Bill 31, the Ontario Health Information Protection Act, 2004, received Royal Assent on May 20. The Bill enacts two pieces of legislation, the Personal Health Information Protection Act, 2004, (PHIPA, the Act) and the Quality of Care Information Protection Act, 2004, both of which will be law on November 1, 2004. This article will provide a brief overview of PHIPA.
PURPOSE OF THE ACT
The Act is intended to provide rules governing the collection, use and disclosure of individuals’ personal health information (PHI) in order to protect personal privacy and the confidentiality of the information. Subject to limited and specific exceptions, individuals will be given the right to access their own PHI and to have it corrected.
HEALTH INFORMATION CUSTODIANS
The principal organizations affected by PHIPA are “health information custodians” (custodians), defined as persons who have custody or control of personal health information in connection with their powers or duties. They include
- health care practitioners, including social workers who provide health care and any other persons whose primary function is to provide health care for payment;
- service providers under the Long-Term Care Act;
- community care access corporations;
- persons who operate
  - hospitals, independent health facilities, psychiatric facilities and private hospitals,
  - approved charitable homes for the aged, homes for the aged, nursing homes, and care homes within the meaning of the Tenant Protection Act, 1997,
  - laboratories and specimen collection centres,
  - ambulance services,
  - homes for special care, and
  - centres, programs and services for community health and mental health;
- placement coordinators for approved charitable homes for the aged, homes for the aged and nursing homes;
- evaluators within the meaning of the Health Care Consent Act, 1996 and assessors within the meaning of the Substitute Decisions Act, 1992;
- medical officers of health and boards of health; and
- the Minister of Health and the Ministry of Health and Long-Term Care if the context requires.
Other persons can be defined as custodians by regulation if they have custody or control of PHI in connection with the performance of prescribed powers, duties or work.
PERSONAL HEALTH INFORMATION
PHI is defined to include any identifying information about an individual, whether oral or recorded, that
- relates to physical or mental health, including family health history;
- relates to the provision of health care, including the identity of the individual’s health care provider;
- is a plan of service within the meaning of the Long-Term Care Act;
- relates to payments or eligibility for health care;
- is a health number;
- identifies the individual’s substitute decision-maker; or
- relates to a donation by the individual of any body part or bodily substance.
Employers who are also custodians should note that PHI does not include identifying information about their agents or employees if the information is maintained primarily for a purpose other than providing health care, or assistance in providing health care, to the agent or employee.
Custodians are required to follow a number of practices to protect PHI. For example, they must
- maintain information practices that comply with the Act and its regulations (this requires policies regarding the collection, use, retention and disclosure of PHI, together with administrative, technical and physical safeguards for it);
- take reasonable steps to ensure the accuracy of PHI;
- maintain the security of PHI in their custody or control; and
- notify an individual at the first reasonable opportunity if their PHI is lost, stolen, or accessed by an unauthorized person.
Custodians are also required to be accountable and open in terms of their privacy practices. In this connection, they must
- have a contact person responsible for ensuring compliance with the Act, responding to requests for access or correction, receiving complaints and informing all agents of their obligations;
- make available to the public a written statement that describes the custodian’s information practices, how individuals can obtain access to their PHI, have it corrected, communicate with the contact person and make a complaint; and
- be responsible for the actions of their agents.
COLLECTION, USE AND DISCLOSURE
Custodians may not collect, use or disclose an individual’s PHI unless
- they have the individual’s consent under the Act and the collection, use or disclosure is necessary for a lawful purpose; or
- the collection, use or disclosure is permitted or required by the Act.
Unless required by law to do so, custodians may not collect, use or disclose PHI if other information will serve the purpose, nor may they collect, use or disclose more PHI than is reasonably necessary to meet the purpose.
The Act provides that an individual’s PHI must be collected directly from them. Indirect collection is permitted in a number of circumstances – for example, when it is permitted or required by law, or when the collection is necessary for the individual’s health care and it is not possible to obtain the information directly from the individual in a timely manner. Similarly, the Act sets out a number of circumstances in which PHI may be used or disclosed without an individual’s consent.
