Ontario Health Privacy Law
Rajeev Sharma
416 775 8828
rsharma@torkinmanes.com
December 4, 2014
Presentation Outline
I. A summary of Ontario’s privacy laws
II. Privacy law enforcement
III. How to comply
IV. What happens when things go wrong
V. Issues that may arise in the future
VI. Appendix – a detailed explanation of federal and provincial privacy laws
I. A summary of Ontario’s privacy laws
Several statutes regulate the privacy and disclosure of medical information in Ontario:
- Personal Health Information Protection Act
- Freedom of Information and Protection of Privacy Act
- Municipal Freedom of Information and Protection of Privacy Act
- The Occupational Health and Safety Act
- Mental Health Act
- Regulated Health Professions Act
- Medicine Act Professional Misconduct Regulations
Personal Health Information Protection Act (“PHIPA”)
- Regulates the collection, use, and disclosure of personal health information by health information custodians
- Sets rules to balance the needs of our health care system with the individual’s right to privacy
- Designed to enhance privacy while minimizing the impact on the patient-provider relationship
“Personal Health Information” includes oral or written information that
- relates to the individual’s physical or mental state;
- relates to the provision of health care;
- relates to payment or eligibility for health care;
- relates to donation of body parts or bodily substances;
- is a plan of service for long-term care;
- is the individual’s health number; or
- identifies the individual’s substitute decision-maker.
“Health Information Custodians” are anyone who is involved in delivering health care services, such as:
- health care practitioners (e.g. nurses, physicians, or anyone who provides health care for payment);
- long-term-care service providers;
- community care access corporations;
- hospitals and other facilities;
- pharmacies and laboratories;
- a medical officer of health or a board of health;
- the Ministry of Health and Long-Term Care.
“Agents” of Health Information Custodians
- are authorized to act on behalf of a custodian; and
- perform activities for the purposes of a custodian.
An individual or organization may be considered an agent regardless of whether it
- has the authority to bind the custodian;
- is employed by the custodian; or
- is receiving remuneration.
Collection, Use, and Disclosure
- A custodian may only collect, use, or disclose personal health information if the individual consents or PHIPA otherwise permits it.
- A custodian must not collect, use, or disclose personal health information if
  - other information will serve the purpose, or
  - the information is not necessary to meet the purpose.
How do I know if the individual consents?
1. Express consent
   - If the disclosure is not to provide health care.
   - If the information is being provided to a non-custodian (e.g. marketing, fundraising).
2. Implied consent
   - If the disclosure is for the purpose of providing health care.
   - Assumed if the individual is within the custodian’s “circle of care.”
If the individual lacks capacity, the consent may be given by a substitute decision-maker.
Implied Consent & the “Circle of Care”
To be within the circle of care and rely on implied consent, the information must
- be received from the individual, a substitute decision-maker, or another custodian;
- have the purpose of providing or assisting in the individual’s health care; and
- be disclosed from one custodian to another custodian.
Note that some custodians cannot rely on implied consent, such as Canadian Blood Services and the Ministry of Health and Long-Term Care.
- PHIPA does not define “circle of care,” but it is a useful way to describe situations where custodians can rely on implied consent.
Collection
Custodians should collect personal health information directly from individuals; however, it may be collected indirectly if
- the individual consents;
- the information is necessary to provide health care and direct collection is not reasonably possible;
- a government institution needs the information for an investigation or proceeding;
- the information will be used for research purposes or for managing the health system; or
- indirect collection is otherwise authorized.
Use
Custodians may use personal health information without consent for
- the purpose for which it was collected or created;
- planning or delivering programs and services;
- risk and error management;
- improving the quality of care;
- obtaining payment for health care or related goods and services; and
- educating agents and research purposes.
Disclosure
Custodians may disclose personal health information without consent that relates to
- providing health care;
- establishing the identity of, or making decisions for, a deceased individual;
- health programs or research;
- eliminating or reducing a significant risk of bodily harm;
- the care or custody of persons in a custodial institution or psychiatric facility;
- a legal proceeding or potential successor;
- planning and management of health systems;
- the government’s analysis of the health system;
- monitoring health payments; and
- contacting next of kin if the individual is unable to give consent.
Protecting Information
Once personal health information is collected, custodians must take “reasonable steps” to ensure that
- the information is as accurate, complete and up-to-date as necessary;
- the information is protected from theft, loss and unauthorized use or disclosure (if it is in your custody or control); and
- records are protected against unauthorized copying, modification or disposal.
Mandatory Breach Notification
- Custodians must notify the individual if his or her personal health information is stolen, lost or accessed by unauthorized persons (e.g. University Health Network has logged 258 privacy incidents since 2012).
- Custodians may also voluntarily report privacy breaches to the Privacy Commissioner, who will include the breaches in the Commissioner’s annual report (e.g. Mount Sinai has reported 20 privacy breaches every year since 2010).
- In 2004 Ontario was the first jurisdiction in Canada to implement this notice requirement.
Information Technology Service Providers
IT Service Providers that are not agents
- must ensure their employees and other persons acting on their behalf comply with PHIPA restrictions on the collection, use, and disclosure of information;
- can only use personal health information as is necessary to provide the IT service; and
- cannot disclose personal health information under any circumstances.
All IT Service Providers that allow two or more custodians to share personal health information electronically must:
- notify the custodian of any unauthorized access;
- provide public information about safeguards and policies;
- keep electronic records of all accesses and transfers;
- perform a risk and privacy impact assessment; and
- enter into an agreement with the custodian and any third parties requiring the provider to comply with PHIPA.
Health Records
- Individuals can generally access records of their own personal health information (and not someone else’s).
- Before providing access, the custodian must take reasonable steps to determine the individual’s identity.
Health Cards
- Non-custodians can only collect or use a health number
  - to provide provincially funded health resources;
  - for the purpose the individual provided the health number;
  - for purposes relating to regulating health professionals; or
  - for purposes relating to health administration, health planning, research, or epidemiological studies.
- Individuals can only be required to produce health cards for provincially funded resources.
