Overview of the Personal Health Information Protection Act, 2004 (Ontario)

On May 20, 2004, Ontario’s Health Information Protection Act, 2004 received royal assent. It consists of two parts: the Personal Health Information Protection Act, 2004 (the “PHIPA”) and the Quality of Care Information Protection Act, 2004. This article provides an overview of the PHIPA and its impact on the collection, use and disclosure of personal health information in Ontario.

Most of the provisions of the PHIPA will come into force in Ontario on November 1, 2004. It can be expected that regulations will be made that will also affect the obligations of health information custodians and others under the PHIPA. It is important that health information custodians and others affected by the PHIPA become knowledgeable about the PHIPA and take the appropriate steps so that they will be able to comply with their obligations under the PHIPA starting November 1, 2004.

Purposes and Application of the PHIPA

One of the purposes of the PHIPA is to establish rules for the collection, use and disclosure of personal health information about individuals that protect the confidentiality of that information and the privacy of individuals with respect to that information, while facilitating the effective provision of health care.

Starting November 1, 2004, the PHIPA will apply to:

  • the collection of personal health information by a “health information custodian” (see below),
  • the use or disclosure of personal health information by a health information custodian (whether or not the information was collected prior to November 1, 2004),
  • the use or disclosure of personal health information by a person who is not a health information custodian but who has received personal health information from a health information custodian (whether or not the information was received prior to November 1, 2004), and
  • the collection, use or disclosure of a health number by a person.

Health Information Custodians

Under the PHIPA, a health information custodian (“custodian”) is defined as certain listed persons or organizations. These include a health care practitioner, a person who operates a group practice of health care practitioners, a service provider under the Long-Term Care Act, a community care access corporation, the operator of a hospital, nursing home, independent health facility, pharmacy, laboratory or specimen collection centre, ambulance service, centre, program or service for community or mental health, and the Minister of Health and Long-Term Care. The regulations made under the PHIPA may specify other custodians. The PHIPA includes certain special rules for custodians that, in essence, provide health care (see paragraphs 1, 2, 3 or 4 of the definition of “health information custodian” in subsection 3(1) of the PHIPA). In this article, a custodian that is in paragraphs 1, 2, 3 or 4 of the definition of “health information custodian” is referred to as a “custodian who is a health care provider”.

Personal Health Information

Personal health information is information, in oral or written form, that identifies an individual (or for which it is reasonably foreseeable that it could be utilized, alone or with other information, to identify an individual) and that relates to matters such as:

  • the individual’s physical or mental health,
  • the providing of health care to the individual,
  • payments or eligibility for health care in respect of the individual, or
  • the donation by the individual of a body part or bodily substance.

The individual’s health number is also personal health information.

Duties of Custodians With Respect to Personal Health Information

The PHIPA sets out the duties of custodians with respect to personal health information. These duties include the following:

(a) information practices generally

  • to have information practices that comply with the PHIPA and its regulations; and
  • where the custodian uses electronic means to collect, use, modify, disclose, retain or dispose of personal health information, to comply with any requirements under the regulations.

(b) accuracy

  • to take reasonable steps to ensure that the personal health information is as accurate, complete and up-to-date as is necessary for the purposes for which the custodian uses the information; and
  • to take reasonable steps where a custodian discloses personal health information to ensure that the information is as accurate, complete and up-to-date as is necessary for the purposes of the disclosure.

(c) contact person and responsibilities of the contact person

  • to designate a contact person, whose responsibilities include:
      • responding to inquiries from the public about the custodian’s information practices;
      • responding to requests of an individual for access to or correction of a record of personal health information about the individual; and
      • receiving complaints from the public about the custodian’s contraventions of the PHIPA or its regulations.

(d) written public statement

  • to make available to the public a written statement that describes the custodian’s information practices, how to contact its contact person, how an individual can obtain access to or request correction of a record of personal health information about the individual and how to make a complaint to the custodian and to the Commissioner (see below).

(e) security

  • to take reasonable steps to ensure that the information is protected against theft, loss, unauthorized use or disclosure; and
  • to ensure that records of personal health information are retained, transferred and disposed of in a secure manner and in accordance with any requirements made by the regulations.

(f) notification

  • to notify an individual if the information is stolen, lost or accessed by unauthorized persons; and
  • to notify an individual of any uses or disclosures of personal health information about the individual that fall outside the scope of the custodian’s description of its information practices, unless the individual has consented to the use or disclosure.

