Interview with Dr. Ann Cavoukian
December 2004
In this interview, Terry McQuay, Nymity's President, asks Dr. Ann
Cavoukian about specifics of Ontario's Personal
Health Information Protection Act (PHIPA). Dr.
Ann Cavoukian is Ontario's first Information and Privacy Commissioner
to be reappointed for a second term. Initially appointed in
1997, her role in overseeing the operations of the freedom
of information and privacy laws in Canada’s most populous
province was extended to 2009. Like the provincial auditor,
she serves as an officer of the legislature, independent of
the government of the day.
She is recognized as one of the leading privacy experts in
the world and is frequently called upon to speak at major
forums around the globe. Her published works include a book
entitled Who Knows: Safeguarding Your Privacy in a Networked
World (McGraw-Hill, 1997), written with Don Tapscott, and,
most recently, The Privacy Payoff (McGraw-Hill Ryerson, 2002),
in which she and the book’s co-author, journalist Tyler
Hamilton, address how successful businesses build customer
trust.
Dr. Cavoukian joined the Office of the Information and Privacy
Commissioner in 1987, during its start-up phase, as its first
Director of Compliance. In 1990, she was appointed Assistant
Commissioner. Prior to joining the IPC, she headed the Research
Services Branch for the provincial Attorney General. She received
her M.A. and Ph.D. in Psychology from the University of Toronto,
where she specialized in criminology and law, and lectured
on psychology and the criminal justice system.
Nymity: Ann, please introduce yourself, PHIPA and
the IPC role.
Cavoukian: I’m Ann Cavoukian, the
Information and Privacy Commissioner of Ontario (IPC). The
IPC has been designated as the independent oversight body,
which is responsible for ensuring that “health information
custodians” collect, use and disclose personal health
information according to the rules set out under the Personal
Health Information Protection Act (PHIPA). The IPC will
play a significant role in ensuring overall compliance with
PHIPA.
The IPC has been granted various powers under PHIPA,
including the authority to investigate and adjudicate complaints.
These include the authority to:
- Require a complainant to try to resolve the issue directly
with the custodian (s.57(1)(b));
- Investigate a complaint initiated by an individual or
in the absence of a complaint, self-initiate reviews (s.57
and s.58); and
- Appoint a mediator to resolve the complaint (s.57(1)(c)).
The IPC also has the authority to issue orders requiring compliance
with PHIPA, such as:
- To disclose personal health information (s.61(1)(a));
- To correct an individual's personal health information
(s.61(1)(b));
- To dispose of records of personal health information (s.61(1)(e));
and
- To change or cease a particular information practice
by a health information custodian (s.61(1)(f)).
More important for us is the ability to provide education,
research and comments on privacy issues (s.66). Our approach
is to do this through consultation, collaboration and co-operation.
Nymity: What is the purpose of PHIPA, and the
Quality of Care Information Protection Act (QOCIPA)?
Cavoukian: PHIPA establishes a
set of uniform rules about the manner in which personal health
information may be collected, used or disclosed, and includes
provisions that:
- Require patient consent for the collection, use and disclosure
of personal health information, with necessary but limited
exceptions that would allow health care providers to provide
efficient care (s.29);
- Require that health information custodians treat all
personal health information as confidential and keep it
secure (s.13);
- Strengthen an individual's right to access his/her personal
health records, as well as the right to correct errors (s.52
and s.55);
- Give a patient the right to instruct health information
custodians not to share any part of his/her personal health
information with other health care providers (s.20(2));
- Establish clear rules for the use of personal health
information for fundraising or marketing purposes (s.32);
- Set guidelines for the use and disclosure of personal
health information for research purposes (s.44);
- Ensure accountability by granting an individual the right
to complain to the IPC about the practices of a health care
organization (s.56); and
- Establish remedies for breaches of the legislation (s.61).
QOCIPA was designed to assist in reducing medical
errors, and thereby improve patient safety in hospitals, by
encouraging health care professionals to share information
and hold open discussions in order to improve patient safety
and care. Personal health information, collected by a designated
quality of care committee under QOCIPA, that contains
information relating to an adverse event, such as a patient
death or prolonged injury or illness due to a medical error,
may not be disclosed for the purposes of litigation and may
not be accessed by a patient.
