
Slide 1: Building Privacy into Health Information Technology
Ann Cavoukian, Ph.D., Information & Privacy Commissioner/Ontario
Information Technology Association of Canada, November 3, 2004, Toronto, Ontario
www.ipc.on.ca

Slide 2: Health Privacy is Critical
- The need for privacy has never been greater:
  - Extreme sensitivity of personal health information
  - Patchwork of rules across the health sector, with some areas currently unregulated
  - Increasing electronic exchanges of health information
  - Multiple providers involved in the health care of an individual, so services need to be integrated
  - Development of health networks
  - Growing emphasis on improved use of technology, including computerized patient records

Slide 3: Unique Characteristics of Personal Health Information
- Highly sensitive and personal in nature
- Must be shared immediately and accurately among a range of health care providers for the benefit of the individual
- Widely used and disclosed for secondary purposes that are seen to be in the public interest (e.g., research, planning, fraud investigation, quality assurance)

Slide 4: Ontario's Personal Health Information Protection Act (PHIPA)
- Comes into effect November 1, 2004
- Schedule A: the Personal Health Information Protection Act (PHIPA)
- Schedule B: the Quality of Care Information Protection Act (QOCIPA)

Slide 5: PHIPA is Based on Fair Information Practices
- Accountability
- Identifying Purposes
- Consent
- Limiting Collection
- Limiting Use, Disclosure and Retention
- Accuracy
- Safeguards
- Openness
- Individual Access
- Challenging Compliance

Slide 6: Strengths of PHIPA
- Implied consent for sharing of personal health information within the circle of care
- Creation of a health data institute to address criticism of "directed disclosures"
- Open regulation-making process to bring public scrutiny to future regulations
- Adequate powers of investigation to ensure that complaints are properly reviewed

Slide 7: Scope of PHIPA
- Health information custodians (HICs) that collect, use and disclose personal health information (PHI)
- Non-health information custodians, where they receive personal health information from a health information custodian (use and disclosure provisions)

Slide 8: Health Information Custodian
- Definition includes:
  - Health care practitioners
  - Hospitals and independent health facilities
  - Homes for the aged and nursing homes
  - Pharmacies
  - Laboratories
  - Homes for special care
  - A centre, program or service for community health or mental health

Slide 9: Records Management: General Practices
- Must take reasonable steps to ensure accuracy
- Must maintain the security of PHI
- Must have a contact person to ensure compliance with the Act and to respond to access/correction requests, inquiries and complaints from the public
- Must have information practices in place that comply with the Act
- Must make available a written statement of information practices
- Must be responsible for the actions of agents

Slide 10: Requirements With Implications for Health Information Technology
- Use of electronic means
- Providers to custodians
- General security
- Consent (implied or express)
- Withdrawal or withholding of consent (lock box)
- Right to access and request correction of personal health information

Slide 11: Use of Electronic Means
- "A health information custodian that uses electronic means to collect, use, modify, disclose, retain or dispose of personal health information shall comply with the prescribed requirements, if any." (Section 10(3))
- No regulations have been proposed

Slide 12: Providers to Custodians
- "A person who provides goods and services for the purpose of enabling a health information custodian to use electronic means to collect, use, modify, disclose, retain or dispose of personal health information shall comply with the prescribed requirements, if any." (Section 10(4))

Slide 13: General Regulations that Apply to All Providers
- Can only use the information as necessary in the course of providing the services
- Cannot disclose any of the information
- Provider must ensure that all of its employees and agents comply with the restrictions
- The release of information to a provider that is not an agent of the custodian is not considered a disclosure, as long as the provider complies with the regulations
(O. Reg. 329/04, s. 6(1) and 6(4))

Slide 14: Types of Providers
- Software vendors (e.g., electronic health record)
- Hardware vendors
- Health information network providers (e.g., SSHA, telehealth)

Slide 15: Definition of Health Information Network Provider
- A person who provides services to two or more health information custodians, where the services are provided primarily to custodians to enable the custodians to use electronic means to disclose personal health information to one another, whether or not the person is an agent of any of the custodians (O. Reg. 329/04, s. 6(2))

Slide 16: Regulations for Health Information Network Providers
- Must notify the custodian of any breach of the requirements for providers
- Must provide the custodian with a description of the services and safeguards, to share with individuals
- Must make available to the public the description of the services provided; the directives, guidelines and policies that apply; and a general description of the safeguards
(O. Reg. 329/04, s. 6(3))

Slide 17: Regulations for Health Information Network Providers (cont'd)
- Must provide to the custodian, upon request, an electronic record of all accesses and transfers of information
- Must perform and provide to the custodian an assessment of the threats, vulnerabilities and risks to the security and integrity of the information, and of how the services may affect privacy
- Must require any third party it retains to comply with the restrictions and conditions
(O. Reg. 329/04, s. 6(3))

Slide 18: Regulations for Health Information Network Providers (cont'd)
- Must enter into an agreement with each custodian that:
  - describes the services to be provided
  - describes the administrative, technical and physical safeguards relating to confidentiality and security
  - requires the provider to comply with the Act and its regulations
(O. Reg. 329/04, s. 6(3))

Slide 19: Security Requirement
- "A health information custodian shall take steps that are reasonable in the circumstances to ensure that personal health information in the custodian's custody or control is protected against theft, loss and unauthorized use or disclosure and to ensure that the records containing the information are protected against unauthorized copying, modification or disposal." (Section 12(1))

Slide 20: Implied Consent
- Custodians may imply consent when disclosing personal health information to other custodians for the purpose of providing health care to the individual

Slide 21: Lock Box
- Applies where the individual expressly withholds or withdraws consent
- Public hospitals have until November 1, 2005 to comply with the lock box requirements (Section 31(2))
- Information technology must:
  - flag the information to be locked
  - ensure that disclosure of locked information is blocked
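The two lock box obligations above (flag the locked information, block its disclosure) and the electronic record of accesses and transfers that slide 17 requires a network provider to produce on request, shown together in a small Python model. This is an added example and not code from the IPC or any vendor; the record layout, the category names, the recipient identifiers and the sample records are assumptions made for illustration.

```python
"""Lock box and access record, as an added illustration of slides 17 and 21.
Not code from the IPC or any vendor; the data model is assumed for the example."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Record:
    record_id: str
    patient_id: str
    category: str          # assumed categories, e.g. "mental_health", "lab"
    content: str
    locked: bool = False   # set when the individual withholds or withdraws consent


@dataclass
class AuditEntry:
    when: str              # UTC timestamp, ISO 8601
    actor: str             # user or system that made the access
    action: str            # "transfer" (disclosed) or "blocked" (lock box applied)
    patient_id: str
    record_id: str
    recipient: str


class PHIStore:
    """In-memory store of PHI records with a per-record lock box flag."""

    def __init__(self) -> None:
        self._records: Dict[str, Record] = {}
        self._audit: List[AuditEntry] = []

    def add(self, rec: Record) -> None:
        self._records[rec.record_id] = rec

    def apply_lock_box(self, patient_id: str, categories: Set[str]) -> int:
        """Flag every record of the patient in the named categories as locked.
        Returns the number of records flagged."""
        flagged = 0
        for rec in self._records.values():
            if rec.patient_id == patient_id and rec.category in categories:
                rec.locked = True
                flagged += 1
        return flagged

    def _log(self, action: str, actor: str, rec: Record, recipient: str) -> None:
        self._audit.append(AuditEntry(
            datetime.now(timezone.utc).isoformat(), actor, action,
            rec.patient_id, rec.record_id, recipient))

    def disclose(self, actor: str, patient_id: str, recipient: str,
                 express_consent: bool = False) -> Tuple[List[Record], int]:
        """Return (records released, number withheld) for a disclosure to
        `recipient`. Locked records are withheld unless the individual has
        given express consent for this disclosure; every record considered
        is written to the audit log, whether released or blocked."""
        released: List[Record] = []
        withheld = 0
        for rec in self._records.values():
            if rec.patient_id != patient_id:
                continue
            if rec.locked and not express_consent:
                self._log("blocked", actor, rec, recipient)
                withheld += 1
                continue
            self._log("transfer", actor, rec, recipient)
            released.append(rec)
        return released, withheld

    def access_record(self, patient_id: Optional[str] = None) -> List[AuditEntry]:
        """The electronic record of accesses and transfers, optionally for one patient."""
        if patient_id is None:
            return list(self._audit)
        return [e for e in self._audit if e.patient_id == patient_id]


def build_sample_store() -> PHIStore:
    """Constructed sample data for the example (not real PHI)."""
    store = PHIStore()
    store.add(Record("R-1", "P-001", "mental_health", "counselling note"))
    store.add(Record("R-2", "P-001", "lab", "CBC result"))
    store.add(Record("R-3", "P-002", "lab", "lipid panel"))
    return store


if __name__ == "__main__":
    store = build_sample_store()
    store.apply_lock_box("P-001", {"mental_health"})   # patient withdraws consent for mental health records
    released, withheld = store.disclose("dr.lee", "P-001", "clinic-b")
    print([r.record_id for r in released], withheld)    # ['R-2'] 1
    for e in store.access_record("P-001"):
        print(e.action, e.record_id, "->", e.recipient)
```

The point to carry into a real system is that the lock flag is enforced inside the one code path every disclosure goes through, not in the user interface, and that the blocked attempts are logged as well as the transfers: the custodian's access record then shows that the lock box was honoured, not only what left the system.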

Slide 22: Express Consent
- Required when a custodian discloses to a non-custodian
- Required when a custodian discloses to another custodian for a purpose other than providing health care to the individual
- Required for marketing and fundraising (when using more than name and specified contact information)

Slide 23: Right of Access and Correction
PHIPA expands and codifies the common-law right of access:
- Right of access to all records of personal health information about the individual in the custody or control of any health information custodian (some exceptions)
- Right to correct their records of personal health information (some exceptions)

Slide 24: Access
- Custodian must make the record available or provide a copy, if requested
- Custodian must respond to the request within 30 days, with a possible 30-day extension
- Custodian must take reasonable steps to be satisfied of the individual's identity
- Custodian must offer assistance in reformulating a request that lacks sufficient detail

Slide 25: How to Correct Records
- By striking out the incorrect information in a manner that does not obliterate it; or
- By labelling the information as incorrect and severing it from the record, while maintaining a link to the record; or
- If the correction cannot be recorded in the record, the custodian must ensure there is a practical system to inform persons accessing the record that the information is incorrect and where to obtain the correct information

Slide 26: Notice of Correction
- At the request of the individual, the custodian must give written notice of the requested correction, to the extent reasonably possible, to persons to whom the custodian has disclosed the information
- Exception: if the correction cannot reasonably be expected to have an effect on the ongoing provision of health care or other benefits

Slide 27: Statement of Disagreement
- If the custodian refuses a correction request, the individual is entitled to require the custodian to attach to the record a statement of disagreement prepared by the individual
- Custodian must make reasonable efforts to notify anyone who would have been notified if there had been a correction
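Slides 25 to 27 describe one procedure: correct without obliterating, keep the severed entry linked to its correction, notify those the record was disclosed to unless the correction cannot affect ongoing care, and attach a statement of disagreement when a correction is refused. The Python below is an added example of a record structure that supports all of that; it is not IPC or vendor code, and the entry model, field names and sample values are assumptions for illustration.

```python
"""Record correction, notice and statement of disagreement, as an added
illustration of slides 25 to 27. Not IPC or vendor code; the record model is assumed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Entry:
    entry_id: str
    field_name: str
    value: str
    status: str = "current"               # "current", "incorrect" or "disputed"
    superseded_by: Optional[str] = None   # link from a severed entry to its correction
    disagreement: Optional[str] = None    # statement of disagreement, if a correction was refused


class HealthRecord:
    """Append-only record: corrections never overwrite or delete what was there."""

    def __init__(self, patient_id: str) -> None:
        self.patient_id = patient_id
        self._entries: Dict[str, Entry] = {}
        self._disclosed_to: Set[str] = set()   # everyone this record has been disclosed to
        self._next = 1

    def add(self, field_name: str, value: str) -> str:
        entry_id = f"E{self._next}"
        self._next += 1
        self._entries[entry_id] = Entry(entry_id, field_name, value)
        return entry_id

    def record_disclosure(self, recipient: str) -> None:
        self._disclosed_to.add(recipient)

    def correct(self, entry_id: str, new_value: str,
                affects_ongoing_care: bool = True) -> Tuple[str, List[str]]:
        """Label the old entry as incorrect, sever it from the current view and
        link it to the corrected entry. Returns (new_entry_id, recipients to notify).
        Notice goes to everyone the record was disclosed to, unless the correction
        cannot reasonably be expected to affect ongoing care or other benefits."""
        old = self._entries[entry_id]
        if old.status != "current":
            raise ValueError(f"{entry_id} is not a current entry")
        new_id = self.add(old.field_name, new_value)
        old.status = "incorrect"
        old.superseded_by = new_id
        to_notify = sorted(self._disclosed_to) if affects_ongoing_care else []
        return new_id, to_notify

    def refuse_correction(self, entry_id: str, statement: str) -> List[str]:
        """Attach the individual's statement of disagreement to the entry and
        return the recipients who would have been notified of a correction."""
        entry = self._entries[entry_id]
        entry.status = "disputed"
        entry.disagreement = statement
        return sorted(self._disclosed_to)

    def current_view(self) -> Dict[str, str]:
        """What a reader of the record sees: current and disputed values only."""
        return {e.field_name: e.value for e in self._entries.values()
                if e.status in ("current", "disputed")}

    def history(self, field_name: str) -> List[Entry]:
        """Full chain for a field, including entries struck out as incorrect."""
        return [e for e in self._entries.values() if e.field_name == field_name]


def sample_record() -> HealthRecord:
    """Constructed sample data for the example (not a real patient)."""
    rec = HealthRecord("P-001")
    rec.add("blood_type", "A+")        # E1, later found to be wrong
    rec.add("allergy", "penicillin")   # E2
    rec.record_disclosure("clinic-b")
    rec.record_disclosure("lab-x")
    return rec


if __name__ == "__main__":
    rec = sample_record()
    new_id, notify = rec.correct("E1", "O+")
    print(rec.current_view(), "notify:", notify)
    for e in rec.history("blood_type"):
        print(e.entry_id, e.status, e.value, "->", e.superseded_by)
    print(rec.refuse_correction("E2", "Patient states the reaction was to amoxicillin"))
```

The history of a field is never lost: the struck-out value stays in the store with its status and a link to the entry that replaced it, which is exactly what lets the custodian show a reader that the old value was there and was corrected, rather than silently editing the record.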

Slide 28: Where do we go from here?
- Start by understanding PHIPA: information is available on the IPC and MOHLTC web sites
- Review your products and services: identify where changes need to occur
- Work with your client partners, particularly for retrofits

Slide 29: Guidance to the Health IT Community
- The IPC, in partnership with the Office of the Corporate Chief Information Officer and the Ministry of Health, is developing a set of health privacy technology principles and best practices, plus boilerplate RFP statements and an implementation strategy, in consultation with the Ontario E-Health Council. We expect to consult with vendors on this document to ensure it is reasonable and fully supports the implementation of the Act.

Slide 30: Public Education Program
- Frequently Asked Questions and Answers available on the IPC website (including hard copies)
- User Guide for Health Information Custodians available on the IPC website (including hard copies)
- IPC PHIPA publications distributed to the Colleges and Associations of the Regulated Health Professions
- IPC/MOH brochure for the general public may be placed in reception areas to be distributed to patients

Slide 31: Public Education Program (cont'd)
- IPC is a member of the OHA/OMA/IPC/MOH PHIPA tool kit project
- IPC/OBA "short notices" working group: developing concise, user-friendly notices and consent forms to serve as effective communication tools
- Ongoing meetings with the Regulated Health Professions and the Federation of Health Regulatory Colleges and Associations
- IPC PHIPA awareness article distributed to Colleges/Associations for inclusion in their members' magazines and newsletters

Slide 32: Keeping HICs Informed
- Orders will be public documents and available on our website
- Summaries of mediated cases will be posted to our website
- Relevant data will be regularly made available to the public and health professionals (e.g., number of complaints, examples of successful mediations, common issues)

Slide 33: Making Health Privacy Work
- Think beyond compliance with legislation
- Use technology to help protect personal health information:
  - Build privacy right into design specifications
  - Minimize collection and routine use of personally identifiable information; use aggregate or coded information where possible
  - Use encryption where practicable
  - Think about using pseudonymity and coded data
  - Conduct privacy impact assessments
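On "coded information" and "pseudonymity": the check a practitioner should make is whether the code can be reversed by anyone who can recompute it. The Python below is an added example, not IPC or vendor code, that contrasts a bare hash of a date of birth (reversible by trying every date in a century) with a keyed pseudonym whose re-identification key stays with the custodian, and shows a coded dataset that also drops what the secondary purpose does not need. The record layout, field names and sample values are constructed for the example.

```python
"""Coded identifiers and data minimization, as an added illustration of slide 33.
Not IPC or vendor code. The record layout and sample values are constructed."""
import hashlib
import hmac
import secrets
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple


def unkeyed_code(value: str) -> str:
    """A bare hash of an identifier. Looks coded, but anyone can recompute it."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def keyed_pseudonym(value: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key held by the custodian. The same value always
    maps to the same pseudonym, so records can still be linked across datasets,
    but without the key nobody can confirm a guess at the original value."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:32]


def reverse_unkeyed_dob(code: str, start: date = date(1900, 1, 1),
                        end: date = date(2004, 12, 31)) -> Optional[str]:
    """Dictionary attack on an unkeyed date-of-birth code: every date in the
    range is about 38,000 guesses, which takes well under a second."""
    day = start
    while day <= end:
        guess = day.isoformat()
        if unkeyed_code(guess) == code:
            return guess
        day += timedelta(days=1)
    return None


def code_dataset(records: List[Dict[str, str]], key: bytes
                 ) -> Tuple[List[Dict[str, str]], Dict[str, str]]:
    """Produce a coded dataset for secondary use plus the linkage table the
    custodian keeps back. The direct identifier is replaced by a keyed pseudonym
    and the date of birth is reduced to a year: keep only what the purpose needs."""
    coded: List[Dict[str, str]] = []
    linkage: Dict[str, str] = {}
    for r in records:
        p = keyed_pseudonym(r["health_number"], key)
        linkage[p] = r["health_number"]   # held separately from the coded data
        coded.append({"pseudonym": p,
                      "birth_year": r["dob"][:4],
                      "diagnosis": r["diagnosis"]})
    return coded, linkage


SAMPLE_RECORDS = [   # constructed values, not real people
    {"health_number": "1234567890", "dob": "1975-03-14", "diagnosis": "J45"},
    {"health_number": "0987654321", "dob": "1962-11-02", "diagnosis": "E11"},
]


if __name__ == "__main__":
    key = secrets.token_bytes(32)           # the re-identification secret
    coded, linkage = code_dataset(SAMPLE_RECORDS, key)
    print(coded)
    # The unkeyed scheme is reversible by enumeration even though it "hashes" the data:
    print(reverse_unkeyed_dob(unkeyed_code("1975-03-14")))   # 1975-03-14
```

The key is the whole difference between coding and pseudonymity here: whoever holds it can re-identify, so it belongs with the custodian and not with the coded dataset. Where the secondary purpose is served by counts or aggregates, neither scheme is needed and the identifiers should not leave the custodian at all.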

Slide 34: Stressing the 3 C's
- Consultation: opening lines of communication with the health community and HICs
- Co-operation: rather than confrontation in resolving complaints
- Collaboration: working together to find solutions

Slide 35: How to Contact Us
Commissioner Ann Cavoukian
Information & Privacy Commissioner/Ontario
2 Bloor Street West, Suite 1400
Toronto, Ontario M4W 1A8
Phone: (416) 326-3333
Web: www.ipc.on.ca
E-mail: commissioner@ipc.on.ca

