Presentation For Chinese Medicine And Acupuncture Association
Published in Health & Medicine

Transcript

  • 1. OVERVIEW OF THE PERSONAL HEALTH INFORMATION PROTECTION ACT, 2004
    • Chinese Medicine and Acupuncture Association of Canada
    • Manuela Di Re, Health Law Counsel, Information and Privacy Commissioner of Ontario
    • Note: This overview is presented for reference only and should not be construed as legal advice. Please consult the Act and your own solicitors for all purposes of interpretation.
  • 2. Why is the Need to Protect Personal Health Information So Critical?
    • The need for privacy of personal health information has never been greater given the:
      • Extreme sensitivity of personal health information
      • Number of persons involved in health care delivery
      • Electronic exchange of personal health information
      • Emphasis on information technology including electronic records of personal health information
      • Use or disclosure of personal health information for secondary purposes seen to be in the public interest (i.e. research, planning, surveillance)
  • 3. Possible Consequences if Inadequate Attention is Paid to the Protection of Privacy
    • If inadequate attention is paid to the protection of privacy of individuals, it may result in:
    • Possible discrimination, stigmatization and economic or psychological harm based on the personal health information
    • Potential for loss of trust in the health care system
        • “A public health agenda that ignores privacy will ultimately fail because the public will lose trust and confidence in the very system striving to safeguard its health. If people fear actions taken in the name of public health are unjustifiably coercive or that sensitive medical information is collected and shared for unrelated purposes, they will not fully and honestly participate in and support critical public health activities”
  • 4. Possible Consequences if Inadequate Attention is Paid to the Protection of Privacy
    • Loss of trust and damage to the reputation of health care providers
    • Time consuming, expensive and resource intensive exercise in dealing with privacy breaches
    • Individuals deterred from seeking information, treatment or testing for medical conditions
    • Individuals using multiple health care providers
    • Individuals withholding or providing false information to health care providers
  • 5. APPLICATION OF THE ACT
  • 6. Application of the Act
    • Majority of the Act governs “personal health information” in the custody or control of:
      • “Health Information Custodians,” or
      • “Agents” of health information custodians
    • Act also governs use and disclosure of personal health information by non-health information custodians that receive personal health information from health information custodians
  • 7. Definition of Personal Health Information
    • Defined as identifying information that:
    • Relates to a person’s physical or mental health
    • Relates to the provision of health care to the person
    • Identifies a person’s health care provider
    • Identifies the person’s substitute decision maker
    • Relates to payments or eligibility for health care
    • Is the person’s health number
    • Relates to the donation of body parts or substances
    • Is a plan of service under Long-Term Care Act, 1994
  • 8. Definition of Health Information Custodian
    • Health information custodians include:
    • Health care practitioners that provide health care
    • Hospitals, psychiatric facilities, long-term care homes
    • Pharmacies, laboratories, ambulance services
    • Community care access corporations
    • Centres, programs or services for community or mental health whose primary purpose is health care
    • Medical Officers of Health
    • Minister/Ministry of Health and Long-Term Care
  • 9. Health Care Practitioners as Health Information Custodians
    • A “health care practitioner” is defined as:
    • A member in the meaning of the Regulated Health Professions Act, 1991 who provides health care,
    • A drugless practitioner registered under the Drugless Practitioners Act who provides health care,
    • A member of the College of Social Workers and Social Service Workers who provides health care, or
    • Any other person whose primary function is to provide health care for payment
  • 10. Definition of Health Care
    • “Health care” is any observation, examination, assessment, procedure, service or care done for a health-related purpose and that is,
    • Carried out or provided to diagnose, maintain or treat an individual’s physical or mental condition,
    • Carried out or provided to prevent disease or injury or to promote health, or
    • Carried out or provided as part of palliative care
  • 11. Definition of Agent
    • Person that, with authorization of the health information custodian, acts for or on behalf of the custodian and not its own purposes
    • It is irrelevant whether or not the agent:
