Presentation Outline

Similar documents
Scotia Plaza 40 King St. West, Suite 5800 P.O. Box 1011 Toronto, ON Canada M5H 3S1 Tel Fax

Code of Procedure for Matters under the Personal Health

CONSENT, CAPACITY, AND SUBSTITUTE DECISION-MAKERS

A Guide to Ontario Legislation Covering the Release of Students

FOI Legislation and Litigation Update

Exercising Discretion under section 38(b) of the Municipal Freedom of Information and Protection of Privacy Act. A Best Practice for Police Services

BILL NO. 42. Health Information Act

Health Care Consent Act

MANITOBA FREEDOM OF INFORMATION AND PROTECTION OF PRIVACY RESOURCE MANUAL

ACCESS FACT SHEET. Frivolous and Vexatious Requests WHAT IS A FRIVOLOUS OR VEXATIOUS REQUEST?

2ND SESSION, 41ST LEGISLATURE, ONTARIO 66 ELIZABETH II, Bill 114. An Act to provide for Anti-Racism Measures

Nestlé Canada Inc. Privacy Policies and Practices April 13, 2012

FREEDOM OF INFORMATION AND PROTECTION OF PRIVACY POLICY

INTEGRATED ASSESSMENT RECORD DATA SHARING AGREEMENT

Five Year Review of the Personal Information Protection and Electronic Documents Act (PIPEDA)

Access to Information and Protection of Privacy Act

Privacy Guidelines for Municipalities Regulating Businesses Dealing in Second-hand Goods

Order F14-57 OFFICE OF THE POLICE COMPLAINT COMMISSIONER. Ross Alexander Adjudicator. December 23, 2014

Order F17-46 UNIVERSITY OF BRITISH COLUMBIA. Celia Francis Adjudicator. October 19, 2017

Definitions The following terms have these meanings in this Policy: a. Act Personal Information Protection and Electronic Documents Act;

FOIP Bulletin. Definitions. In this issue Introduction 1 1 Definitions. Number 14 June 2003

3RD SESSION, 41ST LEGISLATURE, ONTARIO 67 ELIZABETH II, Bill 14. An Act with respect to the custody, use and disclosure of personal information

Rights & Responsibilities: The Rights of Requesters and the Responsibilities of Richmond County under the Virginia Freedom of Information Act

Privacy and Access in British Columbia

ECHOCARDIOGRAPHY QUALITY IMPROVEMENT PROGRAM FACILITY AGREEMENT

2.16 Freedom of Information and Protection of Privacy Act

The Health Information Protection Act

MENTAL HEALTH ADVANCE DIRECTIVES - GUIDE FOR AGENTS

Law Enforcement Request for Personal Information Procedures - What to do When a Police Officer Asks for Information

ASSOCIATION OF PROFESSIONAL ENGINEERS AND GEOSCIENTISTS OF BRITISH COLUMBIA,

The Year-End Statistical Report for the Information and Privacy Commissioner of Ontario

Privacy, personal information, law enforcement and lawful access

Decision 287/2013 Mr Stewart V. Mackenzie and Perth and Kinross Council

ONTARIO SUPERIOR COURT OF JUSTICE DIVISIONAL COURT. HACKLAND R.S.J., SWINTON and KARAKATSANIS JJ.

GUIDELINE FOR PROTECTION OF PERSONAL INFORMATION

Access to Information

Making a Request for Records from Mathews County Public Schools

Policy To Protect Personal Information

The New Mandatory Data Breach Requirements under Canada s Federal Privacy Act

Making a Request for records from the City of Salem, Virginia School Division

Rights & Responsibilities: The Rights of Requesters and the Responsibilities of King & Queen County under the Virginia Freedom of Information Act

Health Information Privacy Code 1994

MENTAL HEALTH ADVANCE DIRECTIVES

Rights & Responsibilities:

The Health Information Protection Regulations

Criminal Record Check Process

Order P18-01 COMPASS GROUP CANADA LTD. Elizabeth Barker Senior Adjudicator. January 23, 2018

Making a Request for records from Fauquier County Public Schools

Legal Aid Ontario. Privacy policy

ARTICLE 29 DATA PROTECTION WORKING PARTY

Rights & Responsibilities: The Rights of Requesters and the Responsibilities of Southampton County under the Virginia Freedom of Information Act

Disclosure of Personal Health Information to Police

Balancing Privacy Interests of an Incapable Person with the Responsibilities of Attorneys, Guardians and Section 3 Counsel. By Justin W.

