Interview with Ken Anderson
April 2006
Interviewee: Ken Anderson, Assistant Commissioner,
Information and Privacy Commissioner/Ontario
Interviewer: Terry McQuay, President of Nymity
Subject: Personal Health Information Protection Act (PHIPA)
April 10, 2006
Nymity: Ken, please introduce yourself and your role at
the Office of the Information and Privacy Commissioner/Ontario.
Anderson: I am the Assistant Commissioner
for Privacy at the IPC. As such I am responsible for dealing
with general privacy issues under all three pieces of legislation
that the IPC oversees. When the Personal Health Information
Protection Act (PHIPA) took effect, I was delegated the person
at the IPC responsible for implementing PHIPA. I also direct
our professional services such as Legal, Policy and Communications.
Nymity: Please introduce PHIPA and what it covers.
Anderson: The Personal Health Information
Protection Act came into force on November 1, 2004. PHIPA,
as we like to refer to it, sets out rules for the collection,
use and disclosure of personal health information by Health
Information Custodians operating in the province of Ontario.
Health Information Custodians are individuals and organizations
that are involved in the delivery of health care services,
including health care practitioners, health care facilities
and the Ministry of Health and Long Term Care. PHIPA also
sets out rules for persons who receive personal health information
from Health Information Custodians – these are called
recipient rules.
In addition to the rules for the collection, use and disclosure
of personal health information by Health Information Custodians
and the rules for recipients, PHIPA provides individuals with
the right to access and request correction of their own personal
health information. It also allows individuals to complain
to our office about privacy breaches and establishes remedies
for breaches.
And finally PHIPA sets out general privacy requirements for
the retention, organization and secure disposal of personal
health information.
Nymity: How does PHIPA being deemed substantially similar to
PIPEDA affect health care providers?
Anderson: The substantial similarity designation
is very important for all Health Information Custodians operating
in the province of Ontario. Without this designation, that
part of the health care sector that is involved in commercial
activity would have been obliged to follow the rules of PIPEDA,
as well as PHIPA. Although the rules are similar, there are
some subtle but important differences, particularly around
the consent requirements. PHIPA contains clear rules for when
consent may be implied and when it must be express. In addition,
the exceptions to consent permitted under PHIPA are specific
to that which is necessary in the health sector. PIPEDA, on
the other hand, was not designed with the health sector in
mind. With the substantial similarity designation, health
care providers in Ontario are bound by the same privacy rules
and there is only one oversight body for all privacy matters
in the health sector.
Nymity: What have been the major challenges for Healthcare
providers complying with PHIPA?
Anderson: One of the challenges for some
Health Information Custodians has been complying with the
requirement to notify individuals when their personal health
information has been stolen, lost or accessed by unauthorized
persons. With some privacy breaches, the individuals’
identities may not be known, so the custodian may not know
who to notify. In other cases, there may be a large number
of individuals whose personal health information has been
breached and notification of each individual is quite burdensome.
In such cases, a custodian may have to post notices in newspapers,
in practitioners’ offices, and in health care facilities.
In other cases, although it may be clear that personal health
information is missing, it is not clear if an unauthorized
third party has actually been able to access the information.
When notifying individuals of the loss, custodians may not
know what to tell the individual about the situation. Also,
it is important to remember that this is personal health information
and in some cases the individuals that the custodian must
notify may be experiencing life-threatening health challenges.
The last thing a health care provider wants to do is inflict
additional stress on the individual. Accordingly, notification
has to be done in an extremely sensitive manner depending
on the circumstances without raising unnecessary anxiety.
The IPC has been working closely with Health Information Custodians
to help find solutions to these issues.
Another issue for some health care facilities has been implementing
what is referred to as the “lock box”. Under PHIPA,
individuals are permitted to withdraw or withhold their implied
consent to collect, use or disclose personal health information
for the purpose of providing health care and/or give an express
instruction to a Health Information Custodian not to use or
disclose personal health information without their consent
for the purpose of providing health care (in those circumstances
where the custodian is permitted to do so).
Hospitals and other health care facilities that are using
legacy systems that were not designed to accommodate individuals’
consent preferences are having some challenges in implementing
the lock box with their existing systems. However, we are
finding that most hospitals are coming up with creative solutions
to accommodate lock box requests. In some cases, it has been
necessary to implement manual and combined manual/technical
solutions.
Nymity: Provision of healthcare versus protection of personal
health information: does PHIPA strike the right balance?
