Building Privacy into Health Information Technology
Ann Cavoukian, Ph.D., Information & Privacy Commissioner/Ontario
Information Technology Association of Canada, November 3, 2004, Toronto, Ontario
Slide 2
Health Privacy is Critical
The need for privacy has never been greater:
• Extreme sensitivity of personal health information
• Patchwork of rules across the health sector; with some areas currently unregulated
• Increasing electronic exchanges of health information
• Multiple providers involved in health care of an individual – need to integrate services
• Development of health networks
• Growing emphasis on improved use of technology, including computerized patient records
Slide 3
Unique Characteristics of Personal Health Information
Highly sensitive and personal in nature
Must be shared immediately and accurately among a range of health care providers for the benefit of the individual
Widely used and disclosed for secondary purposes that are seen to be in the public interest (e.g., research, planning, fraud investigation, quality assurance)
Slide 4
Ontario’s Personal Health Information Protection Act (PHIPA)
Comes into effect November 1, 2004
Schedule A – the Personal Health Information Protection Act (PHIPA)
Schedule B – the Quality of Care Information Protection Act (QOCIPA)
Slide 5
PHIPA – Based on Fair Information Practices
Accountability
Identifying Purposes
Consent
Limiting Collection
Limiting Use, Disclosure, Retention
Accuracy
Safeguards
Openness
Individual Access
Challenging Compliance
Slide 6
Strengths of PHIPA
Implied consent for sharing of personal health information within circle of care
Creation of health data institute to address criticism of “directed disclosures”
Open regulation-making process to bring public scrutiny to future regulations
Adequate powers of investigation to ensure that complaints are properly reviewed
Slide 7
Scope of PHIPA
Health information custodians (HICs) that collect, use and disclose personal health information (PHI)
Non-health information custodians where they receive personal health information from a health information custodian (use and disclosure provisions)
Slide 8
Health Information Custodian
Definition includes:
• Health care practitioner
• Hospitals and independent health facilities
• Homes for the aged and nursing homes
• Pharmacies
• Laboratories
• Home for special care
• A centre, program or service for community health or mental health
Slide 9
Records Management: General Practices
Must take reasonable steps to ensure accuracy
Must maintain the security of PHI
Must have a contact person to ensure compliance with the Act and to respond to access/correction requests, inquiries and complaints from the public
Must have information practices in place that comply with the Act
Must make available a written statement of information practices
Must be responsible for actions of agents
Slide 10
Requirements With Implications for Health Information Technology
Use of electronic means
Providers to custodians
General security
Consent (implied or express)
Withdrawal or withholding of consent (lock box)
Right to access and request correction of personal health information
Slide 11
Use of Electronic Means
A health information custodian that uses electronic means to collect, use, modify, disclose, retain or dispose of personal health information shall comply with the prescribed requirements, if any.
Section 10(3)
No regulations have been proposed
Slide 12
Providers to Custodians
A person who provides goods and services for the purpose of enabling a health information custodian to use electronic means to collect, use, modify, disclose, retain or dispose of personal health information shall comply with the prescribed requirements, if any.
Section 10(4)
Slide 13
General Regulations that Apply to All Providers
Can only use information as necessary in the course of providing services
Cannot disclose any information
Provider must ensure that all employees and agents comply with restrictions
The release of information to a provider that is not an agent of the custodian is not considered to be a disclosure as long as the provider complies with the regulations
O. Reg. 329/04, s. 6 (1) and 6 (4)
Slide 14
Types of Providers
Software vendors (e.g., electronic health record)
Hardware vendors
Health information network providers (e.g., SSHA, telehealth)
Slide 15
Definition of Health Information Network Provider
A person who provides services to two or more health information custodians where the services are provided primarily to custodians to enable the custodians to use electronic means to disclose personal health information to one another, whether or not the person is an agent of any of the custodians
O. Reg. 329/04, s. 6 (2)
Slide 16
Regulations for Health Information Network Providers
Must notify custodian of any breach of the requirements for providers
Must provide custodian with description of services and safeguards, to share with individuals
Must make available to the public the description of services provided; the directives, guidelines and policies that apply; and a general description of safeguards
O. Reg. 329/04, s. 6 (3)
Slide 17
Regulations for Health Information Network Providers (cont’d)
Must provide to custodian, upon request, an electronic record of all accesses and transfers of information
Must perform and provide to custodian an assessment of threats, vulnerabilities and risks to security and integrity of the information and how the services may affect privacy
Must require any third party it retains to comply with restrictions and conditions
O. Reg. 329/04, s. 6 (3)
Slide 18
Regulations for Health Information Network Providers (cont’d)
Must enter into an agreement with each custodian that:
• describes the services to be provided
• describes the administrative, technical and physical safeguards relating to confidentiality and security
• requires the provider to comply with the Act and its regulations
O. Reg. 329/04, s. 6 (3)
Slide 19
Security Requirement
A health information custodian shall take steps that are reasonable in the circumstances to ensure that personal health information in the custodian’s custody or control is protected against theft, loss and unauthorized use or disclosure and to ensure that the records containing the information are protected against unauthorized copy, modification or disposal.
Section 12(1)
Slide 20
Implied Consent
Custodians may imply consent when disclosing personal health information to other custodians for the purpose of providing health care to the individual
Slide 21
Lock Box
Applies where the individual expressly withholds or withdraws consent
Public hospitals have until Nov 1, 2005 to comply with the lock box requirements
Section 31(2)
Information technology must:
• Flag information to be locked
• Ensure that disclosure of locked information is blocked
Slide 22
Express Consent
Required when a custodian discloses to a non-custodian
Required when a custodian discloses to another custodian for a purpose other than providing health care to the individual
Required for marketing and fundraising (when using more than name and specified contact information)
Slide 23
Right of Access and Correction
PHIPA Expands and Codifies the Common-Law Right of Access
Right of access to all records of personal health information about the individual in the custody or control of any health information custodian (some exceptions)
Provides right to correct their records of personal health information (some exceptions)
Slide 24
Access
The custodian must make the record available or provide a copy, if requested
The custodian must respond to the request within 30 days, with a possible 30-day extension
The custodian must take reasonable steps to be satisfied of the individual's identity
The custodian must offer assistance in reformulating a request that lacks sufficient detail
Slide 25
How to Correct Records
By striking out the incorrect information in a manner that does not obliterate it, or
By labeling the information as incorrect and severing it from the record, while maintaining a link to the record, or
If the correction cannot be recorded in the record, the custodian must ensure there is a practical system to inform persons accessing the record that the information is incorrect and where to obtain the correct information
Slide 26
Notice of Correction
At the request of the individual, the custodian must give written notice of the requested correction, to the extent reasonably possible, to persons to whom the custodian has disclosed the information
Exception: if the correction cannot reasonably be expected to have an effect on the ongoing provision of health care or other benefits
Slide 27
Statement of Disagreement
If the custodian refuses a correction request, the individual is entitled to require the custodian to attach to the record a statement of disagreement prepared by the individual
The custodian must make reasonable efforts to notify anyone who would have been notified if there had been a correction
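As an added illustration (not part of the IPC presentation or any Ontario system), a constructed Python record store shows how the lock box requirement from Slide 21 and the correction rules from Slides 25 and 27 can be modelled together: a locked element is flagged and withheld from every disclosure, a correction strikes out the original value without obliterating it, a refused correction carries the individual's statement of disagreement, and each disclosure is logged so the custodian can produce an electronic record of accesses and transfers. All class, method and field names are hypothetical.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass
class Entry:
    """One PHI element. A correction strikes out the old value; it is never erased."""
    value: str
    locked: bool = False                  # lock-box flag (consent withheld/withdrawn)
    struck_out: bool = False              # marked incorrect, original still readable
    corrected_value: Optional[str] = None
    disagreement: Optional[str] = None    # statement of disagreement, if correction refused

class HealthRecord:
    """Hypothetical toy record store for one individual (constructed for this example)."""

    def __init__(self, individual_id: str) -> None:
        self.individual_id = individual_id
        self.entries: Dict[str, Entry] = {}
        self.access_log: List[dict] = []  # electronic record of accesses and transfers

    def add(self, key: str, value: str) -> None:
        self.entries[key] = Entry(value)

    def lock(self, key: str) -> None:
        """Individual withholds or withdraws consent for this element (lock box)."""
        self.entries[key].locked = True

    def disclose(self, recipient: str) -> Dict[str, str]:
        """Disclosure view for another custodian: locked elements are blocked,
        struck-out elements show their corrected value, and the transfer is logged."""
        released, withheld = {}, []
        for key, e in self.entries.items():
            if e.locked:
                withheld.append(key)  # blocked: never leaves the custodian
                continue
            released[key] = e.corrected_value if e.struck_out else e.value
        self.access_log.append({"to": recipient, "released": sorted(released), "withheld": withheld})
        return released

    def correct(self, key: str, new_value: str) -> Entry:
        """Record a correction by striking out, not erasing, the incorrect value."""
        e = self.entries[key]
        e.struck_out, e.corrected_value = True, new_value
        return e

    def refuse_correction(self, key: str, statement: str) -> Entry:
        """Correction refused: attach the individual's statement of disagreement."""
        self.entries[key].disagreement = statement
        return self.entries[key]
```

The access log lists what was withheld as well as what was released, which is the evidence a custodian needs to show that the block on locked information actually operated.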
Slide 28
Where do we go from here?
Start by understanding PHIPA
• Information is available on the IPC and MOHLTC web sites
Review your products and services
• Identify where changes need to occur
Work with your client partners
• Particularly for retrofits
Slide 29
Guidance to Health IT Community
The IPC, in partnership with the Office of the Corporate Chief Information Officer and the Ministry of Health, is developing a set of health privacy technology principles and best practices, plus boilerplate RFP statements and an implementation strategy, in consultation with the Ontario E-Health Council.
• We expect to consult with vendors on this document to ensure it is reasonable and fully supports the implementation of the Act.
Slide 30
Public Education Program
Frequently Asked Questions and Answers available on IPC website (including hard copies)
User Guide for Health Information Custodians available on IPC website (including hard copies)
IPC PHIPA publications distributed to Colleges and Associations of the Regulated Health Professions
IPC/MOH brochure for the general public
• may be placed in reception areas
• to be distributed to patients
Slide 31
Public Education Program (cont’d)
IPC member of OHA/OMA/IPC/MOH PHIPA tool kit project
IPC/OBA “short notices” working group
• Developing concise, user-friendly notices and consent forms to serve as effective communication tools
On-going meetings with Regulated Health Professions, the Federation of Health Regulatory Colleges and Associations
IPC PHIPA awareness article distributed to Colleges/Associations for inclusion in their members’ Magazines and Newsletters
Slide 32
Keeping HICs Informed
Orders will be public documents and available on our Web site
Summaries of mediated cases will be posted to our website
Relevant data will be regularly made available to the public and health professionals (e.g. number of complaints, examples of successful mediations, common issues)
Slide 33
Making Health Privacy Work
Think beyond compliance with legislation
Use technology to help protect personal health information:
• Build privacy right into design specifications
• Minimize collection and routine use of personally identifiable information – use aggregate or coded information if possible
• Use encryption where practicable
• Think about using pseudonymity, coded data
• Conduct privacy impact assessments
Slide 34
Stressing the 3 C’s
Consultation
• Opening lines of communication with the health community and HICs
Co-operation
• Rather than confrontation in resolving complaints
Collaboration
• Working together to find solutions
How to Contact Us
Commissioner Ann Cavoukian, Information & Privacy Commissioner/Ontario
2 Bloor Street West, Suite 1400
Toronto, Ontario M4W 1A8
Phone: (416) 326-3333
Web: www.ipc.on.ca
E-mail: [email protected]