Health Sector Flashcards

1
Q

Provinces with no health sector privacy laws

A

Quebec and Nunavut

2
Q

Provinces whose laws are considered substantially similar to PIPEDA

A

Ontario PHIPA
Newfoundland and Labrador PHIA
Nova Scotia PIPA
New Brunswick PHIPAA

3
Q

Health Information Protection Act

A

Introduced in 2016
Amended Ontario PHIPA
Introduced mandatory breach reporting, increasing transparency, doubling fines to 100k for individuals and 500k for companies.
Also removed requirement to prosecute within 6 months of the alleged offence

4
Q

Nonlegal protocol dealing with patient information in certain circumstances

A

Tri-Council Policy Statement: Ethical Conduct for Research Involving Humans. It includes rules regarding privacy and confidentiality in research that are widely endorsed by the Canadian health research community.

5
Q

Personal Health Information

A

Sec 4 of Ontario PHIPA: “personal health information” means identifying information about an individual in oral or recorded form, if the information:
relates to the physical or mental health of the individual, including information that consists of the health history of the individual’s family,
relates to the providing of health care to the individual,
is a plan that sets out the home and community care services for the individual to be provided by a health service provider,
relates to payments or eligibility for health care,
relates to the donation by the individual of any body part or bodily substance of the individual or is derived from the testing or examination of any such body part or bodily substance,
is the individual’s health number,
identifies an individual’s substitute decision-maker.

Exception
(4) Personal health information does not include identifying information contained in a record that is in the custody or under the control of a health information custodian if,
(a) the identifying information contained in the record relates primarily to one or more employees or other agents of the custodian; and
(b) the record is maintained primarily for a purpose other than the provision of health care or assistance in providing health care to the employees or other agents. 2004, c. 3, Sched. A, s. 4 (

6
Q

Purpose of health information privacy laws

A

To control the collection, use and disclosure of personal health information by specified health sector participants. The end goal is to enhance privacy and confidentiality while simultaneously ensuring efficient health service delivery.

7
Q

Applicability of Provincial Privacy Laws

A

Health sector participants are called:
Trustees - Manitoba and Saskatchewan
Custodian or Health Info Custodian - Ontario, Alberta, BC, Newfoundland and Labrador, Nova Scotia, New Brunswick.

Participants include regulated healthcare professionals; hospitals; nursing homes; independent health facilities; laboratories; pharmacies; provincial health departments or ministries; certain community, regional, district or provincial health services; boards, authorities, councils or corporations; and even some colleges, universities and school boards.

8
Q

BC Approach

A

Regulate patient data, not the health info participants. “In British Columbia, the Ministry of Health establishes or designates a patient database as a “health information bank” into which patient data is to be submitted. The minister may then grant individuals, or classes of individuals, the authority to access and use such health information for specific and limited purposes. British Columbia public health officials assert that by creating a framework in which health data can be centralized, citizens will have better access and management options over their private information.”

9
Q

HINP

A

Provincial health privacy laws also control the collection, use and disclosure of personal health information by health information network providers (HINPs). HINPs are identified in Ontario’s PHIPA with slightly different names in other privacy laws. HINPs enable custodians to share personal health information through electronic means by providing them with IT services. It is important to note there are differences for HINPs outlined within the law, including, but not limited to, conducting privacy impact assessments (PIAs)/threat risk assessments (TRAs) and entering into written agreements with the custodians.

10
Q

Deidentifying Health Info

A

“The concept of deidentifying health information is found in each law. Therefore, each provides that if information is truly anonymized or deidentified, it is not protected by the law. Ontario’s law defines “identifying information” to mean information that (1) identifies an individual or (2) reasonably could be utilized, either alone or with other information, to identify an individual. It is not sufficient to simply say that information is not associated with the name of an individual. Before an organization can treat the information as not being subject to the law, it must validate that no form of data mining or data manipulation can render the information identifiable.”

