Privacy Legislation

Question 1

Why was the Personal Information Protection and Electronic Documents Act (PIPEDA) created?

Answer 1

• to protect personal information from being used for another purpose other than what it was collected for
• ensure that personal information is protected by the appropriate safeguards

Question 2

What is the purpose of the Federal Privacy Act?

Answer 2

extend the present laws of Canada that protect the privacy of individuals with respect to personal information held by government institutions as well as providing individuals the right to access that information

Question 3

What is the purpose of the anti-spam legislation (CASL)?

Answer 3

-protect consumers and businesses from the misuse of digital technology (includes spam and electronic threats)
- help businesses stay competitive in a global digital marketplace

Question 4

What is the Personal Health Information Protection Act of Ontario (PHIPA)?

Answer 4

Ontario’s health-specific privacy legislation

Question 5

What is the purpose of PHIPA?

Answer 5

• governs how personal health information may be collected, used, and disclosed within the health sector
• creates a consistent approach to protecting information across the health sector
• gives individuals greater control over how their personal information is collected, used, or disclosed as well as the right the access and request corrections to their information
• provides a means for review and resolution of complaints when privacy rights have been violated

Question 6

Who does PHIPA regulate?

Answer 6

health information custodians, individuals, and organizations

Question 7

How does PHIPA define collect?

Answer 7

gather, acquire, receive, or obtain the information by any means from any source

Question 8

How does PHIPA define use?

Answer 8

view, handle, or otherwise deal with the information

Question 9

How does PHIPA define disclose?

Answer 9

make the information available to another health information custodian or another person

Question 10

What is a health information custodian (HIC)?

Answer 10

person who operates an organization that delivers healthcare as a solo practice, group practice, or organization that has a reason to know personal health information

Question 11

What is a agent of a HIC?

Answer 11

person that acts for or on behalf of the custodian

Question 12

What is considered personal health information?

Answer 12

information that can identify an individual that relates to:
- physical or mental health
- family health history
- care provided to the individual
- payment
- eligibility
- health card number
- donation or testing of body parts/body substances
- identification of the substitute decision maker
- non-health care related personal information

Question 13

How many PHIPA principles are there?

Answer 13

10

Question 14

What is PHIPA principle 1?

Answer 14

Accountability - HIC’s must take steps to ensure that records are kept in a manner that ensures that legislation and professional standards are respected

Question 15

What is PHIPA principle 2?

Answer 15

Identifying purpose - HIC’s and agents must ensure that the purpose for collecting, using, disclosing, or retaining personal health information is clear to the individual

Question 16

What is PHIPA principle 3?

Answer 16

Informed consent - there must be informed consent by the individual or by their substitute decision-maker when information is being collected, used, or disclosed

Question 17

What is PHIPA principle 4?

Answer 17

Limiting collection - HIC’s must ensure that all forms of personal health information are collected for:
a) the purposes for which they are required
b) the purposes for which individuals provide consent

Question 18

What is PHIPA principle 5?

Answer 18

Limiting, use, disclosure, and retention - HIC’s must ensure that use, disclosure, and retention policies and standards are followed

Question 19

What are legally permitted uses of personal health information?

Answer 19

• for the purposes that is was created/collected
• for planning, delivering, or monitoring services for which the custodian allocates funding or other resources
• for risk management or other activities to maintain quality of care
• for educating agents
  for obtaining payment and verifying or reimbursing claims
• for research conducted by the custodian

Question 20

What are legally permitted disclosures of personal health information?

Answer 20

• within the circle of care
• outside the circle of care with consent of the patient
• to the substitute decision maker
  within the organization for audit or accreditation purposes
• to a successor

Question 21

What is PHIPA principle 6?

Answer 21

Accuracy - HIC’s are responsible for ensuring records are accurate, complete, and up to date

Question 22

What is PHIPA principle 7?

Answer 22

Safeguards - HIC’s must take steps against theft, loss, and unauthorized use or disclosure as well as ensuring records are protected against unauthorized copying, modification, or disposal

Question 23

What is PHIPA principle 8?

Answer 23

Transparency - HIC’s must display/have an available written public statement about their privacy policies and patient/client rights

Question 24

What is an example of a privacy breach?

Answer 24

• records are seen by someone who should not see them
• emails, texts, phone calls are sent to the wrong person
• paper records are stolen
• electronic records are accessed by people who should not have access
• conversations being overheard by people outside of the circle of care

Question 25

What is PHIPA principle 9?

Answer 25

Individual access - HIC’s must provide individuals with access to their information upon request

Question 26

What is PHIPA principle 10?

Answer 26

Challenging compliance

Question 27

What are an R.Kin’s obligations in the event of a privacy breach?

Answer 27

• notify the individual whose information has been stolen/lost/used/disclosed
• notify the Information Privacy Commissioner of Ontario if required
• inform the HIC if the individual who caused the breach is an agent of a HIC

Question 28

When should an R.Kin make a report to the appropriate regulatory college in the event of a privacy breach?

Answer 28

• if disciplinary action is taken against a member of the college who is an employee of agent of the HIC
• if the employee of agent of the HIC resigns and there is reasonable ground to believe resignation is related to investigation or other action

Question 29

What is the purpose of the Health Care Consent Act?

Answer 29

• provide rules with respect to consent to treatment that apply in all settings
• facilitate treatment for persons lacking the capacity to consent
• enhance the autonomy of people who are found to be incapable of providing consent
• promote communication and understanding

Question 30

Health practitioners can only provide treatment if…

Answer 30

consent if obtained

Question 31

What are the requirements of consent?

Answer 31

• be related to the treatment being proposed
• be informed
• be voluntary
• not be obtained through misrepresentation or fraud

Question 32

What information needs to be provided before obtaining consent?

Answer 32

• nature of the treatment
• expected benefits of the treatment
• alternative courses of action
• risks/side effects of having treatment
• consequences of not having treatment