Accountability & Transparency
- Custodians must designate a contact person who
  - ensures the custodian and its agents comply with PHIPA;
  - responds to inquiries about the custodian’s practices;
  - responds to requests for access or correction of records; and
  - receives complaints about non-compliance.
- Custodians must issue a public written statement describing
  - the custodian’s information practices;
  - how to reach the custodian and/or its contact person;
  - how to obtain access to a record or request a correction; and
  - how to make a complaint to the custodian and the privacy commissioner.
II. Privacy Law Enforcement
Privacy laws may be enforced with
- Complaints
- Statutory penalties
- Civil lawsuits
- Reputational harm
Complaints
- A person who believes PHIPA has been violated may file a complaint with Ontario’s Information and Privacy Commissioner.
- Custodians may be liable or found guilty of an offence if they do not act in good faith, act unreasonably, or do not comply with the legislation.
- In 2013 more than 400 health-related privacy violation complaints were lodged with Ontario’s Privacy Commissioner.
- Examples of privacy breaches from 2014:
  - Hospitals inappropriately provided patient information to baby photographers
  - Hospitals were handing out patient contact information to private marketing companies
- Individuals may also complain to the custodian or agent themselves.
Statutory Penalties
- PHIPA contains many offences, such as
  - wilfully collecting, using or disclosing personal health information in contravention of PHIPA;
  - disposing of a record with the intent to evade an access request; and
  - wilfully obstructing or making a false statement to the privacy commissioner.
- Individuals found guilty may be fined up to $50,000
- Organizations found guilty may be fined up to $250,000
Civil Lawsuits
- A person or entity may be sued for breach of privacy in contract and tort law using the following causes of action: breach of contract, trespass, negligence, breach of fiduciary duty, or the tort of “intrusion upon seclusion.”
- “Intrusion upon seclusion” is a new tort that allows for lawsuits based on the invasion of personal privacy (Jones v. Tsige, 2012 ONCA 32).
Reputational Harm
- In addition to the risk of complaints, statutory penalties, and civil lawsuits, a custodian that breaches privacy laws risks harming its own reputation and that of its organization.
- Privacy breaches often become public, resulting in headline news and trending social media stories.
- Harm to the reputations of hospitals, individuals, and other organizations can be significant.
III. How to comply
Privacy Policies & Procedures
- Does your organization have them?
- Are they up to date?
- Is the content adequate?
- Can anyone in the organization access them readily?
- Are they updated and communicated regularly?
Privacy Compliance Committee
- Do you have one?
- Does it meet regularly?
- Does it keep minutes or records?
- Do its members represent all functional areas of the organization? (e.g. IT, HR, etc.)
- What is their mandate?
- Are the members senior enough in the organization?
Privacy Compliance Audits
- Do you have regular audits?
- What do you do with the results?
- Are complaints responded to promptly?
- Are there internal consequences for non-compliance?
Privacy Training & Communication
- Do you regularly train employees on privacy?
- Is your training recorded and logged?
- Are new employees trained right away?
- Are there regular communications/updates?
IV. What happens when things go wrong
Case study: Rouge Valley
- Patients who gave birth at Rouge Valley Centenary Hospital between 2009 and 2013 brought a $412 million class action lawsuit against the hospital.
- The patients allege that Rouge Valley employees sold their personal information to private companies that market RESP investments to new parents.
- The class action exposes the hospital to liability based on the tort of intrusion upon seclusion, negligence, vicarious liability or breach of contract.
- Rouge Valley has provided disclosure notice on its webpage in keeping with PHIPA regarding the possible breach of patient information.
Internal Protocol
- Who is in charge of privacy? Who do they report to?
- How often is legal counsel engaged? How involved are they?
- Does the organization have a critical action committee when things go wrong? Who’s on the committee? What is the standard operating procedure?
V. Issues that may arise in the future
Genetic Information
- Canada has not yet legislated how health insurers and employers may use genetic testing information.
- In the US and in many European countries the use of genetic information by insurers and employers is prohibited.
- Canada’s privacy commissioner has concerns, but the last action taken was a Task Force on Insurance and Genetics in 2004.
- Genetic testing may be governed by PIPEDA and PHIPA and possibly provincial Human Rights Codes.
- The Canadian Life Health Insurance Association has issued a Position Statement on the use of genetic information stating that “if genetic testing has been done and the information is available to the applicant for insurance and/or the applicant’s physician, the insurer would request access to that information just as it would for other aspects of the applicant's health history.”
VI. Appendix
i. Federal Privacy Laws
ii. Ontario Privacy Laws
iii. Other Provincial Privacy Laws
VI. Appendix – Federal Privacy Laws
Privacy Act, RSC, 1985, c. P-21
- Imposes obligations on the collection, use and disclosure of personal information by federal government departments and agencies
- Gives individuals the right to access and request personal information held by federal governmental organizations
- The Privacy Act is administered by the heads of the government institutions that are subject to the Act
- Each institution listed in the Schedule to the Act (e.g. Health Canada) is required to respond to requests for information from individuals
Section 3 of the Privacy Act defines the term:
“personal information” means information about an identifiable individual that is recorded in any form including, without restricting the generality of the foregoing,
(a) information relating to the race, national or ethnic origin, colour, religion, age or marital status of the individual,
(b) information relating to the education or the medical, criminal or employment history of the individual or information relating to financial transactions in which the individual has been involved,
(c) any identifying number, symbol or other particular assigned to the individual,
(d) the address, fingerprints or blood type of the individual… [emphasis added] (S. 3)
Personal Information Protection and Electronic Documents Act [PIPEDA] SC 2000, c 5
- Provides rules for how private sector organizations may collect, use or disclose personal information in the course of their commercial activities, as well as for federal works, undertakings and businesses that hold employee personal information
- Does not apply in provinces that have substantially similar private sector privacy legislation
- Gives individuals the right to access and request correction of personal information held by these organizations
- Does not have any mandatory data breach notification requirements yet
The Office of the Privacy Commissioner of Canada
- The Commissioner oversees compliance with the Privacy Act and PIPEDA.
- The Commissioner investigates complaints made by individuals about Government of Canada institutions pursuant to S. 29 of the Privacy Act.
