Ontario prescribes privacy law for health-care sector

Ontario’s law regulating the privacy of health information took effect Nov. 1, and may force organizations that fail to comply to pay up to tens of thousands of dollars in maximum penalties.

In what’s being hailed as the province’s first privacy law governing a specific industry, the Personal Health Information Protection Act (PHIPA) will be overseen by the office of the Information and Privacy Commissioner, Ann Cavoukian, and apply to all individuals and organizations involved in the delivery of health-care.

The University Health Network in Toronto, which participated in the consultative process around the new law, has been ready for some time, says Matthew Anderson, vice-president and CIO.

A privacy mindset

Three years ago, the health-care organization appointed a chief privacy officer who helped implant a privacy “mindset” into its project processes and the overall hospital, Anderson says.

“We don’t see, with the new privacy legislation coming in, that we’re going to have to make any fundamental changes or back off of anything.”

UHN’s privacy officer advised the IT department to conduct a privacy impact assessment whenever a current project involves the exchange of patient information outside the hospital, a policy that’s consistent with the requirements of PHIPA, he says.

For a smaller project, UHN would decide where patient information is going, who’s sending it and what safeguards exist; a larger project would prompt the involvement of a third-party privacy expert.

Although Anderson anticipates the legislation won’t surprise most health-care organizations, others may incur “a bit more cost” depending on their progress in building privacy safeguards into electronic patient records.

Under PHIPA, patients will have the right to demand access to their health-care files, says Bob Spence, communications co-ordinator at the office of the Information and Privacy Commissioner in Toronto.

Federally, the Personal Information Protection and Electronic Documents Act, or PIPEDA, dictates privacy requirements of the commercial sector, which “doesn’t catch most of what many medical operations would do.”

Health-care practitioners will have 30 days, and sometimes up to 60 days, to respond under PHIPA, he says. “There are also provisions to expedite if it’s a real emergency.”

According to the act, if you ask for your information, and you don’t get it, you can appeal to the commissioner.

Another key piece of the new privacy law is that patients can advise their main practitioner not to release certain details of their medical history to a second physician recommended to the patient, he says.

The so-called “lockbox” principle, in which patients can dictate which sections of their medical file are shared, doesn’t apply to hospitals for the first year the law is in effect because they need time to get their record-keeping up to speed, he says.

Individual law-breakers can expect to pay up to $50,000, and corporations face charges of up to $250,000.
