Update on The Personal Health Information Protection Act

Publication/
Apr 1, 2005
By Sharan K. Basran

Overview and Purpose

The Personal Health Information Protection Act (PHIPA or Act), which came into force on November 1, 2004, fills a significant gap in privacy legislation by creating a comprehensive set of rules for the handling of personal health information in the health care system. These rules are guided by a number of overarching purposes:

  • The fundamental purpose of the PHIPA is to protect the privacy of individuals and the confidentiality of their personal health information;
  • The Act also strives to ensure the effective delivery of health care, in part by requiring institutions to maintain accurate information;
  • The PHIPA sets up a process for challenging compliance and ensuring enforcement of its principles, rights, and obligations.

Application

The Act casts a broad net since it applies to the collection, use and disclosure of personal health information by “health information custodians.” Health information custodians are given primary responsibility for PHI and must take steps to ensure the confidentiality of information in their custody or control. Health information custodians (Custodians) are individuals and institutions involved in the delivery of health services that regularly handle personal health information. A Custodian includes, amongst other examples, health care practitioners, Hospitals, Long-Term Care Homes, Nursing Homes, and Community Health Programs. Through this definition, the Act places responsibility and obligations on both an institutional and an individual level.

The Act also extends to the use and disclosure of personal health information (PHI) by other individuals where they receive PHI from a health care custodian. It is important to note that the PHIPA recognizes and places similar duties of confidentiality on agents of health care custodians. An agent is anyone who is authorized by a custodian to do anything on behalf of the custodian with respect to PHI. This would include employees of a Hospital such as records management services and clerical staff.

Personal Health Information is also given an expansive definition under the Act. It refers to information that identifies an individual or where it is reasonably foreseeable that either alone or with other information it could be used to identify an individual. This includes not only information related to the health of an individual and the nature of health care provided to an individual, but extends to information which relates to payment or eligibility for health care and the individual’s health number. It is significant to observe that the Act excludes from its definition of PHI, identifying information held by a Custodian if the information is about employees or other agents of the Custodian. Such an exclusion is unusual, particularly when Hospitals and other organizations have well-developed Occupational Health Departments which may provide care or assessments on employees. Such information about employees is similar to patient health information as both are sensitive and highly personal in nature.

Obligations and Responsibilities

The key obligations under the Act placed on Health Care Custodians are as follows:

First, the PHIPA sets up an institutional framework to protect PHI by requiring Custodians to develop information practices which comply with the requirements of the Act. The practice must detail how the institution routinely collects, uses, modifies, discloses, retains and disposes of PHI, as well as the safeguards to ensure confidentiality. These information practices must be in writing and available to the public.

Second, the Act polices certain actions which custodians may take in relation to PHI, including collection, use and disclosure. The legislation permits Custodians to collect, use or disclose personal health information only in two defined circumstances: where the individual consents either implicitly or explicitly; or where it is otherwise permitted or authorized under the Act. Considering the proposed actions in relation to PHI, each of the terms collection, use and disclosure is given a special meaning as set out in the Act:

  • Collection means to gather, acquire, receive, or obtain personal health information by any means from any source.
  • The word “use” is also given a distinct meaning under the Act: to handle or deal with personal health information in the custody or control of a Custodian or a person, but not including disclosure. The Act provides that transferring personal health information between an agent of the Custodian and the Custodian is considered to be a use and not a disclosure. Therefore, the internal transfer of information within a health information custodian, involving employees and agents of the Custodian, is considered a use and not a disclosure.
  • Disclosure on the other hand means to make PHI available or to release it to another health information custodian or to another person.

The Act requires different types of consent depending on the circumstances. Consent may be either express or implied, except where the Act explicitly says it must be express. Consent must be express where it involves individuals who are not health information custodians. Therefore, consent to the disclosure of PHI by a health information custodian to a person who is not a health care custodian must be express. This would include disclosure to faith healers, insurers, and employers.

On the other hand, the Act allows consent to be implied for the important purpose of providing health care. In this way, implied consent is limited by the purpose for which the information is used. A health information custodian who receives PHI about an individual directly from the individual or substitute decision-maker, or from another health information custodian, for the purpose of providing health care may assume that the individual implicitly consents to the collection, use or disclosure of such information for the purpose of providing health care, unless the custodian is aware that the individual has expressly withheld or withdrawn consent. Implied consent attempts to ensure the effective delivery of health care while upholding consent as the mainstay in the handling of a patient’s PHI.

