Transcript for:
Understanding PHIPA and Health Privacy

[Music]

Personal health information is one of the most highly sensitive types of information collected about a person. Yet in order to facilitate the effective provision of health care and health research, and to manage the health system, it must be shared among a number of different people and organizations. In Ontario, the Personal Health Information Protection Act sets out rules for the collection, retention, use, disclosure and disposal of personal health information. The Information and Privacy Commissioner of Ontario acts independently of government to protect the privacy of individuals with respect to their personal information. The Commissioner is also responsible for the Personal Health Information Protection Act, including reviewing and resolving complaints under that Act.

Hello, my name is Ann Cavoukian and I'm the Information and Privacy Commissioner for the province of Ontario. As Commissioner, one of my primary roles under the Personal Health Information Protection Act is to ensure that individuals' privacy rights are respected, and an important part of that role is to make sure that the Personal Health Information Protection Act, or PHIPA as it's commonly known, is understood by the people and organizations affected by it. The purpose of this presentation is to help you gain a better understanding.

PHIPA came into effect on November 1, 2004, and is designed to balance an individual's right to privacy regarding one's own health information with the legitimate needs of the health care sector to access, use and share this information among health care providers. PHIPA achieves this balance by establishing rules for the collection, retention, use and disclosure, as well as disposal, of personal health information. These rules are primarily intended for persons and organizations defined as health information custodians and their agents. These are very important terms, both of which I'll explain further in a moment. PHIPA also provides individuals with the right to access and seek correction of their personal health information in the custody or control of health information custodians. These rights are subject to very limited exceptions and are extremely important.

Health information custodians are defined in PHIPA as certain persons or organizations with custody or control over personal health information. They include health care providers who provide health care services and health facilities such as hospitals, psychiatric facilities, long-term care facilities, pharmacies and laboratories. They also include community care access corporations, ambulance services and medical officers of health. In addition, they can include centres, programs or services for community or mental health whose primary purpose is health care. So if you are a health information custodian, the information in this video is directly applicable to you.

Those who act for or on behalf of health information custodians are known as agents under PHIPA. For example, if you are a physician, a nurse or an allied health professional who works for a health information custodian such as a hospital, or if you're a volunteer at a long-term care facility, then you are an agent under PHIPA and the information in this video also applies to you. An agent could also include an organization that has a contractual relationship with a health information custodian, such as a record storage company, a paper disposal company or an IT support service provider.

Personal health information is defined as personally identifying information about an individual in oral or recorded form. This includes information that relates to the following: to one's physical or mental health; to the provision of health care, or payment or eligibility for health care; to the donation of body parts or substances; or a health number; a plan or service under the Long-Term Care Act; or information that identifies a substitute decision-maker or a provider of health care services.

PHIPA allows for the independent review and resolution of complaints regarding the collection, retention, use, disclosure and disposal of personal health information. It also allows for the review and resolution of complaints regarding access to or correction of personal health information.

Protecting the privacy of individuals is vitally important to ensuring public confidence in our health care system. As the Information and Privacy Commissioner, I urge you to become familiar with your duties and responsibilities under the Personal Health Information Protection Act, and I look forward to working with you.

[Music]

My name is Manuela and I'm health law legal counsel here at the Office of the Information and Privacy Commissioner. You are about to see four scenarios about the protection of personal health information. You will also hear testimonials intended to help reinforce information portrayed in the scenarios. I will introduce each scenario individually and discuss each one at appropriate times during the presentation.

[Music]

The first scenario takes place in a pharmacy. Keep in mind that busy public places where personal health information may be overheard can give rise to breaches of privacy.

