Interview with Fraser Milner Casgrain LLP
May 2004
Terry McQuay, Nymity's President, interviews Curtis
McDonnell, a Consultant at Fraser Milner Casgrain LLP, who discusses
the collection, use and disclosure of Personal Health Information
(PHI) in a private sector organization, the focus of his upcoming
presentation at Nymity's Employee
Privacy Conference on May 17th and 18th.
Nymity: Mr. McDonnell, what personal health information
(PHI) do employers collect and for what purpose?
McDonnell:
- Work related injury information
- Absence due to illness
- Qualifications for health/life insurance benefits
- Qualification for work with certain physical requirements
Nymity: What are the issues that arise and what are
the privacy considerations?
McDonnell:
- Safeguarding of information and access by supervisors
and others who may not have a need to know or right to access
sensitive Personal Health Information (PHI)
- Unauthorized access where safeguards are inadequate
- Disclosure to third parties e.g., insurers, WSIB, benefit
providers; related companies and other organizations
- Retention of information or the length of time that an
organization is permitted to keep PHI
- Access by individual to his/her personal health information
and requirement in some cases that medical information be
provided by a doctor rather than the employer
- Potential for discipline issues to be complicated if
personal health information is disclosed or used without
consent
- Additional complications for human rights claims where
personal health information is used or withheld by or from
the employer
Nymity: What are the privacy considerations that arise
from disclosure of personal health information?
McDonnell:
- Express consent of the employee is always required. Consent
should be written consent owing to the sensitive nature
of personal health information.
- The purpose of the disclosure must be clear and explicit
and made known at the time of the request for consent to
disclose. The employer can only disclose the PHI to third
parties confirmed in the consent and only for the purposes
that are consented to.
- The party receiving the PHI from the employer should
be aware of the limited scope or use that is permitted for
this information. If the employer is disclosing PHI outside
of the organization, the organization should have an agreement
in place whereby the third party agrees to follow the employer's
privacy policy or has an equivalent policy of its own. The
employer will be responsible for the use of the PHI by the
third party.
Nymity: What operational impact has PIPEDA had on federal
works regarding the collection, use and disclosure of PHI?
McDonnell: There have been several complaints
to the Privacy Commissioner of Canada (PCC) which have been
reported to the public by the PCC involving personal health
information. Federal employers need to have policies and procedures
in place to deal with the collection, use and disclosure of
PHI. Because it is sensitive information, employers also need
to ensure that they have adequate safeguards for this information.
A recent report from the PCC has indicated that employers
should not require employees to provide PHI to the employer
where the employer is only conveying the information to the
benefits provider. The employees should have the option to
convey the information directly to the benefits provider.
Nymity: What impact might PHIPA (proposed Ontario
legislation) have on Ontario employers?
McDonnell: There will not likely be
a direct impact unless the employer in Ontario obtains information
from a health care professional. If the information is provided
by the worker, PHIPA will not directly apply. The employer
becomes involved if it obtains the information from a Health
Information Custodian (HIC). However, if the employer employs
a nurse or doctor, PHIPA will regulate PHI disclosed to the
employer's nurse and/or doctor or other HICs.
Nymity: What are some considerations when dealing
with employees' access to their own personal health information?
McDonnell: Employers must be sensitive
to the nature of the PHI which has been collected and determine
whether the access should be directly provided by the employer
or whether it should be provided through a medical practitioner.
Nymity: What are some of the key considerations when
creating privacy policies and procedures for PHI?
McDonnell:
- Employers need to appoint a privacy officer responsible
for the policy
- Employers need to be aware that PHI is always considered
sensitive information. It requires safeguards which are
proportional to its sensitivity.
- Employers should keep in mind that supervisors often
maintain their own "shadow" files on the employees
that work for them. These supervisors should be aware that
when an employee provides PHI to the supervisor, and the
supervisor records it in their own file, there may not be
adequate safeguards in place, and there can be no presumption
of consent that the supervisor can disclose the information
to other employees or other supervisors. Any disclosure
should be made subject to the express consent of the employee,
obtained at the time the PHI was collected by the supervisor.
- In addition to having a policy, the employer should ensure
that staff are trained in the policy and understand that
the employer has certain obligations under PHIPA, PIPEDA
and the attendant privacy protection principles.