Frequently Asked Questions for Municipalities LOCAL GOVERNMENT BODIES RECORDS

PIPEDA and Your Practice

AP3. APPENDIX 3 CONTROLLED UNCLASSIFIED INFORMATION

Data Protection Policy

INDEX. A Access and correction requests, see also Access to and correction of personal information. .. Part 8 of the Act, 110

Privacy Law Update. Ontario Connections: Access, Privacy, Security & Records Management Conference, June 7, 2016

Rights & Responsibilities: The Rights of Requesters and the Responsibilities of Town of Victoria Under the Virginia Freedom of Information Act

TekSavvy Solutions Inc.

Decision Notice. Decision 005/2015: Mr M and the Chief Constable of the Police Service of Scotland

AIA Australia Limited

Freedom of Information Act 2000 (FOIA) Decision notice

Implications of changes to the Privacy Act 1988 for the market and social research industry

You have the right to request to inspect or receive copies of public records, or both.

Code of Practice on the discharge of the obligations of public authorities under the Environmental Information Regulations 2004 (SI 2004 No.

INDEX. A Access and correction requests, see also Access to and correction of personal information. .. Part 8 of the Act, 115

Bill C-58: An Act to amend the Access to Information Act and the Privacy Act and to make consequential amendments to other Acts

Making a Request for Records from the Clerk s Office

Rights & Responsibilities:

BEST PRACTICES FOR RESPONDING TO ACCESS REQUESTS

Making a Request for records from the Town of Drakes Branch

Order COLLEGE OF DENTAL SURGEONS OF BRITISH COLUMBIA

PERSONAL INFORMATION PROTECTION ACT

FREEDOM OF INFORMATION ACT 2000 (SECTION 50) DECISION NOTICE. Dated 5 June Public Authority: Newry and Mourne Health and Social Services Trust

RIGHTS & RESPONSIBILITIES:

Telecommunications Information Privacy Code 2003

ONTARIO SUPERIOR COURT OF JUSTICE DIVISIONAL COURT FERRIER, SWINTON & LEDERER JJ. ) ) ) ) ) ) ) ) ) ) ) ) ) ) ) ) ) Applicant.

Five questions about blowing the whistle

ACCESS TO PORT PUBLIC RECORDS

Order F Ministry of Justice. Hamish Flanagan Adjudicator. March 18, 2015

MUTUAL FUND DEALERS ASSOCIATION OF CANADA PROPOSED AMENDMENTS TO MFDA RULE (CONTENT OF ACCOUNT STATEMENT)

Information exempt from the subject access right (section 40(4) and

OFFICE OF THE INFORMATION & PRIVACY COMMISSIONER for Prince Edward Island. Order No. FI Re: Department of Finance.

ALBERTA OFFICE OF THE INFORMATION AND PRIVACY COMMISSIONER ORDER F June 4, 2018 ALBERTA HUMAN RIGHTS COMMISSION. Case File Number F8587

Order F16-15 DISTRICT OF WEST VANCOUVER. Ross Alexander Adjudicator. March 15, 2016

PROPOSED LEGISLATIVE REVISIONS FOR 2010 FLORIDA BAR ADVANCE DIRECTIVES AND HIPAA COMMITTEE HEALTH CARE SURROGATE FOR A MINOR

RFx Process Terms and Conditions (Conditions of Tendering)

Order COLLEGE OF OPTICIANS OF BRITISH COLUMBIA

Search Warrant. Appendix H (ii)

ORDINANCE NO Citation. This Division may be cited as the San Bernardino County Sunshine Ordinance or the Sunshine Ordinance.