"Hello."
"Hi."
"Okay, that'll take a couple of minutes."
"Lauren Tabic? Lauren? Lauren Tabic? Lauren Tabic? Is there a Lauren Tabic here?"
"Yeah, I'm here. Sorry, this place is a zoo. I was just looking for something. Do I pay for this here, or do I go to the cashier?"
"You can pay for everything here, but first I need to go over your prescription with you. Have you ever taken prenatal supplements before?"
"No."
"Oh, first pregnancy?"
"Yeah."
"Anyway, you need to take two pills, one in the morning and one in the evening. These are new on the market. Before, you used to take one pill in the morning, but women found these very hard on their system. Make sure you take them on a full stomach. They're very high in iron and can make some women feel constipated or nauseous. Of course, that's on top of you already feeling nauseous."
"Okay. And does this replace the folic acid I've already been taking, or no?"
"You can stop taking the folic acid. This is all a pregnant woman needs in terms of vitamins and minerals, coupled of course with good nutrition and rest. Alicia here will ring you in."
"Okay, thank you."
"Have a good day. Oh, congratulations on your pregnancy."
"Thanks."
"That'll be $77.95."
"There you go."
"Have a good day."
"Thank you."
"Hi there."
"Oh hi, guess who I just saw?"
"Who?"
"Lauren from the clinic. Remember, the girl you were always talking with?"
"Oh yeah. Did you talk to her?"
"I don't think she recognized me. But remember that time she was telling us about her acupuncture class?"
"Right."
"And I rolled my eyes when you said they were for infertility?"
"Right. She almost bit my head off when I said it was a waste of money."
"Yeah, well, it must have worked. She was just in here buying prenatal supplements."
"Wow, you're kidding. She's pregnant? Oh, that's so exciting. I'm going to have to email her right away. The girls in the office are going to be so thrilled. One of them went to school with her cousin in Montreal, I think."
"Wow, that's great."
"Yeah. Yeah, so, three years. Anyway, listen, is your prescription ready yet?"
"I'm just going to go check."
"Okay, I'm going to do some shopping."

Breaches of privacy can happen quickly and unintentionally, especially in busy public places where other individuals may be able to overhear personal health information they're not authorized to know. Health information custodians are responsible for any personal health information in their custody or control, whether that information is in paper, electronic or verbal form, and so you must take reasonable steps to protect individuals from privacy breaches in all forms, including the auditory privacy breach portrayed in the scenario.

What could the pharmacy have done differently in the scenario you just saw to provide what is called acoustic privacy? First, an inexpensive solution would be for the pharmacy to place some lines on the floor to create a private consultation space for the pharmacist and his patient. The pharmacy could also post signs that remind patients to please stay behind the consultation lines unless they're speaking privately with the pharmacist. In addition, the pharmacy needs to create a more privacy-friendly organizational culture, where staff are reminded regularly that they are dealing with confidential and sensitive personal health information and that they may need to lower their voices when discussing personal health information. And as a health information custodian, the pharmacy needs to make available a written public statement. The statement should describe its privacy policies and procedures, how to contact the privacy contact person, how to obtain access or obtain correction to their personal health information, and how to make a complaint to the Ontario Information and Privacy Commissioner. When people have confidence that health information custodians understand the importance of protecting their personal health information, they are more likely to disclose sensitive medical information to their health care providers. This information might be highly relevant to a patient's care.

Safeguards can take on a number of different forms. The type of safeguard used depends on the format of a patient's information. For example, in our clinic we make sure all our patients' medical records, both paper and electronic, are never left unattended or in plain view of unauthorized individuals. In addition, we're careful to store records in a physically secure place, such as inside a locked filing cabinet or in a secure data centre. Our electronic medical record system also ensures that we can monitor and limit access to patient information; the kind of patient information that can be accessed depends on the user's role within the clinic. Finally, all staff at our clinic receive privacy training and sign confidentiality agreements to help ensure that they understand their privacy obligations. These types of safeguards are critical to building a patient's confidence in his or her doctor and the health care staff. Information is the lifeblood of the health care system. If patients don't have confidence in how their health care provider protects the privacy of their personal health information, they may be less likely to disclose information about sensitive health care conditions, problems like psychiatric illnesses or substance abuse or STDs. As a physician, I know this can have serious consequences for a patient's treatment and care, as well as for a patient's overall health and safety. As a busy health care provider you may not always be thinking about patient privacy, but it's a critical part of your job, especially with the new privacy laws in Ontario. The good news is that while PHIPA contains some new rules for physicians and other health care providers, the way in which you are now handling medical information is likely already permissible under PHIPA. In this sense, the law really just codifies an ongoing trust that has existed between health care providers and their patients for decades.

