Bill 31 – An Overview

Health Information Protection
An Overview
Ann Cavoukian, Ph.D.
Information & Privacy Commissioner/Ontario
Ontario Health Records Association
May 7, 2004

Health Privacy is Critical
• The need for privacy has never been greater:
  – Extreme sensitivity of personal health information
  – Patchwork of rules across the health sector, with some areas currently unregulated
  – Increasing electronic exchanges of health information
  – Multiple providers involved in the health care of an individual, and a need to integrate their services
  – Development of health networks
  – Growing emphasis on improved use of technology, including computerized patient records

Unique Characteristics of Personal Health Information
• Highly sensitive
• Collected in the context of a publicly funded health care system
• Widely shared among a range of health care providers for the benefit of the individual
• Widely used and disclosed for secondary purposes that are seen to be in the public interest (e.g., research, planning, fraud investigation, quality

Legislation is Critical
• The IPC has been calling for legislation to protect health information since its inception in 1987
  – Dates back to Justice Krever’s 1980 Report on the Confidentiality of Health Information
      – The Commission documented many cases of unauthorized access to health files maintained by hospitals and the Ontario Health Insurance Plan
      – The Report called for comprehensive health privacy legislation at that time

Provincial Health Privacy Laws
• Health Information Act (Alberta)
• Personal Health Information Act (Manitoba)
• Act respecting access to documents held by public bodies and the protection of personal information (Quebec)
• Act respecting the protection of personal information in the private sector (Quebec)
• Health Information Protection Act (Saskatchewan)

Ontario Bills of the Past
• Numerous attempts have been made over the years to get a bill introduced and passed, but none has succeeded
  – Bill 159 – Personal Health Information Privacy Act, 2000
  – Privacy of Personal Information Act, 2002 (draft bill)

PHIPA – Bill 159
• On December 7, 2000, the government introduced Bill 159
• Concerns about the Bill:
  – Directed disclosures
  – Extensive use of regulations
  – Lack of full investigation powers

Privacy of Personal Information Act
• Ontario issued a draft bill in 2002 that applied to all non-public-sector organizations
• Created special rules for the health sector
• The Ministry of Consumer and Business Services (MCBS) consulted with stakeholders to refine aspects of the draft bill
• Unfortunately, this draft bill was never introduced

If No Provincial Health
• If Ontario fails to enact its own legislation, PIPEDA (the federal Personal Information Protection and Electronic Documents Act) takes effect:
  – Only commercial entities are covered, leaving ambiguity about who is in and who is out
  – Not tailored to meet the needs of the health sector
  – A principle-based approach rather than specific rules could result in inconsistent implementation
  – Oversight left to the federal Privacy

Ontario’s Health Information Protection Act, 2003 (HIPA)
• The Ontario government introduced its health privacy bill (Bill 31) on December 17, 2003
• Referred to the Standing Committee on General Government, which held public hearings and clause-by-clause study
• Received Second Reading on April 8, 2004
• Expected to come into effect January 1, 2005

Bill 31 – Two Parts
• Schedule A – the Personal Health Information Protection Act (PHIPA)
• Schedule B – the Quality of Care Information Protection Act (QOCIPA)

Bill 31 – Based on Fair Information Practices
• Identifying purposes
• Limiting collection
• Limiting use, disclosure and retention
• Individual access

Scope of PHIPA
• Health information custodians (HICs) that collect, use and disclose personal health information (PHI)
• Non-health information custodians, where they receive personal health information from a health information custodian (the use and disclosure provisions apply to them)

Health Information Custodians
• The definition includes:
  – Health care practitioners
  – Hospitals and independent health facilities
  – Homes for the aged and nursing homes
  – Homes for special care
  – A centre, program or service for community health or mental health

PHIPA Practices
• Must take reasonable steps to ensure accuracy
• Must maintain the security of PHI in its custody or
• Must have a contact person to ensure compliance with the Act and to respond to access requests, inquiries and complaints from the public
• Must have information practices in place that comply with the Act
• Must make available a written statement
• Must be responsible for the actions of its agents

PHIPA Consent
• Consent is required for the collection, use and disclosure of PHI, subject to specific
• Consent must:
  – be a consent of the individual
  – be knowledgeable
  – relate to the information
  – not be obtained through deception or coercion
• Consent may be express or implied

Collection, Use and Disclosure Without Consent
Derogations from the consent principle are allowed in limited circumstances:
• As required by law
• To protect the health or safety of the individual or
• To identify a deceased person or provide reasonable notice of a person’s death

Patient Access to Records
PHIPA expands and codifies the common-law right of access:
• Right of access to all records of personal health information about the individual in the custody or control of any health information custodian
• Provides a right for individuals to correct their records of personal health information
• Recognizes special factors surrounding health information by allowing incorrect information to be struck out without obliterating the original

Oversight and Enforcement
• The Office of the Information and Privacy Commissioner is the oversight body
• The IPC may appoint an Assistant Commissioner for Personal Health Information
• The IPC may investigate where:
  – a complaint has been received
  – the Commissioner has reasonable grounds to believe that a person has contravened or is about to contravene the Act
• The IPC has powers to enter and inspect premises, require access to PHI and compel testimony

Strengths of PHIPA
• Creation of a health data institute to address the criticism of “directed disclosures”
• Open regulation-making process to bring public scrutiny to future regulations
• Implied consent for sharing of personal health information within the circle of care
• Adequate powers of investigation to ensure that complaints are properly reviewed

Role of the IPC
• The IPC currently has oversight of two laws:
  – Freedom of Information and Protection of Privacy Act (provincial)
  – Municipal Freedom of Information and Protection of Privacy Act
• The IPC may issue orders on access/correction appeals
• The IPC investigates privacy complaints and may issue a report with recommendations, but not orders

Access and Correction Appeals
• Appeals under the current public sector laws may be dealt with in three stages:
  – Intake: the IPC examines the situation and may contact the individual or the organization for more information
  – If not dismissed, the appeal proceeds to mediation, the IPC’s preferred method of dispute resolution
  – If mediation is unsuccessful, the appeal proceeds to adjudication and an order is issued

Privacy Complaints
• The IPC’s goal in dealing with complaints under public sector legislation is to assist organizations in taking whatever steps are necessary to prevent future
• Intake staff attempt to resolve complaints informally, by liaising with the organization and the complainant
• If not resolved, the complaint goes to the investigation stage and a mediator investigates
• The mediator prepares a report, including recommendations

Role of the IPC under PHIPA
• Use of mediation and alternative dispute resolution to be stressed
• Order-making power as a last resort
• Conducting public and stakeholder education
• Commenting on an organization’s information practices

Stressing the 3 C’s
• Consultation
  – Opening lines of communication with the health community
• Collaboration
  – Working together to find solutions
• Co-operation
  – Rather than confrontation in resolving complaints

Making Health Privacy Work
• Think beyond compliance with legislation
• Use technology to help protect personal health
  – Build privacy right into the design specifications
  – Minimize collection and routine use of personally identifiable information; use aggregate or coded information where possible
  – Use encryption where practicable
  – Consider pseudonymity and coded data
  – Conduct privacy impact assessments

Lessons from Chatham-Kent
• Use of encryption to secure databases
• Investigate privacy-enhancing technologies to shield personal health information from systems administrators
• Conduct an end-to-end privacy impact assessment (PIA)
• Conduct independent security audits
• See the IPC report Privacy Review: Chatham-Kent IT Transition Pilot Project
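The two slides above recommend coded or pseudonymous identifiers, aggregate statistics and keeping PHI away from people and systems that do not need it. The following Python script is an added example written for this page; it is not part of the original presentation or of any IPC material. It codes a constructed set of records for a secondary purpose (planning statistics): the health-card number is replaced by a keyed pseudonym (HMAC-SHA256 under a key the custodian keeps and never ships with the extract), the name is dropped, and the date of birth is generalized to a year. It then shows why the key matters: an unkeyed hash of a 10-digit number is reversed simply by hashing every candidate number, while the keyed pseudonym survives the same attack. The record layout, the health-card numbers and the diagnosis codes are constructed for illustration and do not refer to real people.

```python
import hashlib
import hmac
import secrets
from collections import Counter

# Constructed sample records for illustration only. The health-card
# numbers, names and diagnoses are made up and belong to no real person.
SAMPLE_RECORDS = [
    {"ohip": "0000004217", "name": "Patient A", "dob": "1961-03-14", "diagnosis": "E11"},
    {"ohip": "0000008830", "name": "Patient B", "dob": "1974-11-02", "diagnosis": "I10"},
    {"ohip": "0000001502", "name": "Patient C", "dob": "1988-07-30", "diagnosis": "E11"},
    {"ohip": "0000009971", "name": "Patient D", "dob": "1955-01-09", "diagnosis": "J45"},
]


def pseudonymize(identifier: str, key: bytes) -> str:
    """Keyed pseudonym for a direct identifier.

    HMAC-SHA256 under a secret key held by the custodian. The same
    identifier always maps to the same pseudonym under the same key, so
    records about one person can still be linked in the coded extract;
    without the key the mapping cannot be recomputed from the pseudonym.
    """
    canonical = identifier.strip().encode("utf-8")
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()[:16]


def unkeyed_hash(identifier: str) -> str:
    """The tempting shortcut: a plain hash with no secret (insecure)."""
    return hashlib.sha256(identifier.strip().encode("utf-8")).hexdigest()[:16]


def code_records(records, key: bytes):
    """Produce the coded extract for a secondary purpose such as planning.

    Only the fields that purpose needs survive: the name is dropped, the
    date of birth is generalized to a year, and the health-card number is
    replaced by its keyed pseudonym.
    """
    return [
        {
            "pid": pseudonymize(r["ohip"], key),
            "birth_year": r["dob"][:4],
            "diagnosis": r["diagnosis"],
        }
        for r in records
    ]


def count_by_diagnosis(coded):
    """Aggregate statistic computed entirely from the coded extract."""
    return dict(Counter(r["diagnosis"] for r in coded))


def reidentify(pseudonym: str, candidates, code_fn):
    """Dictionary attack: apply code_fn to every plausible identifier and
    report the one that reproduces the pseudonym, or None."""
    for candidate in candidates:
        if code_fn(candidate) == pseudonym:
            return candidate
    return None


def demo():
    # The key stays with the custodian; it is not part of the extract.
    key = secrets.token_bytes(32)
    coded = code_records(SAMPLE_RECORDS, key)
    stats = count_by_diagnosis(coded)

    # An attacker holding only the extract enumerates 10-digit numbers in a
    # small range (10,000 here, to keep the run short). A plain hash is
    # reversed; the keyed pseudonym is not, because the attacker lacks the key.
    candidates = [f"{n:010d}" for n in range(10_000)]
    weak = reidentify(unkeyed_hash("0000004217"), candidates, unkeyed_hash)
    strong = reidentify(coded[0]["pid"], candidates, unkeyed_hash)
    return stats, weak, strong


if __name__ == "__main__":
    stats, weak, strong = demo()
    print("diagnosis counts from coded data:", stats)
    print("unkeyed hash re-identified as:", weak)
    print("keyed pseudonym re-identified as:", strong)
```

The extract carries nothing that lets a reader, a researcher or a systems administrator of the analytics host recover the health-card number, yet the counts and the per-person linkage the secondary purpose needs are intact. Rotating or losing the key breaks linkage to earlier extracts, so key custody is part of the design, not an afterthought.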

Lessons from the UHN (University Health Network) Privacy Assessment
• Strong privacy policy
• Real consequences for breaches
• Ongoing privacy training
  – Incorporate privacy training into the undergraduate curriculum for medical students
• Independent security and privacy audits

How to Contact Us
Commissioner Ann Cavoukian
Information & Privacy
80 Bloor Street West, Suite 1700
Toronto, Ontario M5S 2V1
(416) 326-3333

Alternatives to Investigation
• Prior to investigating a complaint, the Commissioner may:
  – inquire as to other means the individual has used to resolve the complaint
  – require the individual to explore a settlement
  – authorize a mediator to review the complaint and try to settle the issue

Decision Not to Investigate
• The Commissioner may decide not to investigate a complaint where:
  – an adequate response has been provided to the
  – the complaint could have been dealt with through another procedure
  – the complainant does not have a sufficient personal interest in the issue
  – the complaint is frivolous, vexatious or made in bad

Powers of the Commissioner
• After conducting an investigation, the Commissioner may issue an order:
  – to provide access to, or correction of, personal health
  – to cease collecting, using or disclosing personal health information in contravention of the Act
  – to dispose of records collected in contravention of the Act
  – to change, cease or implement an information practice
• Orders, other than those for access or correction, may be appealed on questions of law

Offences and Penalties
• Creates offences for contravention of the legislation, including:
  – wilfully collecting, using or disclosing PHI in contravention of the Act
  – once an access request has been made, disposing of a record of personal information in an attempt to evade the request
  – wilfully failing to comply with an order made by the
• Maximum penalty of $50,000 for an individual and $250,000 for a corporation

Action for Damages
• An individual affected by an IPC order may bring an action for damages for actual harm suffered
• Where the harm suffered was caused by a wilful or reckless breach, the compensation may include an award not exceeding $10,000 for mental
• No action for damages may be instituted against a HIC for anything done in good faith, or for any alleged neglect or default that was reasonable in the