(g) limiting collection, use and disclosure

  • not to collect, use or disclose personal health information if other information can serve the purpose; and
  • to collect, use or disclose only as much personal health information as is reasonably necessary for the purpose.

If a custodian collects personal health information in contravention of the PHIPA, the custodian is prohibited from using it or disclosing it unless required by law to do so.

Consent

Consent is the underpinning of legislation concerning the privacy rights of individuals. The PHIPA provides certain circumstances under which a custodian may collect, use or disclose personal health information indirectly or without the consent of the individual to whom the personal health information relates. In all other circumstances, the PHIPA prohibits a custodian from collecting, using or disclosing personal health information about an individual unless it has the individual’s consent.

Where consent is required under the PHIPA, the consent:

  • must be a consent of the individual,
  • must be knowledgeable,
  • must relate to the information, and
  • must not be obtained through deception or coercion.

Subject to certain exceptions, a consent to the collection, use or disclosure of personal health information about an individual may be express or implied.

(a) Implied Consent within the “Circle of Care”

Under the PHIPA, a custodian who is a health care provider that receives personal health information about an individual from the individual, the individual’s substitute decision-maker or another custodian for the purpose of providing health care or assisting in the provision of health care to the individual is entitled to assume that it has the individual’s implied consent to collect, use or disclose the information for the purposes of providing health care or assisting in providing health care to the individual. If the custodian that receives the information is aware that the individual has expressly withheld or withdrawn the consent, then the custodian cannot assume that it has the individual’s implied consent.

(b) Lockbox

There is provision for an individual to withdraw consent, whether the consent is express or implied, by providing notice to the custodian. There is also a provision that recognizes that an individual may place a condition on his or her consent to have a custodian collect, use or disclose personal health information about the individual. In effect, these provisions permit an individual to create a “lockbox” with respect to the individual’s personal health information. “There is a provision in the bill called a lockbox, and it’s a provision that perhaps doesn’t enjoy universal support, but a lockbox provides that any Ontarian who so wishes to put a square, a box, a lock, a circle around any of their information to prevent its disclosure is entitled to do so.” [1]

If the individual expressly instructs the custodian not to use or disclose the personal health information (even if the personal health information may be reasonably necessary for providing health care or assisting in providing health care to the individual), the custodian is not permitted to use or disclose the information contrary to the individual’s express instruction. Where an individual consents to a custodian disclosing some but not all of the personal health information about the individual to a custodian who is a health care provider and the disclosing custodian considers that disclosure of all of the individual’s personal health information is reasonably necessary for the purpose of the provision of health care to the individual, the disclosing custodian has an obligation to notify the receiving custodian of that fact. The relationship between the “lockbox” and the provisions of the PHIPA that permit a custodian to collect, use or disclose personal health information without consent may present some challenging issues. Public hospitals have, in effect, been provided a one-year period to implement the “lockbox” (that is, by no later than November 1, 2005).

(c) Knowledgeable Consent

The PHIPA provides that a consent is knowledgeable if it is reasonable to believe that the individual knows:

  • the purposes of the collection, use or disclosure, and
  • that the individual may give or withhold consent.

The PHIPA permits a custodian to inform an individual about the purposes of the collection, use or disclosure of personal health information by posting or making available a notice where the notice is likely to come to the individual’s attention or by providing the individual with such notice. The custodian is entitled to rely on such notice as providing the individual with knowledge of the purposes of the collection, use or disclosure unless it is not reasonable in the circumstances to do so.

(d) Express Consent

A custodian must obtain an express consent under the following circumstances:

  • where the custodian makes the disclosure of personal health information to another custodian and the disclosure is not for the purposes of providing health care or assisting in providing health care, or
  • where the custodian makes a disclosure to a person that is not a custodian, unless there is a provision under the PHIPA that permits the disclosure without consent.

(e) Substitute Decision-Making

The PHIPA provides rules regarding capacity and substitute decision-making. An individual is capable of consenting to the collection, use or disclosure of personal health information if the individual is able:

  • to understand the information that is relevant to deciding whether to consent to the collection, use or disclosure, and
  • to appreciate the reasonably foreseeable consequences of giving, not giving, withholding or withdrawing the consent.

