Presentation Outline Consent a Key Principle in PHIPA General - - PDF document

1

Consent Requirements Under the Personal Health Information Protection Act Debra Grant Debra Grant

Office of the Information and Privacy Commissioner

• f Ontario

EHIL Webinar May 11, 2011

Presentation Outline

• Consent a Key Principle in PHIPA
• General Consent Provisions of PHIPA
• Circle of Care
• Lock Box
• General Limiting Principles
• Pitfalls to Avoid When Obtaining Consent
• Conclusion

2

Ontario’s Personal Health Information Protection Act (PHIPA)

• Came into effect November 1 2004
• Came into effect November 1, 2004
• Based on Canada’s Fair Information Practices*:
• Accountability
• Identifying Purposes
• Consent
• Limiting Collection

Li i i U Di l

• Safeguards
• Openness
• Individual Access
• Challenging Compliance
• Limiting Use, Disclosure,

Retention

• Accuracy

*CSA Standard CAN/CSA-Q830, Model Code for the Protection of Personal Information; PHIPA has been deemed to be substantially similar to PIPEDA.

Consent in the Context of PHIPA

• In the absence of PHIPA, at least part of the Ontario health sector would

have been covered by federal private sector privacy legislation

• PIPEDA was drafted to address privacy issues in the commercial sector

rather than the health sector (e.g., express consent required in the context

• f sensitive personal health information);
• Because “substantial similarity” designation is necessary to exempt

custodians from the application of PIPEDA, PHIPA had to meet the privacy standards set out in PIPEDA (e.g., PHIPA had to be a consent- based);

• The standard appropriate within the health sector was determined to be

“knowledgeable consent”;

• PHIPA was drafted in a manner such that consent would not delay or

impede the delivery of health care.

3

Collection, Use and Disclosure

• Custodians may collect, use and disclose personal

health information if:

• The individual consents, or
• The Act permits or requires the collection, use

and disclosure and disclosure (Section 29)

Type of Consent

• Consent may be express or implied except where express
• Consent may be express or implied, except where express

consent is specifically required under PHIPA. (Section 18(2));

• Consent whether express or implied must meet all of the

requirements for a valid consent under PHIPA.

4

Express Consent

• Required when a custodian discloses to a non-custodian;
• Required when a custodian discloses to another custodian for a

purpose other than providing health care to the individual;

• Required when a custodian collects, uses or discloses for marketing or

market research;

• Required when a custodian collects, uses or discloses for fundraising

(if using more than name and address); (Section 18(3))

Elements of a Valid Consent

• Must be a consent of the individual or his or her substitute

decision-maker; decision maker;

• Must be knowledgeable;
• Must relate to the information; and
• Must not be obtained through deception or coercion.

(Section 18(1))

5

Knowledgeable Consent

• A consent to the collection, use and disclosure of

personal health information is knowledgeable if it is personal health information is knowledgeable if it is reasonable in the circumstances to believe that the individual knows, – the purpose of the collection, use or disclosure, as the case may be; and that the individual may give or withhold consent – that the individual may give or withhold consent. (Section 18(5))

Ensuring that Consent is Knowledgeable – Notice of Purposes

• Unless it is not reasonable in the circumstance, it is

reasonable to believe that an individual knows the purpose of reasonable to believe that an individual knows the purpose of the collection, use or disclosure if the health information custodian posts or makes readily available a notice describing these purposes where it is likely to come to the individual’s attention. (Section 18(6))

6

Notice of Purposes

• A health information custodian may rely on a notice of purposes to

support the reasonable belief that the individual knows the purposes of the collection use or disclosure of personal health information; the collection, use, or disclosure of personal health information;

• If a health information custodian wishes to rely on a notice of purposes,

the notice:

• Must be posted where it is likely to come to the attention of the

individual or must be provided to the individual;

• Must outline the purposes for which the health information

custodian collects, uses or discloses personal health information; and

• Should advise the individual that he or she has the right to give

Should advise the individual that he or she has the right to give

• r withhold consent;
• A notice of purposes is not required where a health information

custodian may assume implied consent but it is a best practice to have a notice of purposes;

Written Public Statement

• Section 16(1) states that a health information custodian shall, in a

manner that is practical in the circumstances, make available to the public a written statement that, (a) Provides a general description of the custodian’s information practices; (b) Describes how to contact the contact person, if the custodian has

• ne, or the custodian, if there is no contact person;

(c) Describes how an individual may obtain access to or request correction of a record of personal health information in the custody or control of the custodian; and (d) Describes how to make a complaint to the custodian and to the Commissioner.