- The Commissioner can investigate complaints made by individuals about private sector organizations pursuant to S. 11 of PIPEDA, except in provinces that have substantially similar legislation.
- The Commissioner has made findings under both PIPEDA and the Privacy Act and has handed down decisions for cases where challenges were made by individuals.
VI. Appendix – Ontario Privacy Laws
Freedom of Information and Protection of Privacy Act (FIPPA)
- Originally applied to provincial government and public institutions; now applies to most of the public sector, including Local Health Integration Networks (LHINs), which include hospitals, long-term care homes and mental health and addiction agencies
- Purpose is 1) to provide a right of access to records and information and 2) to protect the privacy of individuals
Municipal Freedom of Information and Protection of Privacy Act (MFIPPA)
- Applies to all local government organizations such as municipalities, school boards, police services boards, boards of health, etc.
- Purpose is 1) to provide a right of access to records and information and 2) to protect the privacy of individuals
FIPPA and MFIPPA – Using Information
- Government organizations are only permitted to use personal information if the individual consents to the use; for the purpose for which it was obtained or compiled or for a consistent purpose; or for a purpose for which the information may be disclosed to the government organization (S. 41 FIPPA)
- Government organizations must take reasonable steps to ensure that personal information is not used unless it is accurate and up to date (S. 40(2) FIPPA)
FIPPA and MFIPPA – Collecting Information
- Government organizations (including hospitals and LHINs) are required to collect personal information as part of their role in providing services to the public and shall not collect personal information unless expressly authorized by statute (S. 38(2) FIPPA)
- Government organizations must provide notice to individuals whenever personal information is collected and must specify the legal authority for the collection, the purpose of collection and who to contact about the collection (S. 39(2) FIPPA)
FIPPA and MFIPPA – Accessing Information
- Provincial government organizations are required to list their personal information banks in the Directory of Records (Ss. 44-45 FIPPA)
- The directory describes the kinds of personal information kept by each provincial government organization.
- Municipal government organizations should have their own directories available (S. 34 MFIPPA)
FIPPA and MFIPPA – Disclosing Information
- Under FIPPA and MFIPPA, some of the circumstances in which government organizations are permitted to disclose personal information include:
  - where the individual has consented to the disclosure;
  - for the purpose for which the personal information was obtained or compiled or for a consistent purpose;
  - where the disclosure is necessary and proper in the discharge of the organization’s functions;
  - for the purpose of complying with another Act;
  - for law enforcement purposes;
  - in compelling circumstances affecting the health or safety of an individual;
  - in compassionate circumstances, to facilitate contact with the next of kin or a friend of an individual who is injured, ill or deceased;
  - to the Information and Privacy Commissioner; and
  - to the Government of Canada in order to facilitate the auditing of shared cost programs. (S. 42 FIPPA, S. 32 MFIPPA)
Mental Health Act (MHA)
- MHA governs psychiatric facilities and the admission, detention, treatment, and release of psychiatric patients.
- PHIPA repealed several sections of the MHA and amended others, most notably those relating to confidentiality, disclosure, access, and correction of records.
- The obligations created by PHIPA apply in addition to those created by MHA.
- If the provisions of MHA and PHIPA conflict, PHIPA prevails unless otherwise stated in the Acts.
- “patient” includes a current or former patient or out-patient, and anyone who is or has been detained in a psychiatric facility
- The officer in charge (OIC) of a psychiatric facility may collect, use and disclose personal health information about a patient, with or without the patient’s consent, for the purposes of
  - examining, assessing, observing or detaining the patient in accordance with the MHA; or
  - complying with an order or disposition made under the Criminal Code
- The MHA sets out mandatory disclosure of personal health information for:
  - Capacity and Consent Board proceedings
  - Persons entitled to have access under s. 83 of the Substitute Decisions Act
  - Compliance with a summons, order, direction, notice or similar requirement in respect of a matter that may be in issue in a court of competent jurisdiction or under any Act
    - except where the attending physician states in writing that he or she is of the opinion that the disclosure is likely to result in harm to the treatment or recovery of the patient, or is likely to result in injury to the mental condition of a third person or bodily harm to a third person.
- The MHA sets out permissible disclosure of personal health information to:
  - A physician who is considering issuing or renewing, or who has issued or renewed, a CTO (community treatment order);
  - A physician appointed to act as a substitute for the CTO’s issuing physician;
  - Where requested by the issuing physician or a person named in the CTO, to another person named in the person’s CTO; and
  - A prescribed person who is providing advocacy services to patients in prescribed circumstances, i.e., a rights adviser.
Public Hospitals Act (PHA)
- PHA applies to all public hospitals in Ontario, but not to private hospitals under the Private Hospitals Act or independent health facilities under the Independent Health Facilities Act (S. 2)
- PHA only briefly refers to record keeping, confidentiality, disclosure, and related issues, leaving these to be spelled out in Regulation 965 – Hospital Management
- PHIPA replaces the term “medical record” in PHA with the term “record of personal health information”
- The obligations created by PHIPA apply in addition to those created by PHA.
  - If the provisions of PHA and PHIPA conflict, PHIPA prevails unless otherwise stated.
Occupational Health and Safety Act (OHSA)
- Except where allowed under the OHSA or as required by another law, worker health and safety representatives:
  - must not disclose any information about any workplace tests or inquiries conducted under the Act;
  - must not reveal the name of any person from whom information is received;
  - may disclose the results of any medical examinations or tests of workers only in a way that does not identify anyone. (S. 63(1))
- No employer shall seek to gain access, except by an order of the court or other tribunal or in order to comply with another statute, to a health record concerning a worker without the worker’s written consent (S. 63(2))
Regulated Health Professions Act
- Various acts are specific to different health professions and provide protection based on the duties and requirements of confidentiality of the members of those professions, as well as regulations that outline disciplinary action for breaches of health care provider confidentiality, such as the Medicine Act Professional Misconduct Regulations
Personal Health Information Protection Act (PHIPA)
- Deemed substantially similar to Part 1 of PIPEDA
- Health information custodians (“HICs”) are exempt from PIPEDA
- Anyone described in Section 3(1) of PHIPA is considered a health information custodian, e.g.