February 23, Dear Ms. Ursulescu, Re: Legislative Model for Lobbying in Saskatchewan

SECTION 1: GENERAL INFORMATION

Data Protection Act 1998 Policy

FREEDOM OF INFORMATION: Federal and New York State Laws

REVIEW REPORT

Order F13-01 MINISTRY OF HEALTH AND MINISTRY OF CITIZENS SERVICES AND OPEN GOVERNMENT. Michael McEvoy, Assistant Commissioner.

Access to Personal Information Procedure

ALBERTA OFFICE OF THE INFORMATION AND PRIVACY COMMISSIONER ORDER F November 12, 2014 ALBERTA JUSTICE AND SOLICITOR GENERAL

Transcription:

Consent Requirements Under the Personal Health Information Protection Act Debra Grant Office of the Information and Privacy Commissioner of Ontario EHIL Webinar May 11, 2011 Presentation Outline Consent a Key Principle in PHIPA General Consent Provisions of PHIPA Circle of Care Lock Box General Limiting Principles Pitfalls to Avoid When Obtaining Consent Conclusion 1

Ontario s Personal Health Information Protection Act (PHIPA) Came into effect November 1, 2004 Based on Canada s Fair Information Practices*: Accountability Identifying Purposes Consent Limiting Collection Limiting i i Use, Disclosure, Retention Accuracy Safeguards Openness Individual Access Challenging Compliance *CSA Standard CAN/CSA-Q830, Model Code for the Protection of Personal Information; PHIPA has been deemed to be substantially similar to PIPEDA. Consent in the Context of PHIPA In the absence of PHIPA, at least part of the Ontario health sector would have been covered by federal private sector privacy legislation PIPEDA was drafted to address privacy issues in the commercial sector rather than the health sector (e.g., express consent required in the context of sensitive personal health information); Because substantial similarity designation is necessary to exempt custodians from the application of PIPEDA, PHIPA had to meet the privacy standards set out in PIPEDA (e.g., PHIPA had to be a consentbased); The standard appropriate within the health sector was determined to be knowledgeable consent ; PHIPA was drafted in a manner such that consent would not delay or impede the delivery of health care. 2

Collection, Use and Disclosure Custodians may collect, use and disclose personal health information if: The individual consents, or The Act permits or requires the collection, use and disclosure (Section 29) Type of Consent Consent may be express or implied except where express Consent may be express or implied, except where express consent is specifically required under PHIPA. (Section 18(2)); Consent whether express or implied must meet all of the requirements for a valid consent under PHIPA. 3

Express Consent Required when a custodian discloses to a non-custodian; Required when a custodian discloses to another custodian for a purpose other than providing health care to the individual; Required when a custodian collects, uses or discloses for marketing or market research; Required when a custodian collects, uses or discloses for fundraising (if using more than name and address); (Section 18(3)) Elements of a Valid Consent Must be a consent of the individual or his or her substitute decision-maker; Must be knowledgeable; Must relate to the information; and Must not be obtained through deception or coercion. (Section 18(1)) 4

Knowledgeable Consent A consent to the collection, use and disclosure of personal health information is knowledgeable if it is reasonable in the circumstances to believe that the individual knows, the purpose of the collection, use or disclosure, as the case may be; and that the individual may give or withhold consent. (Section 18(5)) Ensuring that Consent is Knowledgeable Notice of Purposes Unless it is not reasonable in the circumstance, it is reasonable to believe that an individual knows the purpose of the collection, use or disclosure if the health information custodian posts or makes readily available a notice describing these purposes where it is likely to come to the individual s attention. (Section 18(6)) 5

