Privacy and Confidentiality Education
In this document:
Definitions under PHIPA
PHIPA: Personal Health Information Protection Act, 2004.
HIC: Health Information Custodian; a person or organization (for example a hospital or physician) listed as a custodian under PHIPA.
PHI: Personal Health Information.
Agent: any person who is authorized by a HIC to perform services or activities on the custodian's behalf and for the purposes of the custodian.
Collection: gathering, acquiring, receiving or obtaining PHI.
Use: handling, dealing with, accessing or reproducing PHI that is in the custody or control of a custodian or its authorized agent, within the same hospital.
Disclosure: releasing or making available PHI that is in the custody or control of a custodian or its authorized agent to another custodian, organization or person outside the hospital.
PHIPA (Personal Health Information Protection Act), 2004
The Personal Health Information Protection Act, 2004 (PHIPA) is Ontario's health privacy legislation; it came into force on November 1, 2004. PHIPA governs how we collect, use, retain, transfer, disclose, provide access to and dispose of personal health information (PHI).
PHIPA applies to the individuals and organizations involved in delivering health care that the Act lists as "health information custodians" (HICs), including physicians, hospitals and other health care practitioners. The legislation also applies to agents who are authorized to act for or on behalf of a health information custodian.
This legislation gives individuals greater control over how their personal health information is collected, used and disclosed. It also allows health care practitioners to access and use personal health information as necessary to deliver adequate and timely health care.
This legislation also gives the individual the right to access and/or correct their personal health record, with limited exceptions.
The Information & Privacy Commissioner/Ontario (IPC) is the oversight body responsible for overseeing compliance with PHIPA. When privacy rights relating to personal health information have been violated, the individual has the right to raise their concerns with the hospital and to complain to the IPC.
Our responsibility under PHIPA
- Obtain the individual's consent when collecting, using and disclosing PHI, except in the limited circumstances specified under PHIPA;
- Collect PHI appropriately (by lawful means and for lawful purposes) and no more than is reasonably necessary;
- Take reasonable precautions to safeguard PHI against:
- theft or loss,
- unauthorized use, disclosure, copying, modification or destruction;
- Notify the individual at the first reasonable opportunity if their PHI is stolen, lost or accessed by an unauthorized person;
- Ensure health records are as accurate, up-to-date and complete as necessary for the purposes for which the hospital uses or discloses the PHI;
- Ensure health records are stored, transferred and disposed of in a secure manner;
- Designate a contact person who is responsible for:
- responding to access and correction requests;
- responding to inquiries about the hospital's information practices;
- receiving complaints regarding any alleged breaches of PHIPA;
- ensuring overall compliance with PHIPA;
- Provide a written statement that is readily available to the public and describes:
- NHS information practices;
- how to reach the contact person;
- how an individual may obtain access to, request a correction of, or make a complaint regarding his/her personal health information;
- Inform the individual, at the first reasonable opportunity, of any use or disclosure of their PHI made without their consent that falls outside the hospital's stated information practices;
- Ensure that all agents of the hospital are appropriately informed of their duties under PHIPA.
Individuals' rights under PHIPA
Individuals can expect to be informed how their PHI will be collected, used and disclosed by the NHS. Individuals can also expect the administrative, technical and physical safeguards for their PHI to remain in place.
PHIPA gives the individual the right to:
- understand the purpose for the collection, use and disclosure of PHI;
- refuse to give consent to the collection, use and disclosure of PHI, with the limited exceptions specified in PHIPA;
- withdraw consent by providing notice to the hospital;
- request access to one's own PHI;
- request corrections to one's own PHI;
- complain to the Information & Privacy Commissioner/Ontario (IPC) about any breach of PHIPA in the manner in which PHI has been collected, used, disclosed or handled.
NOTE: PHIPA establishes a formal process, with specified time frames, for individuals to access and correct their own personal health information, and gives them the right to complain if an access or correction request is denied.
Consent under PHIPA
The general rule is to obtain an individual's express or implied consent to collect, use and disclose PHI. PHIPA also specifies circumstances in which collection, use or disclosure is permitted without consent.
Implied consent permits the sharing of personal health information (PHI) with individuals within the "circle of care" who have direct responsibilities in providing patient care and treatment, and only on a "need-to-know" basis to perform their job duties.
Express consent is required to disclose personal health information (PHI) to a non-health information custodian, or to another custodian for a purpose other than providing health care; for example, to lawyers, insurance companies, employers, family and friends.
NOTE: Under PHIPA, consent must be knowledgeable, voluntary, related to the information and given by the individual. The individual must understand why we are collecting, using and disclosing their information. The individual has the right to withdraw their express or implied consent to the sharing of any information at any time.
A withdrawal of consent is not retroactive. It has no effect on information already collected, used or disclosed before the withdrawal, but takes effect from the time it is received.
Collection, Use and Disclosure of PHI
Rules for Collection of PHI under PHIPA
The HIC must collect personal health information directly from the individual, or from the individual's substitute decision maker, and may collect only as much information as is necessary to meet the purpose of the collection. PHIPA permits indirect collection in limited cases: where the individual consents; where direct collection is not reasonably possible and the information is necessary to provide care in a timely manner; where indirect collection is required or permitted by law; and for planning, management or research purposes, provided certain conditions are met. Refer to the Personal Health Information Protection Act, 2004 for the full list of exceptions.