  - health care practitioners or a group practice of health care practitioners
  - persons or organizations providing a community service under the Long-Term Care Act, 1994
  - a community care access corporation under the Community Care Access Corporations Act, 2001
  - public or private hospitals
  - psychiatric facilities under the Mental Health Act
  - an institution under the Mental Hospitals Act
  - an independent health facility under the Independent Health Facilities Act, etc.
PHIPA – Consent to Collection
- Collection may happen only when the individual consents or if PHIPA permits collection without consent, and consent may be express or implied depending on the circumstances (Ss. 18 - 29)
- HICs must collect the health information directly from the individual except in limited circumstances (S. 36), such as:
  - where the individual consents to indirect collection;
  - the information is reasonably necessary for providing health care and cannot reasonably be collected directly from the individual accurately or in a timely manner
- Custodians must take reasonable steps to inform the public about their collection practices
PHIPA – Accessing Health Information
- The right of access does not apply to records that contain:
  - quality of care information;
  - information required for quality assurance programs;
  - raw data from psychological tests or assessments;
  - other specified types of information (i.e., information that is used solely for research purposes and laboratory test results) (S. 51(1)).
PHIPA – Mandatory Data Breach Notification Requirements
- A privacy breach occurs whenever a person has contravened or is about to contravene a provision of PHIPA or its regulations, including s. 12(1)
- S. 12(1) requires HICs to take steps that are reasonable in the circumstances to ensure personal health information in their custody or control is protected against theft, loss and unauthorized use or disclosure, and to ensure that records containing personal health information are protected against unauthorized copying, modification or disposal
PHIPA – Retaining and Disposing of Information
- PHIPA requires that health information custodians ensure records of personal health information are retained, transferred and disposed of in a secure manner, and that if any personal health information is the subject of a request for access, it be retained for as long as necessary to allow the individual to exhaust any recourse under the Act that he or she may have with respect to the request. (S. 13)
Electronic PHIPA – Bill 78
- EPHIPA proposes to amend three statutes and create a new Part V.1, Electronic Health Records, under the existing PHIPA
- First reading of Bill 78 was May 29, 2013
- Second Reading started on October 10, 2013 and continued on November 20, 2013 and April 28, 2014
- EPHIPA is intended to provide a framework for electronic health records (EHRs) and enable prescribed organizations to create and maintain EHRs, define the EHRs and specify parameters for the creation and maintenance of EHRs
- EPHIPA would permit prescribed persons who are not HICs to collect and use health numbers for the purpose of creating or maintaining the EHR
- Prescribed organizations would be required to assume all responsibilities relating to the creation and maintenance of the EHR
- While these organizations have not yet been identified, the legislation sets out parameters in which they can manage PHI as non-HICs.
- Existing regulations under PHIPA clarify that eHealth Ontario has the authority as a Health Information Network Provider (HINP) to create and maintain EHRs.
- This authority expired as of December 31, 2013, and our understanding is that eHealth Ontario will be named as the initial prescribed organization under this new legislative framework.
- The collection, use, disclosure and access of personal health information in the EHR context would be further clarified in EPHIPA
- The definition and functioning of individual consent and consent overrides are proposed to be modified under EPHIPA
- Electronic Health Records requirements and standards will be presented by Fida Hindi in more detail later today
Information and Privacy Commissioner (“IPC”) of Ontario
- The IPC of Ontario is an officer of the legislature pursuant to Section 4 of FIPPA
- The Commissioner investigates privacy complaints and resolves appeals between government organizations and individuals
- Decisions of the Commissioner rule on access and privacy decisions and practices of governmental organizations
- The Commissioner reviews the personal health information policies of certain entities and investigates complaints under PHIPA
VI. Appendix – Other Provincial Privacy Laws
- British Columbia, Alberta and Quebec have their own private-sector privacy legislation that has been deemed “substantially similar” to PIPEDA, and those provinces are exempt from PIPEDA’s application to the private business sector
- There is a mandatory data breach notification requirement under Alberta’s PIPA
- Ontario, Alberta, Manitoba, Saskatchewan, New Brunswick and Newfoundland and Labrador have sector-specific health information privacy legislation that has been deemed “substantially similar” to PIPEDA, and those provinces are exempt from PIPEDA’s application to personal health information
- Manitoba has enacted health privacy legislation but it has not yet been deemed to be substantially similar to PIPEDA
- Prince Edward Island, Northwest Territories, Nunavut and Yukon do not have any private sector privacy legislation and are governed by PIPEDA
Torkin Manes LLP
151 Yonge Street, Suite 1500
Toronto, ON M5C 2W7
www.torkinmanes.com
Questions?
Thank you!

Rajeev Sharma - Ontario health privacy law

  • 1. Ontario Health Privacy Law Rajeev Sharma 416 775 8828 rsharma@torkinmanes.com December 4, 2014
  • 2. Presentation Outline I. A summary of Ontario’s privacy laws II. Privacy law enforcement III. How to comply IV. What happens when things go wrong V. Issues that may arise in the future VI. Appendix – a detailed explanation of federal and provincial privacy laws
  • 3. I. A summary of Ontario’s privacy laws Several statutes regulate the privacy and disclosure of medical information in Ontario:  Personal Health Information Protection Act  Freedom of Information and Protection of Privacy Act  Municipal Freedom of Information and Protection of Privacy Act  The Occupational Health and Safety Act  Mental Health Act  Regulated Health Professions Act  Medicine Act Professional Misconduct Regulations
  • 4. I. A summary of Ontario’s privacy laws Personal Health Information Protection Act (“PHIPA”)  Regulates the collection, use, and disclosure of personal health information by health information custodians  Sets rules to balance the needs of our health care system with the individual’s right to privacy  Designed to enhance privacy while minimizing the impact on the patient-provider relationship
  • 5. I. A summary of Ontario’s privacy laws “Personal Health Information” includes oral or written information that  relates to the individual’s physical or mental state;  relates to the provision of health care;  relates to payment or eligibility for health care;  relates to donation of body parts or bodily substances;  is a plan of service for long-term care;  is the individual’s health number; or  identifies the individual’s substitute decision-maker.
