Consent Requirements Under the Personal Health Information Protection Act
Debra Grant
Office of the Information and Privacy Commissioner of Ontario
EHIL Webinar
May 11, 2011

Presentation Outline
- Consent a Key Principle in PHIPA
- General Consent Provisions of PHIPA
- Circle of Care
- Lock Box
- General Limiting Principles
- Pitfalls to Avoid When Obtaining Consent
- Conclusion

Ontario's Personal Health Information Protection Act (PHIPA)
- Came into effect November 1, 2004
- Based on Canada's Fair Information Practices*:
  - Accountability
  - Identifying Purposes
  - Consent
  - Limiting Collection
  - Limiting Use, Disclosure, Retention
  - Accuracy
  - Safeguards
  - Openness
  - Individual Access
  - Challenging Compliance
*CSA Standard CAN/CSA-Q830, Model Code for the Protection of Personal Information; PHIPA has been deemed to be substantially similar to PIPEDA.

Consent in the Context of PHIPA
- In the absence of PHIPA, at least part of the Ontario health sector would have been covered by federal private sector privacy legislation;
- PIPEDA was drafted to address privacy issues in the commercial sector rather than the health sector (e.g., express consent required in the context of sensitive personal health information);
- Because substantial similarity designation is necessary to exempt custodians from the application of PIPEDA, PHIPA had to meet the privacy standards set out in PIPEDA (e.g., PHIPA had to be consent-based);
- The standard appropriate within the health sector was determined to be "knowledgeable consent";
- PHIPA was drafted in a manner such that consent would not delay or impede the delivery of health care.

Collection, Use and Disclosure
Custodians may collect, use and disclose personal health information if:
- The individual consents, or
- The Act permits or requires the collection, use and disclosure (Section 29)

Type of Consent
- Consent may be express or implied, except where express consent is specifically required under PHIPA (Section 18(2));
- Consent, whether express or implied, must meet all of the requirements for a valid consent under PHIPA.

Express Consent
- Required when a custodian discloses to a non-custodian;
- Required when a custodian discloses to another custodian for a purpose other than providing health care to the individual;
- Required when a custodian collects, uses or discloses for marketing or market research;
- Required when a custodian collects, uses or discloses for fundraising (if using more than name and address).
(Section 18(3))

Elements of a Valid Consent
- Must be a consent of the individual or his or her substitute decision-maker;
- Must be knowledgeable;
- Must relate to the information; and
- Must not be obtained through deception or coercion.
(Section 18(1))

Knowledgeable Consent
A consent to the collection, use and disclosure of personal health information is knowledgeable if it is reasonable in the circumstances to believe that the individual knows,
- the purpose of the collection, use or disclosure, as the case may be; and
- that the individual may give or withhold consent.
(Section 18(5))

Ensuring that Consent is Knowledgeable
Notice of Purposes
- Unless it is not reasonable in the circumstances, it is reasonable to believe that an individual knows the purpose of the collection, use or disclosure if the health information custodian posts or makes readily available a notice describing these purposes where it is likely to come to the individual's attention.
(Section 18(6))

Notice of Purposes
- A health information custodian may rely on a notice of purposes to support the reasonable belief that the individual knows the purposes of the collection, use, or disclosure of personal health information;
- If a health information custodian wishes to rely on a notice of purposes, the notice:
  - Must be posted where it is likely to come to the attention of the individual or must be provided to the individual;
  - Must outline the purposes for which the health information custodian collects, uses or discloses personal health information; and
  - Should advise the individual that he or she has the right to give or withhold consent;
- A notice of purposes is not required where a health information custodian may assume implied consent, but it is a best practice to have a notice of purposes.

Written Public Statement
Section 16(1) states that a health information custodian shall, in a manner that is practical in the circumstances, make available to the public a written statement that,
(a) Provides a general description of the custodian's information practices;
(b) Describes how to contact the contact person, if the custodian has one, or the custodian, if there is no contact person;
(c) Describes how an individual may obtain access to or request correction of a record of personal health information in the custody or control of the custodian; and
(d) Describes how to make a complaint to the custodian and to the Commissioner.

"Information Practices" Defined
Section 2 states that "information practices", in relation to a custodian, means the policy of the custodian for actions in relation to personal health information, including,
(a) when, how and the purposes for which the custodian routinely collects, uses, modifies, discloses, retains or disposes of personal health information, and
(b) the administrative, technical and physical safeguards and practices that the custodian maintains with respect to the information.

Short Notice Products

Circle of Care: Assumed Implied Consent
- Certain custodians who receive personal health information from the individual or another custodian for the purpose of providing health care to the individual are entitled to assume they have the individual's implied consent to collect, use and disclose to another custodian;
- Exception: Unless the custodian is aware that the individual has withdrawn his or her consent;
- The inclusion of this provision further emphasizes the fact that the consent requirements should never delay or impede the provision of health care.

Circle of Care: Sharing Personal Health Information for Health Care Purposes
- The IPC has launched a guide to clarify the circumstances in which a health information custodian may assume implied consent and the options available to a custodian where consent cannot be implied;
- The term "circle of care" is not a defined term in PHIPA;
- The term is commonly used to describe the ability of certain health information custodians to assume an individual's implied consent to collect, use or disclose personal health information for the purpose of providing health care, in circumstances defined in PHIPA.

Circle of Care Working Group
- Office of the Information and Privacy Commissioner;
- Ontario Medical Association;
- Ontario Hospital Association;
- College of Physicians and Surgeons of Ontario;
- Ministry of Health and Long Term Care;
- Ontario Association of Community Care Access Centres;
- Ontario Long Term Care Association;
- Ontario Association of Non-Profit Homes and Services for Seniors.

