Week 4: Privacy

Question 1

Personal Information Protection and Electronic Documents Act (PIPEDA)

Answer 1

Federal privacy law for private-sector organizations

Question 2

What does the PIPEDA law apply to?

Answer 2

Collection, use and disclosure of personal info

Question 3

What is the purpose of PIPEDA? x4

Answer 3

-people have the right to access personal info and to challenge its accuracy

• personal info can only be used for the purposes for which it was collected
• must obtain consent again if being used for diff purpose
  personal info protected by safeguards

-personal info protected by safeguards

Question 4

What is meant by “substantially similar”?

Answer 4

Some provinces have privacy laws deemed substantially similar to PIPEDA and this means that in some circumstances the provincial law applies instead of the federal law but this may differ based on the case

Question 5

Federal privacy act purpose

Answer 5

Extend the present laws of Canada that protect the privacy of individuals personal info held by a governmental institution and that provide individuals w a right to access that info

Question 6

Which selected domains does the federal government run health care?

Answer 6

-Department of national defence
-Correctional service of Canada

Question 7

Canada’s anti-spam legislation (CASL) purpose x2

Answer 7

-To protect consumers and businesses from the misuse of digital technology, including spam and other electronic threats

-To help businesses stay competitive in a global digital marketplace

Question 8

How can you make sure you’re complying with CASL? x4

Answer 8

-Don’t send messages without consent

-Provide an opportunity for clients to say no to commercial electronic messages

-Clearly identify yourself and the organization (ie. business name, your name, current mailing address, phone number/email, an unsubscribe mechanism)

-Be truthful in advertising (ie. specify whether taxes are included)

Question 9

What is the Personal Health Information Protection Act of Ontario (PHIPA)?

Answer 9

Ontario’s health-specific privacy legislation

Question 10

What is the purpose of the Personal Health Information Protection Act of Ontario (PHIPA)? x3

Answer 10

-Governs how personal health info may be collected, used and disclosed within the health sector

-Regulates health info custodians, individuals and organizations that receive health info from custodians

-Gives individuals greater control of how personal info is collected, used and stored

Question 11

PHIPA Terms x3

Answer 11

Collect
Use
Disclose

Question 12

Collect

Answer 12

Gather, acquire or obtain the info by any means from any source
ex. Referral

Question 13

Use

Answer 13

View, Handle or Otherwise Deal w the info

Question 14

Disclose

Answer 14

Make the info available to another health info custodian or another person

Question 15

What does PHIPA require health info custodians to do before personal health info is collected, used or disclosed?

Answer 15

Obtain Consent!

Question 16

What rights does PHIPA provide for individuals? x2

Answer 16

-Right to access and request correction to personal health info

-Independent review and resolution of complaints through the Office of the Information and Privacy Commissioner of Ontario (IPS) when privacy rights have been violated

Question 17

What is a health information custodian (HIC)?

Answer 17

A person who operates an organization that delivers healthcare as a solo practice, group practice or organization (ie.hospital, LTC) that has a reason to know personal health info

Question 18

Examples of HICs x5

Answer 18

-Health Care Practitioners
-LTC Homes
-Hospitals
-Pharmacies
-Psychiatric Facilities

Question 19

Agent of a HIC

Answer 19

A person that with the authorization of the custodian, acts for or on the behalf of the custodian in respect of personal health info for the purposes of the custodian, not the agent’s own purposes

Question 20

Examples of agents of a HIC x2

Answer 20

1. Front Desk Clerk at a Clinic
2. Students

Question 21

Administrative duties of HICs x3

Answer 21

1.Develop and comply with policies with respect to when, how and the purposes for collection, use, modification and disclosure of PHI and the administrative, physical and technical safeguards that are maintained

2.Designate a contact person

3.Display a written public statement

Question 22

What does a contact person do for the HIC? x5

Answer 22

-Facilitate compliance w PHIPA

-Ensure agents are informed of duties

-Respond to public inquiries about policies

-Respond to requests for access or correction

-Receive public complaints about alleged privacy breaches

Question 23

What does the written public statement include? x4

Answer 23

1.Privacy policies of HIC and purpose of collection, use and disclosure of PHI
2.How to contact
3.How to seek access to or correction of a record
4.How to make a complaint to HCI and IPC

Question 24

HIC exceptions- dont need to adhere to PHIPA x2

Answer 24

1.Aboriginal healer or aboriginal midwife that provides treatment to members of aboriginal community

2.A person who provides treatment solely by spiritual means or prayer

Question 25

What is personal health information (PIH)?

Answer 25

Information that can identify and be connected to the health of an individual

Question 26

What must PHI related to to be defined as PHI? x7

Answer 26

-Physical or mental health of an individual, including family health history

-Health care provided or the provider

-Payment for health service or eligibly for health care services (ie. benefits, insurance)

-Health card number

-Donation or testing of body part or bodily substance

-Identification of substituted decision-maker

-Non-health care info mixed in w other PHI

Question 27

Is phone number or home address considered PHI?

Answer 27

Not unless it is part of a reference that includes PHI

Question 28

What is a registered kinesiologists obligations under PHIPA? x3

Answer 28

-Notifying the individual whose info has been stolen, lost, used or disclosed inappropriately

-Notifying the Privacy Commissioner of Ontario when required

-Informing the health info custodian at earliest convenience if the kinesiologist who caused the privacy breach is an agent of a HIC

Question 29

When are kinesiologists that are HIC required to make a report to the appropriate regulatory college? x2

Answer 29

-If disciplinary action is taken against a member of a College, who is an employee or an agent of the HIC, for a privacy breach

-If the employee or agent of the HIC resigns and the HIC has reasonable grounds to believe that the resignation is related to investigation or other action relating to privacy breach

Question 30

What do regulated health professions in Ontario have to comply to?