[Music]

The next scenario takes place in the office of a surgeon. It could be any doctor's office where personal health information is kept. Two receptionists have received a fax request from a Community Care Access Corporation, a CCAC, wanting a copy of records on one of the surgeon's patients, a Mr. Novak. The receptionists are unsure how to respond.

"Lydia, can you take a look at this?"
"Sure."
"I don't know whether we need a signed consent form or not. One of the local CCACs is asking for Mr. Novak's hip replacement records. Apparently he needs physio. Do we have a signed consent form?"
"Well, we have the one from the CCAC, but we don't have our own. I really don't think that's good enough. I've heard that there's a new privacy law, and I don't think we want to get blamed for sending Mr. Novak's health records to the CCAC without having him sign our consent form. You know what, tell the CCAC that Mr. Novak is going to have to sign our release of information form and that we could fax that over to them later this afternoon."
"Oh, okay. Thank you."

The scenario you've just seen reflects some important concepts in both PHIPA and in privacy in general, concepts such as the type of consent health information custodians must seek in certain circumstances, and the circle of care and need-to-know principles. A health information custodian cannot collect, use or disclose personal health information about an individual unless the individual consents or it is permitted or authorized by PHIPA. Where consent is required it may be implied, except where PHIPA requires express consent. However, regardless of whether a consent is express or implied, it must satisfy the requirements of PHIPA, namely: the consent must be obtained from the individual or his or her substitute decision-maker; it must be knowledgeable; it must relate to the information; and it must not be obtained through deception or coercion.

Express consent is a consent that has been explicitly provided by the individual, such as a written permission form or a verbal consent. Express consent must be obtained before disclosing personal health information to a person who is not a health information custodian. It must also be obtained before personal health information is disclosed to a health information custodian for purposes other than providing health care. Finally, express consent must be obtained prior to the collection, use or disclosure of personal health information for marketing, market research and for fundraising, if you are using more than the person's name and address.

Because the surgeon, a health information custodian, was being asked to disclose personal health information about a patient to another health information custodian, the CCAC, in order for the CCAC to provide health care to the patient, express consent was not required. This is an illustration of what is often referred to as the circle of care principle. In this type of situation, consent may be implied. Implied consent is a consent that you conclude has been given from an individual's action or inaction in particular factual circumstances. Consent may be implied to disclose personal health information to another health information custodian for the purpose of providing health care. Also, some custodians who are referred to in section 20(2) and whose core function is the direct provision of health care may assume implied consent to collect, use or disclose personal health information for the purpose of providing health care in certain circumstances. However, they cannot assume it when they are aware that the individual has withheld or withdrawn consent. For this reason, Lydia, one of the receptionists in the scenario, was incorrect in assuming that she needed express consent from the patient before disclosing personal health information to the CCAC.

Finally, let's talk about the need-to-know principle. We know that health information custodians need certain information in order to deliver safe and effective health care. However, health information custodians may not need to know all the personal health information about an individual in all situations in order to deliver safe and effective health care. PHIPA provides that a health information custodian cannot collect, use or disclose personal health information if other information will serve the purpose, nor can a custodian collect, use or disclose more personal health information than is reasonably necessary to meet the purpose.

Let's summarize the lessons learned from this scenario. First, PHIPA generally allows health information custodians to rely on implied consent when disclosing personal health information to another custodian for the delivery of health care. However, when collecting, using or disclosing personal health information, health information custodians still need to apply the need-to-know principle by asking whether the personal health information is necessary for their purposes and, if so, how much is necessary.