QOCIPA defines a quality of care committee as a facility
that conducts quality of care and peer review activities.
Quality of care information is defined as information collected
by a quality of care committee for the purpose of carrying
out these activities.
Nymity: Who should be concerned about QOCIPA?
Cavoukian: Anyone who is in a position to
disclose quality of care information as defined by that Act,
should be concerned, as they may only disclose it as permitted
by the QOCIPA. The IPC does not have a role in administering
that Act, so one should refer to the Ministry of Health and
Long-Term Care for further information.
Nymity: What is a Health Information Custodian?
Cavoukian: A health information custodian
is essentially a health care provider who is a listed individual
or organization under PHIPA that, as a result of
their power or duties, has custody or control of personal
health information. Examples of listed health information
custodians include:
- Health care practitioners, including doctors, nurses,
pharmacists, psychologists and dentists;
- Hospitals;
- Psychiatric facilities;
- Pharmacies;
- Laboratories;
- Nursing homes and long-term care facilities;
- Retirement homes and homes for special care;
- Community care access centres;
- Ambulance services;
- Medical officers of health;
- The Minister of Health and Long-Term Care; and
- Entities that are prescribed by regulation.
A health information custodian does not include:
- An aboriginal healer or midwife who provides traditional
healing services to aboriginal persons or members of an
aboriginal community; and
- A person who provides health treatment by spiritual means
or by prayer.
Nymity: What is personal health information (PHI)?
Cavoukian: Personal health information is
“personally identifiable health information” collected
about an individual. It includes information about an individual's
health or health care history in relation to:
- The individual's physical or mental condition, including
family medical history;
- The provision of health care to the individual;
- Long-term health care services;
- The individual's health card number;
- Blood or body-part donations;
- Payment or eligibility for health care; and
- The identity of a health care provider or a substitute
decision maker for the individual.
Personal health information does not include identifying information
about an employee or agent of the custodian that is not maintained
for the provision of health care. For example, a doctor's
note to support an absence from work in the personnel file
of a secretary employed by a health information custodian
is not considered personal health information. Of course,
this means that we must understand the meaning of “identifying
information.” It is defined as meaning: “information
that identifies an individual or for which it is reasonably
foreseeable in the circumstances that it could be utilized,
either alone or with other information, to identify an individual.”
(s.4(2))
Nymity: PHIPA applies to organizations that receive
PHI from a custodian; please explain.
Cavoukian: Certain organizations, such
as insurance companies, schools and employers, who may have
custody or control of health information, are not governed
by PHIPA.
Although these organizations may hold personal health information
in their files, they are bound by PHIPA only when
they receive personal health information from a health information
custodian. When an insurance company, school or employer receives
personal health information from a custodian, the receiving
entity may only use or disclose the information for the authorized
purpose for which the information was received or for the
purpose of carrying out a statutory or legal duty. (See s.49
in regard to restrictions on these recipients.)
Nymity: Will these organizations, for the PHI they receive,
use and disclose, need to comply with both PIPEDA
and PHIPA?
Cavoukian: If recipient organizations are
subject to PIPEDA, then they may unfortunately have
to comply with both statutes, at the present time. We are
confident that PHIPA will be declared substantially
similar to PIPEDA in the near future. When that happens,
health information custodians, acting within Ontario, will
be governed solely by PHIPA. Other entities that
are still covered by PIPEDA such as non-custodians
collecting, using and disclosing PHI in the course of commercial
activities, will have to comply with the PHIPA recipient
rule as will everyone else in Ontario, when they receive PHI
from custodians.
Nymity: Is an organization that collects PHI directly from
their employees or customers subject to PHIPA?
Cavoukian: No, it is not subject to PHIPA
in regard to the PHI that it collects in that manner, with
one special exception. If the PHI it proposes to collect is
the health number or card, then PHIPA applies. There
are specific provisions regarding the collection, use and
disclosure of the health number and the production of the
health card, in the Act and the Regulation, which apply to
non-custodians (s.34 et al). Generally, these provide strong
restrictions on the collection, use and disclosure of the
health card number.