Answer 30

PHIPA and CASL

Question 31

What do regulated professionals who also engage in commercial activities outside of Ontario have to comply to?

Answer 31

PIPEDA

Question 32

What is the Health Care Consent Act intended to do? x5

Answer 32

1.Provide rules w respect to consent to treatment that apply in all settings

2.Facilitate treatment and enhance role of family members for persons lacking capacity to make decisions

3.Enhance autonomy for person receiving proposed treatment

4.Promotes communication and understanding

5.Permit intervention by Public Guardian and trustee as last resort to make decisions on behalf of incapable person

Question 33

How does the Health Care Consent Act enhance autonomy? x2

Answer 33

-Allowing persons found to be incapable to apply to Consent and Capacity Board for a review

-Allowing incapable persons to choose a representative to be appointed to make decisions on their behalf

Question 34

What is required under the Health Care Consent Act before a health practitioner in Ontario can provide treatment?

Answer 34

CONSENT

Question 35

What must the consent be? x4

Answer 35

1.Related to the treatment being proposed
2.Informed
3.Voluntary
4.Not obtained through misrepresentation or fraud

Question 36

What must information must be provided for an individual to give informed consent? x5

Answer 36

1.The nature of the treatment
2.The expected benefits
3.Alternative courses of action
4.Risks and side effects
5.Consequences of not having treatment

Question 37

PHIPA principles x10

Answer 37

1.Accountability
2.Identifying purpose
3.Informed consent
4.Limiting collection
5.Limiting, use, disclosure and retention
6.Accuracy
7.Safeguards
8.Transparency
9.Individual access
10.Challenging compliance

Question 38

Principle #1: Accountability

Answer 38

HICs must take reasonable steps to ensure that records are kept in a manner that ensures legislation and professional standards are respected

Question 39

Principle #2: Identifying purpose

Answer 39

HICs and their agents ensure that the purpose for which they routinely collect, use, disclose, or retain PHI is clear to the individuals whose PHI they’re managing

Question 40

Principle #3: Informed consent

Answer 40

When PHI is being collected, used, disclosed there must be informed consent, either by the individual whose PHI or by their substitute decision maker (SDM)

Question 41

Principle #4: Limiting collection

Answer 41

HICS must ensure that all forms of PHI are only collected for the purposes for which they are required and the purposes for which individuals provide consent

Question 42

Principle #5: Limiting, use, disclosure and retention–> legally permitted uses of PHI x5

Answer 42

-For the purposes for which PHI was created or collected

-For planning, delivering or monitoring services for which the custodian allocated funding

-For risk management or other activities to maintain quality of care

-For educating agents to provide care for obtaining payment, verifying or reimbursing claims etc.

-For research conducted by the custodian

Question 43

Principle #5: Limiting, use, disclosure and retention–> legally permitted disclosures of PHI are…

Answer 43

-Within the circle of care

-Outside the circle of care with the consent of the patient
to the SDM of an incapable person

-Within the organization for certain audit or accreditation purposes

-To a “successor” (person taking over as HIC) with an attempt to gain consent and an attempt to contact patients to inform them

Question 44

Principle #6: Accuracy

Answer 44

HICs are responsible for ensuring that reasonable steps are taken to ensure records are accurate, complete, and up-to-date

Question 45

Principle #7: Safeguards

Answer 45

HICs must take reasonable steps against theft, loss and unauthorized use or disclosure and to ensure that the records containing the info are protected against unauthorized copying, modification or disposal

Question 46

Safeguards examples

Answer 46

1.Physical measures
2.Administrative/organizational
3.Technological

Question 47

Safeguard examples- Physical measures

Answer 47

-Locked rooms/cabinets

-Writing “confidential” on envelopes sent out

-Securely shredding documents when it comes time for disposal

-Secure lockable file box for travelling and carrying the minimal necessary documents with you

Question 48

Administrative/Organizational x3

Answer 48

-Systems of who has access to physical locations and electronic systems

-Providing private areas for conducting conversations in person or by phone

-IT policies and processes

Question 49

Technological measures

Answer 49

1.Passwords on files, encryption
2.Ensuring data is backed up
3.Secure channels for transfers
4.Being clear about who the voicemail message is for limiting info

Question 50

Principle #8: Transparency

Answer 50

HICs must display or make available a written public statement about their privacy policies and patients/clients’ rights

Question 51

Examples of privacy breaches x4

Answer 51

-Records are seen by someone who should not see them

-Email, text messages or phone messages are sent to wrong person or are intercepted

-Paper records stolen

-Electronic records are accessed by people who should not have access

-Conservations are overheard by people outside the ‘circle of care’

Question 52

Principle #9: Individual access

Answer 52

Custodian must provide individuals w access to their personal health information upon request with rare expectations, and a valid request for access can be oral or in writing

Question 53

Principle #10: Challenging compliance

Answer 53

There are multiple powers granted to the Info and Privacy Commissioner of Ontario (IPC-O) and regulatory health colleges to investigate complaints from the public and to enforce penalties on practitioners who fall short of the expectations under the law

Question 54

Principle #5: Limiting, use, disclosure and retention–> retention policies

Answer 54

HICs responsible for ensuring that retention policies and standards are followed