Part IV of the Act lays out the specific rules governing collection, use and disclosure. With regards to collection, the Act considers both the collection of information directly from an individual and indirectly from a third party source. For indirect collection, consent is generally required, subject to certain exceptions where pre-conditions must be met. Information may be collected indirectly without the consent of the patient where it is not reasonably possible to collect it directly from the individual in a timely manner, or where the information would likely not be accurate, and the information to be collected is reasonably necessary for the provision of health care.

In considering the “use” of PHI, more latitude is given to Custodians presumably on the grounds that it mostly deals with the internal use of such information within a single organization. A custodian is permitted to use PHI for the purpose for which the information was collected or created and for all the functions reasonably necessary for carrying out that purpose. However, where a patient gives consent or the information is collected indirectly when consent is not adequate or feasible, a patient has the right to later expressly instruct that the information not be used.

Similarly, with respect to disclosure, a Custodian is generally required to obtain consent. However, there are certain exceptions. The Custodian may disclose information to specified health information custodians (a health care practitioner, a service provider under the Long-Term Care Act, 1994, a Hospital, nursing home, pharmacy and other specified institutions) when it is reasonably necessary for the provision of health care and where it is not reasonably possible to obtain the individual’s consent in a timely manner. Interestingly, the Act allows an individual to expressly instruct a Custodian not to make disclosure. In that case, a Custodian is prevented from disclosing what may be important information in providing health care, rather than extraneous information. The receiving Custodian may be notified of this non-disclosure.

The exception to a refusal to disclose information arises where there are reasonable grounds that disclosure is needed to eliminate or reduce a significant risk of serious bodily harm to a person or group of persons. In those cases, a Custodian has the discretion to disclose PHI without a patient’s consent, but is not mandated to do so.

The right of a patient to prohibit a Custodian from using or disclosing PHI may raise practical concerns on a day-to-day level for health care professionals. Where a Custodian is notified that certain relevant information has been excluded from the medical charts, the question arises as to whether there is a specific risk of serious bodily harm to an identifiable person or group of persons. If this threshold is not met, any consequences from the absence of the PHI in the provision of care are an important consideration. Although recourse may be had to the Information and Privacy Commissioner for disclosure of such PHI, concerns are not alleviated where care must be provided immediately. It is unclear what impact the right of patients to withhold PHI will have in a clinical setting. However, the tension between the effective delivery of health care and the privacy interests of patients needs to be delicately monitored and navigated. It is important that the Commissioner, regulatory bodies, and institutions provide guidance and direction to health care professionals in balancing what may be competing interests.

Administration and Enforcement

The oversight body for the Act is the Information and Privacy Commissioner established under the Freedom of Information and Protection of Privacy Act.

There are a number of ways that a person may obtain relief under the PHIPA:

  • The most formal method is to initiate a complaint. A person who has reasonable grounds to believe a person has contravened or is about to contravene a provision of the Act may make a written complaint to the Commissioner within one year after the subject matter of the complaint came to the attention, or should have come to the attention, of the complainant. The Commissioner may extend the limitation period where doing so does not result in prejudice to a person.
  • The Commissioner also has the right to initiate an investigation without a complaint, where there are reasonable grounds to believe that a person has contravened or is about to contravene the Act.
  • The Commissioner has a number of options in dealing with a complaint, involving both informal resolution and a formal review process. At a recent privacy conference, the Assistant Commissioner indicated that alternative dispute resolution is stressed as the first option and order-making powers are used as a last resort. This is reflected in the Act. The Commissioner may direct the complainant and the person against whom the complaint was made to try to effect a settlement, with or without the assistance of a mediator.
  • Importantly, the Commissioner has discretion not to review a complaint “for whatever reason the Commissioner considers proper.” The discretion of the Commissioner not to consider a complaint is broad and largely unfettered. There is also no statutory right of review set out in the Act. A complainant is only entitled to notice of the decision not to review and the reasons for it. The Act does provide a non-exhaustive list of criteria to be considered in the exercise of the Commissioner’s discretion: whether the complaint could more appropriately be dealt with in another forum; the delay in filing the complaint and whether it would likely result in undue prejudice; whether the complainant lacks a sufficient personal interest in the complaint; and whether the complaint is otherwise frivolous or vexatious.

