal health information about a patient, with or without the patient’s consent, for the purposes of

examining, assessing, observing or detaining the patient in accordance with the MHA; or

complying with an order or disposition made under the Criminal Code

Page 53: Rajeev Sharma - Ontario health privacy law

VI. Appendix – Ontario Privacy Laws

Mental Health Act (MHA)

The MHA sets out mandatory disclosure of personal health information for:

Capacity and Consent Board proceedings

Persons entitled to have access under s. 83 of the Substitute Decisions Act

Compliance with summons, order, direction, notice or similar requirement in respect of matter that may be in issue in a court of competent jurisdiction or under any Act

except where the attending physician states in writing that he or she is of the opinion that the disclosure is likely to result in harm to the treatment or recovery of the patient or is likely to result in injury to the mental condition of a third person, or bodily harm to a third person.

Page 54: Rajeev Sharma - Ontario health privacy law

VI. Appendix – Ontario Privacy Laws

Mental Health Act (MHA)

The MHA sets out permissible disclosure of personal health information to:

A physician who is considering issuing or renewing, or who has issued or renewed, a CTO;

A physician appointed to act as a substitute of the CTO’s issuing physician;

Where requested by the issuing physician or a person named in the CTO, to another person named in the person’s CTO; and

A prescribed person who is providing advocacy services to patients in prescribed circumstances, i.e., a rights adviser.

Page 55: Rajeev Sharma - Ontario health privacy law

VI. Appendix – Ontario Privacy Laws

Public Hospitals Act (PHA)

PHA applies to all public hospitals in Ontario, but not to private hospitals under the Private Hospitals Act or independent health facilities under the Independent Health Facilities Act (S. 2)

PHA only briefly refers to record keeping, confidentiality, disclosure, and related issues, leaving these to be spelled out in Regulation 965 – Hospital Management

PHIPA replaces the term “medical record” in PHA with the term “record of personal health information”

The obligations created by PHIPA apply in addition to those created by PHA. If the provisions of PHA and PHIPA conflict, PHIPA prevails unless otherwise stated.

Page 56: Rajeev Sharma - Ontario health privacy law

VI. Appendix – Ontario Privacy Laws

Occupational Health and Safety Act (OHSA)

Except where allowed under the OHSA or as required by another law, worker health and safety representatives:

must not disclose any information about any workplace tests or inquiries conducted under the Act;

must not reveal the name of any person from whom information is received;

may disclose the results of any medical examinations or tests of workers only in a way that does not identify anyone. (S. 63(1))

Page 57: Rajeev Sharma - Ontario health privacy law

VI. Appendix – Ontario Privacy Laws

Occupational Health and Safety Act (OHSA)

No employer shall seek to gain access, except by an order of the court or other tribunal or in order to comply with another statute, to a health record concerning a worker without the worker’s written consent (S. 63(2))

Page 58: Rajeev Sharma - Ontario health privacy law

VI. Appendix – Ontario Privacy Laws

Regulated Health Professions Act

Various acts are specific to different health professionals and provide protection based on the duties and requirements of confidentiality by the members of those professions, as well as regulations that outline disciplinary action for breaches of health care provider confidentiality, such as the Medicine Act Professional Misconduct Regulations

Page 59: Rajeev Sharma - Ontario health privacy law

VI. Appendix – Ontario Privacy Laws

Personal Health Information Protection Act (PHIPA)

Deemed substantially similar to Part 1 of PIPEDA

Health information custodians (“HICs”) are exempt from PIPEDA

Anyone described in Section 3. (1) of PHIPA is considered a health information custodian, e.g.

health care practitioners or a group practice of health care practitioners

persons or organizations providing a community service under the Long-Term Care Act, 1994

a community care access corporation under the Community Care Access Corporations Act, 2001

public or private hospitals

psychiatric facilities under the Mental Health Act

an institution under the Mental Hospitals Act

an independent health facility under the Independent Health Facilities Act, etc.

Page 60: Rajeev Sharma - Ontario health privacy law

VI. Appendix – Ontario Privacy Laws

PHIPA – Consent to Collection

Collection may happen only when the individual consents or if PHIPA permits collection without consent, and consent may be express or implied depending on the circumstances (Ss. 18 - 29)

HICs must collect the health information directly from the individual except in limited circumstances (S. 36), such as:

Where the individual consents to indirect collection;

The information is reasonably necessary for providing health care and cannot reasonably be collected directly from the individual accurately or in a timely manner

Custodians must take reasonable steps to inform the public about their collection practices

Page 61: Rajeev Sharma - Ontario health privacy law

VI. Appendix – Ontario Privacy Laws

PHIPA – Accessing Health Information

The right of access does not apply to records that contain:

quality of care information;

information required for quality assurance programs;

raw data from psychological tests or assessments;

other specified types of information (i.e., information that is used solely for research purposes and laboratory test results) (S. 51(1)).