An individual is presumed to be capable of consenting to the collection, use or disclosure of personal health information. A custodian may rely on the presumption of capacity unless the custodian has reasonable grounds to believe that the individual is incapable of consenting to the collection, use or disclosure of personal health information. If an individual is incapable of giving consent, a substitute decision-maker may give consent. The PHIPA sets out a list of substitute decision-makers for an incapable individual and a ranking of substitute decision-makers.

Collection, Use or Disclosure of Personal Health Information without Consent

The PHIPA permits the collection, use and disclosure of personal health information about an individual without consent under certain circumstances. The following are some of the circumstances under which a custodian may collect personal health information about an individual indirectly:

  • where the information is reasonably necessary for providing health care or assisting in providing health care to the individual and it is not reasonably possible to collect the information in a timely manner or to collect personal health information that can be relied on as accurate; or
  • the custodian is permitted or required by law or by a treaty, agreement or arrangement made under an Act or an Act of Canada to collect the information indirectly.

The PHIPA permits the use of personal health information about an individual without consent under a number of circumstances. These circumstances include the following:

  • for planning or delivering programs or services, allocating resources to such programs or services, evaluating or monitoring such programs or services, or detecting, monitoring or preventing fraud related to such programs or services;

  • for risk management, error management or activities to improve or maintain the quality of care;
  • for educating agents to provide health care;
  • for the purpose of a proceeding in which the custodian (or the custodian’s agent) is a party or witness;
  • for research conducted by the custodian, subject to compliance with certain requirements; or
  • if permitted or required by law or by a treaty, agreement or arrangement made under an Act or an Act of Canada.

The PHIPA permits the disclosure of personal health information by a custodian without consent under a number of circumstances. These include:

  • for the purpose of providing health care to an individual if it is not reasonably possible to obtain the individual’s consent in a timely manner (but not if the individual has instructed the custodian not to disclose the information);
  • for the purpose of contacting a relative, friend or substitute decision-maker if the individual is unable to give consent personally;
  • if the custodian is a facility that provides health care, for the purpose of confirming that an individual is a patient, the individual’s general health status, and the location of the individual in the facility, unless the individual has objected to such disclosure after being provided an opportunity to do so;
  • for the purpose of determining an individual’s eligibility to receive publicly funded health care or related goods, services or benefits;
  • for the purpose of an audit or an accreditation application or review, subject to compliance with certain requirements;
  • to a person prescribed by the regulations, who compiles or maintains a registry of personal health information for purposes of facilitating or improving the provision of health care or that relates to the storage or donation of body parts or bodily substances;
  • for public health protection purposes;
  • for the purpose of eliminating or reducing a significant risk of serious bodily harm to a person or a group of persons;
  • to a College that regulates a health profession or social workers and social service workers, for the purpose of the administration or enforcement of the legislation governing such College;
  • if permitted or required by law or by a treaty, agreement or arrangement made under an Act or an Act of Canada;
  • to a researcher if the stated requirements are met, which include approval by a research ethics board of a research plan and entering into an agreement with the researcher; or
  • to an entity prescribed by the regulations, for the purpose of analysis or compiling statistical information with respect to the management of, evaluation or monitoring of, the allocation of resources to or planning for all or part of the health system, if the entity meets certain requirements.

The Minister of Health and Long-Term Care may require a custodian to disclose personal health information to a health data institute approved by the Minister for analysis with respect to the management of, evaluation or monitoring of, the allocation of resources to or planning for all or part of the health system, if certain requirements are met.

Individual’s Right of Access to a Record of Personal Health Information

The PHIPA provides that, except in certain enumerated circumstances, an individual is entitled to access to a record of personal health information about the individual that is in the custody or under the control of a custodian. The custodian has an obligation to reply to a request for access no later than 30 days after receiving the request. The 30-day time limit may be extended for a further period not to exceed 30 days under certain circumstances.

The custodian has an obligation to take reasonable steps to be satisfied as to the individual’s identity before making a record of personal health information available to an individual or providing a copy of it to an individual. A custodian may charge the individual a fee for access if the custodian first gives the individual an estimate of the fee. The amount of the fee may not exceed the amount set out in regulation or, if no regulation is made, the amount of reasonable cost recovery.

Correction

An individual who has been granted access to a record of his or her personal health information and who believes that the record is inaccurate or incomplete may request, in writing, that the custodian correct the record. Within a period of not more than 30 days, the custodian must either grant or refuse the request to correct the record. Under certain circumstances, the custodian may extend the deadline for replying for a further period of not more than 30 days. The custodian is obliged to correct the record if the individual demonstrates that the record is incomplete or inaccurate.
A custodian is not required to correct the record of personal health information if:

  • it consists of a record that was not originally created by the custodian and the custodian does not have sufficient knowledge, expertise and authority to correct the record; or
  • it consists of a professional opinion or observation that a custodian has made in good faith about the individual.