      • is employed by the health information custodian
      • is remunerated by the health information custodian
      • has the authority to bind the health information custodian
  • 12. DUTIES ON HEALTH INFORMATION CUSTODIANS AND THEIR AGENTS
  • 13. Duties Imposed on Health Information Custodians and Their Agents
    • Duties are imposed on health information custodians and their agents with respect to:
      • Collection, use and disclosure of personal health information
      • Requests for access and correction
      • Transparency of information practices
      • Security of personal health information
  • 14. COLLECTION, USE AND DISCLOSURE
  • 15. Collection, Use and Disclosure
    • Not permitted to collect, use or disclose personal health information if other information is sufficient for the purpose
    • Not permitted to collect, use or disclose more personal health information than necessary
    • Not permitted to collect, use or disclose personal health information UNLESS:
      • The individual consents, or
      • The collection, use or disclosure is permitted by the Act
  • 16. Collection, Use and Disclosure (cont’d)
    • Consent is not required where:
      • Collection is permitted without consent by section 36
      • Use is permitted without consent by section 37
      • Disclosure is permitted without consent by sections 38-50
    • Where consent of the individual is required, it must be ensured that the consent:
      • Is that of the individual or a substitute decision maker,
      • Is knowledgeable,
      • Relates to the personal health information, and
      • Is not obtained by deception or coercion
  • 17. Collection, Use and Disclosure (cont’d)
    • Where consent of the individual is required, the consent may be express or implied except when express consent is required by the Act
    • Individuals have the right, subject to certain exceptions, to:
      • Withdraw consent to the collection, use and disclosure, including for the provision of health care; and
      • Provide an express instruction not to use or disclose personal health information for the purposes of providing health care in the circumstances set out in sections 37(1)(a), 38(1)(a) and 50(1)(e) of the Act
  • 18. Practice Tips for Collection, Use and Disclosure
    • Communicate purposes for which personal health information is routinely collected, used or disclosed
    • Do not collect, use or disclose personal health information if other information serves the purpose
    • Do not collect, use or disclose more personal health information than is reasonably necessary
    • Collect, use or disclose personal health information with consent unless the collection, use or disclosure is permitted or required to be made without consent
    • Ensure that notices and consent forms are concise and understandable
  • 19. ACCESS AND CORRECTION
  • 20. Requests for Access
    • An individual has a right of access to his or her records of personal health information subject to certain exceptions and exemptions
    • Must respond to a request for access within 30 days with a possible 30 day extension
    • When granting access, health information custodians must:
      • Make the record available for examination and, upon request, provide a copy of the record to the individual
      • Take reasonable steps to be satisfied as to identity
      • Provide an explanation of any term, code or abbreviation used in the records if reasonably practical
  • 21. Fee for Access
    • A health information custodian that makes a record or part of a record available, or provides a copy, may charge a fee provided an estimate is first provided
    • Fee must not exceed the amount set out in the regulations to the Act or the amount of reasonable cost recovery if no amount is set out in the regulations
    • To date, no amount has been set out in regulations
    • A health information custodian may waive payment of all or part of the fee if it is fair and equitable to do so
  • 22. Requests for Correction
    • An individual may request correction of his or her records of personal health information
    • Must respond to such a request within 30 days with a possible 30 day extension
    • Health information custodians must correct records of personal health information unless:
        • It consists of a record that was not originally created by the health information custodian and the health information custodian has insufficient expertise, knowledge or authority to correct the record; or
        • It consists of professional opinion or observation that the health information custodian has made in good faith
  • 23. TRANSPARENCY OF INFORMATION PRACTICES
  • 24. Transparency of Information Practices
    • Health information custodians must implement and make available a policy setting out:
      • When, how and the purposes for which personal health information is collected, used, disclosed, retained or disposed
      • The administrative, technical and physical safeguards implemented to protect personal health information
