Interview with Sara Levine

April 2006

 

Interviewee: Sara Levine, Fasken Martineau, DuMoulin


Interviewer: Terry McQuay, President of Nymity


Subject: Agency Requirements under PHIPA

 

April 10, 2006


Nymity: How does PHIPA define an Agent?


Levine: An agent is defined in relation to a health information custodian, so that an entity or individual can be an agent under the PHIPA only if it is acting in relation to the custodian.


It must have the authorization of the custodian, and be acting for or on behalf of the custodian in respect of personal health information, for the purposes of the custodian and not its own purposes. It does not matter whether the agent is being paid, or even whether the agent is employed by the custodian. Nor does it matter whether the agent has "authority to bind the custodian", which is a reference to one of the common law requirements for establishing an agency relationship.


The point is to capture all the relationships among health care providers, employees and volunteers in the sector, as well as the service providers who do administrative things like, for example, store or dispose of records, or provide certain types of I.T. services, courier services or secretarial services.


Nymity: What are some examples of Agents?

 

Levine: Well, the health information custodian must have, in some manner, authorized the entity or individual to do something on behalf of the custodian for the custodian’s purposes. Thus if a laboratory uses a courier service to deliver reports, the courier service is delivering reports on behalf of the laboratory and is thus the laboratory’s agent. The secretary used by the school nurse to manage and administer the records of personal health information will be the nurse’s agent for that purpose. Or to use a more recent example, the record disposal service used by a health clinic is the agent of the clinic because the health clinic has a duty to ensure secure disposal and so entered into an agreement with the disposal company, authorizing the disposal company to dispose of the clinic’s records on behalf of the clinic.


Nymity: Would an employer that receives health information on one of their employees from a Custodian become an Agent?

 

Levine: Not unless the employer receives the information in order to do something for or on behalf of the custodian which is authorized by the custodian. The receipt by an employer from a custodian of an employee's personal health information does not otherwise trigger the agency provisions of the PHIPA.


Nymity: What are the Agent’s legislative responsibilities under PHIPA?

 

Levine: Section 17 of the PHIPA applies to the agency relationship. Section 17(1) applies to the custodian, and permits a health information custodian to use agents to collect, use, disclose, retain or dispose of personal health information on the custodian’s behalf only if (i) the custodian is permitted to do the same thing; (ii) the act is in the course of the agent’s duties and not contrary to the limits imposed by the custodian, the PHIPA or any other law; and (iii) the prescribed requirements are met.


Section 17(2) and s. 17(3) apply to agents. Section 17(2) prohibits an agent from collecting, using, disclosing, retaining or disposing of personal health information on a custodian’s behalf unless the custodian permits the agent to do so in accordance with subsection 17(1). Thus the custodian cannot engage the agent to do a thing that the PHIPA would not permit the custodian to do itself, and the agent must ensure that it does only those things that the custodian has granted it authority to do, because to do anything else is a breach of s. 17(2).


Finally, section 17(3) imposes the duty on the agent to notify the custodian at the first reasonable opportunity if personal information handled by the agent on the custodian’s behalf is lost, stolen or accessed by unauthorized persons.


Nymity: Can an Agent be subject to PHIPA and PIPEDA?

 

Levine: An Agent could be an entity that is subject to PIPEDA if it collects, uses and discloses personal information in the course of a commercial activity and still have to comply with PHIPA by virtue of its status as an Agent.


Nymity: In the event of a privacy breach, are both the Agent and the Custodian accountable under PHIPA?

 

Levine: Yes. Under s. 17(2) the agent is made independently accountable for compliance with the requirements imposed by the health information custodian. Any act that is not in accordance with its duties to comply with the requirements imposed by the custodian is thus a breach of s. 17(2) of the PHIPA.


The custodian is accountable because s. 17(1) makes it responsible for personal health information in its custody or control, which includes information in the hands of an agent.


Nymity: How should Custodians control their Agents?

 

Levine: Custodians should control their agents through a written agreement. However, prior to entering into any arrangement with an agent, Custodians should ensure that they are satisfied that the agent’s privacy practices are sufficient to meet the requirements imposed by the PHIPA.


The agreement should specify the nature and extent of the duties to be performed by the agent on behalf of the custodian, the security requirements to be met, the records to be kept demonstrating compliance, and the notices to be provided. The agent should notify the custodian if it is sub-contracting any of the obligations under the agreement, and the custodian may seek, if possible, agreement that its approval of the sub-agent must be obtained prior to the agent entering into the sub-contract. Finally, custodians may also wish to take steps from time to time to verify compliance with the agreement and include provisions enabling them to do so.


Nymity: What security provisions are required related to personal information?