Persons Who Are Not Health Information Custodians

(a) Recipient of personal health information from a custodian

While most of the provisions of the PHIPA apply to custodians, the PHIPA also applies to a person who is not a custodian and who receives personal health information from a custodian (“recipient”). Under the PHIPA, a recipient shall not, except as permitted or required by law, use or disclose the personal health information received from a custodian for any purpose other than:

  • the purpose for which the custodian was authorized to disclose the information under the PHIPA; or
  • the purpose of carrying out a statutory or legal duty.

In addition, a recipient shall not use or disclose more of the information than is reasonably necessary to meet the purpose of the use or disclosure, unless the use or disclosure is required by law.

(b) Health number

There are specific rules governing the collection, use and disclosure of a health number by a person who is not a custodian. The PHIPA prohibits a person who is not a custodian from collecting or using another person’s health number, except for purposes related to the provision of provincially funded health resources to that individual, for purposes for which a custodian has disclosed the health number to the person, and other limited exceptions. Subject to certain exceptions, the PHIPA also prohibits a person who is not a custodian from disclosing a health number, except as required by law. Other than a person who provides a provincially funded health resource to a person who has a health card, a person may not require the production of another person’s health card.

While most of the provisions of the PHIPA apply to a custodian, a person who is not a custodian must pay careful attention to the provisions described above. A contravention of these provisions can be the basis for a complaint, a Commissioner’s self-initiated review or a prosecution for an offence (see Challenging Compliance below).

Challenging Compliance

The Commissioner under the PHIPA will be the Information and Privacy Commissioner who is appointed under the Freedom of Information and Protection of Privacy Act (Ontario). A person can make a complaint to the Commissioner under a number of circumstances, as follows:

  • if a person has reasonable grounds to believe that another person has contravened or is about to contravene a provision of the PHIPA or its regulations;
  • if a custodian has refused an access request; or
  • if a custodian has refused to correct a record of personal health information.

The Commissioner is also entitled, on his or her own initiative, to conduct a review of any matter if the Commissioner has reasonable grounds to believe that a person has contravened or is about to contravene a provision of the PHIPA or its regulations. The Commissioner has broad inspection powers in connection with conducting a review and may also require that evidence be given under oath, demand the production of documents and enquire into all information, records, information practices of a custodian and other matters that are relevant to the subject-matter of the review. After conducting a review, the Commissioner has the power to order compliance. For example, the Commissioner may:

  • direct a custodian to grant an individual access to a requested record;
  • direct a custodian to make a correction of a record of personal health information;
  • direct a person to perform a duty imposed by the PHIPA or its regulations; or
  • direct a person to implement an information practice that the Commissioner specifies.

There are also a number of offences under the PHIPA. The offences generally relate to wilful non-compliance. They include:

  • wilful collection, use or disclosure of personal health information in contravention of the PHIPA or its regulations;
  • improper collection, use or disclosure of a health number;
  • wilful obstruction of the Commissioner;
  • wilful failure to comply with an order made by the Commissioner; or
  • retaliation against a person who has alerted the Commissioner to a contravention or possible contravention of the PHIPA or its regulations or who has refused to contravene the PHIPA or its regulations.

On conviction for an offence, an individual is liable to a fine of up to $50,000 and a corporation is liable to a fine of up to $250,000.

If the Commissioner has made an order under the PHIPA that has become final, a person affected by the order may commence a proceeding in the Superior Court of Justice for damages for actual harm that the person has suffered as a result of a contravention of the PHIPA or its regulations. If a person has been convicted of an offence under the PHIPA and the conviction has become final, a person affected by the conduct that gave rise to the offence may commence a proceeding in the Superior Court of Justice for damages for actual harm that the person has suffered as a result of the conduct.

Conclusion

Most of the provisions of the PHIPA will come into force in Ontario on November 1, 2004. It can be expected that regulations will be made that will also affect the obligations of custodians and others under the PHIPA. It is important that custodians and others affected by the PHIPA become knowledgeable about the PHIPA and take the appropriate steps so that they will be able to comply with their obligations under the PHIPA starting November 1, 2004.