7

“information practices” defined

• Section 2 states that “information practices,” in relation to a

custodian, means the policy of the custodian for actions in custodian, means the policy of the custodian for actions in relation to personal health information, including, (a) when, how and the purposes for which the custodian routinely collects, uses, modifies, discloses, retains or disposes of personal health information, and (b) the administrative, technical and physical safeguards and practices that the custodian maintains with respect to the practices that the custodian maintains with respect to the information.

Short Notice Products

8

Circle of Care – Assumed Implied Consent

• Certain custodians who receive personal health information

from the individual or another custodian for the purpose of from the individual or another custodian for the purpose of providing health care to the individual is entitled to assume they have the individual’s implied consent to collect, use and disclose to another custodian;

• Exception: Unless the custodian is aware that the individual

has withdrawn his or her consent;

• The inclusion of this provision further emphasizes the fact
• The inclusion of this provision further emphasizes the fact

that the consent requirements should never delay or impede to the provision of health care.

Circle of Care: Sharing Personal Health Information for Health Care Purposes

• The IPC has launched a guide to clarify the circumstances
• The IPC has launched a guide to clarify the circumstances

in which a health information custodian may assume implied consent and the options available to a custodian where consent cannot be implied;

• The term “circle of care” is not a defined term in PHIPA;
• The term commonly used to describe the ability of certain

health information custodians to assume an individual’s implied consent to collect, use or disclose personal health information for the purpose of providing health care, in circumstances defined in PHIPA.

9

Circle of Care Working Group

• Office of the Information and Privacy Commissioner;

O ce o t e

• at o a d

vacy Co ss o e ;

• Ontario Medical Association;
• Ontario Hospital Association;
• College of Physicians and Surgeons of Ontario;
• Ministry of Health and Long Term Care;
• Ontario Association of Community Care Access Centres;
• Ontario Long Term Care Association;
• Ontario Long Term Care Association;
• Ontario Association of Non-Profit Homes and Services for

Seniors.

Circle of Care: Sharing Personal Health Information for Health Care Purposes

• Health information custodian must fall

within the category of custodians that are entitled to rely on assume implied consent; entitled to rely on assume implied consent;

• Information must have been received from

the individual, his or her substitute decision maker or another custodian;

• Information must have been received for the

purpose of providing or assisting in the provision of health care to the individual;

• The purpose of the collection, use and

disclosure must be for the purpose of

Available at www.ipc.on.ca

providing health care or assisting in providing health care to the individual;

• Disclosures must be to another custodian;

and

• Custodian that receives the information must

not be aware that the individual has expressly withheld or withdrawn consent to the collection, use or disclosure.

10

Lock Box: Withdrawal of Consent

• If an individual consents to have a custodian collect, use or disclose

personal health information, the individual may withdraw consent, whether the consent is express or implied by providing notice to the whether the consent is express or implied, by providing notice to the health information custodian, but the withdrawal of the consent shall not have retroactive effect (section 19(1));

• Certain custodians who receive personal health information from the

individual, the individual’s substitute decision-maker or another custodian, are entitled to assume that they have the individual’s implied consent to collect, use or disclose the information for the purpose of providing health care to the individual, unless the custodian is aware that the individual has expressly withheld or withdrawn consent (section the individual has expressly withheld or withdrawn consent (section 20(2));

• Note that withdrawal of consent or express instructions need not be in

writing – custodians should document individual’s request.

Lock Box: Express Instructions

• Custodians may use personal health information, without consent, for the

purpose for which it was collected, but not if the individual expressly i t t th i ( ti 37(1)( )) instructs otherwise (section 37(1)(a));

• Custodians may disclose personal health information, without consent, to

certain custodians, if the disclosure is necessary to provide health care and it is not possible to obtain consent in a timely manner, but not if the individual has expressly instructed the custodian not to make the disclosure; (section 38(1)(a));

• Custodians may disclose personal health information, without consent, if

the disclosure is necessary to provide health care, but not if the individual has expressly instructed the custodian not to make the disclosure (section 50(1)(e)).