[Music]

No one wakes up in the morning saying, "Today I'm going to breach someone's privacy." We work in a very challenging and dynamic environment, and our first priority is to provide high-quality care to our patients. This is our mission. We must achieve this priority at the same time as we comply with a number of regulatory provisions, such as privacy. Our philosophy in the privacy office at the Ottawa Hospital is one of balance. We provide our employees with the information and tools that they need to meet their privacy obligations. We also provide our patients with the necessary information they need so that they can be confident in knowing that we have policies and procedures in place to ensure that their information is protected. PHIPA provides clarity around roles and responsibilities of health providers to our patients in a very practical and transparent way. A critical element embedded within PHIPA is the circle of care concept. The circle of care allows those health professionals engaged in delivering patient care, including any member of the health care team within a hospital, community program or long-term care setting, to share the health information necessary to provide that care unless the patient has instructed otherwise. This reflects how our patients experience care: not from one provider or institution, but from a collection of health professionals and organizations. The IPC has been of great assistance to our organization by helping us realize our objectives. Our accomplishments of the past two years are a direct result of their leadership and balanced approach. As a result, the Ottawa Hospital strongly supports the work and guidance provided by the IPC.

[Music]

My name is Deborah Grant and I'm the senior health privacy specialist with the Information and Privacy Commissioner's office. In this next scenario, a laptop and a BlackBerry containing personal health information are left unattended and are stolen from a doctor's office. Note where and how the personal health information was left, and what the participants did after the theft was discovered.

"So Dr. Robbins is the one that worked with that patient. Are you still wanting that chart?"
"Yeah, that would be good."
"Okay, we'll just step in my office and then I'll get that for you."
"I have to go for another consult in 20 minutes."
"I'll just get you that chart. That's right over here. And... what is going on here? I think my desk has been ransacked."
"Kim, are you sure?"
"Look at this. They took my computer, my BlackBerry. Oh my goodness, what am I going to do if I don't have my BlackBerry? Oh, my wallet. I wonder... my wallet's here. Okay, all right, so my wallet's here, so I don't need to replace my licence and my credit cards. But look at this. Like, I have to be at another consult in 20 minutes."
"Okay, you go ahead and we'll handle this."
"Okay. You call Jerry and file a security report."
"Thank you so much."
"No problem."
"Oh my God. Jerry, can you come in please?"
"Yeah?"
"Jerry, Kim's office has been broken into. Can you please call security?"
"I'll give him a call. I'll be right back."
"Just called security. They're on their way. They told me we shouldn't touch anything until they arrive. But do you know what's missing?"
"Well, her BlackBerry and her laptop are gone."
"Didn't we lock the front door during the staff meeting?"
"I thought we did, but let me check with Penny."
"Why don't I deal with security and you can deal with your 10 a.m. appointment?"
"Oh, Mr. Blackwell. He's already here."
"Yeah, Diane's already prepped him."
"Well, have you pulled out his charts yet?"
"Yep, he's all set to be seen. By the way, did Kim have any charts in her office?"
"Not that I know. I know she takes notes on her CBD study and that's about it. Other than that, I don't think so. But you know she's going to be really mad when she knows, like, knowing that her BlackBerry is gone."
"Well, you better get going or you're going to fall behind on your day. So why don't you take off and I'll deal with security."
"Good. Thanks."
"Hi, how are you?"
"Fine, thanks. I'm from security."
"Thanks for coming so quickly. So what do I need to do?"
"You just need to give me some information on the items that were stolen. Then I'm going to collect information, take it downstairs and compile an incident report, and forward that information off to my supervisor. We'll also inform the police services and they'll come and get some more information from you. Okay, so what was stolen?"
"Well, we know for sure that a laptop and a BlackBerry device were stolen out of this physician's office."
"Okay. And what time did the physician last see the laptop?"
"It was about a couple of hours ago. She just came back from a meeting and realized that someone had broken in."
"Okay. Was the office door left open, or did they actually break into the office?"
"We thought we locked it, but, really, to be honest, we're not really sure."