Notice of Purposes A health information custodian may rely on a notice of purposes to support the reasonable belief that the individual knows the purposes of the collection, use, or disclosureof of personal health information; If a health information custodian wishes to rely on a notice of purposes, the notice: Must be posted where it is likely to come to the attention of the individual or must be provided to the individual; Must outline the purposes for which the health information custodian collects, uses or discloses personal health information; and Should advise the individual that he or she has the right to give or withhold consent; A notice of purposes is not required where a health information custodian may assume implied consent but it is a best practice to have a notice of purposes; Written Public Statement Section 16(1) states that a health information custodian shall, in a manner that is practical in the circumstances, make available to the public a written statement that, (a) Provides a general description of the custodian s information practices; (b) Describes how to contact the contact person, if the custodian has one, or the custodian, if there is no contact person; (c) Describes how an individual may obtain access to or request correction of a record of personal health information in the custody or control of the custodian; and (d) Describes how to make a complaint to the custodian and to the Commissioner. 6

information practices defined Section 2 states that information practices, in relation to a custodian, means the policy of the custodian for actions in relation to personal health information, including, (a) when, how and the purposes for which the custodian routinely collects, uses, modifies, discloses, retains or disposes of personal health information, and (b) the administrative, technical and physical safeguards and practices that the custodian maintains with respect to the information. Short Notice Products 7

Circle of Care Assumed Implied Consent Certain custodians who receive personal health information from the individual or another custodian for the purpose of providing health care to the individual is entitled to assume they have the individual s implied consent to collect, use and disclose to another custodian; Exception: Unless the custodian is aware that the individual has withdrawn his or her consent; The inclusion of this provision further emphasizes the fact that the consent requirements should never delay or impede to the provision of health care. Circle of Care: Sharing Personal Health Information for Health Care Purposes The IPC has launched a guide to clarify the circumstances in which a health information custodian may assume implied consent and the options available to a custodian where consent cannot be implied; The term circle of care is not a defined term in PHIPA; The term commonly used to describe the ability of certain health information custodians to assume an individual s implied consent to collect, use or disclose personal health information for the purpose of providing health care, in circumstances defined in PHIPA. 8

Circle of Care Working Group Office of the Information o and Privacy Commissioner; o Ontario Medical Association; Ontario Hospital Association; College of Physicians and Surgeons of Ontario; Ministry of Health and Long Term Care; Ontario Association of Community Care Access Centres; Ontario Long Term Care Association; Ontario Association of Non-Profit Homes and Services for Seniors. Circle of Care: Sharing Personal Health Information for Health Care Purposes Health information custodian must fall within the category of custodians that are entitled to rely on assume implied consent; Information must have been received from the individual, his or her substitute decision maker or another custodian; Information must have been received for the purpose of providing or assisting in the provision of health care to the individual; The purpose of the collection, use and disclosure must be for the purpose of providing health care or assisting in providing health care to the individual; Disclosures must be to another custodian; and Custodian that receives the information must not be aware that the individual has expressly withheld or withdrawn consent to the collection, use or disclosure. Available at www.ipc.on.ca 9

Lock Box: Withdrawal of Consent If an individual consents to have a custodian collect, use or disclose personal health information, the individual may withdraw consent, whether the consent is express or implied, by providing notice to the health information custodian, but the withdrawal of the consent shall not have retroactive effect (section 19(1)); Certain custodians who receive personal health information from the individual, the individual s substitute decision-maker or another custodian, are entitled to assume that they have the individual s implied consent to collect, use or disclose the information for the purpose of providing health care to the individual, unless the custodian is aware that the individual has expressly withheld or withdrawn consent (section 20(2)); Note that withdrawal of consent or express instructions need not be in writing custodians should document individual s request. Lock Box: Express Instructions Custodians may use personal health information, without consent, for the purpose for which it was collected, but not if the individual expressly instructs t otherwise (section 37(1)(a)); )) Custodians may disclose personal health information, without consent, to certain custodians, if the disclosure is necessary to provide health care and it is not possible to obtain consent in a timely manner, but not if the individual has expressly instructed the custodian not to make the disclosure; (section 38(1)(a)); Custodians may disclose personal health information, without consent, if the disclosure is necessary to provide health care, but not if the individual has expressly instructed the custodian not to make the disclosure (section 50(1)(e)). 10