11

Conditions on Consent

• Individual must provide notice to the custodian (can be

provided verbally or in writing); provided verbally or in writing);

• An individual may not place a condition on his or her consent

to have a custodian collect, use or disclose personal health information that prohibits or restricts any recording of personal health information that is required by law or by established standards of professional practice or institutional practice; practice;

• There are no other conditions or restrictions placed on an

individual who wishes to withdraw or withhold consent or provide an express instruction.

Alternatives When You Cannot Rely of Assumed Implied Consent

• Some collections, uses and disclosures of personal health

information are permitted without consent;

• Custodians may rely on implied consent for most purposes –

custodians must ensure that all elements of consent are met – this cannot be assumed;

• When collected using or disclosing personal health

information for a purpose other than providing health care or when disclosing to a person other than a health information custodian, that is not otherwise permitted without consent, express consent must be sought.

12

General Limiting Principles

• Custodians may not collect, use or disclose personal health

information if other information will serve the purpose of the information if other information will serve the purpose of the collection, use or disclosure (section 30(1));

• Custodians may not collect, use or disclose more personal

health information than is reasonably necessary to meet the purpose of the collection, use or disclosure (section 30(2));

• Don’t forget that these principles continue to apply when a

custodian relies on assumed implied consent.

Consent to Treatment Versus Notice of Collection, Use and Disclosure

• Some custodians include in their consent to treatment form, notices about

the purposes for the collection, use and disclosure of personal health information – without distinguishing between the two;

• This may be confusing because individuals may believe that they are

providing express consent for the collection, use and disclosure of personal health information, when in fact the custodian may be relying on implied consent or assumed implied consent;

• Custodians should ensure that individuals understand that the express

consent relates to treatment and that personal health information will be collected, used and disclosed for the purposes of providing health care, unless the individual expressly withholds or withdraws their consent.

13

Consent to Treatment and Other Purposes

• Some custodians include in their consent to treatment form, consent for the

collection, use and disclosure of personal health information for secondary purposes (e.g., research) – without distinguishing between the two; p p ( g , ) g g ;

• If individuals want to receive treatment, they must also agree to the collection, use

and disclosure of their personal health information for other purposes not directly related to the provision of health care;

• This type of consent may not fulfill all of the required elements of consent, in

particular the requirement that consent must not be obtained through coercion;

• Custodians should ensure that individuals understand that they may give or withhold their

y y g consent to the collection, use and disclosure of personal health information for each purpose and that treatment is not dependent upon their consenting to the collection, use and disclosure of their personal health information for other purposes not directly related to the provision of health care.

Consent Versus No Consent Notices

• Some custodians combine notices to ensure that consent is knowledgeable

with notices of the purposes for which personal health information may be collected, used and disclosed without consent – without distinguishing between the two;

• This may be confusing as individuals may believe that they may withhold
• r withdraw consent for the collection, use or disclosure of personal

health information for purposes that may permitted without their consent under PHIPA (e.g., research);

• Custodians should ensure that individuals understand the circumstances

in which they may withhold or withdraw consent or give an express instruction not to use or disclose personal health information.

14

Conclusions

• The consent provisions of PHIPA were drafted in manner such that

consent should not delay or impede to the delivery of health care;

• Custodians may rely on implied consent in most circumstances, as long

as all of the elements of consent are met (including knowledgeability);

• In some circumstances, certain custodians within the circle of care, may

rely on assumed implied consent when collecting, using and disclosing personal health information for the purpose of providing health care;

• Whether a custodian is relying on express consent, implied consent,

assumed implied consent or no consent the general limiting principles apply;

• In the context of the provision of health care, individuals may withhold
• r withdraw consent or instruct custodians not to use or disclose personal

health information for health care purposes;

• Notices of purposes should ensure that individuals not only understand

the purposes but also the circumstances in which consent may be withheld or withdrawn.

How to Contact Us

Information & Privacy Commissioner of Ontario 2 Bl St t E t S it 1400 2 Bloor Street East, Suite 1400 Toronto, Ontario, Canada M4W 1A8 Phone: (416) 326- 3333 Web: www.ipc.on.ca p