While some thefts are unavoidable, PHIPA requires health information custodians to take reasonable steps to protect personal health information against theft, loss and unauthorized use or disclosure. PHIPA also requires health information custodians to notify individuals at the first reasonable opportunity if personal health information about them is stolen, lost or accessed by unauthorized persons.

What could the clinic have done differently in the scenario you just saw? For starters, the clinic should have made sure it had appropriate safeguards in place to protect personal health information from theft, like locks on clinic entrances and windows, and a procedure for checking that all doors and windows are locked if staff are in a meeting. Health information custodians must think proactively about these safeguards. To this end, you might find it helpful to develop privacy and security checklists to ensure that you have implemented appropriate safeguards.

If a theft does occur, it's easy to worry first about whether your money, credit cards or other identification has been stolen, especially with identity theft on the rise. It's also natural to start worrying about the cost of any stolen equipment like laptops or BlackBerries, which can be expensive to replace. However, health information custodians must also think about the risk to patient privacy and their duty under PHIPA to inform affected individuals about the incident. You can contact our office or visit our website to learn about a variety of simple, cost-effective ways to inform individuals about these incidents. If you're the subject of a theft, don't assume that the stolen equipment is valuable only for its hardware. Remember that the doctor's BlackBerry contained personal health information on research subjects, and the laptop may have also contained other personal health information. Even if you believe your equipment was stolen only for its hardware value, individuals' privacy may still be at risk.

Finally, it's important to remember that leadership is necessary to establish a privacy-sensitive culture within your organization. While the physicians in the scenario you just watched may review the incident report, this isn't clear. It's also unclear whether any senior staff will help deal with building security and the police. In order for health information custodians to learn from these experiences, senior staff need to be involved in the handling and follow-up of major privacy and security breaches. Health information custodians should develop formal policies and procedures for dealing with privacy breaches and complaints. Policies and procedures should include information about what steps to follow when a privacy breach or complaint occurs, who should respond to privacy complaints, and how the organization should deal with the Information and Privacy Commissioner and the media.

Baycrest has always taken very seriously its commitment to individual privacy and the confidentiality of health information. PHIPA has given us the opportunity to revisit some of these issues and to make our policies and procedures more responsive to our clients and the needs of the health system. PHIPA has given health care organizations such as Baycrest a common framework for dealing with privacy issues. This is especially important when it comes to privacy complaints or breaches. For example, before PHIPA came into effect we experienced a minor privacy breach. Fortunately, we had policies and procedures in place for dealing with this breach, and we were able to immediately and appropriately contact the affected patients or their family members. Because the incident also involved information from patients at another hospital, we also had to work jointly with that hospital to address the breach. While Baycrest has been fortunate not to experience significant privacy complaints or breaches, we recognize how important it is for health care organizations to have a plan in place if one occurs. As Ontario health care organizations share an increasing amount of patient information over a broader continuum of care, PHIPA ensures that we all follow consistent rules for dealing with privacy breaches. Among other things, Baycrest's policies and procedures outline how to contain a privacy breach, how to notify patients or their substitute decision-makers about the breach, and how to take steps to ensure such breaches do not occur in the future. Our experience to date has shown us that our clients and families have been very appreciative of how we have handled these types of issues.

It's really important for health information custodians under PHIPA to have policies and procedures for dealing with privacy complaints and breaches, given the potential damage that can result to a patient's privacy and to a patient's faith in the health care system. Clarity is of the utmost importance in ensuring everyone understands their role in protecting personal health information and how to deal with a breach.

[Music]

In this scenario, a local emergency medical services (EMS) team wants to use personal health information for patient satisfaction surveys, educational newsletters and other purposes. However, in order to do so, it must ask local hospitals to disclose personal health information on wait times, redirect statistics (that's how often ambulances are redirected to other emergency rooms because the hospital's emergency room is full), and health outcomes for patients who have received emergency medical services.

