Ontario’s law regulating the privacy of health information takes effect November 1, and may force organizations that fail to comply to pay up to tens of thousands of dollars in maximum penalties.
In what’s being hailed as the province’s first privacy law governing a specific industry, the
Personal Health Information Protection Act (PHIPA) will be overseen by the office of the Information and Privacy Commissioner, Ann Cavoukian, and apply to all individuals and organizations involved in the delivery of health- care services.
The University Health Network in Toronto, which was part of the consultative process around the new law, has been ready for some time, according to Matthew Anderson, vice-president and CIO.
Three years ago, the health-care organization appointed a chief privacy officer who helped implant a privacy “”mindset”” into its project processes and the overall hospital, said Anderson.
“”We don’t see, with the new privacy legislation coming in, that we’re going to have to make any fundamental changes or back off of anything.””
UHN’s privacy officer advised the IT department to conduct a privacy impact assessment whenever a current project involves the exchange of patient information outside the hospital, a policy that’s consistent with the requirements of PHIPA, he explained.
So for a smaller project, UHN would decide where patient information is going, who’s sending it and what safeguards exist; a larger project would prompt the involvement of a third-party privacy expert.
Anderson said the typical cost of undertaking a privacy impact assessment for each project is $5,000 to $10,000, which would cover consulting fees and staff time.
Athough Anderson anticipates the legislation won’t surprise most health-care organizations, others may incur “”a bit more cost”” depending on their progress in building privacy safeguards into electronic patient records.
Under PHIPA, patients will have the right to demand access to their own health-care file, explained Bob Spence, communications co-ordinator at the office of the Information and Privacy Commissioner in Toronto.
Federally, the Personal Information Protection and Electronic Documents Act, or PIPEDA, dictates privacy requirements of the commercial sector, which “”doesn’t catch most of what many medical operations would do.””
Health-care practitioners will have 30 days, and sometimes up to 60 days, to respond under PHIPA, he said. “”There are also provisions to expedite if it’s a real emergency.””
As of Monday, “”if you ask for your information, and you don’t get it, you can appeal it to the commissioner.””
Another key piece of the new privacy rules is that patients can advise their main practitioner not to release certain details of their medical history to a second physician recommended to the patient, he said.
For example, a woman who had an abortion years ago may not want to divulge that to another doctor if it’s irrelevant to her current medical problem, in which case the primary physician would alert his colleague only about the incompleteness of the file, explained Spence.
The so-called “”lockbox”” principle, in which patients can dictate which sections of their medical file are shared, doesn’t apply to hospitals for the first year the law is in effect because they need time to get their record-keeping up to speed, he said.
Some details omitted
Another patient right is to file a complaint against anyone covered under the law who is believed to have incorrectly collected or used their private health information.
Although the law is aimed at health-care providers, to some extent it also impacts insurance companies. So, for example, an insurer that’s allowed in a contract to look into a policy subscriber’s medical status can only use and collect information related to this specific purpose, explained Spence.
Likewise, IT employers are also affected, said Dan Palayew, a partner specializing in the labour, employment and privacy practices of law firm Ogilvy Renault in Ottawa.
He said a technology company that requests a doctor’s note from a sick employee still has certain obligations under the act concerning the ways it uses and protects what’s in effect personal health information.
“”Most employers are pretty careful about doctors’ notes, but the days of having a doctor’s note sort of faxed in and left lying around the office —— which sometimes used to happen —— those days have to be gone,”” explained Palayew.
Not only will this breach translate to charges against the firm, it invites bad publicity too, he said.
Individual law-breakers can expect to pay up to $50,000, and corporations face charges of up to $250,000, he added. Additional damages of up to $10,000 can be awarded to an individual complainant.
The privacy commissioner expects the vast majority of cases to be settled through mediation, following by a decision by the commissioner or one of her designates, Palayew explained. He said going to court is a last step in the process.
Manitoba, Saskatchewan and Alberta are the only other provinces with privacy laws governing the health-care sector. Those with general legislation impacting the overall private sector include Alberta, B.C. and Quebec.
Palayew predicted that over the next year, Ontario’s coming privacy law on health care will likely be followed by draft privacy legislation for the general private sector.