Consent Requirements Under the Personal Health Information Protection Act Debra Grant Debra Grant Office of the Information and Privacy Commissioner of Ontario EHIL Webinar May 11, 2011 Presentation Outline • Consent a Key Principle in PHIPA • General Consent Provisions of PHIPA • Circle of Care • Lock Box • General Limiting Principles • Pitfalls to Avoid When Obtaining Consent • Conclusion 1
Ontario’s Personal Health Information Protection Act (PHIPA) • Came into effect November 1 2004 • Came into effect November 1, 2004 • Based on Canada’s Fair Information Practices*: • Accountability • Safeguards • Identifying Purposes • Openness • Consent • Individual Access • Limiting Collection • Challenging Compliance • Li i i Limiting Use, Disclosure, U Di l Retention • Accuracy *CSA Standard CAN/CSA-Q830, Model Code for the Protection of Personal Information ; PHIPA has been deemed to be substantially similar to PIPEDA. Consent in the Context of PHIPA • In the absence of PHIPA, at least part of the Ontario health sector would have been covered by federal private sector privacy legislation • PIPEDA was drafted to address privacy issues in the commercial sector rather than the health sector (e.g., express consent required in the context of sensitive personal health information); • Because “substantial similarity” designation is necessary to exempt custodians from the application of PIPEDA, PHIPA had to meet the privacy standards set out in PIPEDA (e.g., PHIPA had to be a consent- based); • The standard appropriate within the health sector was determined to be “knowledgeable consent”; • PHIPA was drafted in a manner such that consent would not delay or impede the delivery of health care. 2
Collection, Use and Disclosure • Custodians may collect, use and disclose personal health information if: • The individual consents, or • The Act permits or requires the collection, use and disclosure and disclosure (Section 29) Type of Consent • Consent may be express or implied except where express • Consent may be express or implied, except where express consent is specifically required under PHIPA . (Section 18(2)); • Consent whether express or implied must meet all of the requirements for a valid consent under PHIPA. 3
Express Consent • Required when a custodian discloses to a non-custodian; • Required when a custodian discloses to another custodian for a purpose other than providing health care to the individual; • Required when a custodian collects, uses or discloses for marketing or market research; • Required when a custodian collects, uses or discloses for fundraising (if using more than name and address); (Section 18(3)) Elements of a Valid Consent • Must be a consent of the individual or his or her substitute decision-maker; decision maker; • Must be knowledgeable; • Must relate to the information; and • Must not be obtained through deception or coercion. (Section 18(1)) 4
Knowledgeable Consent • A consent to the collection, use and disclosure of personal health information is knowledgeable if it is personal health information is knowledgeable if it is reasonable in the circumstances to believe that the individual knows, – the purpose of the collection, use or disclosure, as the case may be; and – that the individual may give or withhold consent. that the individual may give or withhold consent (Section 18(5)) Ensuring that Consent is Knowledgeable – Notice of Purposes • Unless it is not reasonable in the circumstance, it is reasonable to believe that an individual knows the purpose of reasonable to believe that an individual knows the purpose of the collection, use or disclosure if the health information custodian posts or makes readily available a notice describing these purposes where it is likely to come to the individual’s attention . (Section 18(6)) 5
Notice of Purposes • A health information custodian may rely on a notice of purposes to support the reasonable belief that the individual knows the purposes of the collection use or disclosure of personal health information; the collection, use, or disclosure of personal health information; • If a health information custodian wishes to rely on a notice of purposes , the notice: • Must be posted where it is likely to come to the attention of the individual or must be provided to the individual ; • Must outline the purposes for which the health information custodian collects, uses or discloses personal health information ; and • Should advise the individual that he or she has the right to give Should advise the individual that he or she has the right to give or withhold consent; • A n otice of purposes is not required where a health information custodian may assume implied consent but it is a best practice to have a notice of purposes; Written Public Statement • Section 16(1) states that a health information custodian shall, in a manner that is practical in the circumstances, make available to the public a written statement that, (a) Provides a general description of the custodian’s information practices; (b) Describes how to contact the contact person, if the custodian has one, or the custodian, if there is no contact person; (c) Describes how an individual may obtain access to or request correction of a record of personal health information in the custody or control of the custodian; and (d) Describes how to make a complaint to the custodian and to the Commissioner. 6
“information practices” defined • Section 2 states that “information practices,” in relation to a custodian, means the policy of the custodian for actions in custodian, means the policy of the custodian for actions in relation to personal health information, including, (a) when, how and the purposes for which the custodian routinely collects, uses, modifies, discloses, retains or disposes of personal health information , and (b) the administrative, technical and physical safeguards and practices that the custodian maintains with respect to the practices that the custodian maintains with respect to the information. Short Notice Products 7
Circle of Care – Assumed Implied Consent • Certain custodians who receive personal health information from the individual or another custodian for the purpose of from the individual or another custodian for the purpose of providing health care to the individual is entitled to assume they have the individual’s implied consent to collect, use and disclose to another custodian; • Exception: Unless the custodian is aware that the individual has withdrawn his or her consent; • The inclusion of this provision further emphasizes the fact • The inclusion of this provision further emphasizes the fact that the consent requirements should never delay or impede to the provision of health care. Circle of Care: Sharing Personal Health Information for Health Care Purposes • The IPC has launched a guide to clarify the circumstances • The IPC has launched a guide to clarify the circumstances in which a health information custodian may assume implied consent and the options available to a custodian where consent cannot be implied; • The term “circle of care” is not a defined term in PHIPA ; • The term commonly used to describe the ability of certain health information custodians to assume an individual’s implied consent to collect, use or disclose personal health information for the purpose of providing health care, in circumstances defined in PHIPA. 8
Circle of Care Working Group • Office of the Information and Privacy Commissioner; O ce o t e o at o a d vacy Co ss o e ; • Ontario Medical Association; • Ontario Hospital Association; • College of Physicians and Surgeons of Ontario; • Ministry of Health and Long Term Care; • Ontario Association of Community Care Access Centres; • Ontario Long Term Care Association; • Ontario Long Term Care Association; • Ontario Association of Non-Profit Homes and Services for Seniors. Circle of Care: Sharing Personal Health Information for Health Care Purposes • Health information custodian must fall within the category of custodians that are entitled to rely on assume implied consent; entitled to rely on assume implied consent; • Information must have been received from the individual, his or her substitute decision maker or another custodian; • Information must have been received for the purpose of providing or assisting in the provision of health care to the individual; • The purpose of the collection, use and disclosure must be for the purpose of providing health care or assisting in providing health care to the individual; • Disclosures must be to another custodian; and • Custodian that receives the information must not be aware that the individual has expressly withheld or withdrawn consent to Available at www.ipc.on.ca the collection, use or disclosure. 9
Recommend
More recommend
