On September 16, the Ontario Government re-introduced legislation to amend the Personal Health Information Protection Act, 2004 (PHIPA). A prior bill containing the amendments died on the order paper when an election was called by the Liberal Government of Premier Kathleen Wynne. With the Liberal Government re-elected, the Hon. Eric Hoskins, the Minister of Health and Long-Term Care, has reintroduced the proposed amendments as part of Bill 119. In addition to amending PHIPA, Bill 119 repeals and re-enacts the Quality of Care Information Protection Act, 2004 (QCIPA). The QCIPA protects confidential quality of care information from disclosure in order to facilitate learning from errors and systemic problems.

In this post, we will examine the amendments to the breach provisions of PHIPA as well as amendments that are directed at clarifying roles and responsibilities in the health information custodian-agent relationship. Future posts will examine the e-health record provisions contained in Bill 119 and the proposed repeal and re-enactment of the QCIPA.

Although Bill 119 has only had a first reading, the government appears serious about making these amendments. Therefore, health information custodians should get ahead of the curve by reviewing their governance programs to:

  • Update data breach procedures so that agents report breaches to custodians at the first reasonable opportunity if a breach occurs, and so that individual notifications contain information on making complaints to the Information and Privacy Commissioner of Ontario (IPC);
  • Consider how internal policies and procedures may need to be revised to address mandatory reporting to professional bodies when a regulated health professional’s employment or privileges are terminated or the professional resigns as a result of unauthorized collection, use, disclosure, retention or disposal of PHI;
  • Ensure that the duties of agents are well-defined;
  • Map data flows against the agents’ duties to ensure that agents only have access to personal health information (PHI) that is necessary to perform those duties;
  • Impose conditions and restrictions necessary to control the manner in which the agent performs its duties in order to meet the requirements of PHIPA including the “necessity” requirement;
  • Develop a compliance testing and audit program for agents to establish a due diligence defence in the event an agent acts outside of the scope of the agent’s duties; and
  • Conform policies and procedures with the new definition of “use,” which includes access to PHI.

Mishandling of PHI by Agents

To understand the provisions of PHIPA and the significance of the amendments in Bill 119, it is necessary to understand the meaning of the terms “health information custodians” and “agents.” Health information custodians are generally (although not exclusively) regulated health professionals and certain types of health and long-term care institutions (s. 3(1)). Regulated health professionals include doctors, nurses, dentists, chiropractors, massage therapists and others. Institutions that qualify as health information custodians include public and private hospitals, psychiatric facilities, laboratories, long-term care homes and others. Agents are individuals or companies that handle PHI for or on behalf of the custodian for the purposes of the custodian and not for the agent’s own purposes (s. 2(1)). Commonly, an agent will be an employee or service provider to the custodian.

There have been numerous scandals in Ontario with respect to inappropriate access and use of PHI by agents. For example, in a case involving Rouge Valley Hospital, the IPC concluded that one clerical employee had accessed PHI of new mothers for the purposes of marketing registered educational savings plans. Another employee was found to have sold information to registered educational savings plans salespersons. The inappropriate access may have affected 14,000 patients. In another case, seven employees of the Peterborough Regional Hospital were terminated for accessing numerous patient files. These are only two of the many incidents to have come to light in Ontario over the past several years.

Many of the amendments to PHIPA that are contained in Bill 119 are directed at the problems associated with misconduct of agents.

Breach Reporting and Notification

PHIPA already contains an individual breach notification provision (s. 12(1)). A custodian must notify an individual if PHI under the custody or control of the custodian is stolen, lost or accessed by unauthorized persons. The notification must occur at the “first available opportunity”.

Bill 119 strengthens the breach reporting obligation in a number of ways. Bill 119 makes clear that the custodian’s responsibility to notify affected individuals extends beyond breaches that involve PHI that is stolen or lost and includes breaches resulting from unauthorized “use” (new s. 12(3)).

Currently, s. 2(1) of PHIPA defines “use” to mean “handling” or “dealing” with PHI. Bill 119 extends the definition to include viewing, handling or otherwise dealing with PHI. This amendment clarifies that even viewing PHI (including viewing an electronic health record) will constitute a “use”. Because agents may only “use” PHI within the scope of their delegated responsibilities, the amendment to the definition of “use” implies that if an agent views PHI for any purpose other than acting on behalf of and with the authorization of the custodian (such as an employee snooping on medical records that the employee does not need to access to perform that employee’s responsibilities), this activity is not a “use.” Instead, unauthorized viewing, handling or otherwise dealing with PHI would be an unauthorized collection (by the employee) and disclosure (by the custodian).

The custodian is required to notify the individual of an unauthorized use or disclosure of PHI even if there is no risk of harm. This means that an individual must be notified in employee snooping cases, even if there is no disclosure to a third party. Notices to individuals must include a statement that the individual has the right to make a complaint to the IPC. In addition to notifying affected individuals, the custodian may have to report the breach to the IPC. Whether a report to the IPC is required will depend on criteria that will be set out in future regulations if Bill 119 is passed.

Bill 119 also clarifies that agents must notify custodians at the first reasonable opportunity if PHI that is collected, used, disclosed, retained or disposed of on behalf of the custodian is stolen or lost, or if it is used or disclosed without authority (s. 17(4)). The agent’s obligation to report does not depend on whether the breach caused or may cause harm to the individual. This is a strict obligation and will also apply to employee snooping.