  • 6. I. A summary of Ontario’s privacy laws “Health Information Custodians” are anyone who is involved in delivering health care services, such as:  health care practitioners (e.g. nurses, physicians, or anyone who provides health care for payment);  long-term-care service providers;  community care access corporations;  hospitals and other facilities;  pharmacies and laboratories;  a medical officer of health or a board of health;  The Ministry of Health and Long-Term Care.
  • 7. I. A summary of Ontario’s privacy laws “Agents” of Health Information Custodians  are authorized to act on behalf of a custodian; and  perform activities for the purposes of a custodian. An individual or organization may be considered an agent regardless of whether it  has the authority to bind the custodian;  is employed by the custodian; and  is receiving remuneration.
  • 8. I. A summary of Ontario’s privacy laws Collection, Use, and Disclosure  A custodian may only collect, use, or disclose personal health information if the individual consents or PHIPA otherwise permits it.  A custodian must not collect, use, or disclose personal health information if  other information will serve the purpose, or  the information is not necessary to meet the purpose.
  • 9. I. A summary of Ontario’s privacy laws How do I know if the individual consents? 1. Express consent  If the disclosure is not to provide health care.  If the information is being provided to a non-custodian.  e.g. marketing, fundraising 2. Implied consent  If the disclosure is for the purpose of providing health care  Assumed if the individual is within the custodian’s “circle of care.” If the individual lacks capacity, the consent may be given by a substitute decision-maker.
  • 10. I. A summary of Ontario’s privacy laws Implied Consent & the “Circle of Care” To be within the circle of care and rely on implied consent, the information must  be received from the individual, a substitute decision- maker, or another custodian;  have the purpose of providing or assisting in the individual’s health care; and  be disclosed from one custodian to another custodian. Note that some custodians cannot rely on implied consent, such as Canadian Blood Services and the Ministry of Health and Long-Term Care.
  • 11. I. A summary of Ontario’s privacy laws Implied Consent & the “Circle of Care”  The PHIPA does not define “circle of care” but it is a useful way to describe situations where custodians can rely on implied consent.
  • 12. I. A summary of Ontario’s privacy laws Collection Custodians should collect personal health information directly from individuals; however, it may be collected indirectly if  the individual consents;  the information is necessary to provide health care and direct collection is not reasonably possible;  a government institution needs the information an investigation or proceeding;  the information will be used for research purposes or for managing the health system; or  indirect collection is otherwise authorized.
  • 13. I. A summary of Ontario’s privacy laws Use Custodians may use personal health information without consent for  the purpose for which it was collected or created;  planning or delivering programs and services;  risk and error management;  improving the quality of care;  obtaining payment for health care or related goods and services; and  educating agents and research purposes.
  • 14. I. A summary of Ontario’s privacy laws Disclosure Custodians may disclose personal health information without consent that relates to  providing health care;  obtain the identity or make decisions for a deceased individual;  health programs or research;  eliminating or reducing a significant risk of bodily harm;  the care or custody of persons in a custodial institution or psychiatric facility;
  • 15. I. A summary of Ontario’s privacy laws Disclosure Custodians may disclose personal health information without consent that relates to  a legal proceeding or potential successor;  planning and management of health systems;  the government’s analysis of the health system;  monitoring health payments; and  contacting next of kin if the individual is unable to give consent.
  • 16. I. A summary of Ontario’s privacy laws Protecting Information Once personal health information is collected, custodians must take “reasonable steps” to ensure the information  is as accurate, complete and up-to-date as necessary;  is protected from theft, loss and unauthorized use or disclosure (if it is in your custody or control);  records are protected against unauthorized copying, modification or disposal.
  • 17. I. A summary of Ontario’s privacy laws Mandatory Breach Notification  Custodians must notify the individual if his or her personal health information is stolen, lost or accessed by authorized persons (e.g. University Health Network has logged 258 privacy incidents since 2012).  Custodians may also voluntarily report privacy breaches to the Privacy Commissioner, who will include the breaches in their annual report (e.g. Mount Sinai has reported 20 privacy breaches every year since 2010).  In 2004 Ontario was the first jurisdiction in Canada to implement this notice requirement.
  • 18. I. A summary of Ontario’s privacy laws Information Technology Service Providers IT Service Providers that are not agents  must ensure their employees and other persons acting on their behalf comply with PHIPA restrictions on the collection, use, and disclosure of information;  can only use personal health information as it is necessary to provide the IT service; and  cannot disclose personal health information under any circumstances.
  • 19. I. A summary of Ontario’s privacy laws Information Technology Service Providers All IT Service Providers that allow two or more custodians to share personal health information electronically must:  notify the custodian of any unauthorized access;  provide public information about safeguards and policies;  keep electronic records of all accesses and transfers;  perform a risk and privacy impact assessment;  enter into an agreement with the custodian and any third parties requiring the provider to comply with PHIPA.
  • 20. I. A summary of Ontario’s privacy laws Health Records  Individuals can generally access records of their own personal health information (and not someone else’s)  Before providing access, the custodian must take reasonable steps to determine the individual’s identity.
  • 21. I. A summary of Ontario’s privacy laws Health Cards  Non-custodians can only collect or use a health number  to provide provincially funded health resources;  for the purpose the individual provided the health number;  for purposes relating to regulating health professionals; or  for purposes relating to health administration, health planning, research, or epidemiological studies.  Individuals can only be required to produce health cards for provincially funded resources.
  • 22. I. A summary of Ontario’s privacy laws Accountability & Transparency  Custodians must designate a contact person who  ensures the custodian and its agents comply with PHIPA;  responds to inquiries about the custodian’s practices;  responds to requests for access or correction of records; and  Receives complaints about non-compliance.  Custodians must issue a public written statement describing  the custodian’s information practices;  how to reach the custodian and/or its contact person;  how to obtain access to a request or make a correction; and  how to make a complaint to the custodian and privacy commissioner.
  • 23. II. Privacy Law Enforcement Privacy laws may be enforced with  Complaints  Statutory penalties  Civil lawsuits  Reputational Harm
  • 24. II. Privacy Law Enforcement Complaints  A person who believes PHIPA has been violated may file a complaint with Ontario’s Information and Privacy Commissioner.  Custodians may be liable or found guilty of an offence if they do not act in good faith, act unreasonably, or do not comply with the legislation.