Nymity: When can an organization or individual that is
outside the list of Custodians as defined in the Act, be deemed
a custodian?
Cavoukian: I am not aware of any situation
where an organization or individual that is not in the list
of custodians as defined by the Act (which includes those
designated as such by the Regulation) would be deemed to be
a custodian. It may be that those who work for non-custodians
generally, e.g. a secretary at a manufacturing company, could,
at times, be agents of custodians. This would happen where
such a person acts on behalf of an in-house custodian, such
as a nurse, who provides health care on site to employees
of the manufacturing company. To the extent of those duties,
such a secretary could be considered to be the agent of the
custodian, but it would be incorrect to say he or she would
be deemed to be a custodian.
Nymity: Does PHIPA apply to non-custodians that
are providing PHI to a custodian, or any organization, for
example providing PHI to WSIB or an insurance company?
Cavoukian: No, unless the organization
is collecting, using or disclosing the health card number.
If the transaction relates to the health card number, then
the special health card number restrictions in PHIPA
would apply, even to non-custodians, unless they fit within
the s.34(5) exceptions to those provisions, i.e. where:
- the person who collects, uses or discloses the health
number does so for the purpose of a proceeding;
- a s.45 prescribed entity collects, uses or discloses
a health number in the course of carrying out its functions
under s.45; or
- a health data institute collects, uses and discloses
the number in the course of carrying out its s.47 and 48
functions.
Also, see sections 1, 11, 12 and 14 of the Regulation for
further particulars with respect to dealing with the health
number, that apply to various types of entities.
Nymity: When does PHIPA apply to employees of custodians
or non-custodians?
Cavoukian: As noted above, certain provisions
of PHIPA regarding the health number, as well as
the recipient rule, can apply to anyone, including employees
of custodians and non-custodians. More generally, PHIPA
applies to employees of custodians and non-custodians, when
they act as agents of custodians. Then they are governed by
the s.17 restrictions on dealing with PHI on the custodian’s
behalf.
Nymity: What is an agent?
Cavoukian: PHIPA defines an agent
to include any person who is authorized by a health information
custodian to perform services or activities on the custodian's
behalf and for the purposes of that custodian.
An agent may include an individual or company that contracts
with, is employed by or volunteers for a health information
custodian and, as a result, may have access to personal health
information. PHIPA permits custodians to provide
personal health information to their agents only if the custodian
is permitted to collect, use, disclose, retain or dispose
of the information.
For example, an agency relationship under PHIPA includes
a nurse who is employed by, or a medical student who volunteers
at, a hospital. An agency relationship may also include a
physician who is not employed by a hospital but has admitting
privileges to use the hospital's equipment or facilities.
In such cases, the custodian hospital is permitted to authorize
the agent to handle or deal with personal health information
on its behalf so long as the agent complies with PHIPA
and adopts the information practices of the custodian.
Nymity: Does an agent include third-party suppliers that
provide services to a custodian? Are third-party suppliers
subject to PHIPA, PIPEDA or both?
Cavoukian: Third-party suppliers will be
considered to be agents of custodians, if they fit within
the definition of “agent” as set out in PHIPA.
That will depend on the particular facts of the relationship.
If they are agents then they will have to follow the PHIPA
rules that relate to them. If they are engaged in commerce,
they will also be covered by PIPEDA.
Nymity: What is the “circle of care” and why
is this concept important?
Cavoukian: The “circle of care”
is not a defined term under PHIPA. It is a term of
reference used to describe health information custodians and
their authorized agents who are permitted to rely on an individual’s
implied consent when collecting, using, disclosing or handling
personal health information for the purpose of providing direct
health care.
For example,
- In a physician’s office, the circle of care would
include: the physician, the nurse, a specialist or other
health care provider referred by the physician and any other
health care professional selected by the patient, such as
a pharmacist or physiotherapist;
- In a hospital, the circle of care would include: the
attending physician and the health care team (e.g., residents,
nurses, technicians, clinical clerks and employees assigned
to the patient) who have direct responsibilities of providing
care to the individual.
