PHIPA: Personal Health Information Protection Act
HIC: Health Information Custodian
PHI: Personal Health Information
Agent: Any person who is authorized by a HIC to perform services or activities on the custodian’s behalf and for the purposes of the custodian.
Collection: Gathering, acquiring, receiving or obtaining of PHI.
Use: Handling, dealing, accessing or reproducing health information that is in the custody or control of a custodian or its authorized agent within the same hospital.
Disclosure: Release or make available personal health information that is under the control or custody of a health information custodian or its authorized agent to another custodian or organization outside the circle of care.
The Personal Health Information Protection Act, 2004 (PHIPA), is Ontario’s new health privacy legislation that came into force on November 1, 2004. PHIPA governs how we collect, use, retain, transfer, disclose, provide access to and dispose of personal health information (PHI).
PHIPA applies to all individuals and organizations involved in the delivery of health care services under the umbrella term "health information custodian" (HIC), including physicians, hospitals and other health care practitioners listed as health information custodians under PHIPA. This legislation also applies to agents who are authorized to act for or on behalf of a health information custodian.
This legislation gives individuals greater control over how their personal health information is collected, used and disclosed. It also allows health care practitioners to access and use personal health information as necessary to deliver adequate and timely health care.
This legislation also gives the right to the individual to access and/or correct their personal health record with limited exceptions.
The Information & Privacy Commissioner/Ontario (IPC) has been designated as the oversight body responsible for the compliance set out under PHIPA. When privacy rights relating to personal health information have been violated, the individual has a right to address any concerns with the hospital and the IPC office.
Individuals can expect to be informed how their PHI will be collected, used and disclosed by Niagara Health. Individuals can also expect administrative, technical and physical safeguards relating to their PHI to continue to be in place.
PHIPA gives the individual the right to;
NOTE: PHIPA established a formal process for individuals to access and correct their own personal health information, within specified time frames and the right to complain if an access or correction request is denied.
Generally, the rule is to obtain an individual’s express or implied consent to collect, use and disclose PHI. There are also specified circumstances in which PHIPA allows the collection, use or disclosure of PHI without consent.
Implied consent permits the sharing of personal health information (PHI) with individuals within the "circle of care" who have direct responsibilities in providing patient care and treatment, and only on a "need-to-know" basis to perform their job duties.
Express consent is required to disclose personal health information (PHI) to a non-health information custodian or to another custodian for a purpose other than providing health care, i.e., lawyers, insurance companies, employers, family and friends.
NOTE: Under PHIPA consent must be knowledgeable, voluntary, related to the information and given by the individual. The individual must understand why we are collecting, using and disclosing their information. The individual has a right to withdraw their express or implied consent to sharing any information at any time.
A withdrawal of consent is not retroactive. The individual’s withdrawal of consent has no effect on information already collected, used or disclosed before the patient withdrew consent, but has effect from the time it is received.
The HIC must collect personal health information directly from the individual or the substitute decision maker involved, and may only collect as much information as is necessary to meet the purpose of the collection. There are exceptions to the rule that allow the indirect collection of PHI where: the individual consents; collection is necessary to provide care in a timely manner; collection is required or permitted by law; or collection is for the purpose of planning or management, or research (provided certain conditions are met). Refer to the Personal Health Information Protection Act, 2004 for the exceptions.
A HIC can rely on implied consent to share PHI with its agents (physicians, nursing, clerical staff), as long as the sharing is related to the provision of healthcare and the individual has not expressly instructed us not to share information.
There are exceptions set out by PHIPA to use PHI without consent for the purposes of risk management, activities to improve or maintain the quality of care, obtaining payment, and research provided that specific requirements and conditions are met. For the exceptions, refer to the Personal Health Information Protection Act, 2004.
Express consent is always required when disclosing PHI outside the circle of care. A HIC and its agents can rely on implied consent for the disclosure of PHI within the circle of care while providing health care, as long as the individual has not expressly stated otherwise. There are exceptions set out by PHIPA to disclose PHI without consent. For the exceptions, refer to the Personal Health Information Protection Act, 2004.
An individual may request access to his/her PHI by completing Request for Access to Personal Health Information Form #900148, available on Source•net, or in the Health Records Department. The Health Records Department will provide either access or a copy of the record for a cost recovery fee. If a record is not available, a written notice with the reasons must be provided to the individual.
All staff members are to follow the same process as any individual requesting access to their personal health records.
A response must be made no later than 30 days after the request was made. In certain instances, extensions beyond this 30-day time frame are allowed and the Health Records Department must inform the individual in writing about the delay and the reasons for the delay.
In certain situations the hospital may refuse access, for example: the information in question is subject to legal privilege; disclosure could reasonably be expected to result in a risk of serious bodily harm to a person; the information was collected as part of an investigation; or another law prohibits the disclosure of that information.
PHIPA permits the hospital to remove some of the information to allow partial access to the individual. If the individual is denied access to their personal health information, the individual has the right to file a complaint with the Information & Privacy Commissioner/Ontario (IPC).
The individual who believes that his/her PHI is incomplete or inaccurate may request the hospital to correct his/her record. It is the responsibility of the hospital to ensure that personal health information is complete and accurate. Contact the Health Records Department to obtain the Request for Correction to Personal Health Information (form #900071).
The hospital must respond within 30 days of receiving a correction request. PHIPA provides limited grounds for extending this 30-day time frame.
The hospital may refuse to correct personal health information that is a professional opinion or an observation of the health care provider.
If a correction is refused, the individual must be informed of the refusal and the reasons for the refusal. The individual has the right to file a complaint regarding the refusal with the Information & Privacy Commissioner/Ontario (IPC) and the right to attach a statement of disagreement to the record.
The hospital is obligated to correct personal health information where the patient demonstrates, to the satisfaction of the hospital, that the record is in fact inaccurate or incomplete and the individual gives the custodian the necessary information to correct the records.
Confidential information is information of a sensitive nature, in any format, which is created or received by the organization, such as information about identifiable patients, medical staff, co-workers, donors and other individuals. To keep private or secret, safe from access, use or disclosure by people who are not authorized to handle the personal information.
Everyone’s obligation is to protect personal health information and to ensure that the information is only accessible to those authorized to have access.
A patient’s right to control who has access to his/her personal health information and under what circumstances the information is shared with others.
Implementing reasonable physical, technical and administrative measures to safeguard personal health information by:
A breach of confidentiality, intentional or inadvertent, or unauthorized access to or disclosure to a third party without patient consent. Disclosure can be oral, written, by telephone or fax, or electronic.
All breaches are taken very seriously. If it is determined that a breach of confidentiality of personal health information has occurred, appropriate remedial action shall be taken. Such action may be corrective action, up to and including termination of employment, loss of privileges, termination of a contract, legal action, or any similar action as determined by the hospital. Health information custodians who are members of professional colleges will be reported to their respective college in accordance with that college’s protocols for reporting data protection breaches. Breaches that are criminal in nature may involve the police.
PHIPA is enforced by the Information and Privacy Commissioner/Ontario (IPC). An individual found guilty of committing an offence under PHIPA can be liable for a fine of up to $50,000. An organization or institution can be liable for a fine of up to $250,000.
Questions or concerns regarding privacy should be directed to your Manager. If more detail is required, please contact the Niagara Health Privacy Office at (905) 378-4647, ext. 44475.