If the Commissioner decides to review a complaint, the Commissioner has wide powers to investigate and consider evidence, including the power to enter and inspect premises without a warrant or court order, require that evidence be given under oath, demand the production of documents, or inquire into information or information practices held by a custodian. After conducting a review, the Commissioner has the authority to issue orders to require compliance with the Act. These include the following orders:

  • directing a custodian to grant individual access or to make a correction in response to a request;
  • directing any person whose activities the Commissioner reviewed to perform a duty imposed by the Act;
  • directing any person to cease collecting, using, or disclosing personal health information, or to dispose of records where the custodian has contravened the Act;
  • directing a custodian to change, cease, or not commence an information practice, or to implement an information practice specified by the Commissioner.

When the Commissioner makes an order, apart from an order relating to complaints respecting access or corrections, a person affected by the order has a statutory right of appeal to the Divisional Court, only on a question of law, within 30 days. Further, where the Commissioner makes an order, an individual affected by the order may bring an action in the Superior Court of Justice for damages for actual harm suffered as a result of a contravention by a health information custodian of its obligations under the Act. However, the right to pursue damages is curtailed under the Act. The Act provides protection from liability to health information custodians and their agents for acts and omissions made in good faith and reasonably in the circumstances, in the exercise of their powers and duties under the Act.

At a recent privacy conference, the Assistant Commissioner stated that orders and summaries of mediations will be public documents available on the website at http://www.ipc.on.ca. In addition, he indicated that relevant information such as the number of complaints and common issues will be made available to the public and to health care professionals. On reviewing the website, there is no indication to date of how many complaints the Information & Privacy Commissioner has received. The Commissioner has made only general comments about inquiries from the public.

There is, however, a section of the website entitled PHIPA: Resolutions, Reports and Orders. This section sets out cases that the Commissioner has considered. The majority of cases have been resolved without issuing a formal order. Most of the cases involve Personal Health Information which was lost, stolen, or otherwise went missing. For example, in File No. HI-040001-1, two computers containing patient information were stolen from the physiotherapy department of a Hospital. The Hospital advised the Commissioner of this incident. The computers contained progress notes which identified the patient, the services provided, and the outcome for the patient. The computers also contained a list of each patient’s full name and ward within the Hospital. Although there was a practice of saving this PHI on an internal organizational network, which was password protected, the investigation revealed that this practice had not been followed on every occasion. In other words, some PHI may have been saved on the local hard drive, which was accessible to whoever held the stolen machine. The Commissioner considered two issues: whether the Hospital had notified patients that the PHI had been stolen, as required under section 12(2) of the PHIPA; and the measures taken to reduce the risk of a similar incident or other breaches of privacy in the future.

On the first issue, the Hospital verbally notified patients of what had happened and of the steps taken to deal with the situation. In terms of preventive measures, the Hospital advised staff who handle PHI on computers not to save it on local hard drives, and department managers were asked to remove any PHI from local drives. Technological measures were also taken: a system or program was installed so that various applications would save to the network by default, in order to reduce reliance on staff remembering to do so and thereby reduce human error.

Another interesting case was a complaint lodged by an individual against a Hospital based on a news release stating that the Hospital would be working with a US company to develop a strategy to streamline the delivery of health record information between health care providers. The strategy also involved a pilot study to test the market for an electronic “continuity of care record”. The complainant was concerned that PHI of Canadian citizens or residents would be accessible to the US Government under the US Patriot Act. The Hospital provided an explanation. It indicated that the pilot design was in the preliminary stages and that it was only interested in studying the model of record management used by the US company. The Hospital also stated it would not be engaging the US company to conduct the pilot program, nor would PHI be shared outside Ontario. Further, participation in the pilot program would be based on the “positive consent” of patients. At this stage the complainant agreed to withdraw the complaint on the basis of the explanation provided by the Hospital, and the file was closed. Although there was no apparent breach, it is unclear whether any evidence was provided to substantiate the explanation.

Conclusion

With its inception on November 1, 2004, the PHIPA is still in its early phases. As designated Custodians under the PHIPA, health care professionals must now consider not only their professional responsibilities but also their obligations under the Act.

In that regard, it is important that Hospitals and other health care institutions ensure systemic practices throughout the facility which comply with the PHIPA. This should be reflected in written information practices, as well as in continuing education and checks and balances within the system to ensure such practices are translated from “the books” into everyday practice. This may include such things as information recording practices, methodologies to verify consent, and guidelines for dealing with inquiries or communications from the public. This ensures effective compliance with the principles enshrined in the PHIPA on both an institutional and an individual level.