Anderson: Yes, in my view, PHIPA does strike
the appropriate balance. PHIPA was designed to allow personal
health information to flow among health care providers, but
at the same time protect the privacy of individuals. In the
health care context, consent may be implied for the collection,
use and disclosure of personal health information. But, of
course, that implied consent may be withheld or withdrawn
at any time by the individual. Outside the health care context,
express consent is generally required. Our office has received
some complaints but none that question this balance.
Nymity: Does PHIPA achieve anticipated results for patients?
Anderson: Yes, in my view, PHIPA does achieve
the anticipated results for patients. For patients there is
certainly more transparency around the collection, use and
disclosure of personal health information since PHIPA came
into force. Every Health Information Custodian is required
to have a written statement of information practices available
to the public. In addition, Health Information Custodians
can fulfill part of the consent requirements by posting or
making available written notices of the purposes for which
personal health information is collected, used and disclosed.
There is also more accountability since Health Information
Custodians are required to appoint a contact person to facilitate
compliance with PHIPA.
Also, under PHIPA individuals have a right to withdraw or
withhold their implied consent for the collection, use and
disclosure of personal health information for health care
purposes. They can also instruct a custodian not to use and
disclose personal health information without consent for health
care purposes. The fact that some custodians were opposed
to individuals being given these rights under PHIPA suggests
that individuals did not have these rights in the past.
Under PHIPA, individuals also have a clear right to access
and request correction of their own personal health information.
They can also complain to the IPC about any contraventions
of PHIPA.
Nymity: Are there changes that need to be made to PHIPA?
How would PHIPA be changed?
Anderson: Overall, I would say that PHIPA
is working very smoothly. It is business as usual in the health
sector in Ontario.
However, as is the case with every piece of legislation there
is always room for improvement. Fortunately, PHIPA contains
fairly broad regulation-making powers, so it is possible for
the government to tweak the legislation as the need arises.
The second set of regulations was published for public consultation
on March 11. The proposed regulations will, among other things,
specify the amount of fees that custodians may charge individuals
for access to their own personal health information; amend
some of the provisions relating to fundraising, and add two
more prescribed registries to the existing list.
From time to time it may be necessary to list new entities
as Health Information Custodians; other than those minor proposed
amendments, I cannot think of anything in PHIPA that needs
to be changed.
Nymity: Have there been many complaints? What are the primary
areas of patient concerns?
Anderson: As of March 15, 2006, we have
opened a total of 256 files, but only 171 of those files were
actual complaints from members of the public. The other files
were Health Information Custodian self-reported breaches or
Commissioner-initiated complaints. The majority of our complaints
from members of the public have been about access to and/or
correction of personal health information. Other complaints
are about the collection, use and disclosure of personal health
information, and a few have been about fees. To date, we have
issued only one Order.
Nymity: Please explain your office's order-making powers
and how they differ from those of the federal Privacy Commissioner's
office.
Anderson: The federal Privacy Commissioner
does not have order-making powers. She operates more or less
as an ombud and makes recommendations. Our office, on the
other hand, can issue orders that are binding on government
institutions and Health Information Custodians and their agents.
It’s a power we use as a last resort, but it’s
a useful tool to address privacy concerns.
Nymity: Please explain how your order-making powers extend
past healthcare providers to their service providers.
Anderson: The Commissioner's powers in relation
to service providers may arise in one of two ways.
First, if the service provider is an "agent" of
a Health Information Custodian, that is, the service provider
acts for or on behalf of the custodian in respect of the personal
health information and not for its own purposes, then the
Commissioner may make an order against the custodian, who
is accountable for the actions of its agents, in accordance
with section 61(1) of PHIPA. In addition, where the Commissioner
makes an order against the custodian in accordance with section
61(1), the Commissioner may further make the same order against
a service provider who is an agent of the custodian if it
is necessary to ensure the custodian complies with the order
issued against the custodian.
Second, where the service provider is not an agent and has
contravened or is about to contravene a provision in PHIPA,
the Commissioner has the power to make an order directing
any person (not just a Health Information Custodian) whose
activities the Commissioner reviewed to perform a duty imposed
by PHIPA or its regulations; to cease collecting, using or
disclosing personal health information in contravention of
PHIPA or its regulations; and to dispose of records of personal
health information if the records were collected, used or
disclosed in contravention of PHIPA or its regulations.
Again, I emphasize the fact that we attempt to resolve matters
without using an Order. Our mediation has been very successful
at resolving issues.
Nymity: The first order under PHIPA extended to the service-provider.
Please provide our subscribers a review of the order and the
impact it had on the service-provider.