Consent is a basic requirement for the collection, use and disclosure of PHI under the Act, subject to limited exceptions. To be valid, consent must be knowledgeable, voluntary, related to the PHI in question, not obtained by deception or coercion, and given by the individual concerned.
Consent may be express or implied. Generally, custodians engaged in the provision of direct health care may rely on the individual’s implied consent for the collection, use and disclosure of PHI for the purpose of providing the health care.
However, if a custodian discloses PHI to a non-custodian, the individual’s consent must be express. This means, for example, that the disclosure of PHI by a custodian to an insurance company or an employer must be authorized by express consent of the individual. Similarly, if a custodian discloses PHI to another custodian for a purpose other than providing health care, consent must be express.
PHIPA AND NON-CUSTODIANS
While the Act principally applies to custodians, non-custodians, such as employers and schools, are also affected by some of its provisions. Under the Act’s “recipient rule”, non-custodians who receive PHI from a custodian may use or disclose the information only for the purpose for which the custodian was authorized to disclose it or to carry out a statutory or legal duty. Moreover, a non-custodian who receives PHI from a custodian may not use or disclose more of the information than is reasonably necessary to meet the purpose of the use or disclosure, unless required by law. Note, however, that the recipient rule does not apply to non-custodians who are bound by the Freedom of Information and Protection of Privacy Act (FIPPA) or the Municipal Freedom of Information and Protection of Privacy Act (MFIPPA), Ontario’s public sector privacy legislation.
There are also special rules for non-custodians in relation to health card numbers. Non-custodians may collect and use health card numbers only for
- the provision of publicly-funded health services;
- the purpose for which the number was disclosed to it by the custodian;
- the regulation of health professionals; and
- health administration, planning, research or epidemiological studies, if the non-custodian is specified in the regulations.
Non-custodians may not disclose a health card number except as required by law.
ACCESS AND CORRECTION
Subject to some exceptions, individuals have the right to access their own PHI from custodians by making a written request. Custodians have 30 days to respond and, if required, must assist individuals in formulating sufficiently detailed requests.
Individuals who have been granted access to their PHI and who believe that it is inaccurate or incomplete may request in writing that the custodian correct the record containing the PHI. A custodian has 30 days to respond and, if the individual demonstrates that the record is inaccurate and gives the custodian sufficient information to correct it, the custodian must do so.
The Act is administered and enforced by the Information and Privacy Commissioner (IPC), whose office currently oversees FIPPA and MFIPPA. Anyone (i.e. not only patients) may complain to the IPC about a contravention of the Act or its regulations. The IPC may investigate in response to a complaint or on its own initiative, and may make orders as a result. Unless an order relates to access to or correction of PHI, it may be appealed to the Divisional Court. Complaints and orders may be made against non-custodians as well as custodians.
ACTION FOR DAMAGES
If the IPC has made a final order, or if a person has been convicted of an offence under the Act, a person affected by the order or by the conduct giving rise to the offence may commence a court action for damages for harm suffered as a result of the contravention of the Act. If the court determines that the harm suffered was a result of willful or reckless actions on the part of the defendant, the court may award up to $10,000 as damages for mental anguish.
The Act creates a number of offences including
- willfully collecting, using or disclosing PHI in contravention of the Act;
- knowingly disposing of PHI to avoid granting access;
- obstructing the IPC in the performance of its duties;
- willfully failing to comply with an IPC order; and
- retaliating against a person who complains to the IPC about a contravention (whistleblower protection).
The Act provides for fines of up to $50,000 for individuals and $250,000 for organizations. If a corporation commits an offence, any officer, member, employee or agent found to have authorized or acquiesced in the offence may be held personally liable.
UPCOMING EMOND HARNDEN SEMINAR
Readers wishing to learn more about PHIPA and other privacy issues may wish to attend the following event:
For further information, please contact Steven Williams at (613) 940-2737.