Complying with Privacy to Enable Innovation & Research

Anne Lavigne, Privacy Coordinator


Post on 17-Dec-2015




Legislation

Privacy Legislation:

Provincial Legislation: Personal Health Information Protection Act (Bill 31) (PHIPA)

• Came into force November 1, 2004

• Applies to organizations and individuals involved in the delivery of health care services (including the Ministry of Health)

• The only health sector privacy legislation in Canada based on consent

• The only health sector privacy legislation that has been declared substantially similar to the federal legislation


PHIPA

Definition of Personal Health Information (PHI)

Means “identifying information about an individual in oral or recorded form…”

“Identifying information” means information that identifies an individual, or for which there is a reasonable basis to believe that it could be utilized, either alone, or with other information, to identify an individual.

Section 4, PHIPA


Consent

Consent may be express or implied, except where express consent is specifically required under PHIPA


Research

A health information custodian may use PHI for research purposes but only if the custodian has a research plan approved by a research ethics board

Research Ethics Board to consider:

• Whether research could be accomplished without using the PHI

• Whether appropriate safeguards will be in place

• Public interest in conducting the research

• Whether obtaining consent directly is impractical


Research Plan

The affiliation of each person involved in the research

The nature and objectives of the research and the public or scientific benefits of the research

All other prescribed matters related to the research.


Other prescribed matters research plans

Description of proposal, PHI and potential sources

Description of how PHI will be used and any data linkages

Explanation of why research cannot be carried out without PHI and data linkage

Explanation of why consent not being sought

Description of harms and benefits

Description of who will have access, why, roles, qualifications


Other prescribed matters research plans

Description of safeguards and retention schedule

Disposal plan

Funding source

Whether researcher applied to another REB and response of other REB

Any conflicts of interest


Research Agreement

Researcher must agree to abide by the conditions and restrictions that the custodian imposes relating to the use, security, disclosure, return or disposal of the information.


Requirements for Researchers

Comply with the agreements and conditions set out by REB

Use information only for the specified purpose

Not to publish identifiable data

Not to disclose except as required by law

Not to make contact unless the custodian first obtains consent

Notify the custodian of a breach


Access to PHI for Research

• Any access to PHI, with or without express consent, must be reviewed and approved by TOH Research Ethics Board (REB) before any contact is made with patients.

• Access to PHI for the purposes of research usually requires the express consent of the individual.

• TOH REB will consider allowing such access without express consent if, in the judgment of the REB, a waiver of consent seems appropriate. There are several considerations which the REB must take into account prior to waiving consent.


Collecting PHI for Research

Only the information needed for the research and approved by the REB and the custodian can be accessed and collected.


Patient Recruitment

Only people who an individual regards as having a right to know about their personal health information, typically those who are clearly within the circle of care of the patient, may approach the patient to open discussion about the possibility of becoming involved in a research project.


Consideration by Privacy Office

Indicate how research patients will be recruited and contacted.

Indicate how data containing Personal Health Information (PHI) will be protected against breaches of privacy (e.g. locked cabinets, password protected).

Indicate which organizations and/or individuals will have access to PHI.

Indicate whether PHI will be leaving The Ottawa Hospital.

Indicate what patient identifiers will be used.


Consideration by Privacy Office

Indicate how the master list will be maintained and safeguarded.

Indicate how information will be stored (paper or electronic or both).

Indicate how long information will be kept after the close of the study.

Indicate how information will be destroyed after the storage date has expired.

Indicate contact information should patients have questions about their rights as a research subject.


SickKids – Stolen Laptop

• 3,000 patients' personal health information on the laptop

– Approximately 300 were active patients

– Small sub-group – information was sensitive (e.g. drug therapy and HIV status)

– Majority were adult patients, some of whom they had not seen since 1940

– 1/3 were deceased


The IPC Investigation/Order

• ORDER H-004 issued to SickKids

• Information Privacy Commissioner of Ontario ordered all Health Information Custodians in Ontario to:

– Never store any personal health information on their laptops or mobile devices unless they have taken strong steps (such as encryption) to ensure that this information is protected against unauthorized access, if the device is lost or stolen.


Key Messages

• Don’t work with identifiable patient information (key role of Research Ethics Board).

• If you can’t… Don’t take patient information out of the hospital.

• If you can’t… Use secure remote access (save information to hospital servers).

• If you can’t… Encrypt files, prevent theft.

• Take an Inventory of Information

• Educate, Communicate, Monitor and Audit


Questions or Comments

Please contact in confidence:

Peggy Taillon, Chief Privacy Officer

Anne Lavigne, Privacy Coordinator

[email protected]