 

Levine: Section 12 of the PHIPA imposes on Custodians the obligation to take reasonable steps to ensure the security of personal health information that is in its custody or control and protect against theft, loss and unauthorized use or disclosure, and to ensure that the records containing personal health information are protected against unauthorized copying, modification or disposal. In such circumstances, the custodian is obliged by s. 12(2) to notify the individual at the first reasonable opportunity.


Section 13 requires the health information custodian to ensure that the records of personal health information that it has in its custody or control are retained, transferred and disposed of in a secure manner and in accordance with the prescribed requirements. But care should be taken with the application of any disposal schedule, because s. 13(2) requires the custodian to ensure that upon receipt of an access request, the personal information is retained until the individual has exhausted all recourse with respect to the request. And recall that under s. 17(3), agents must notify custodians in the event of a breach.


Nymity: What does this mean in practice?

 

Levine: Well, to the extent possible, the Custodian may wish to scrutinize standard form agreements with its service providers, to ensure they are satisfied that the agreement clearly specifies the duties to be undertaken, that it complies with the requirements imposed by PHIPA and that the steps taken to protect personal health information as specified in the agreement are reasonable. Similarly, service providers may wish to clearly specify the scope of their duty to Custodians to ensure that they are capable of meeting those obligations. Specifically with respect to security issues, custodians and agents will have to ensure that the personal health information in their custody or control is protected throughout its life cycle. This means that physical security measures such as locks and organizational restrictions should be mandated, technological security measures should be used, including encryption, passwords, backups and audit trails, and it should all be subject to administrative controls, including written rules, training, scrutiny, audits and review. Often, the use of confidentiality agreements is also useful.


Of extreme importance is ensuring security at the end of the life cycle. Order HO-001 taught us that when disposing of personal health information, custodians and agents must ensure that the personal health information in the record is obliterated, which means that it is rendered impossible to read. If the record is in paper form, the custodian should ensure that it is irreversibly shredded using a method called “cross-cut” shredding. If the record is in electronic form, the information should be permanently “wiped” from the drives used, or, if that is not reasonably possible, the drives themselves should be physically destroyed. When destroying records containing personal information, an accurate record of destruction must be kept, and an attestation confirming the destruction, including the date, time and location of the destruction, and the name and signature of the employee who performed the destruction, must be kept. Health information custodians should therefore ensure that their written agreements include a requirement for the provision by their agents of an attestation of destruction.


It is important for agents to remember that Order HO-001 also taught us that when they use sub-agents to carry out any portion of the work they do on behalf of the custodian, they must have a written agreement with the sub-agent which clearly specifies the work the sub-agent is to do, and ensures that the duties imposed on the agent by the PHIPA and by the agreement between the custodian and the agent are met by the sub-agent. The agent must also notify the custodian that a sub-agent will be handling personal information.


Nymity: What should an agent do in the event of a breach?


Levine: Section 17(1) requires the agent of a health information custodian to notify the custodian at the first reasonable opportunity. Agents should also ensure that they obtain legal advice immediately upon suspecting a breach. They should investigate to determine the circumstances of the breach, try to contain it to the extent possible, and institute a privacy breach protocol which should include administrative, organizational, legal and public relations strategies.


And of course, they should review their contract with the Custodian to ensure that they comply with the obligations imposed in the contract.


Nymity: In closing, what new liabilities do Agents have as a result of PHIPA, and what might they do to minimize their risk?

 

Levine: If an agent breaches its agreement with its customer who is a health information custodian, the agent will be subject to investigation by the Information and Privacy Commissioner/Ontario, and may be the subject of an Order. The Commissioner has been very clear that, from and after November 1, 2005, all organizations or individuals subject to an Order will be identified by name. Thus there is a reputational imperative on all organizations that provide services involving personal health information to health information custodians, to ensure that they are aware of, and comply with, the obligations imposed by the PHIPA.


There is also a statutory right of action available. If the Commissioner makes an Order which becomes final as a result of there being no further right of appeal, a person affected by the Order may commence an action for damages for actual harm. Furthermore, willful contravention of many of the provisions of the PHIPA or the regulations is an offence, which may result in prosecution, conviction and fines of up to $50,000 for individuals and $250,000 for corporations. A person affected by the conduct that gave rise to the offence may also sue for damages for actual harm. In addition, up to $10,000 may be ordered as damages for mental anguish if the defendant is found to have acted willfully or recklessly.


As far as mitigating risk, agents should ensure that their privacy practices and procedures meet the requirements of the PHIPA and the requirements imposed by the agreements they have with health information custodians. They should deliver ongoing training to their staff to ensure that front-line workers clearly understand their responsibilities. And they should periodically review and audit their own practices to ensure that they are continuing to meet the standard required of them.

Contact Us | Privacy Policy | Terms of Use and Disclaimer © 2003 - 2008 NYMITY