Conditions on Consent Individual must provide notice to the custodian (can be provided verbally or in writing); An individual may not place a condition on his or her consent to have a custodian collect, use or disclose personal health information that prohibits or restricts any recording of personal health information that is required by law or by established standards of professional practice or institutional practice; There are no other conditions or restrictions placed on an individual who wishes to withdraw or withhold consent or provide an express instruction. Alternatives When You Cannot Rely of Assumed Implied Consent Some collections, uses and disclosures of personal health information are permitted without consent; Custodians may rely on implied consent for most purposes custodians must ensure that all elements of consent are met this cannot be assumed; When collected using or disclosing personal health information for a purpose other than providing health care or when disclosing to a person other than a health information custodian, that is not otherwise permitted without consent, express consent must be sought. 11

General Limiting Principles Custodians may not collect, use or disclose personal health information if other information will serve the purpose of the collection, use or disclosure (section 30(1)); Custodians may not collect, use or disclose more personal health information than is reasonably necessary to meet the purpose of the collection, use or disclosure (section 30(2)); Don t forget that these principles continue to apply when a custodian relies on assumed implied consent. Consent to Treatment Versus Notice of Collection, Use and Disclosure Some custodians include in their consent to treatment form, notices about the purposes for the collection, use and disclosure of personal health information without distinguishing between the two; This may be confusing because individuals may believe that they are providing express consent for the collection, use and disclosure of personal health information, when in fact the custodian may be relying on implied consent or assumed implied consent; Custodians should ensure that individuals understand that the express consent relates to treatment and that personal health information will be collected, used and disclosed for the purposes of providing health care, unless the individual expressly withholds or withdraws their consent. 12

Consent to Treatment and Other Purposes Some custodians include in their consent to treatment form, consent for the collection, use and disclosure of personal health information for secondary purposes p (e.g., research) without distinguishing g between the two; If individuals want to receive treatment, they must also agree to the collection, use and disclosure of their personal health information for other purposes not directly related to the provision of health care; This type of consent may not fulfill all of the required elements of consent, in particular the requirement that consent must not be obtained through coercion; Custodians should ensure that individuals understand that they may ygive or withhold their consent to the collection, use and disclosure of personal health information for each purpose and that treatment is not dependent upon their consenting to the collection, use and disclosure of their personal health information for other purposes not directly related to the provision of health care. Consent Versus No Consent Notices Some custodians combine notices to ensure that consent is knowledgeable with notices of the purposes for which personal health information may be collected, used and disclosed without consent without distinguishing between the two; This may be confusing as individuals may believe that they may withhold or withdraw consent for the collection, use or disclosure of personal health information for purposes that may permitted without their consent under PHIPA (e.g., research); Custodians should ensure that individuals understand the circumstances in which they may withhold or withdraw consent or give an express instruction not to use or disclose personal health information. 13

Conclusions The consent provisions of PHIPA were drafted in manner such that consent should not delay or impede to the delivery of health care; Custodians may rely on implied consent in most circumstances, as long as all of the elements of consent are met (including knowledgeability); In some circumstances, certain custodians within the circle of care, may rely on assumed implied consent when collecting, using and disclosing personal health information for the purpose of providing health care; Whether a custodian is relying on express consent, implied consent, assumed implied consent or no consent the general limiting principles apply; In the context of the provision of health care, individuals may withhold or withdraw consent or instruct custodians not to use or disclose personal health information for health care purposes; Notices of purposes should ensure that individuals not only understand the purposes but also the circumstances in which consent may be withheld or withdrawn. How to Contact Us Information & Privacy Commissioner of Ontario 2 Bloor Street t East, Suite 1400 Toronto, Ontario, Canada M4W 1A8 Phone: (416) 326-3333 Web: www.ipc.on.ca 14

2024 © lawsdocbox.com Privacy Policy | Terms of Service | Feedback