"Hi, I'm Stan Smith."
"Oh sure, one moment please. Stan Smith to reception, please. Stan to reception."
"Hi, you must be Kristen."
"Hi, Stan, pleased to meet you."
"Kristen, we're just going to be meeting down the hall, if you want to follow me."
"That'd be great."
"Great. Sorry, here you go."
"Great, thank you."
"First of all, thank you very much for coming in today, Kristen. Shann and I would like to talk to you about a project, an EMS initiative, looking at quality of care and patient satisfaction in the region. But to use it effectively, we'd like to get some information from you."
"No problem. I have a bit of information about the initiative from our phone calls, but can you give me some more details?"
"Sure. Well, in the past six months we've been having some internal discussions regarding implementation of a new call response system on all our ambulances. But before we go any further, we need information from your hospital, and it's in regard to patient satisfaction levels and also some measure of quality of patient care. We're also hoping that your hospital will agree to be a pilot site when we do get this new initiative off the ground."
"That sounds interesting. What do you need from us?"
"Well, for starters, we'd like some basic information on wait times for beds through the hospital. We would like to look at some patients, particularly those admitted through the ER, and we'd like to get an idea of health outcomes for these patients."
"Do you know specifically what kind of information you might need?"
"No, not yet. We're hoping to work with you on that. We're hoping to gain information that we can apply to a patient information survey and mail it to all the patients in this. We're also hoping to provide an information brochure, for instance clarifying cardiac information, to all our patients. We're also wondering if we can include information questions in the survey regarding your emergency rooms, and we would forward the information back to you."
"Well, it's not going to be easy information to dig up, and we already run our own patient satisfaction surveys through our hospital association. But let me talk to my director and see what she thinks."

This scenario raises issues as to whether PHIPA permits the disclosure of personal health information by the hospital to the emergency medical service without consent, and whether PHIPA permits the uses of personal health information contemplated by emergency medical services without consent. It also raises the issue of whether personal health information is required for all the purposes identified by EMS, or whether anonymized or aggregate information is sufficient. Our office recommends that these issues be addressed in a privacy impact assessment, or a PIA. A PIA is a risk management tool that will assist a health information custodian to ensure that the collection, retention, use, disclosure or disposal of personal health information is compliant with privacy legislation, and identifies effects on privacy and ways to mitigate any privacy risk. For example, a PIA will assist the emergency medical service in determining the circumstances in which consent is required prior to any use or disclosure. Further, a PIA will help emergency medical services identify the specific data elements required, to ensure personal health information is only collected, used and disclosed when necessary and that no more personal health information is collected, used or disclosed. Once the EMS team answers these critical questions and formally outlines privacy risks and risk mitigation strategies associated with this initiative, it can work together with local hospitals to implement this project in a privacy-sensitive manner that complies with PHIPA. The Information and Privacy Commissioner's office has developed privacy impact assessment guidelines for the Personal Health Information Protection Act. These are available free of charge on our website.

There are important rules under PHIPA for the use and disclosure of personal health information for research purposes, including the requirement to prepare a research plan and to obtain research ethics board approval. PHIPA now provides concrete, consistent rules for researchers wishing to access personal health information for research purposes in Ontario. Under PHIPA, researchers are required to prepare a written application with a copy of a research plan submitted to and approved by a research ethics board, or REB. Among other things, the research plan must include a description of a number of items, including: a description of the research proposed to be undertaken and the duration of the research; the personal health information that is required and the sources; the reason the research cannot reasonably be accomplished without personal health information; why consent to the disclosure of personal health information is not being sought; the reasonably foreseeable harms and benefits that may arise from the use of the personal information and how these will be addressed; a description of the persons who will have access to the information, why their access is necessary, their roles in relation to the research and their related qualifications; how and when the personal health information will be disposed of or returned to the health information custodian; and the safeguards the researcher will impose to protect the confidentiality and security of personal information, including an estimate of how long data will be retained in identifiable form and why it is required to be retained for this length of time.

