By Megan Brister, Michelle Gordon, Alain Rocan and Miyo Yamashita
In 2012, Ontario will usher in a new era of transparency and oversight by including all public and private hospitals under the scope of the Freedom of Information and Protection of Privacy Act (FIPPA). On December 8, 2010, the Ontario government passed legislation to broaden the scope of FIPPA and designate hospitals as “institutions” under the act. This gives hospitals approximately one year to comply with FIPPA; the changes take effect on January 1, 2012.
“In my 2004 Annual Report, I urged the Ontario government to compile and review institutions that are primarily funded by government but not yet covered by the Acts. One of the foundations underlying FOI is the principle that organizations that exist by virtue of public funding should be subject to public scrutiny through FOI laws. Now, the Ontario Hospital Association has asked the province to place Ontario hospitals under the act.”
—Commissioner Ann Cavoukian, 2009 Annual Report
FIPPA will apply to all records held by or under the control of hospitals. The act will apply retroactively to January 1, 2007. Under the amended FIPPA, the general public will have a right of access to hospital administration, financial and other records, unless the records are excluded from the right of access or subject to an exemption under FIPPA, as would be the case for patients’ personal health information.
Unlike the Personal Health Information Protection Act, which allows a person to access only records about him or herself, the right of access under FIPPA applies to records about every person. The newly revised legislation will allow anyone to access any record held or controlled by an institution on any issue, subject to the exclusions and exceptions set out in the act. A record may include any information concerning procurement, employees, strategic plans and budgets.
What do hospitals need to do to comply?
Hospitals will need to complete a number of operational tasks this year to ensure they are ready for their new obligations under FIPPA in 2012.
“A record number of Freedom of Information requests were filed across Ontario in 2010. A total of 38,903 requests were filed in 2010, eclipsing the previous record of 38,584, set in 2007. The spike in 2010 represented the first increase in FOI requests in three years.”
—Commissioner Ann Cavoukian, 2010 Annual Report
Conduct an inventory of records subject to FIPPA
Deloitte recommends that a hospital begin its FIPPA implementation by conducting an inventory of records that are subject to the act. Records are defined as any information, however recorded, and include correspondence (e.g. e-mails, faxes), notes and working copies of documents. The inventory of records enables a hospital to
- identify which records are covered by FIPPA and which fall under the mandatory and discretionary exemptions listed in sections 12 through 23 of the act;
- develop a Directory of Records, including a description of its Personal Information Banks, which makes publicly known the types of records that the hospital holds and enables individuals to better direct their requests for records, and
- understand where records are located so that the hospital can respond to individuals within the required time limits (i.e. generally 30 days) to make records available or, if appropriate, deny access, cite the extraordinary circumstances that are causing the delay, forward or transfer the request.
Appoint a freedom of information coordinator
Although the responsibilities for requests for access fall to the head of the institution (i.e. the chair of the board of a public hospital or superintendent of a private hospital), organizations typically appoint a freedom of information (FOI) coordinator or manager to ensure compliance with FIPPA. The FOI coordinator’s responsibilities will typically include
- developing procedures to receive and manage requests for records and requests to correct personal information;
- working with business areas to compile records to respond to requests;
- providing notice to individuals to whom information in the record relates and managing any representations made by the individual concerning why the information may not be disclosed;
- calculating and collecting fees;
- training business areas on the FOI procedures;
- communicating the process to request access to the public through, for example, the hospital’s website;
- making routine disclosures (i.e. those records that may be disclosed without any internal consultation);
- responding to appeals and liaising with the information and privacy commissioner of Ontario (IPC/Ontario) should an investigation occur, and
- preparing the annual report that must be submitted to the IPC/Ontario.
The FOI coordinator will also need to evaluate requests to determine whether the request may be filled. This means determining if the records requested fall within the exemptions, for example, records related to law enforcement proceedings; records that reveal a trade secret or scientific, technical, commercial, financial or labour relations information; records that would put the financial interest of the hospital or its staff at risk; records that could reasonably be expected to seriously threaten the safety or health of an individual, or records that are under solicitor-client privilege. When information falls under one of the exemptions, the FOI coordinator may also sever the record and provide the requestor with only the information that is not exempt.
Set up an FOI office to receive and respond to requests for records
Hospitals will need to set up an office to handle requests for information. In some cases, hospitals may choose to expand their health records department to address new access-to-information requirements or expand the function of the privacy office. The FOI office will
- be the single point of contact for requests for information and investigations concerning requests for records;
- maintain access to information policies and procedures and monitor compliance with those policies and procedures;
- work with different areas of the hospital to locate and retrieve records;
- determine how to respond to requests and liaise internally with business units or externally with experts to determine how to handle requests;
- manage routine disclosures and provide information in an annual report to the IPC/Ontario, and
- report to management on the operational effectiveness of access-to-information policies and procedures, nature and disposition of requests and any issues or investigations that may arise.
Make certain information publicly available
Under FIPPA, hospitals will be required to make certain information about the records they retain available to the public and to the ministry. Specifically, hospitals must
- make a directory of records available to the ministry;
- publish their personal information banks;
- make manuals, instructions, directives, guidelines and program applications easily available to the public, and
- make their annual report to the IPC/Ontario publicly available.
Prepare and submit an annual report
Hospitals will be required to prepare and submit an annual report each year to the IPC/Ontario. This report includes
- a description of any inconsistent use of personal information;
- number of requests for personal information and general records completed and the time it took to fill the requests;
- number of notices of extension of time to fill a request issued;
- number of notices issued to individuals to whom information in the record relates;
- the disposition of each request (e.g. filled, withheld, severed, withdrawn, abandoned);
- the exemptions that were applied to those requests that were not filled;
- total additional fees collected or waived and the reasons for collecting or waiving, and
- number of requests for correction received, processed, withdrawn and denied.
The IPC/Ontario will provide hospitals with an online statistical report tool to submit annual reports.
Evaluate the FOI program before the compliance deadline
Hospitals will need to review their FOI programs and ensure they meet all the requirements under the amended act before the January 1, 2012, compliance deadline. This means not only confirming that the hospital meets its new legal requirements but also testing processes to ensure that the hospital can respond in a timely manner to requests for information, including locating records, consulting internally and communicating with requestors.
The authors are from Deloitte. Megan Brister is senior manager of enterprise risk. Michelle Gordon is senior consultant, enterprise risk. Alain Rocan, CIPP/C, is associate partner of enterprise risk, and Miyo Yamashita is partner, enterprise risk.