Health Sector Flashcards
Provinces with no health sector privacy laws
Quebec and Nunavat
Provinces whose laws are considered substantially similar to PIPEDA
Ontario PHIPA
Newfoundland and Labrador PHIA
Nova Scotia PIPA
New Brunswick PHIPAA
Health Information Protection Act
Introduced in 2016
Amended Ontario PHIPA
Introduced mandatory breach reporting, increasing transparency, doubling fines to 100k for individuals and 500k for companies.
Also removed requirement to prosecute within 6 months of the alleged offence
Nonlegal protocol dealing with patient information in certain circumstances
Tri-Council Policy Statement: Ethical conduct for research involving humans includes rules regarding privacy and confidentiality in research that are widely endorsed by Canadian health research community.
Personal Health Information
Sec 4 of Ontario PHIPA “personal health information” means identifying information about an individual in oral or recorded form, if the information, relates to the physical or mental health of the individual, including information that consists of the health history of the individual’s family, relates to the providing of health care to the individual, is a plan that sets out the home and community care services for the individual to be provided by a health service provider, relates to payments or eligibility for health care, relates to the donation by the individual of any body part or bodily substance of the individual or is derived from the testing or examination of any such body part or bodily substance, is the individual’s health number, identifies an individual’s substitute decision-maker.
Exception
(4) Personal health information does not include identifying information contained in a record that is in the custody or under the control of a health information custodian if,
(a) the identifying information contained in the record relates primarily to one or more employees or other agents of the custodian; and
(b) the record is maintained primarily for a purpose other than the provision of health care or assistance in providing health care to the employees or other agents. 2004, c. 3, Sched. A, s. 4 (
Purpose of health information privacy laws
to control the collection, use and disclosure of personal health information by specified health sector participants. The end goal is to enhance privacy and confidentiality while simultaneously ensuring efficient health service delivery.”
Applicability of Provincial Privacy Laws
Health sector participants are called:
Trustees - Manitoba and Sasketchwan
Custodian or Health Info Custodian - Ontario, Alberta, BC, Newfoundland and Labrador, Nova Scotia, New Burnswick.
Participants include regulated healthcare professionals; hospitals; nursing homes; independent health facilities; laboratories; pharmacies; provincial health departments or ministries; certain community, regional, district or provincial health services; boards, authorities, councils or corporations; and even some colleges, universities and school boards.”
BC Approach
Regulate patient data not the health info participants. “In British Columbia, the Ministry of Health establishes or designates a patient database as a “health information bank” into which patient data is to be submitted. The minister may then grant individuals, or classes of individuals, the authority to access and use such health information for specific and limited purposes. British Columbia public health officials assert that by creating a framework in which health data can be centralized, citizens will have better access and management options over their private information”
HINP
Provincial health privacy laws also control the collection, use and disclosure of personal health information by health information network providers (HINPs). HINPs are identified in Ontario’s PHIPA with slightly different names in other privacy laws. HINPs enable custodians to share personal health information through electronic means by providing them with IT services. It is important to note there are differences for HINPs outlined within the law, including, but not limited to, conducting privacy impact assessments (PIAs)/threat risk assessments (TRAs) and entering into written agreements with the custodians.”
Deidentifying Health Info
“The concept of deidentifying health information is found in each law. Therefore, each provides that if information is truly anonymized or deidentified, it is not protected by the law. Ontario’s law defines “identifying information” to mean information that (1) identifies an individual or (2) reasonably could be utilized, either alone or with other information, to identify an individual. It is not sufficient to simply say that information is not associated with the name of an individual. Before an organization can treat the information as not being subject to the law, it must validate that no form of data mining or data manipulation can render the information identifiable.”
Key Obligations
Accountability
Openness
Consent
Oversight
Access and right to correct information
Safeguards
Access not permitted
Not permitted:
an act or order of court order prohibits disclosure to the individual
the information in the record was collected or created primarily in anticipation of or for use in a proceeding, and the proceeding, together with all appeals or processes resulting from it, have not been concluded;
the following conditions are met:
(i) the information was collected or created in the course of an inspection, investigation or similar procedure authorized by law, or undertaken for the purpose of the detection, monitoring or prevention of a person’s receiving or attempting to receive a service or benefit, to which the person is not entitled under an Act or a program operated by the Minister, or a payment for such a service or benefit, and
(ii) the inspection, investigation, or similar procedure, together with all proceedings, appeals or processes resulting from them, have not been concluded;
4.granting the access could reasonably be expected to,
i) result in a risk of serious harm to the treatment or recovery of the individual or a risk of serious bodily harm to the individual or another person,
(ii) lead to the identification of a person who was required by law to provide information in the record to the custodian, or
(iii) lead to the identification of a person who provided information in the record to the custodian explicitly or implicitly in confidence if the custodian considers it appropriate in the circumstances that the identity of the person be kept confidential; or
Accountability
Each law places the onus on the entity covered to remain accountable for the proper use, retention, safeguarding and disposal of the health information under its custody or control. This obligation remains even when the covered entity uses a third party to outsource some of its functions. For example, in Ontario, a health information custodian may use an agent to collect, use, disclose, retain or dispose of health information only if:
i. “The custodian is permitted or required to collect, use, disclose, retain or dispose of the information in the first place
ii. The collection, use, disclosure, retention or disposition of the information is in the course of the agent’s duties and not contrary to the limits imposed by the custodian or any other law
iii. The requirements prescribed by regulation are met”
Consent
Different than other information laws because of involvement of central gov. Consent must be meaningful. Although not every law defines “meaningful consent,” the Ontario law provides some guidance.
i.) It must be the consent of the individual concerned,
ii) it must be knowledgeable,
iii) it must relate to the information at issue, and
iv) it must not be obtained through deception or coercion.
“Knowledgeable” consent requires the individual to fully understand the purpose for which the information will be collected, used and disclosed or all three.”
Assumed Consent
Ontario PHIPA allows for inferred consent with the circle of care for providing healthcare to the individual.
Essentials for assumed implied consent:
Health information custodian must fall within the category of custodian that can rely on assumed consent. Healthcare practitioners fall under this.
Info must be received from individual, substitute decision maker, or another HIC.
Info must have been used, collected, or disclosed to provide healthcare and assist in providing healthcare
No assume consent if info is disclosed to someone or organization that is not a HIC.
HIC receiving info must not be aware that individual has withheld or withdrawn consent.
“In addition, a custodian that operates a healthcare facility can imply consent to release information consisting of a patient’s name and location in the facility to a representative of a religious or other organization with which the individual is affiliated—if the individual has not exercised an entitlement to opt out of the disclosure
