Placing appropriate controls on health data users, while conferring rights on data subjects …that, in a nutshell, is what the Personal Health Information Protection Act, 2004 (PHIPA) accomplishes.
The Ontario government-enacted law that came into force on November 1 applies to all individuals and organizations involved in health care services delivery. These include physicians and other healthcare practitioners – referred to in the Act as “health information custodians” – as well as any agent, who is authorized to collect, use and disclose personal health information on behalf of that custodian.
PHIPA has comprehensive provisions for healthcare practitioners and others to ensure personal health information of patients is kept confidential and secure.
But the scope of the Act goes much further.
It addresses two fundamental requirements – the need for privacy and the equally important need for seamless sharing of health information within the circle of care, whenever necessary, to ensure proper delivery of services.
These are often viewed as competing needs though they certainly need not be.
On the information privacy front, the challenges have never been greater than today. Pervasive adoption of communication and automation technologies is transforming the healthcare environment in Ontario as never before.
New health networks, proliferation of electronic health information exchanges, increased use of computerized health records and clinical management systems have undoubtedly enhanced healthcare service delivery in the province and countrywide. But they have also generated new questions and concerns about health information privacy among a wide range of stakeholders, including practitioners, patients, healthcare IT product vendors, and health information network providers.
Some concerns have to do with the security of the new technologies, while others relate to the scope and effectiveness of privacy regulations and investigation/enforcement mechanisms.
On the policy front, until now there’s been a patchwork of rules across the healthcare sector in Ontario, with some areas unregulated – leading many to joke that their driving records are more secure than their healthcare information.
PHIPA – A Balancing Act
Within this environment the new Act plays a vital role.
It represents the best balancing act (no pun intended) of competing interests in healthcare that need to be addressed.
Health information is unique in that it is sensitive and personal but must also be shared immediately and accurately among a range of healthcare providers for the benefit of the individual. Non-disclosure or delayed communication of health information within the circle of care can have unfortunate consequences.
I experienced this myself when records of a pre-surgery CT scan done on me in one Toronto hospital could not be electronically transmitted to another where the surgery was to be performed – as the two hospitals were not part of the same health network.
My husband volunteered to carry the results over but the nursing staff declined his request for “security” reasons, and said they would send them across by taxi. The results never arrived at the second hospital and my surgery was delayed for 18 hours! That may be a good anecdote after the fact, but it does illustrate something very crucial…that privacy concerns should never impede on the delivery of service. Instead, a balance must be maintained between the two.
And that’s what the new legislation accomplishes. It is founded on openness and transparency – which are the bedrock of privacy.
Effective health information privacy legislation maintains the equilibrium between allowing health care professionals to quickly pass on information needed for patient care to another health professional, while restricting unauthorized disclosure.
PHIPA does just that. While it builds in extensive privacy protection, it is designed not to interrupt the actual delivery of health care services.
PHIPA is based on fair information practices such as accountability, identifying purposes, consent, limiting collection and use, accuracy, and establishing safeguards. It builds upon many existing standards and protections enshrined in various statutes, the common law and professional codes of conduct. It also establishes new duties and responsibilities for health care professionals and for organizations that receive personal health information from health care providers covered under PHIPA.
While at present the Act does not include specific regulations relating to EHRs, it does require all custodians of personal health information to take “reasonable” steps to ensure data is protected against theft, loss and unauthorized use or disclosure.
For EHR custodians, reasonable steps could conceivably include looking at issues like best privacy protection technologies and practices, and tools to secure access points to and from electronic record users.
This would apply not just to EHR custodians but also to solution providers (software and hardware vendors), and to health information network providers (like Smart Systems for Health Agency).
Network providers, for instance, are required to offer custodians a description of safeguards and services – and notify them if there’s been any breach of requirements relating to them (the providers).
They also have to perform – and provide to the custodian – an assessment of threats, vulnerabilities and risks to the security and integrity of information, and the impact of their services on privacy. They must ensure third parties retained by them also comply with these conditions.
Implied consent is an important PHIPA provision.
Physicians who provide direct health care services are considered to be within the “circle of care” and are permitted to rely on an individual’s implied consent for the collection, use and disclosure of personal health information. Disclosures outside the circle of care or to another custodian unrelated to the provision of health care will require express consent.
The exceptions to “implied consent”, however, are cases (hopefully infrequent), where a person expressly withholds or withdraws consent for his or her health information to be disclosed.
In such cases, public hospitals have until November 1, 2005 to comply with “lock box” requirements. If necessary, IT tools would have to be put in place to ensure flagged information is locked and disclosure of locked information is barred.
A very significant facet of PHIPA has to do with “rights of access and correction.” The new law expands and codifies the common law right of access.
It gives an individual right of access to all his or her personal health information records in the custody or control of any health information custodian (with a few exceptions). Custodians will also be required to notify the person if personal information is lost, stolen, or accessed by an unauthorized individual or organization.
Again it’s important that custodians using EHRs put processes and tools in place to comply with these access and correction requirements.
PHIPA should have minimal impact on the daily functions of physicians who continue to maintain the confidentiality and security of personal health information and ensure the highest protective privacy standards continue to be in place.
Complaints regarding privacy breaches by any custodian covered under PHIPA can be made to my office – the Office of the Information and Privacy Commissioner/Ontario (IPC).
The IPC is an independent oversight body charged with broad investigation, mediation and order