The circle of care does not include:
- A physician who is not part of the direct or follow-up
treatment of an individual;
- A medical officer of health or a board of health;
- An evaluator under the Health Care Consent Act, 1996;
- An assessor under the Substitute Decisions Act, 1992;
- The Minister, together with the Ministry of Health and
Long-Term Care; and
- The Canadian Blood Services.
Nymity: What is the relationship between PHIPA and PIPEDA,
and should we expect PHIPA to be deemed substantially
similar?
Cavoukian: Ontario’s Ministry of
Health and Long-Term Care and my office have requested that
PHIPA be declared substantially similar. Both PHIPA
and PIPEDA are based on the same set of fair information
principles. Jennifer Stoddart, the federal Privacy Commissioner,
has indicated to us that, in her view, PHIPA is substantially
similar to PIPEDA. Similar statutes in British Columbia
and Alberta have now been deemed to be substantially similar,
by the federal cabinet, and we believe that this will occur
soon. So expect PHIPA to be deemed to be substantially
similar to PIPEDA, hopefully sooner than later.
Nymity: What should an organization already compliant with
PIPEDA, now subject to PHIPA, do to comply
with PHIPA?
Cavoukian: Organizations in this situation
should look at the differences between the two laws. Is PHIPA
more stringent or specific in a particular provision? If so,
you must ensure that your organization’s practices and
policies are changed to be in compliance with it.
Nymity: Are there any areas of conflict between PIPEDA
and PHIPA, for example, the consent requirements,
and if so, which would apply?
Cavoukian: Privacy Officers will need to
determine the differences, which may affect their organizations
until a declaration of substantial similarity is obtained.
This is why we are advocating that this declaration be made
as soon as possible. If both laws cover an entity, then adhering
to whichever requirements are most stringent will most
likely result in complying with both. The prevailing law over
time in Ontario will be PHIPA.
Nymity: Can the IPC levy fines? If so, what are they and
under what circumstances would a fine be considered?
Cavoukian: No, the IPC cannot levy fines.
Fines can be imposed for offences under PHIPA, but
no person other than the Attorney General or someone acting
on his behalf can commence a prosecution for an offence under
PHIPA.
Offences under PHIPA include:
- Willfully collecting, using or disclosing personal health
information in contravention of PHIPA;
- Obtaining or attempting to obtain health information
under false pretenses;
- Knowingly disposing of health records to avoid providing
access;
- Misusing Ontario health card numbers;
- Obstructing the IPC or one of its delegates in the performance
of its oversight functions;
- Disciplining or harassing an individual who has alerted
the IPC of an alleged contravention; or
- Failing to comply with an IPC order.
An individual found guilty of committing an offence under
PHIPA can be liable for a fine of up to $50,000.
An organization or institution can be liable for a fine of
up to $250,000. Any officer, member, employee or agent of
a corporation found to have authorized or acquiesced to a
breach of PHIPA can be held personally liable. Generally,
health information custodians who have acted reasonably and
in good faith will be protected from liability.
Nymity: In closing, what is the prospect of a private sector
privacy Act for Ontario? Why is it necessary?
Cavoukian: Our office has been deluged
with requests for information and assistance by large and
small businesses, as well as individual consumers who are
interested in provincial legislation for privacy in the private
sector.
Although the prospect for a private sector privacy act is
a matter of legislative prerogative, we continue to believe
that ensuring a consistent approach to organizations developing
“fair information practices” can only advance
the privacy interests of Ontario’s citizens.
Since the IPC already oversees compliance with Ontario’s
two public sector privacy laws, made-in-Ontario private sector
legislation would complete the trilogy. It would also enable
the public to go to one office within the province to address
their privacy questions and concerns. “One-stop-shopping”,
so to speak, would enable us to offer greater service to the
public as well as minimizing any Ontarian’s confusion
as to where to go to resolve their privacy concerns. The public
should not be required to know who has what jurisdiction over
which privacy laws. If they have a privacy concern, they should
be able to direct their question to one office – and
we’re hoping that in Ontario, that will be the IPC.
So we are optimistic that our legislators will see the wisdom
of this approach and that a private sector privacy act will
be introduced hopefully in the Fall of 2005 – that is
our goal.