  • 25. II. Privacy Law Enforcement Complaints  In 2013 more than 400 health-related privacy violation complaints were lodged with Ontario’s Privacy Commissioner.  Examples of privacy breaches from 2014:  Hospitals inappropriately provided patient information to baby photographers  Hospitals were handing out patient contact information to private marketing companies  Individuals may also complain to the custodian or agent themselves.
  • 26. II. Privacy Law Enforcement Statutory Penalties  PHIPA contains many offences, such as  wilfully collecting, using or disclosing personal health information in contravention of PHIPA;  disposing of a record with the intent to evade an access request; and  wilfully obstructing or making a false statement to the privacy commissioner.  Individuals found guilty may be fined up to $50,000  Organizations found guilty may be fined up to $250,000
  • 27. II. Privacy Law Enforcement Civil Lawsuits  A person or entity may be sued for breach of privacy in contract and tort law using the following causes of action: breach of contract, trespass, negligence, breach of fiduciary duty, or the tort of “intrusion upon seclusion.”  “Intrusion upon seclusion” is a new tort that allows for lawsuits based on the invasion of personal privacy (Jones v. Tsige, 2012 ONCA 32).
  • 28. II. Privacy Law Enforcement Reputational Harm  In addition to the risk of complaints, statutory penalties, and civil lawsuits, a custodians that breaches privacy laws risks harming their reputation and that of their organization.  Privacy breaches often become public, resulting in headline news and trending social media stories.  Harm to the reputations of hospitals, individuals, and other organizations can be significant.
  • 29. III. How to comply Privacy Policies & Procedures  Does your organization have them?  Are the they up to date?  Is the content adequate?  Can anyone in the organization access them readily?  Are they updated and communicated regularly?
  • 30. III. How to comply Privacy Compliance Committee  Do you have one?  Does it meet regularly?  Does it keep minutes or records?  Do its members represent all functional areas of the organization? (e.g. IT, HR, etc.)  What is their mandate?  Are the members senior enough in the organization?
  • 31. III. How to comply Privacy Compliance Audits  Do you have regular audits?  What do you do with the results?  Are complaints responded to promptly?  Are there internal consequences for non- compliance?
  • 32. III. How to comply Privacy Training & Communication  Do you regularly train employees on privacy?  Is your training recorded and logged?  Are new employees trained right away?  Are there regular communications/updates?
  • 33. IV. What happens when things go wrong Case study: Rouge Valley  Patients who gave birth at Rouge Valley Centenary Hospital between 2009 and 2013 brought a $412 million class action lawsuit against the hospital  The patients allege that Rouge Valley employees sold their personal information to private companies that market RESP investments to new parents.
  • 34. IV. What happens when things go wrong Case study: Rouge Valley  The class action exposes the hospital to liability based on the tort of intrusion upon seclusion, negligence, vicarious liability or breach of contract  Rouge Valley has provided disclosure notice on its webpage in keeping with PHIPA regarding the possible breach of patient information
  • 35. IV. What happens when things go wrong Internal Protocol  Who is in charge of privacy? Who do they report to?  How often is legal counsel engaged? How involved are they?  Does the organization have a critical action committee when things go wrong? Who’s on the committee? What is the standard operating procedure?
  • 36. V. Issues that may arise in the future Genetic Information  Canada has not yet legislated how health insurers and employers may use genetic testing information  In the US and in many European countries use of genetic information by insurers and employers is prohibited  Canada’s privacy commissioner has concerns, but the last action taken was a Task Force on Insurance and Genetics in 2004
  • 37. V. Issues that may arise in the future Genetic Information  Genetic testing may be governed by PIPEDA and PHIPA and possibly provincial Human Rights Codes  The Canadian Life Health Insurance Association has issued a Position Statement on the use of genetic information stating that “if genetic testing has been done and the information is available to the applicant for insurance and/or the applicant’s physician, the insurer would request access to that information just as it would for other aspects of the applicant's health history.”
  • 38. VI. Appendix i. Federal Privacy Laws ii. Ontario Privacy Laws iii. Other Provincial Privacy Laws
VI. Appendix – Federal Privacy Laws
Privacy Act, RSC, 1985, c. P-21
 Imposes obligations on the collection, use and disclosure of personal information by federal government departments and agencies
 Gives individuals the right to access and request personal information held by federal governmental organizations
 The Privacy Act is administered by the heads of the government institutions that are subject to the Act
 Each institution listed in the Schedule to the Act (e.g. Health Canada) is required to respond to requests for information from individuals
VI. Appendix – Federal Privacy Laws
Privacy Act, RSC, 1985, c. P-21
“personal information” means information about an identifiable individual that is recorded in any form including, without restricting the generality of the foregoing,
(a) information relating to the race, national or ethnic origin, colour, religion, age or marital status of the individual,
(b) information relating to the education or the medical, criminal or employment history of the individual or information relating to financial transactions in which the individual has been involved,
(c) any identifying number, symbol or other particular assigned to the individual,
(d) the address, fingerprints or blood type of the individual… [emphasis added] (S. 3)
VI. Appendix – Federal Privacy Laws
Personal Information Protection and Electronic Documents Act [PIPEDA], SC 2000, c 5
 Provides rules for how private sector organizations may collect, use or disclose personal information in the course of their commercial activities, as well as for federal works, undertakings and businesses that hold employee personal information
 Does not apply in provinces that have substantially similar private sector privacy legislation
VI. Appendix – Federal Privacy Laws
Personal Information Protection and Electronic Documents Act [PIPEDA], SC 2000, c 5
 Gives individuals the right to access and request correction of personal information held by these organizations
 Does not have any mandatory data breach notification requirements yet
VI. Appendix – Federal Privacy Laws
The Office of the Privacy Commissioner of Canada
 The Commissioner oversees compliance with the Privacy Act and PIPEDA
 The Commissioner investigates complaints made by individuals about Government of Canada institutions pursuant to S. 29 of the Privacy Act
 The Commissioner can investigate complaints made by individuals about private sector organizations pursuant to Section 11 of PIPEDA, except in provinces that have substantially similar legislation
 The Commissioner has made findings under both PIPEDA and the Privacy Act and has handed down decisions in cases where challenges were made by individuals
VI. Appendix – Ontario Privacy Laws
Freedom of Information and Protection of Privacy Act (FIPPA)
 Originally applied to provincial government and public institutions; now applies to most of the public sector, including Local Health Integration Networks (LHINs), which include hospitals, long-term care homes and mental health and addiction agencies
 Purpose is 1) to provide a right of access to records and information and 2) to protect the privacy of individuals
VI. Appendix – Ontario Privacy Laws
Municipal Freedom of Information and Protection of Privacy Act (MFIPPA)
 Applies to all local government organizations such as municipalities, school boards, police services boards, boards of health, etc.