      • How an individual may obtain access or request a correction of his or her record of personal health information
      • How an individual may make a complaint about compliance
    • Must designate a person to oversee compliance and respond to requests for access or correction
  • 25. Practice Tips for Ensuring Transparency
    • Designate a person who is accountable for ensuring privacy compliance and provide their name and contact information to your clients
    • Implement policies, procedures and practices to protect personal health information
    • Communicate these policies, procedures and practices to clients
  • 26. SECURITY OF PERSONAL HEALTH INFORMATION
  • 27. Security of Personal Health Information
    • Must ensure personal health information is retained, transferred and disposed of securely
    • Must take reasonable steps to ensure personal health information is protected against:
      • Theft, loss and unauthorized use or disclosure
      • Unauthorized copying, modification or disposal
    • Must notify an individual at the first reasonable opportunity if personal health information is stolen, lost or accessed by an unauthorized person
  • 28. Implementation of Administrative, Technical and Physical Safeguards
    • Administrative Safeguards
    • Require execution of confidentiality agreements
    • Limit number of persons with access to personal health information based on the “need to know”
    • Develop, monitor and enforce privacy and security policies
    • Technical Safeguards
    • Implement protocol for encryption, pseudonymization, anonymization
    • Institute strong authentication measures (computer password protection and unique log on identifications)
    • Implement detailed audit monitoring systems
    • Physical Safeguards
    • Store personal health information in secure settings such as combination lock doors, smart card door entry and locked cabinets
    • Deploy routine surveillance
  • 29. ROLE OF THE INFORMATION AND PRIVACY COMMISSIONER
  • 30. Role of the Information and Privacy Commissioner of Ontario
    • Information and Privacy Commissioner/Ontario has oversight responsibility for the Act
    • This includes:
      • Public and stakeholder education
      • Undertaking reviews of complaints received
      • Undertaking reviews of its own initiative
  • 31. Public and Stakeholder Education
    • Tools and resources available on our website, www.ipc.on.ca, include:
    • Frequently Asked Questions: Personal Health Information Protection Act
    • Guide to the Personal Health Information Protection Act
    • Frequently Asked Questions: Health Cards and Health Numbers
    • Safeguarding Personal Health Information Fact Sheet
    • Secure Destruction of Personal Information Fact Sheet
    • Privacy Impact Assessment Guidelines for the Ontario Personal Health Information Protection Act
    • Practice Direction for Drafting a Letter Responding to a Request for Access to Personal Health Information
    • Practice Direction for Clarifying Access Requests
  • 32. Undertaking Reviews
    • May conduct a review and investigate where:
      • A written complaint has been received
      • There are reasonable grounds to believe a person has contravened or is about to contravene the Act
    • In conducting a review, have the power to:
      • Enter and inspect premises
      • Require access to personal health information
      • Compel testimony
  • 33.  
  • 34. Stages of Complaint Based Review Process
    • Intake:
    • The complaint will be reviewed by the Registrar
    • An intake analyst may contact the health information custodian and complainant to obtain further information and/or to explain the complaint process
    • A complaint may be resolved informally, dismissed (i.e. if outside jurisdiction) or sent to mediation and/or review
    • Mediation:
    • A mediator is assigned to attempt to reach a settlement of the complaint or to simplify the matters at issue in the complaint
    • Where mediation is successful, a letter is sent confirming the resolution and a mediation report may be issued/published
    • Where mediation is not successful, a letter is sent outlining the issues resolved and those that remain outstanding and advising the parties that the complaint will be sent for review
  • 35. Stages of Complaint Based Review Process (cont’d)
    • Review:
    • An investigator is assigned to conduct the review
    • Reviews are normally conducted in writing
    • Parties are permitted to make written representations
    • After reviewing the representations, the investigator will prepare a draft order on the results of the review
    • Parties are permitted to comment on the draft order
    • The investigator then issues a final order
  • 36. How to Contact Us
    • Information & Privacy Commissioner/Ontario
    • 2 Bloor Street East, Suite 1400, Toronto, Ontario M4W 1A8
    • Phone: (416) 326-3333
    • Web: www.ipc.on.ca
    • E-mail: [email_address]