Page 62: Rajeev Sharma - Ontario health privacy law

VI. Appendix – Ontario Privacy Laws

PHIPA – Mandatory Data Breach Notification

Requirements

A privacy breach occurs whenever a person has contravened or is about to contravene a provision of the PHIPA or its regulations, including s. 12(1)

S. 12(1) requires HICs to take steps that are reasonable in the circumstances to ensure personal health information in their custody or control is protected against theft, loss and unauthorized use or disclosure and to ensure that records containing personal health information are protected against unauthorized copying, modification or disposal

Page 63: Rajeev Sharma - Ontario health privacy law

VI. Appendix – Ontario Privacy Laws

PHIPA – Retaining and Disposing of Information

PHIPA requires that health information custodians ensure records of personal health information are retained, transferred and disposed of in a secure manner, and that if any personal health information is the subject of a request for access, that it be retained for as long as necessary to allow the individual to exhaust any recourse under the Act that he or she may have with respect to the request. (S. 13)

Page 64: Rajeev Sharma - Ontario health privacy law

VI. Appendix – Ontario Privacy Laws

Electronic PHIPA – Bill 78

EPHIPA proposes to amend three statutes, and create a new Part V.1, Electronic Health Records, under the existing PHIPA

First reading of Bill 78 was May 29, 2013

Second Reading started on October 10, 2013 and continued on November 20, 2013 and April 28, 2014

Page 65: Rajeev Sharma - Ontario health privacy law

VI. Appendix – Ontario Privacy Laws

Electronic PHIPA – Bill 78

EPHIPA is intended to provide a framework for electronic health records (EHRs) and enable prescribed organizations to create and maintain EHRs, define the EHRs and specify parameters for the creation and maintenance of EHRs

EPHIPA would permit prescribed persons who are not HICs to collect and use health numbers for the purpose of creating or maintaining the EHR

Page 66: Rajeev Sharma - Ontario health privacy law

VI. Appendix – Ontario Privacy Laws

Electronic PHIPA – Bill 78

Prescribed organizations would be required to assume all responsibilities relating to the creation and maintenance of the EHR

While these organizations have not yet been identified, the legislation sets out parameters in which they can manage PHI as non-HICs. Existing regulations under PHIPA clarify that eHealth Ontario has the authority as a Health Information Network Provider (HINP) to create and maintain EHRs.

This authority expired as of December 31, 2013, and our understanding is that eHealth Ontario will be named as the initial prescribed organization under this new legislative framework.

Page 67: Rajeev Sharma - Ontario health privacy law

VI. Appendix – Ontario Privacy Laws

Electronic PHIPA – Bill 78

The collection, use, disclosure and access of personal health information in the EHR context would be further clarified in EPHIPA

The definition and functioning of individual consent and consent overrides are proposed to be modified under EPHIPA

Electronic Health Records requirements and standards will be presented by Fida Hindi in more detail later today

Page 68: Rajeev Sharma - Ontario health privacy law

VI. Appendix – Ontario Privacy Laws

Information and Privacy Commissioner (“IPC”) of Ontario

The IPC of Ontario is an officer of the legislature pursuant to Section 4 of FIPPA

The Commissioner investigates privacy complaints and resolves appeals between government organizations and individuals

Decisions of the Commissioner rule on access and privacy decisions and practices of governmental organizations

The Commissioner reviews the personal health information policies of certain entities and investigates complaints under PHIPA

Page 69: Rajeev Sharma - Ontario health privacy law

VI. Appendix – Other Provincial Privacy Laws

British Columbia, Alberta and Quebec have their own private-sector privacy rights legislation that has been deemed “substantially similar” to PIPEDA, and are exempted from PIPEDA application in the private business sector

There is a mandatory data breach notification requirement under Alberta’s PIPA

Ontario, Alberta, Manitoba, Saskatchewan, New Brunswick and Newfoundland and Labrador have sector specific health information privacy legislation that has been deemed “substantially similar” to PIPEDA, and are exempt from PIPEDA’s application to personal health information

Page 70: Rajeev Sharma - Ontario health privacy law

VI. Appendix – Other Provincial Privacy Laws

Manitoba has enacted health privacy legislation but it has not yet been deemed to be substantially similar to PIPEDA

Prince Edward Island, Northwest Territories, Nunavut and Yukon do not have any private sector privacy legislation and are governed by PIPEDA

Page 71: Rajeev Sharma - Ontario health privacy law

Torkin Manes LLP

151 Yonge Street, Suite 1500

Toronto, ON M5C 2W7

www.torkinmanes.com

Rajeev Sharma

416 775 8828

[email protected]

Questions?

Thank you!