Tag Archives: PHIPA

Who’s the HIC?

28 Sep

Who is the “health information custodian” when an institution with an educational mandate provides health care? PHIPA gives institutions choice. Here’s a presentation I gave yesterday in which I argue that the institution (and not its employed practitioners) should assume the role of the HIC. Also includes some simple content on the new PHIPA breach notification amendment.

Consent form decision imposes strict transparency requirement for handling employee medical information

9 Aug

Disputes about employer medical information consent forms are now common. It’s not hard to pick apart a form, and employers tend to suffer “cuts and bruises.” In one such case an arbitrator has recently held that an employer must identify “anyone with whom the information would be shared” in a consent form. The arbitrator also held that an employer must subsequently (and seemingly proactively) give notice of who is handling information:

I agree with the employer that it is not practical to obtain a new consent every time a manager or HR Specialist who is absent is temporarily replaced. However, the employer must advise the employee of the employer’s need and intention to share health information with a replacement and identify that individual by name and title. This would enable the employee to revoke the consent if he/she does not wish the health information to be shared with the individual replacing the manager or HR Specialist. If and when it becomes necessary to share health information with HR or legal services in order to seek advice, or to obtain approval from senior management with delegated authority, the employee should be informed of the title or office only of the person with whom information will be shared. The employee’s consent would not be required for the employer to be able to do so.

While there’s no debating an employee’s right of control, the degree of transparency required here is very high and operationally challenging, to say the least. “Person-based consents” (as opposed to “purpose-based consents”) can also restrict important flows of information in subtle yet problematic ways.

The best argument against person-based consents is one that refers to the public policy that is reflected in the Personal Health Information Protection Act (which does not govern employers acting as employers except via section 49). Even in the health care context – where the standard should be higher, not lower than in the employment context given the limited range of information processed by employers – consent is deemed to exist for a certain purpose and information can flow to any health care provider for that purpose. This is subject to a “lock box” that gives patients the ability to shield their information from specific individuals, but the lock box essentially functions as an opt out. (For the nuances of how PHIPA’s “circle of care” concept works, see here.) Transparency is satisfied by the publication of a “written public statement” (a policy really) that “provides a general description of the custodian’s information practices.” There’s no reason to require more of employers.

OPSEU and Ontario (Treasury Board Secretariat), Re, 2017 CarswellOnt 11994.

IPC says a physician acting as assessor is not a health information custodian

5 Sep

On August 25th the IPC/Ontario held that a physician retained to complete a Custody and Access Assessment Report was not acting as a health information custodian, thereby giving helpful guidance on an issue that has been subject to great confusion.

The IPC explained:

The definition of “health care practitioner” in section 3(1) is premised on the fact that the health care practitioner must be providing health care. Further, “health care” as defined in section 2 of PHIPA must be for a “health-related purpose.” In my view, on the facts of this particular case, the service provided by Dr. Morris was not provided for a health-related purpose, but rather for the purpose of assisting the parents, and possibly the courts, to develop a parenting plan which would function in the best interests of the child. Therefore, and for the further reasons set out below, I find that Dr. Morris was not providing health care when he provided a service in this capacity. Consequently, I find that Dr. Morris was not a “health information custodian” as defined in section 3(1) for the purpose of preparing the Custody and Access Assessment Report. As set out below, this interpretation of PHIPA is consistent with the decision of this office in complaint number HC-050014-1, with the policy behind subsection 20(2) of PHIPA, with the decision of the Federal Court of Appeal in Wyndowe v. Rousseau, and with public guidance provided by the Ministry of Health and Long-Term Care in relation to the definition of “health care.”

The IPC also dealt with the Divisional Court decision that has contributed to the confusion – Hooper v College of Nurses of Ontario. The IPC said:

The Divisional Court held that pursuant to section 76 of the Health Professions Procedural Code, being Schedule 2 to the Regulated Health Professions Act, 1991, the investigator appointed by the College of Nurses of Ontario had the jurisdiction to request and use the records from the Sunnybrook and Women’s College Health Sciences Centre.  The Divisional Court further held that the Sunnybrook and Women’s College Health Sciences Centre had the jurisdiction to disclose these records to the College of Nurses of Ontario.  The Divisional Court stated that the Occupational Health and Safety Department was providing health care and therefore the information contained in the records at issue was personal health information as defined in section 4 of PHIPA. This decision does not discuss how this interpretation of “health care” would more broadly affect the collection, use, and disclosure of personal health information on the basis of assumed implied consent pursuant to section 20(2) of PHIPA.

On my review of this decision, it was not necessary for the Divisional Court to decide whether or not the Occupational Health and Safety Department was providing health care and therefore that the information contained in the records was personal health information.  If they were not records of personal health information, the disclosure would not be subject to PHIPA.  Alternatively, if they were records of personal health information, the disclosure would be permitted, as the Divisional Court noted, pursuant to sections 9(2)(e) and 43(1)(b) of PHIPA.  As a result, the statement by the Divisional Court that the Occupational Health and Safety Department was providing health care and that the information in the records was personal health information is obiter dicta as it was unnecessary to the decision in the case.

The decision in Hooper is difficult to reconcile with that in Wyndowe, where the Federal Court of Appeal confirmed that physicians performing an independent medical examination are not “health information custodians” for the purpose of PHIPA.  I note that in the Hooper case, the Divisional Court did not have this office’s interpretation of section 20(2) of PHIPA or the findings in HC-050014-1 before it.  In all these circumstances, I am satisfied that the decision in Hooper, as it relates to what constitutes health care and personal health information, is not binding on me.

This is very helpful, in particular to employers, who often face an argument that the health care practitioners they retain as assessors and consultants are subject to the “custodial” duties in PHIPA. The only section of PHIPA that typically binds employers and their assessors/consultants is section 49.

Morris (Re), 2015 CanLII 54751 (ON IPC).

IPC tweaks data security guidance from HO-013

30 Jan

Yesterday the Information & Privacy Commissioner/Ontario issued a paper called “Detecting and Deterring Unauthorized Access to Personal Health Information.” The paper adjusts and augments the detailed guidance on hospital data security the IPC provided in December when it issued HO-013.

In issuing HO-013 the IPC articulated numerous requirements in near checklist form. The IPC adds new requirements in Detecting and Deterring. Hospitals that are currently using HO-013 to conduct a gap analysis should now refer to Detecting and Deterring.

One exception to the augmentation is the IPC’s handling of “search controls” – controls that rest on limiting the search functionality of patient record systems. The IPC has backed off noticeably from HO-013 in Detecting and Deterring, which states:

With respect to search controls, it is important to note that open-ended search functionality may facilitate unauthorized access to personal health information in electronic information systems. For example, in the privacy breach involving the use and disclosure of personal health information for the purpose of selling or marketing RESPs, agents of the hospital were able to obtain lists of women who had recently given birth by performing open-ended searches of a patient index. To prevent this, custodians should ensure that the amount of personal health information that is displayed as a result of a search query is limited, while still enabling agents to carry out their employment, contractual or other duties. Open-ended searches for individuals should be prohibited by the search functionality and search capabilities of electronic information systems containing personal health information. Ideally, electronic information systems should be configured to ensure that search criteria return only one record of personal health information. If that is not feasible, then electronic information systems should be configured so that no more than five records of personal health information are displayed as a result of a search query.

The withdrawal makes sense. Search controls can put patient safety at risk, yet even rigid search controls are a questionable deterrent to intentional unauthorized access. Are bad actors really more likely to engage in unauthorized access because information is easy to find?

Hospitals should beware of the distinction between prescriptions that are recommendatory and prescriptions the IPC has the power to enforce. This is most important in considering the heavily-augmented breach response section of Detecting and Deterring. The IPC, for example, returns to an accountability-related idea it has pressed since making order HO-010 in 2010 by suggesting that hospitals should provide affected individuals with the name of “the agent that caused the privacy breach” in a breach notification letter. The IPC has the power to enforce breach response requirements that are derived from section 12 of PHIPA. A number of the prescriptions it makes on breach response (not necessarily the one I have identified above) have a tenuous connection to section 12 and can reasonably be viewed as recommendatory.

HO, HO, HO-013 – Big order for Ontario hospitals lands just before the holidays

20 Dec

On December 16th the Information and Privacy Commissioner/Ontario issued its 13th order under the Personal Health Information Protection Act. It contains very detailed prescriptions pertaining to the PHIPA data security standard in section 12. The standard is contextual – i.e., the standard of care is always based on all the “circumstances.” However, given Ontario hospitals face similar foreseeable risks, hospitals should pay very close heed to the prescriptions in HO-013.

I’ll spare you a description of the background and get to the point. Here is a bulleted summary of the data security prescriptions in HO-013. Rather than describe each in detail I will give you very short (synthesized) descriptions and page references.

  1. Ensure that patient information systems support audits and investigations of system misuse. Collect reliable data on all access, copying, disclosure, modification and disposal of patient records. Retain data for a reasonable period of time. Pages 23 to 29.
  2. Conduct periodic audits for patient information system misuse: “Audits are essential technical safeguards for electronic information systems.” Conduct random audits on all system activity. Run a special audit program for “high profile” patients. Pages 32 to 34.
  3. Ensure that patient information systems feature reasonable search controls. Search controls should limit the ability of agents to perform “open-ended” searches. Pages 29 to 32.
  4. Ensure that patient information systems feature a login notice that appears on its own screen and requires express acknowledgement. Page 22.
  5. Conduct regular and comprehensive privacy training pursuant to a privacy training program policy. Require pre-authorization training and annual re-training. Training materials should be detailed and contain certain information prescribed in HO-013. Pages 34 to 36.
  6. Communicate regularly about privacy compliance and compliance duties pursuant to a privacy awareness program policy. Page 36.
  7. Administer a “pledge of confidentiality” that contains certain information prescribed in HO-013. Require agents to sign pre-authorization and annually. Pages 37 and 38.
  8. Maintain and administer a privacy breach management policy that meets particular requirements specified in HO-013. Pages 40 and 41.

Most hospitals will already have data security programs that feature many of the elements in the list above. Regardless, there are detailed requirements in HO-013 (not included in the summary above) that invite hospitals to conduct a broad gap analysis. Some gaps are likely to be closed easily and others may require the investment of additional ongoing resources – e.g., gaps with respect to training and communication programming. The most problematic prescriptions in HO-013 are those related to the modification of patient information systems. The prescriptions regarding search controls, for example, seem problematic and may create system usability (search) problems. The responding hospital did raise concerns about usability that the IPC dismissed.
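
To make items 1 to 3 above concrete (reliable access data, random and targeted audits, and search controls), here is an added example in Python. It is not code from the IPC order, from Detecting and Deterring, or from any hospital system; the patient index, agent names and record IDs are constructed for the demonstration, and the five-record cap is taken from the fallback figure in the Detecting and Deterring passage quoted in the earlier post. The rule for what counts as an “open-ended” term (blank, one character, or containing a wildcard) is an assumption, not anything the IPC has prescribed.

```python
"""Search-control and audit-trail guard for a patient index (illustrative).

Added example only; the index, agents, thresholds and the "open-ended" rule
below are constructed assumptions, not an IPC prescription or a real system.
"""
import random
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Fallback cap from the Detecting and Deterring passage: at most five records
# displayed per query when a single-record return is not feasible.
MAX_RESULTS = 5
WILDCARDS = re.compile(r"[*%?]")

# Constructed sample index: (record id, surname, given name, date of birth).
PATIENT_INDEX = [
    ("R001", "Smith", "Anna", "1980-01-02"),
    ("R002", "Smith", "Ben", "1975-03-04"),
    ("R003", "Smith", "Cara", "1990-05-06"),
    ("R004", "Smith", "Dev", "1968-07-08"),
    ("R005", "Smith", "Eve", "1999-09-10"),
    ("R006", "Smith", "Finn", "2001-11-12"),
    ("R007", "Jones", "Anna", "1980-01-02"),
    ("R008", "Patel", "Raj", "1985-02-03"),
]


class OpenEndedSearchError(ValueError):
    """Raised when a query is refused as open-ended or as exceeding the cap."""


@dataclass
class AuditEvent:
    """One row of the access log: who did what, against which records, and how it ended."""
    ts: str
    agent: str
    action: str
    query: dict
    record_ids: list
    outcome: str


def is_open_ended(value: str) -> bool:
    """Assumption: blank, single-character or wildcard-bearing terms are open-ended."""
    v = value.strip()
    return len(v) < 2 or bool(WILDCARDS.search(v))


@dataclass
class PatientIndex:
    records: list
    audit_log: list = field(default_factory=list)

    def _log(self, agent, action, query, record_ids, outcome):
        self.audit_log.append(AuditEvent(
            datetime.now(timezone.utc).isoformat(), agent, action,
            dict(query), list(record_ids), outcome))

    def search(self, agent, surname=None, given=None, dob=None):
        """Exact-match search; every attempt is logged, including refused ones."""
        query = {k: v for k, v in {"surname": surname, "given": given, "dob": dob}.items()
                 if v is not None}
        # Refuse searches with no criteria or with any open-ended criterion.
        if not query or any(is_open_ended(v) for v in query.values()):
            self._log(agent, "search", query, [], "rejected-open-ended")
            raise OpenEndedSearchError("open-ended searches are not permitted")
        matches = [r for r in self.records if all(
            r[i].lower() == query[k].strip().lower()
            for k, i in (("surname", 1), ("given", 2), ("dob", 3)) if k in query)]
        ids = [r[0] for r in matches]
        # Enforce the display cap; the matched ids are still logged for investigators.
        if len(matches) > MAX_RESULTS:
            self._log(agent, "search", query, ids, "rejected-too-many")
            raise OpenEndedSearchError(
                f"query matched {len(matches)} records; cap is {MAX_RESULTS}")
        self._log(agent, "search", query, ids, "ok")
        return matches

    def view(self, agent, record_id):
        """Record-level access is logged on its own so a search is not the only trace."""
        rec = next((r for r in self.records if r[0] == record_id), None)
        self._log(agent, "view", {"record_id": record_id},
                  [record_id] if rec else [], "ok" if rec else "not-found")
        return rec

    def random_audit_sample(self, k, rng=None):
        """Random audit (item 2): sample k logged events for human review."""
        rng = rng or random.Random()
        return rng.sample(self.audit_log, min(k, len(self.audit_log)))

    def events_for_record(self, record_id):
        """Targeted audit for a flagged patient: every event that touched the record."""
        return [e for e in self.audit_log if record_id in e.record_ids]
```

Two design points follow from the text. A refused search is still written to the log with its outcome, so the audit trail shows what an agent tried to do and not only what succeeded; that is what makes the log usable for the investigations item 1 contemplates. And the cap is a single constant rather than a hard-coded rule, because, as noted above, a rigid cap is the part most likely to collide with clinical usability and is what the IPC later withdrew.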

Order HO-013 (IPC Ontario).

Ontario arbitrator partly allows medical information management grievance

25 Oct

On October 8th, Arbitrator Goodfellow partly allowed a grievance that challenged various ways in which an employer administered its sick leave program. In doing so, he held that:

  • absent an express prohibition in a collective agreement, an employer is entitled to use a third-party disability management administrator; and
  • absent specific collective agreement authorization, an employer cannot deprive employees of sick pay pending proof of entitlement as a matter of routine.

Arbitrator Goodfellow also made the following statement on the application of Ontario PHIPA to employers:

We agree with the Employer that it is not bound by PHIPA in its relationship to its employees. Qua long-term care provider the Employer is a “health information custodian”; qua employer it is not: see e.g. City of Kingston and Canadian Union of Public Employees, Local 109, supra.  The same is therefore true of Acclaim. PHIPA is aimed at health care providers, not employers. Neither of the cases referred to by the Union establish otherwise. While both discuss the statute, and while Sanofi Pasteur appears to accept its application, there is no indication that the matter was the subject of any submissions in those cases as it was here and in City of Kingston. Having said that, like those arbitrators, we would view the terms of PHIPA as reflecting the kinds of privacy interests to which the Employer may be held accountable under the terms of the collective agreement.

This is a helpful statement given the confusion in the case law to which Arbitrator Goodfellow refers.

Revera Long Term Care Inc (Stoneridge Manor) v Canadian Union of Public Employees, Local 2564, 2014 CanLII 58768 (ON LA).

In dispute over custodianship of medical files, balance favours established clinic

5 Jun

On May 22nd the Ontario Superior Court of Justice ordered medical files to be returned to a clinic by a departing doctor who claimed she had an independent practice and was the legal custodian of the files.

Justice Perell dismissed the defendant’s argument that a corporation could not be a “health information custodian” under the Personal Health Information Protection Act and held that the plaintiff clinic had made out a strong prima facie case that it had such status. His suggestion that the defendant was also a health information custodian could best be understood as a function of the qualified burden of proof on an interlocutory motion given, under PHIPA, there can be only one custodian of a record of personal health information.

Justice Perell’s balance of convenience analysis is noteworthy. He said the following about the public interest in providing patients with access to their personal health information pending final resolution of the dispute:

In considering the balance of convenience, it is appropriate to consider the interests of the patients whose health records have been removed from a health clinic to the home of a health care practitioner. In my opinion, a patient will have better access to his or her health records and the health care practitioner who will treat the patient during Dr. Simon’s semi-retirement will have better access to the health records if the records are at professional offices with normal business hours and full-time staff.

A plaintiff in a similar situation could similarly attempt to make a case for return of records based on a claim to relatively superior security measures, though the stakes of pursuing such an approach would be high.

Note that the plaintiff consented to a term permitting the defendant doctor to make copies of any file relating to a patient she had treated. This is a sensible thing to offer in a dispute over custodianship, but again, is inconsistent with the single custodian rule.

1615540 Ontario Inc. carrying on business as Healing Hands Message v Simon, 2013 ONSC 2986 (CanLII).