TORONTO – Ontario’s health-care providers shouldn’t let the “dreaded lockbox principle” contained in a recently-passed law force them into an IT overhaul, the provincial Information and Privacy Commissioner said Thursday.
Speaking at a one-day summit held to discuss the impact of the Personal Health Information and Privacy Act (PHIPA), Dr. Ann Cavoukian said the principle, which came into effect Nov. 1, means patients can dictate which sections of their medical file are shared. The “lockbox principle” did not apply to hospitals for the first year when PHIPA came into effect because health-care providers said they needed time to get their record-keeping up to speed.
Cavoukian said the principle was designed so that a woman seeing a gynecologist, for example, would not have to pass on irrelevant information about an abortion she had many years ago. In many cases health-care organizations should only expect to see a handful of such requests, she added, and the Information and Privacy Commissioner’s (IPC) office does not expect them to make major investments in technology to comply with them.
“You can respond to many of these things in a manual way,” she said. “You do not need to completely revamp your computer systems and IT infrastructure . . . the last thing we wanted to do was come up with something that would impede care. This cannot be a burden on the system.”
Under PHIPA, patients gained the right to demand access to their health-care files. Health-care practitioners have 30 days, and sometimes up to 60 days, to respond, and there are provisions to force a quicker turnaround on emergency requests. Individual law-breakers can expect to pay up to $50,000, and corporations face charges of up to $250,000 for failing to adhere to the law.
In the year since it was first passed, Cavoukian said her office had received 138 complaints under PHIPA, 83 of which have been resolved and 56 of which are still open. In most cases the IPC attempts to settle complaints at the “intake stage,” though she said some move to mediation by the IPC and in more extreme cases to arbitration.
One of the more challenging breaches in year one came when a computer containing two-and-a-half years’ worth of health information on thousands of patients was stolen from a private lab, Cavoukian said. There were no backups of the records on any of the lab’s hard drives and many of the patients were referred to the lab by area physicians.
“It was like looking for a needle in a haystack,” Cavoukian said. “Sometimes when you deal with these things you have to do a lot of detective work.”
The IPC responded by sending a letter to area physicians which included a public notice of the incident, along with a letter from the Ontario Medical Association urging them to inform as many potentially affected patients as possible. The notice included a description of the break-in and the police involvement, Cavoukian said. This strategy was in keeping with the IPC’s usual approach: to contain the damage, notify those affected, investigate the cause of the breach and put in measures to prevent it from happening again.
PHIPA’s lockbox principle comes into effect as many health-care organizations attempt to create electronic health records (EHRs) that allow information to be exchanged more easily. Alan Westin, author of “Privacy as Freedom” and director of a project on health information and privacy at Columbia University, said that while trust in health-care providers may be high, trust in the data security of patient information is still low. Many patients fear information will be leaked to employers, insurance companies or marketing firms, he said. As EHRs are developed, he said more focus groups and surveys should be conducted to ensure buy-in from those whose information would be at risk.
“So far the establishment of an electronic health record has been a top-down process,” he said. “We don’t know enough about the patient-eye view of how this is playing out.”
Canada Health Infoway president Richard Alvarez, whose organization is trying to help create a pan-Canadian interoperable EHR by 2009, said legislation like PHIPA may provide patients some of the reassurances they need.
“We will not fund any project that does not conduct a privacy impact assessment,” he said, adding that Infoway recently appointed its first chief privacy strategist.
Cavoukian said she was pleased so far at how well organizations are complying with PHIPA, considering it first came into effect only six months after it was passed. The IPC has tried to assist with the learning curve by publishing short notices informing patients of their rights under the act in the form of posters and brochures.