Security of health data prompts Ontario legislation

Ontario health organizations will soon have to review the way they handle customer information to ensure their procedures comply with the new bill presented to the Ontario government.

The Health Information Protection Act, or Bill 31, is a response to the federal privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA), which came into full effect at the beginning of this year.

Last month George Smitherman, Ontario’s Minister of Health, presented a bill designed to eliminate any discrepancies with the federal law while ensuring the security of all shared files in the health sector.

Smitherman said in a statement issued by a government representative that the act would bring better service and protection for patients across the province.

Bill 31 requires all companies and organizations that deal with personal health information to obtain consent from all patients before using their information in non-medical cases, such as marketing. It also requires companies to verify that the software protects the security of all files.

For example, the Toronto-based software company Truact has reviewed its product and ensured that it complies with the new security measures if the act is passed into legislation.

“(The law) requires a tighter restriction on the Internet (and) Truact meets that requirement,” said Truact CEO Ron Cloutier.

Truact’s software uses an encrypted digital signature through Microsoft’s Outlook Express that enables only the recipient of an e-mail message to view it.

If Bill 31 passes, it would require health information custodians (health-care practitioners, operators of hospitals, nursing homes, pharmacies or ambulance services) to notify patients if their personal information is stolen, lost or accessed by unauthorized persons. Software like Truact’s discourages the possibility of leaked information through encryption, Cloutier said.

Although some companies may already comply under the act, large establishments will have more trouble complying, according to John Beardwood, treasurer of IT.CAN, a national association of Canadian information technology lawyers.

“The more complicated the institution, the more honourable (it is) to comply,” he said.

Beardwood said large hospitals, like those in downtown Toronto, that have various functions should begin preparing for the advent of the new legislation because it can take up to three months to have the whole institution in order with the health information act.

The federal privacy law created problems with respect to health care because it implied that doctors had to receive written consent from their patients before using or sharing personal information. That was one of the reasons health-care organizations did not have to comply with PIPEDA when it first came into effect in 2001.

“PIPEDA was never designed with personal health legislation in mind for the province of Ontario,” said John Beardwood, a lawyer with the Fasken Martineau DuMoulin law firm in Toronto.

The new provincial privacy law would not require health information custodians, who have custody or control of personal information as a result of their work, to have patients fill out a consent form every time they visit the doctor’s office. Instead, the personal information would be stored on a secure database accessible only by the custodians.

In order to ensure each company complies with Bill 31, Beardwood advises clients not to wait for legislation to take place before starting to gather information on how businesses use and share personal information.

“Do a gap analysis between what you are doing and what is required under the act,” he said, which includes hiring a privacy officer to oversee all management of personal information, as required under PIPEDA.

Beardwood is currently working on a statement with the Ontario Bar Association on the Health Information Protection Act for the provincial government and said the next reading of the bill should happen in the following months.

“Their expectation is to try to push it through as fast as possible,” said Beardwood.

Comment: info@itbusiness.ca