 Purpose is 1) to provide a right of access to records and information and 2) to protect the privacy of individuals
VI. Appendix – Ontario Privacy Laws
FIPPA and MFIPPA – Using Information
 Government organizations are only permitted to use personal information if the individual consents to the use; for the purpose for which it was obtained or compiled or for a consistent purpose; or for a purpose for which the information may be disclosed to the government organization (S. 41 FIPPA)
 Government organizations must take reasonable steps to ensure that personal information is not used unless it is accurate and up to date (S. 40(2) FIPPA)
VI. Appendix – Ontario Privacy Laws
FIPPA and MFIPPA – Collecting Information
 Government organizations (including hospitals and LHINs) are required to collect personal information as part of their role in providing services to the public, and shall not collect personal information unless expressly authorized by statute (S. 38(2) FIPPA)
 Government organizations must provide notice to individuals whenever personal information is collected, and must specify the legal authority for the collection, the purpose of the collection and who to contact about the collection (S. 39(2) FIPPA)
VI. Appendix – Ontario Privacy Laws
FIPPA and MFIPPA – Accessing Information
 Provincial government organizations are required to list their personal information banks in the Directory of Records (Ss. 44-45 FIPPA)
 The directory describes the kinds of personal information kept by each provincial government organization
 Municipal government organizations should have their own directories available (S. 34 MFIPPA)
VI. Appendix – Ontario Privacy Laws
FIPPA and MFIPPA – Disclosing Information
 Under FIPPA and MFIPPA, some of the circumstances in which government organizations are permitted to disclose personal information include:
   where the individual has consented to the disclosure;
   for the purpose for which the personal information was obtained or compiled or for a consistent purpose;
   where the disclosure is necessary and proper in the discharge of the organization’s functions;
   for the purpose of complying with another Act;
VI. Appendix – Ontario Privacy Laws
FIPPA and MFIPPA – Disclosing Information
 Circumstances in which government organizations are permitted to disclose personal information (continued):
   for law enforcement purposes;
   in compelling circumstances affecting the health or safety of an individual;
   in compassionate circumstances, to facilitate contact with the next of kin or a friend of an individual who is injured, ill or deceased;
   to the Information and Privacy Commissioner; and
   to the Government of Canada in order to facilitate the auditing of shared cost programs. (S. 42 FIPPA, S. 32 MFIPPA)
VI. Appendix – Ontario Privacy Laws
Mental Health Act (MHA)
 MHA governs psychiatric facilities and the admission, detention, treatment, and release of psychiatric patients
 PHIPA repealed several sections of the MHA and amended others, most notably those relating to confidentiality, disclosure, access, and correction of records
 The obligations created by PHIPA apply in addition to those created by MHA
 If the provisions of MHA and PHIPA conflict, PHIPA prevails unless otherwise stated in the Acts
VI. Appendix – Ontario Privacy Laws
Mental Health Act (MHA)
 “patient” includes a current or former patient or out-patient, and anyone who is or has been detained in a psychiatric facility
 The officer in charge (OIC) of a psychiatric facility may collect, use and disclose personal health information about a patient, with or without the patient’s consent, for the purposes of:
   examining, assessing, observing or detaining the patient in accordance with the MHA; or
   complying with an order or disposition made under the Criminal Code
VI. Appendix – Ontario Privacy Laws
Mental Health Act (MHA)
 The MHA sets out mandatory disclosure of personal health information for:
   Capacity and Consent Board proceedings
   Persons entitled to have access under s. 83 of the Substitute Decisions Act
   Compliance with a summons, order, direction, notice or similar requirement in respect of a matter that may be in issue in a court of competent jurisdiction or under any Act
   except where the attending physician states in writing that he or she is of the opinion that the disclosure is likely to result in harm to the treatment or recovery of the patient, or is likely to result in injury to the mental condition of a third person or bodily harm to a third person
VI. Appendix – Ontario Privacy Laws
Mental Health Act (MHA)
 The MHA sets out permissible disclosure of personal health information to:
   A physician who is considering issuing or renewing, or who has issued or renewed, a CTO;
   A physician appointed to act as a substitute for the CTO’s issuing physician;
   Where requested by the issuing physician or a person named in the CTO, to another person named in the person’s CTO; and
   A prescribed person who is providing advocacy services to patients in prescribed circumstances, i.e., a rights adviser
VI. Appendix – Ontario Privacy Laws
Public Hospitals Act (PHA)
 PHA applies to all public hospitals in Ontario, but not to private hospitals under the Private Hospitals Act or independent health facilities under the Independent Health Facilities Act (S. 2)
 PHA only briefly refers to record keeping, confidentiality, disclosure, and related issues, leaving these to be spelled out in Regulation 965 – Hospital Management
 PHIPA replaces the term “medical record” in PHA with the term “record of personal health information”
 The obligations created by PHIPA apply in addition to those created by PHA
 If the provisions of PHA and PHIPA conflict, PHIPA prevails unless otherwise stated
VI. Appendix – Ontario Privacy Laws
Occupational Health and Safety Act (OHSA)
 Except where allowed under the OHSA or as required by another law, worker health and safety representatives:
   must not disclose any information about any workplace tests or inquiries conducted under the Act;
   must not reveal the name of any person from whom information is received;
   may disclose the results of any medical examinations or tests of workers only in a way that does not identify anyone (S. 63(1))
VI. Appendix – Ontario Privacy Laws
Occupational Health and Safety Act (OHSA)
 No employer shall seek to gain access to a health record concerning a worker without the worker’s written consent, except by an order of the court or other tribunal or in order to comply with another statute (S. 63(2))
VI. Appendix – Ontario Privacy Laws
Regulated Health Professions Act
 Various acts are specific to different health professions and provide protection based on the duties and requirements of confidentiality of the members of those professions, as well as regulations that outline disciplinary action for breaches of health care provider confidentiality, such as the Medicine Act Professional Misconduct Regulations
VI. Appendix – Ontario Privacy Laws
Personal Health Information Protection Act (PHIPA)
 Deemed substantially similar to Part 1 of PIPEDA
 Health information custodians (“HICs”) are exempt from PIPEDA
 Anyone described in Section 3(1) of PHIPA is considered a health information custodian, e.g.:
   health care practitioners or a group practice of health care practitioners
   persons or organizations providing a community service under the Long-Term Care Act, 1994
   a community care access corporation under the Community Care Access Corporations Act, 2001
   public or private hospitals
   psychiatric facilities under the Mental Health Act
   an institution under the Mental Hospitals Act
   an independent health facility under the Independent Health Facilities Act, etc.