11
Q

Key Obligations

A

Accountability
Openness
Consent
Oversight
Access and right to correct information
Safeguards

12
Q

Access not permitted

A

Not permitted:
1. an Act or a court order prohibits disclosure to the individual;
2. the information in the record was collected or created primarily in anticipation of or for use in a proceeding, and the proceeding, together with all appeals or processes resulting from it, have not been concluded;
3. the following conditions are met:
(i) the information was collected or created in the course of an inspection, investigation or similar procedure authorized by law, or undertaken for the purpose of the detection, monitoring or prevention of a person’s receiving or attempting to receive a service or benefit, to which the person is not entitled under an Act or a program operated by the Minister, or a payment for such a service or benefit, and
(ii) the inspection, investigation, or similar procedure, together with all proceedings, appeals or processes resulting from them, have not been concluded;
4. granting the access could reasonably be expected to,
(i) result in a risk of serious harm to the treatment or recovery of the individual or a risk of serious bodily harm to the individual or another person,
(ii) lead to the identification of a person who was required by law to provide information in the record to the custodian, or
(iii) lead to the identification of a person who provided information in the record to the custodian explicitly or implicitly in confidence if the custodian considers it appropriate in the circumstances that the identity of the person be kept confidential; or

13
Q

Accountability

A

Each law places the onus on the entity covered to remain accountable for the proper use, retention, safeguarding and disposal of the health information under its custody or control. This obligation remains even when the covered entity uses a third party to outsource some of its functions. For example, in Ontario, a health information custodian may use an agent to collect, use, disclose, retain or dispose of health information only if:

i. “The custodian is permitted or required to collect, use, disclose, retain or dispose of the information in the first place
ii. The collection, use, disclosure, retention or disposition of the information is in the course of the agent’s duties and not contrary to the limits imposed by the custodian or any other law
iii. The requirements prescribed by regulation are met”

14
Q

Consent

A

Different from other information laws because of the involvement of central government. Consent must be meaningful. Although not every law defines “meaningful consent,” the Ontario law provides some guidance.
i) It must be the consent of the individual concerned,
ii) it must be knowledgeable,
iii) it must relate to the information at issue, and
iv) it must not be obtained through deception or coercion.

“Knowledgeable” consent requires the individual to fully understand the purpose for which the information will be collected, used and disclosed or all three.

15
Q

Assumed Consent

A

Ontario PHIPA allows for inferred consent within the circle of care for providing healthcare to the individual.

Essentials for assumed implied consent:
The health information custodian (HIC) must fall within the category of custodian that can rely on assumed consent. Healthcare practitioners fall under this.
Info must be received from the individual, a substitute decision maker, or another HIC.
Info must have been used, collected, or disclosed to provide healthcare and assist in providing healthcare.
No assumed consent if info is disclosed to a person or organization that is not a HIC.
The HIC receiving the info must not be aware that the individual has withheld or withdrawn consent.
In addition, a custodian that operates a healthcare facility can imply consent to release information consisting of a patient’s name and location in the facility to a representative of a religious or other organization with which the individual is affiliated, if the individual has not exercised an entitlement to opt out of the disclosure.

16
Q

Safeguarding

A

Organisation must take necessary administrative, technical, and physical measures to protect confidentiality, security, accuracy, and integrity.

17
Q

Breach

A

Privacy legislation, including PHIPA, PHIA and PHIPAA, mandates the custodian to notify the privacy commissioner in situations where a custodian reasonably believes there has been a material breach involving the unauthorized collection, use or disclosure of personal health information. The obligation to notify includes any instance where health information is handled in a way that does not conform to the custodian’s published policy statement on its information-handling practices.

18
Q

Openness

A

Generally, the provincial laws do not strictly adhere to the same standards as, for example, PIPEDA in terms of an organization’s obligation to develop comprehensive privacy policies and make them accessible. However, the Saskatchewan commissioner recommended during a review of a particular healthcare facility’s program that printed materials and website content concerning that program should describe:
i) “The legal authority for the program
ii) The meaning of “privacy”
iii) The role of consent
iv) What the opt-out procedure is and the consequences of opting out
v) The security procedures
vi) Where the information at issue would be disclosed
vii) The linkage between the program and family physicians

The laws that more closely resemble the general privacy principle of openness belong to Ontario, Newfoundland and Labrador, and British Columbia. In these provinces, health data authorities are required to make available information that describes:

i) The data authorities’ information practices
ii) How to contact the appropriate data authority
iii) How to obtain access to or request correction of personal health information (except for British Columbia)
iv) How to file a complaint”