Ontario’s law regulating the privacy of health information took effect Nov. 1, and may force organizations that fail to comply to pay up to tens of thousands of dollars in maximum penalties.
In what’s being hailed as the province’s first privacy law governing a specific industry, the Personal Health Information Protection Act (PHIPA) will be overseen by the office of the Information and Privacy Commissioner, Ann Cavoukian, and apply to all individuals and organizations involved in the delivery of health-care.
The University Health Network in Toronto, which participated in the consultative process around the new law, has been ready for some time, says Matthew Anderson, vice-president and CIO.
A privacy mindset
Three years ago, the health-care organization appointed a chief privacy officer who helped implant a privacy “mindset” into its project processes and the overall hospital, Anderson says.
“We don’t see, with the new privacy legislation coming in, that we’re going to have to make any fundamental changes or back off of anything.”
UHN’s privacy officer advised the IT department to conduct a privacy impact assessment whenever a current project involves the exchange of patient information outside the hospital, a policy that’s consistent with the requirements of PHIPA, he says.
For a smaller project, UHN would decide where patient information is going, who’s sending it and what safeguards exist; a larger project would prompt the involvement of a third-party privacy expert.
Although Anderson anticipates the legislation won’t surprise most health-care organizations, others may incur “a bit more cost” depending on their progress in building privacy safeguards into electronic patient records.
Under PHIPA, patients will have the right to demand access to their health-care files, says Bob Spence, communications co-ordinator at the office of the Information and Privacy Commissioner in Toronto.
Federally, the Personal Information Protection and Electronic Documents Act, or PIPEDA, dictates privacy requirements of the commercial sector, which “doesn’t catch most of what many medical operations would do.”
Health-care practitioners will have 30 days, and sometimes up to 60 days, to respond under PHIPA, he says. “There are also provisions to expedite if it’s a real emergency.”
According to the act, if you ask for your information, and you don’t get it, you can appeal to the commissioner.
Another key piece of the new privacy law is that patients can advise their main practitioner not to release certain details of their medical history to a second physician recommended to the patient, he says.
The so-called “lockbox” principle, in which patients can dictate which sections of their medical file are shared, doesn’t apply to hospitals for the first year the law is in effect because they need time to get their record-keeping up to speed, he says.
Individual law-breakers can expect to pay up to $50,000, and corporations face charges of up to $250,000.