VI. Appendix – Ontario Privacy Laws
PHIPA – Consent to Collection
 Collection may happen only when the individual consents or if PHIPA permits collection without consent, and consent may be express or implied depending on the circumstances (Ss. 18 - 29)
 HICs must collect the health information directly from the individual except in limited circumstances (S. 36), such as:
   where the individual consents to indirect collection;
   where the information is reasonably necessary for providing health care and cannot reasonably be collected directly from the individual accurately or in a timely manner
 Custodians must take reasonable steps to inform the public about their collection practices
VI. Appendix – Ontario Privacy Laws
PHIPA – Accessing Health Information
 The right of access does not apply to records that contain:
   quality of care information;
   information required for quality assurance programs;
   raw data from psychological tests or assessments;
   other specified types of information (i.e., information that is used solely for research purposes and laboratory test results) (S. 51(1))
VI. Appendix – Ontario Privacy Laws
PHIPA – Mandatory Data Breach Notification Requirements
 A privacy breach occurs whenever a person has contravened or is about to contravene a provision of PHIPA or its regulations, including s. 12(1)
 S. 12(1) requires HICs to take steps that are reasonable in the circumstances to ensure personal health information in their custody or control is protected against theft, loss and unauthorized use or disclosure, and to ensure that records containing personal health information are protected against unauthorized copying, modification or disposal
VI. Appendix – Ontario Privacy Laws
PHIPA – Retaining and Disposing of Information
 PHIPA requires that health information custodians ensure records of personal health information are retained, transferred and disposed of in a secure manner, and that if any personal health information is the subject of a request for access, it be retained for as long as necessary to allow the individual to exhaust any recourse under the Act that he or she may have with respect to the request (S. 13)
VI. Appendix – Ontario Privacy Laws
Electronic PHIPA – Bill 78
 EPHIPA proposes to amend three statutes and create a new Part V.1, Electronic Health Records, under the existing PHIPA
 First reading of Bill 78 was May 29, 2013
 Second Reading started on October 10, 2013 and continued on November 20, 2013 and April 28, 2014
VI. Appendix – Ontario Privacy Laws
Electronic PHIPA – Bill 78
 EPHIPA is intended to provide a framework for electronic health records (EHRs) and to enable prescribed organizations to create and maintain EHRs, define the EHRs and specify parameters for the creation and maintenance of EHRs
 EPHIPA would permit prescribed persons who are not HICs to collect and use health numbers for the purpose of creating or maintaining the EHR
VI. Appendix – Ontario Privacy Laws
Electronic PHIPA – Bill 78
 Prescribed organizations would be required to assume all responsibilities relating to the creation and maintenance of the EHR
 While these organizations have not yet been identified, the legislation sets out parameters within which they can manage PHI as non-HICs
 Existing regulations under PHIPA clarify that eHealth Ontario has the authority as a Health Information Network Provider (HINP) to create and maintain EHRs
 This authority expired as of December 31, 2013, and our understanding is that eHealth Ontario will be named as the initial prescribed organization under this new legislative framework
VI. Appendix – Ontario Privacy Laws
Electronic PHIPA – Bill 78
 The collection, use and disclosure of, and access to, personal health information in the EHR context would be further clarified in EPHIPA
 The definition and functioning of individual consent and consent overrides are proposed to be modified under EPHIPA
 Electronic Health Records requirements and standards will be presented by Fida Hindi in more detail later today
VI. Appendix – Ontario Privacy Laws
Information and Privacy Commissioner (“IPC”) of Ontario
 The IPC of Ontario is an officer of the legislature pursuant to Section 4 of FIPPA
 The Commissioner investigates privacy complaints and resolves appeals between government organizations and individuals
 Decisions of the Commissioner rule on the access and privacy decisions and practices of governmental organizations
 The Commissioner reviews the personal health information policies of certain entities and investigates complaints under PHIPA
VI. Appendix – Other Provincial Privacy Laws
 British Columbia, Alberta and Quebec have their own private-sector privacy legislation that has been deemed “substantially similar” to PIPEDA, and are exempted from PIPEDA’s application in the private business sector
 There is a mandatory data breach notification requirement under Alberta’s PIPA
 Ontario, Alberta, Manitoba, Saskatchewan, New Brunswick and Newfoundland and Labrador have sector-specific health information privacy legislation that has been deemed “substantially similar” to PIPEDA, and are exempt from PIPEDA’s application to personal health information
VI. Appendix – Other Provincial Privacy Laws
 Manitoba has enacted health privacy legislation but it has not yet been deemed to be substantially similar to PIPEDA
 Prince Edward Island, Northwest Territories, Nunavut and Yukon do not have any private sector privacy legislation and are governed by PIPEDA
Torkin Manes LLP
151 Yonge Street, Suite 1500
Toronto, ON M5C 2W7
www.torkinmanes.com
Rajeev Sharma
416 775 8828
rsharma@torkinmanes.com
Questions? Thank you!