Reporting to Professional Bodies

Consistent with the initiative to “get tough” on misuse of PHI, the government has proposed a requirement for mandatory reporting of misconduct to professional regulatory bodies. New s. 17.1(2) requires that a custodian that employs a healthcare practitioner who is a member of a college of a health profession under the Regulated Health Professions Act, 1991 (e.g., doctors, nurses, dentists, chiropractors, massage therapists and others) or of the College of Social Workers must make a report to the applicable college within 30 days of either:

  • The employee’s termination, suspension or disciplinary action as a result of the unauthorized collection, use, disclosure, retention or disposal of personal information by that employee, or
  • The employee’s resignation, and the custodian has reasonable grounds to believe that the resignation is related to an investigation into that type of misconduct in relation to PHI.

A custodian has similar obligations with respect to healthcare practitioners and social workers who have privileges to practice at the custodian’s establishment (e.g., a doctor with privileges at a hospital) or who are affiliated with the custodian (new s. 17.1(3)) even though the healthcare practitioner or social worker is not an employee.

Strengthening Custodian Responsibilities

Although custodians are responsible for controlling the activities of agents, the government wants to strengthen these provisions to ensure custodians implement adequate controls to protect PHI.

When custodians share PHI with agents, this is considered to be a “use” for the purposes of PHIPA and not a “disclosure” by the party sharing the information or a collection by the party receiving the information (s. 6(1)). The intention of s. 6(1) is to facilitate information flows in ordinary business models through which modern medical practices operate without requiring the consent of the individual. This provision allows a receptionist to transcribe medical notes and permits a third-party service provider to handle medical and financial records relating to the practice.

Section 17 of PHIPA already creates a number of preconditions with respect to delegation by a custodian to an agent, provides the custodian with a number of statutory rights, and makes the agent subject to a number of statutory responsibilities. Currently, s. 17 of PHIPA constrains the scope of delegation by requiring (a) that the custodian cannot delegate powers to collect, use, disclose, retain or dispose of PHI that the custodian itself does not have, and (b) that the activities delegated in respect of the PHI be performed in the course of the agent’s duties and not contrary to limits imposed by the custodian, PHIPA or other laws. Bill 119 narrows this permission by providing that the PHI must be “necessary in the course of the agent’s duties.” Custodians would be well-advised to review data flows to ensure that agent access is strictly limited to what is necessary.

In addition, Bill 119 imposes a positive obligation under new s. 17(3) to take steps that are reasonable in the circumstances to ensure that no agent of the custodian collects, uses, discloses, retains or disposes of PHI unless it is in accordance with these provisions. Even if the agent acts outside of the agent’s duties or the custodian’s conditions and restrictions, the custodian “shall” remain responsible for the PHI. It is not clear what this means or is intended to mean. It seems to be an effort to counter an argument advanced in the Peterborough case that a service provider or employee is not an “agent” if they are acting outside of the scope of the agent’s duties. If that is the government’s intent, the provision is merely a clarifying provision to foreclose an argument that was not very convincing in the first place.

However, if the intention is to modify the common law and make the custodian vicariously liable for an agent’s conduct outside of the agent’s duties, this is another matter altogether. It would put a custodian in the untenable position of being held to a standard of reasonable care for its own conduct but vicariously liable for its agent’s conduct irrespective of whether the custodian itself met the standard of care. If that is the intention, it suggests a type of strict liability that surely will be subject to a due diligence defence. It is doubtful that this is the legislative intent; however, irrespective of the intended meaning of this provision, organizations should implement sound compliance testing and auditing of agents. In Hopkins v. Kay, the Ontario Court of Appeal gave individuals the green light to sue for unauthorized use and disclosure of their PHI, holding that PHIPA was not a complete code. If this case stands, custodians may be sued by affected individuals for common law remedies in addition to any investigation and orders that may be made under PHIPA.

Positive Obligation to Limit Collection without Consent

New s. 11.1 would impose a positive obligation for a personal health information custodian to “take steps that are reasonable in the circumstances” to ensure that PHI is not collected without “authority.” This new positive obligation carries a number of governance implications for custodians. First, custodians will need to implement administrative controls to ensure that agents collecting personal information on the custodian’s behalf do not “over collect” outside of the authority of PHIPA.

For example, custodians may wish to revisit whether they have appropriate controls in place to ensure narrow collection of PHI without consent. A number of existing provisions allow custodians to collect PHI without consent, and collection must fall within them in order to satisfy this obligation. For example, a custodian may collect PHI without consent if it cannot obtain the information in a timely manner and the collection is reasonably necessary for the provision of healthcare services (s. 36(1)(b) and s. 36(2)). New s. 11.1 imposes a positive obligation to use appropriate procedures to prevent collection of PHI that exceeds the authority granted by these provisions.

Concluding Thoughts

Given the sensitivity of PHI in the context of healthcare, where the sharing and creation of PHI is frequently only superficially voluntary in light of the overriding health needs of the patient, it is critical that the information be strictly protected. Misconduct by regulated professionals should be reported. Whether that misconduct is sanctioned by the applicable college is for the college to determine when regulating members’ conduct in the public interest.

Other provisions are equally sensible. “Use” is generally accepted to include access and a custodian’s responsibilities shouldn’t end just because the agent breached the agent’s own responsibilities. Individuals should know about the breach and how to complain to the IPC.