Complying with Privacy to Enable Innovation & Research


1 Complying with Privacy to Enable Innovation & Research
Anne Lavigne, Privacy Coordinator

2 Legislation
Privacy Legislation:
Provincial Legislation: Personal Health Information Protection Act (Bill 31) (PHIPA)
- Came into force November 1, 2004
- Applies to organizations and individuals involved in the delivery of health care services (including the Ministry of Health)
- The only health sector privacy legislation in Canada based on consent
- The only health sector privacy legislation that has been declared substantially similar to the federal legislation
The PHIPA governs the manner in which personal health information may be collected, used and disclosed within the health care system. It also regulates individuals and organizations that receive personal information from health care professionals to insurance companies, pharmaceutical companies, etc.

3 PHIPA Definition of Personal Health Information (PHI)
Section 4, PHIPA
Means “identifying information about an individual in oral or recorded form…”
“Identifying information” means information that identifies an individual, or for which there is a reasonable basis to believe that it could be utilized, either alone, or with other information, to identify an individual.

4 Consent
Consent may be express or implied, except where express consent is specifically required under PHIPA.
Express Consent
- Required when a custodian discloses to a non-custodian.
- Required when a custodian discloses to another custodian for a purpose other than providing health care to the individual.
- Required for marketing research and fundraising (when using more than name and specified contact information).
Implied Consent
Where a health information custodian (HIC) receives personal health information about an individual from the individual, the individual’s substitute decision maker or another health information custodian for the purpose of providing health care or assisting in the provision of health care to the individual, the HIC is entitled to assume that it has the individual’s implied consent to collect, use or disclose the information, unless the custodian is aware that the individual has expressly withheld or withdrawn the consent.

5 Research
A health information custodian may use PHI for research purposes, but only if the custodian has a research plan approved by a research ethics board.
Research Ethics Board to consider:
- Whether research could be accomplished without using the PHI
- Whether appropriate safeguards will be in place
- Public interest in conducting the research
- Whether obtaining consent directly is impractical

6 Research Plan
A Research Plan must be in writing and must set out the following:
- The affiliation of each person involved in the research
- The nature and objectives of the research and the public or scientific benefits of the research
- All other prescribed matters related to the research.

7 Other prescribed matters: research plans
- Description of proposal, PHI and potential sources
- Description of how PHI will be used and any data linkages
- Explanation of why research cannot be carried out without PHI and data linkage
- Explanation of why consent is not being sought
- Description of harms and benefits
- Description of who will have access, why, roles, qualifications

8 Other prescribed matters: research plans
- Description of safeguards and retention schedule
- Disposal plan
- Funding source
- Whether researcher applied to another REB and response of other REB
- Any conflicts of interest

9 Research Agreement
Under the Act, before a health information custodian discloses personal health information to a researcher, the researcher shall enter into an agreement with the custodian in which the researcher must agree to abide by the conditions and restrictions that the custodian imposes relating to the use, security, disclosure, return or disposal of the information.

10 Requirements for Researchers
A researcher who received personal health information about an individual from a health information custodian shall:
- Comply with the agreements and conditions set out by REB
- Use information only for the specified purpose
- Not publish identifiable data
- Not disclose except as required by law
- Not make contact unless the custodian first obtains consent
- Notify the custodian of a breach

11 Access to PHI for Research
Any access to PHI, with or without express consent, must be reviewed and approved by the TOH Research Ethics Board (REB) before any contact is made with patients. Access to PHI for the purposes of research usually requires the express consent of the individual. The TOH REB will consider allowing such access without express consent if, in the judgment of the REB, a waiver of consent seems appropriate. There are several considerations which the REB must take into account prior to waiving consent.

12 Collecting PHI for Research
Only the information needed for the research and approved by the REB and the custodian can be accessed and collected.

13 Patient Recruitment Only people who an individual regards as having a right to know about their personal health information, typically those who are clearly within the circle of care of the patient, may approach the patient to open discussion about the possibility of becoming involved in a research project.

14 Consideration by Privacy Office
- Indicate how research patients will be recruited and contacted.
- Indicate how data containing Personal Health Information (PHI) will be protected against breaches of privacy (i.e. locked cabinets, password protected).
- Indicate which organizations and/or individuals will have access to PHI.
- Indicate whether PHI will be leaving The Ottawa Hospital.
- Indicate what patient identifiers will be used.

15 Consideration by Privacy Office
- Indicate how the master list will be maintained and safeguarded.
- Indicate how information will be stored (paper or electronic or both).
- Indicate how long information will be kept after the close of the study.
- Indicate how information will be destroyed after the storage date has expired.
- Indicate contact information should patients have questions about their rights as a research subject.

16 SickKids – Stolen Laptop
- 3,000 patients' personal health information on the laptop
- Approximately 300 were active patients
- Small sub-group – information was sensitive (e.g. drug therapy and HIV status)
- Majority were adult patients, some of whom they had not seen since 1940
- 1/3 were deceased

17 The IPC Investigation/Order
ORDER H-004 issued to SickKids
Information Privacy Commissioner of Ontario ordered all Health Information Custodians in Ontario to:
Never store any personal health information on their laptops or mobile devices unless they have taken strong steps (such as encryption) to ensure that this information is protected against unauthorized access, if the device is lost or stolen.

18 Key Messages
- Don’t work with identifiable patient information (key role of Research Ethics Board). If you can’t…
- Don’t take patient information out of the hospital. If you can’t…
- Use secure remote access (save information to hospital servers). If you can’t…
- Encrypt files, prevent theft.
- Take an Inventory of Information
- Educate, Communicate, Monitor and Audit

19 Questions or Comments
Please contact in confidence:
- Peggy Taillon, Chief Privacy Officer
- Anne Lavigne, Privacy Coordinator