Rules for Use of PHI under PHIPA
A HIC can rely on implied consent to share PHI with its agents (physicians, nursing and clerical staff), as long as the sharing is related to the provision of health care and the individual has not expressly instructed us not to share the information.
PHIPA also permits a HIC to use PHI without consent for certain purposes, including risk management, activities to improve or maintain the quality of care, obtaining payment, and research, provided the specific requirements and conditions are met. For the exceptions, refer to the Personal Health Information Protection Act, 2004.
Rules for Disclosure of PHI under PHIPA
Express consent is generally required when disclosing PHI outside the circle of care. A HIC and its agents can rely on implied consent to disclose PHI within the circle of care for the purpose of providing health care, provided the individual has not expressly stated otherwise. PHIPA also sets out exceptions that permit disclosure of PHI without consent; for these, refer to the Personal Health Information Protection Act, 2004.
Individual request to obtain access to his/her Personal Health Information
An individual may request access to his/her PHI by completing the Request for Access to Personal Health Information Form #900148, available on Source•net or in the Health Records Department. The Health Records Department will provide either access to the record or a copy of it, for a cost recovery fee. If the record cannot be provided, the individual must be given written notice with the reasons.
Staff member request to obtain access to their Personal Health Information
All staff members are to follow the same process as any individual requesting access to their personal health records.
Responding to an individual’s request for access
A response must be made no later than 30 days after the request was made. In certain instances, extensions beyond this 30-day time frame are allowed, and the Health Records Department must inform the individual in writing of the delay and the reasons for it.
Refusal to provide access to the individual's Personal Health Information
In certain situations the hospital may refuse access, for example where the information in question is subject to legal privilege; where disclosure could reasonably be expected to result in a risk of serious bodily harm to a person; where the information was collected as part of an investigation; or where another law prohibits disclosure of that information.
PHIPA permits the hospital to remove some of the information to allow partial access to the individual. If the individual is denied access to their personal health information, the individual has the right to file a complaint with the Information & Privacy Commissioner/Ontario (IPC).
Individual's request for a correction to their Personal Health Information
The individual who believes that his/her PHI is incomplete or inaccurate may request the hospital to correct his/her record. It is the responsibility of the hospital to ensure that personal health information is complete and accurate. Contact the Health Records Department to obtain the Request for Correction to Personal Health Information (form #900071).
Responding to an individual’s request for correction
The hospital must respond within 30 days of receiving a correction request. PHIPA provides limited grounds for extending this 30-day time frame.
Refusal to provide correction to the individual's personal health information
The hospital may refuse to correct personal health information that consists of a professional opinion or an observation of the health care provider.
If a correction is refused, the individual must be informed of the refusal and the reasons for it. The individual may file a complaint regarding the refusal with the Information & Privacy Commissioner/Ontario (IPC), and has the right to attach a statement of disagreement to the record.
The hospital is obligated to correct personal health information where the individual demonstrates, to the satisfaction of the hospital, that the record is in fact inaccurate or incomplete, and gives the custodian the information necessary to correct it.
What is confidentiality?
Confidential information is information of a sensitive nature, in any format, that is created or received by the organization, such as information about identifiable patients, medical staff, co-workers, donors and other individuals. Confidentiality means keeping that information private and safe from access, use or disclosure by people who are not authorized to handle it.
It is everyone's obligation to protect personal health information and to ensure that the information is accessible only to those authorized to have access.
What is privacy?
A patient’s right to control who has access to his/her personal health information and under what circumstances the information is shared with others.
What is security?
Implementing reasonable physical, technical and administrative measures to safeguard personal health information that:
- prevent unauthorized use, copying or disclosure of the information;
- protect the information during collection, storage, transfer and disposal;
- protect the integrity of the information by preventing unauthorized modification or disposal.
What is a breach of confidentiality?
A breach of confidentiality is any unauthorized access to personal health information, or any disclosure of it to a third party without the patient's consent, whether intentional or inadvertent. Disclosure can be oral, written, by telephone or fax, or electronic.
Consequences of breaching confidentiality
All breaches are taken very seriously. If it is determined that a breach of confidentiality of personal health information has occurred, appropriate remedial action will be taken. Such action may include corrective action up to and including termination of employment, loss of privileges, termination of a contract, legal action, or any similar action as determined by the hospital. Health information custodians who are members of professional colleges will be reported to their respective college in accordance with that college's protocols for reporting data protection breaches. Breaches that are criminal in nature may involve the police.
PHIPA is enforced by the Information and Privacy Commissioner/Ontario (IPC). An individual found guilty of committing an offence under PHIPA can be liable for a fine of up to $50,000. An organization or institution can be liable for a fine of up to $250,000.
If you have questions or concerns regarding privacy
Questions or concerns regarding privacy should be directed to your Manager. If more detail is required please contact the Niagara Health System Privacy Office at (905) 378-4647, ext. 44475.