Circle of Care: Sharing Personal Health Information for Health Care Purposes
- Health information custodian must fall within the category of custodians that are entitled to rely on assumed implied consent;
- Information must have been received from the individual, his or her substitute decision-maker or another custodian;
- Information must have been received for the purpose of providing or assisting in the provision of health care to the individual;
- The purpose of the collection, use and disclosure must be for the purpose of providing health care or assisting in providing health care to the individual;
- Disclosures must be to another custodian; and
- Custodian that receives the information must not be aware that the individual has expressly withheld or withdrawn consent to the collection, use or disclosure.
Available at www.ipc.on.ca

Lock Box: Withdrawal of Consent
- If an individual consents to have a custodian collect, use or disclose personal health information, the individual may withdraw consent, whether the consent is express or implied, by providing notice to the health information custodian, but the withdrawal of the consent shall not have retroactive effect (section 19(1));
- Certain custodians who receive personal health information from the individual, the individual's substitute decision-maker or another custodian, are entitled to assume that they have the individual's implied consent to collect, use or disclose the information for the purpose of providing health care to the individual, unless the custodian is aware that the individual has expressly withheld or withdrawn consent (section 20(2));
- Note that withdrawal of consent or express instructions need not be in writing - custodians should document the individual's request.

Lock Box: Express Instructions
- Custodians may use personal health information, without consent, for the purpose for which it was collected, but not if the individual expressly instructs otherwise (section 37(1)(a));
- Custodians may disclose personal health information, without consent, to certain custodians, if the disclosure is necessary to provide health care and it is not possible to obtain consent in a timely manner, but not if the individual has expressly instructed the custodian not to make the disclosure (section 38(1)(a));
- Custodians may disclose personal health information, without consent, if the disclosure is necessary to provide health care, but not if the individual has expressly instructed the custodian not to make the disclosure (section 50(1)(e)).

Conditions on Consent
- Individual must provide notice to the custodian (can be provided verbally or in writing);
- An individual may not place a condition on his or her consent to have a custodian collect, use or disclose personal health information that prohibits or restricts any recording of personal health information that is required by law or by established standards of professional practice or institutional practice;
- There are no other conditions or restrictions placed on an individual who wishes to withdraw or withhold consent or provide an express instruction.

Alternatives When You Cannot Rely on Assumed Implied Consent
- Some collections, uses and disclosures of personal health information are permitted without consent;
- Custodians may rely on implied consent for most purposes - custodians must ensure that all elements of consent are met - this cannot be assumed;
- When collecting, using or disclosing personal health information for a purpose other than providing health care or when disclosing to a person other than a health information custodian, that is not otherwise permitted without consent, express consent must be sought.

General Limiting Principles
- Custodians may not collect, use or disclose personal health information if other information will serve the purpose of the collection, use or disclosure (section 30(1));
- Custodians may not collect, use or disclose more personal health information than is reasonably necessary to meet the purpose of the collection, use or disclosure (section 30(2));
- Don't forget that these principles continue to apply when a custodian relies on assumed implied consent.

Consent to Treatment Versus Notice of Collection, Use and Disclosure
- Some custodians include in their consent to treatment form notices about the purposes for the collection, use and disclosure of personal health information, without distinguishing between the two;
- This may be confusing because individuals may believe that they are providing express consent for the collection, use and disclosure of personal health information, when in fact the custodian may be relying on implied consent or assumed implied consent;
- Custodians should ensure that individuals understand that the express consent relates to treatment and that personal health information will be collected, used and disclosed for the purposes of providing health care, unless the individual expressly withholds or withdraws their consent.

Consent to Treatment and Other Purposes
- Some custodians include in their consent to treatment form consent for the collection, use and disclosure of personal health information for secondary purposes (e.g., research), without distinguishing between the two;
- If individuals want to receive treatment, they must also agree to the collection, use and disclosure of their personal health information for other purposes not directly related to the provision of health care;
- This type of consent may not fulfill all of the required elements of consent, in particular the requirement that consent must not be obtained through coercion;
- Custodians should ensure that individuals understand that they may give or withhold their consent to the collection, use and disclosure of personal health information for each purpose and that treatment is not dependent upon their consenting to the collection, use and disclosure of their personal health information for other purposes not directly related to the provision of health care.

Consent Versus No Consent Notices
- Some custodians combine notices to ensure that consent is knowledgeable with notices of the purposes for which personal health information may be collected, used and disclosed without consent, without distinguishing between the two;
- This may be confusing as individuals may believe that they may withhold or withdraw consent for the collection, use or disclosure of personal health information for purposes that may be permitted without their consent under PHIPA (e.g., research);
- Custodians should ensure that individuals understand the circumstances in which they may withhold or withdraw consent or give an express instruction not to use or disclose personal health information.

Conclusions
- The consent provisions of PHIPA were drafted in a manner such that consent should not delay or impede the delivery of health care;
- Custodians may rely on implied consent in most circumstances, as long as all of the elements of consent are met (including knowledgeability);
- In some circumstances, certain custodians within the circle of care may rely on assumed implied consent when collecting, using and disclosing personal health information for the purpose of providing health care;
- Whether a custodian is relying on express consent, implied consent, assumed implied consent or no consent, the general limiting principles apply;
- In the context of the provision of health care, individuals may withhold or withdraw consent or instruct custodians not to use or disclose personal health information for health care purposes;
- Notices of purposes should ensure that individuals not only understand the purposes but also the circumstances in which consent may be withheld or withdrawn.

How to Contact Us
Information & Privacy Commissioner of Ontario
2 Bloor Street East, Suite 1400
Toronto, Ontario, Canada M4W 1A8
Phone: (416) 326-3333
Web: www.ipc.on.ca