Anderson: In October 2005, the Commissioner
received a telephone call from a Toronto Star reporter who
reported that records of personal health information were
strewn across the streets of downtown Toronto as part of a
film shoot. The Commissioner immediately contained the breach
by retrieving the records. Her investigation into the matter
revealed that the records were from a Toronto Clinic that
had passed the records to a Paper Disposal Company that provided
shredding services. Through a miscommunication, the Paper
Disposal Company passed the records to a recycling company
that subsequently sold the records – intact –
to a film company for use on its set.
The Commissioner ordered the Toronto Clinic to review its
information practices and to put into place a written contractual
agreement with any agent it retains to dispose of records
of personal health information. The Paper Disposal Company
was ordered to put into place a written contractual agreement
with any Health Information Custodian for whom it will shred
personal health information that includes the obligation for
it to shred securely and irreversibly and to provide an attestation
of destruction; to ensure that any handling of personal health
information by a third party company be documented in a written
contractual agreement that binds the third party to PHIPA
and its contractual agreement with the custodian; and to put
into place procedures that prevent paper records containing
personal health information designated for shredding from
being mixed together with paper that is being disposed of
through the recycling process.
So you can see that this order had a significant impact on
the information practices of the paper disposal company. The
Commissioner believes that making an order directing the paper
disposal company to change its information disposal practices
was necessary to prevent similar breaches from occurring in
the future.
For the convenience of your readers, we’ve set out the
best practices for the secure destruction of personal information
in a Fact Sheet on our Web site.
Nymity: What are the PHIPA requirements that mandate Health
Information Custodians (and their service providers) to notify
individuals if there has been a breach of their personal health
information?
Anderson: Section 12 of PHIPA requires Health
Information Custodians to notify the individual at the first
reasonable opportunity if personal health information is stolen,
lost or accessed by unauthorized persons.
Regulation 329/04 requires health information network providers
to notify every applicable Health Information Custodian at
the first reasonable opportunity, if the provider accessed,
used, disclosed or disposed of personal health information
other than in accordance with the requirements of PHIPA or
if an unauthorized person accessed the personal health information.
The custodian would then be required to notify the individual
under section 12.
The IPC has worked with institutions to promote notification
which is effective while recognizing the sensitive context
and needs of individuals whose personal health information
is involved in the breach.
Nymity: What are PHIPA requirements related to cross-border
transfers of personal health information? Has PHIPA had any
impact on outsourcing to foreign service-providers?
Anderson: PHIPA does not prohibit Health
Information Custodians from using personal health information
outside of the province. Therefore, as long as a service provider
is acting as an agent on behalf of the custodian, PHIPA would
not interfere with this activity. In addition, PHIPA generally
permits a Health Information Custodian to disclose personal
health information to a person outside of Ontario in certain
circumstances such as:
- if the individual consents,
- if PHIPA permits the disclosure,
- if the recipient performs comparable functions to a
person to whom PHIPA would permit the disclosure under
certain sections of PHIPA,
- if the disclosure is made by custodians that are prescribed
entities and the disclosure of information relates to
health care provided in Ontario to a person who is resident
in another province or territory and the disclosure is
made to the government of that province or territory for
purposes relating to health planning and health administration,
- if the disclosure is reasonably necessary for providing
health care, and
- if the disclosure is necessary for the administration
of payments.
In addition, the Canadian Institute of Health Information
is specifically permitted to disclose personal health information
outside of Ontario to a government of another province or
territory for purposes relating to health planning and health
administration if the information relates to health care provided
in Ontario to a person who is a resident of that other province
or territory. I am not aware of any impact that PHIPA has
had on outsourcing to foreign service providers.
Nymity: Do you see Ontario making changes to the Freedom
of Information and Protection of Privacy Act similar
to the changes British Columbia made to the Freedom of
Information and Protection of Privacy Act (FOIPPA) in
response to concerns related to the USA Patriot Act?
Anderson: The government of Ontario is undertaking
a review of this matter, and my office has had some discussions
with the government around this issue. To date, we do not
know what approach the government will take; however, the
IPC is committed to ensuring that any privacy issues that
come out of the review are addressed.
Our general prescription is to advise organizations to use
universal privacy precautions when outsourcing. This includes
recognition of the continued responsibility of the outsourcer,
good contract language to ensure that the agent is privacy-protective,
and ongoing monitoring to ensure compliance.
Nymity: In closing, do you expect that Ontario will enact
a private-sector privacy law similar to British Columbia and
Alberta?
Anderson: Our Commissioner has long advocated
a private sector privacy law for Ontario. It is my understanding
that there is some interest among members of the Legislature
to enact private sector privacy legislation for Ontario. However
we have no signals as to the strength of such interests nor
timing for change, but we’re hopeful.