On May 5, the Ontario legislature voted on and passed Bill 119, the Health Information Protection Act, 2016. HIPA will come into force on a date to be set by the government. As previously reported in Tracker, HIPA makes important amendments to the Ontario Personal Health Information Protection Act, 2004, including strengthening breach reporting provisions and introducing new provisions for electronic health records. In addition, HIPA enacts a new regime for the protection of quality-of-care information that is created when examining adverse events in hospitals. The government must set a date for these provisions to come into force.

Fines for snooping to increase

The maximum fine under the current provisions of PHIPA is CA$50,000 in the case of an individual and CA$250,000 in the case of an organization. Once the amendments in HIPA come into force, those amounts will double to CA$100,000 for individuals and CA$500,000 for organizations. Importantly, the six-month limitation on prosecutions under the Ontario Provincial Offences Act will not apply to a prosecution under PHIPA. Instead, there will be no limitation period.

Ontario has seen a rash of long-running scandals involving hospital workers snooping on patient records. The same week that HIPA was enacted, news broke that two health workers had been convicted under s. 70(1)(a) of PHIPA for “wilfully collecting, using or disclosing personal health information” in contravention of PHIPA and fined CA$2,505. The convictions stem from alleged inappropriate access to former Toronto Mayor Rob Ford’s patient records. Ford was undergoing treatment for cancer. According to news reports, the hospital workers pleaded guilty. The fines levied against the workers are relatively light when compared to the statutory maximums.

Breach notification expanded

PHIPA currently requires individual breach notification when personal health information is lost, stolen or accessed by an unauthorized person (ss. 12(2) and 12(3)). HIPA amends those provisions to extend the circumstances requiring notification to include any unauthorized access or use. Furthermore, hospitals and other health information custodians will have mandatory reporting obligations to professional regulatory bodies. For example, a hospital will be required to report a nurse to the College of Nurses if the nurse has committed or is suspected of having committed an unauthorized collection, use, disclosure, retention or disposal of personal health information and either disciplinary action has been taken or the nurse has resigned instead of facing disciplinary action.

Electronic health records

HIPA also creates a new Part V.1 of PHIPA to enable province-wide electronic health records. A prescribed organization will have the power to develop and maintain provincial EHRs. It is expected that eHealth Ontario (a government agency) will be the initial prescribed organization. The prescribed organization has a number of duties, including:

  • managing and integrating personal health information it receives from health information custodians;
  • ensuring that the EHR functions properly;
  • ensuring the accuracy and quality of the personal health information accessed through the EHR; and
  • conducting analyses of the data in the EHR to provide alerts and reminders to health information custodians.

All access to the EHR will be logged. Logs must identify the individual who accessed the EHR, the data that was viewed, and the date and time that the data was viewed. All transfers from the EHR must be recorded. Health information custodians have immunity for any unauthorized viewing or handling of personal health information that they provide to eHealth Ontario, whether by eHealth Ontario staff or by staff of another health information custodian.

An individual has the right to obtain access to personal health information in the custody or control of a health information custodian. It is unclear whether the combined data in an EHR will be directly available to an individual. Part V of PHIPA refers to data in the custody or control of a health information custodian. eHealth Ontario is not a health information custodian, but HIPA empowers the minister of health and long-term care to establish an advisory committee for the purpose of making recommendations regarding eHealth Ontario’s practices and procedures for responding to or facilitating a response to an access and correction request.

Currently under PHIPA, an individual has the right to withhold or withdraw consent to the collection and use of personal health information and can prohibit the disclosure of all or part of their personal health information to other health information custodians (subject to certain exceptions). In the EHR context, HIPA provides that an individual may issue a consent directive to opt out of the use of EHRs in whole or in part.

However, HIPA permits the government to prescribe data elements that may not be made subject to a consent directive. It is possible that the government will specify certain basic information that cannot be made subject to a consent directive so that every Ontarian will have some form of skeletal EHR.

In addition, HIPA specifically provides for certain consent directive overrides. For example, eHealth Ontario may use information in the EHR to provide alerts regarding harmful medication interactions so long as the alerts do not reveal personal health information that is the subject of a consent directive. If prescribed medication is a data element that must be provided to the EHR irrespective of a consent directive, this will ensure that there can be appropriate surveillance of drug interactions across the entire patient care team.

The ability of the government to prescribe data elements that cannot be excluded by a patient from their EHR may become a concern for the information and privacy commissioner of Ontario and patient privacy rights advocates. Over time, this type of provision is likely to become the subject of function creep as research advocates argue for more data to be placed in the EHR to track medical trends and improve the delivery of health care overall.

Protecting quality-of-care information

The purpose of quality-of-care information protection legislation is to provide a zone of confidentiality for health professionals to discuss errors and systemic problems in order to develop improvements. Ontario enacted the current quality-of-care information protection legislation in 2004. However, since that time, there have been a number of criticisms of the legislation. There was a perception that the legislation was being used to obstruct access to information by patients and their families following adverse events. In 2014, the government appointed a review committee to make recommendations with respect to whether amendments should be made to improve the legislation. The review committee made a number of recommendations to improve transparency and to limit the use of the confidentiality protections in the legislation to situations in which the nature of the contributing causes to a critical incident is unclear.

The government responded with a new Quality of Care Information Protection Act, 2016. The QCIPA significantly limits what may be considered quality-of-care information and, therefore, protected from an access request by the patient or their authorized representative. In particular, the following are now expressly excluded from quality-of-care information:

  • facts of what occurred with respect to the incident;
  • the cause or causes of the incident as identified by the quality-of-care committee;
  • the consequences of the incident for the patient;
  • the actions taken and recommendations to address the consequences of the incident for the patient;
  • any systemic changes or recommendations; and
  • information that consists of facts contained in a record of an incident.

The move to greater transparency in the context of investigations into critical incidents follows the appointment in December 2015 of the first ever provincial patient ombudsman. The role of the patient ombudsman is to respond to complaints regarding care provided by public hospitals, community care access centres and long-term care facilities. The patient ombudsman office will not be in effect until the coming into force of the Excellent Care for All Act, 2010, which is expected to come into force on July 1.