In reviewing a research plan containing all required items, the REB will address the matters it considers relevant, including: whether the research can be accomplished without personal health information; the public interest in conducting the research and the public interest in protecting the privacy of the individuals to whom the information relates; whether obtaining consent is impracticable; and whether adequate safeguards are in place to protect the confidentiality of the information and the privacy of the individual to whom the information relates.

If an REB approves a researcher's plan, you must also comply with any conditions specified by the REB; use the information only for the purpose set out in an approved research plan; not publish the information in identifying form; not disclose the information except as required by law or as prescribed; not contact the individual directly or indirectly unless the health information custodian first obtains the consent of the individual; and notify the custodian immediately if you become aware of a privacy breach or a breach of your research agreement.

If you are a researcher wishing to access personal health information in Ontario, you need to familiarize yourself with these rules. You also need to be sensitive to the fact that some data elements, such as dates of birth, date of admission or discharge, and some geographic information such as postal codes, can be used to identify individuals and could be governed by the research requirements set out in PHIPA. For more information, contact your REB or your organization's privacy contact person.

PHIPA balances an individual's right to privacy and protection of an individual's personal health information with the legitimate needs of health information custodians to access, use and share this information. This balancing act is not an easy one in the health care sector, where complex, potentially life-saving decisions must often be made in a split second. For this reason, you are strongly encouraged to take the time to build in appropriate privacy policies, procedures and safeguards so that they become part of your organizational culture. Create a culture of privacy that you can wrap around the delivery of health care services.

If you are a health information custodian, you have certain responsibilities under PHIPA. You are responsible for any personal health information in your custody or control. You must have policies and procedures in place with respect to the collection, retention, use, disclosure and disposal of personal health information; these are referred to as information practices under PHIPA. You must have policies and procedures in place with respect to the administrative, technical and physical safeguards that you have implemented to protect personal health information. You must take reasonable steps to ensure that individuals' personal health information is as accurate, complete and up to date as needed for its use or disclosure. You must protect personal health information against theft, loss and unauthorized use or disclosure. In the event that personal health information is stolen, lost or accessed by any unauthorized persons, you must notify the affected individual at the first reasonable opportunity. This requirement to notify of any breaches is especially important. You must make available to the public a written statement that describes your policies and procedures, how to contact the custodian's privacy contact person, how an individual can obtain access or request a correction to their personal health information, and how he or she can make a complaint concerning handling of personal health information to the Information and Privacy Commissioner.

Remember, PHIPA may apply to you even if you don't deliver health care services. For example, you may work in a hospital IT department and have access to personal health information on individuals, or you may work for a health information custodian in an administrative role, or in a housekeeping, meal preparation, spiritual or security role where you may have access to personal health information. So it's very important that you're aware of a patient's right to privacy and of your organization's privacy policy. Get answers to any questions you may have so that you can clearly understand the rules under PHIPA and your privacy responsibilities.

And here are a few simple tips that you can follow. Don't leave charts, computers or other devices containing personal health information unattended or in clear view. Avoid conversations in public areas where others may overhear personal health information, public areas such as hallways, elevators, food courts, parking lots or busy nursing stations. Step away from the nursing station for a few minutes so that you can have a private conversation about your patient, or, if you must talk about an individual at a crowded location such as a nursing station, it's fine to just politely ask other people, such as visitors, to perhaps just step away for a few moments. Be open to patient questions about how you protect their personal health information and any requests to access or correct their personal health information. Remember, it's their information. If you're not sure how to answer a particular question, make sure you know the name of your organization's privacy officer or contact person so that you can direct the inquiry to someone in your organization who can provide them with some help.

Finally, I realize that you may have many questions about PHIPA, which is a relatively new law. Please remember that my office is here to help you. That's our job, and we aim to please our
contact information is included here so please be sure to call us if you have any questions at all thank you very much for your time today and good luck in adding an element of privacy to the very important work that you do thank you very much [Music]