Complying with Privacy to Enable Innovation & Research
Anne Lavigne
Privacy Coordinator
Legislation
Privacy Legislation:
Provincial Legislation: Personal Health Information Protection Act (Bill 31) (PHIPA)
• Came into force November 1, 2004
• Applies to organizations and individuals involved in the delivery of health care services (including the Ministry of Health)
• The only health sector privacy legislation in Canada based on consent
• The only health sector privacy legislation that has been declared substantially similar to the federal legislation
PHIPA
Definition of Personal Health Information (PHI)
Means “identifying information about an individual in oral or recorded form…”
“Identifying information” means information that identifies an individual, or for which there is a reasonable basis to believe that it could be utilized, either alone, or with other information, to identify an individual.
Section 4, PHIPA
Consent
Consent may be express or implied, except where express consent is specifically required under PHIPA
Research
A health information custodian may use PHI for research purposes but only if the custodian has a research plan approved by a research ethics board
Research Ethics Board to consider:
Whether research could be accomplished without using the PHI
Whether appropriate safeguards will be in place
Public interest in conducting the research
Whether obtaining consent directly is impractical
Research Plan
The affiliation of each person involved in the research
The nature and objectives of the research and the public or scientific benefits of the research
All other prescribed matters related to the research.
Other prescribed matters research plans
Description of proposal, PHI and potential sources
Description of how PHI will be used and any data linkages
Explanation of why research cannot be carried out without PHI and data linkage
Explanation of why consent not being sought
Description of harms and benefits
Description of who will have access, why, roles, qualifications
Other prescribed matters research plans
Description of safeguards and retention schedule
Disposal plan
Funding source
Whether researcher applied to another REB and response of other REB
Any conflicts of interest
Research Agreement
Researcher must agree to abide by the conditions and restrictions that the custodian imposes relating to the use, security, disclosure, return or disposal of the information.
Requirements for Researchers
Comply with the agreements and conditions set out by REB
Use information only for the specified purpose
Not to publish identifiable data
Not to disclose except as required by law
Not to make contact unless the custodian first obtains consent
Notify the custodian of a breach
Access to PHI for Research
• Any access to PHI, with or without express consent, must be reviewed and approved by TOH Research Ethics Board (REB) before any contact is made with patients.
• Access to PHI for the purposes of research usually requires the express consent of the individual.
• TOH REB will consider allowing such access without express consent if, in the judgment of the REB, a waiver of consent seems appropriate. There are several considerations which the REB must take into account prior to waiving consent.
Collecting PHI for Research
Only the information needed for the research and approved by the REB and the custodian can be accessed and collected.
Patient Recruitment
Only people who an individual regards as having a right to know about their personal health information, typically those who are clearly within the circle of care of the patient, may approach the patient to open discussion about the possibility of becoming involved in a research project.
Consideration by Privacy Office
Indicate how research patients will be recruited and contacted.
Indicate how data containing Personal Health Information (PHI) will be protected against breaches of privacy (i.e. locked cabinets, password protected).
Indicate which organizations and/or individuals will have access to PHI.
Indicate whether PHI will be leaving The Ottawa Hospital.
Indicate what patient identifiers will be used.
Consideration by Privacy Office
Indicate how the master list will be maintained and safeguarded.
Indicate how information will be stored (paper or electronic or both)
Indicate how long information will be kept after the close of the study.
Indicate how information will be destroyed after the storage date has expired.
Indicate contact information should patients have questions about their rights as a research subject.
SickKids – Stolen Laptop
• 3,000 patients' personal health information on the laptop
– Approximately 300 were active patients
– Small sub-group – information was sensitive (e.g. drug therapy and HIV status)
– Majority were adult patients, some of whom they had not seen since 1940
– 1/3 were deceased
The IPC Investigation/Order
• ORDER H-004 issued to SickKids
• Information Privacy Commissioner of Ontario ordered all Health Information Custodians in Ontario to:
– Never store any personal health information on their laptops or mobile devices unless they have taken strong steps (such as encryption) to ensure that this information is protected against unauthorized access, if the device is lost or stolen.
Key Messages
• Don’t work with identifiable patient information (key role of Research Ethics Board).
• If you can’t… Don’t take patient information out of the hospital.
• If you can’t… Use secure remote access (save information to hospital servers).
• If you can’t… Encrypt files, prevent theft.
• Take an Inventory of Information
• Educate, Communicate, Monitor and Audit
Questions or Comments
Please contact in confidence:
Peggy Taillon
Chief Privacy Officer
Anne Lavigne
Privacy Coordinator