The issue of patient confidentiality has come to the forefront for healthcare organizations after a number of recent privacy breaches in Ontario hospitals have come to light, including hospital staff improperly accessing the medical records of former Toronto mayor Rob Ford.
It is generally accepted that patients seeking healthcare, treatment or advice should be able to expect that their personal information will be kept confidential, and that it will only be disclosed as necessary for their care. Given the sensitive nature of such information, the Government of Ontario passed the Personal Health Information Protection Act, 2004 (the “Act”), which provides both guidance to healthcare professionals and peace of mind to patients.
When it first came into force ten years ago, the Act was Canada’s first consent-based health statute. In the years following its enactment, the Act has been highlighted as a model for personal health information laws in Canada and the United States. Moving forward, employers in healthcare settings must continue to be cognizant of the Act’s requirements, as well as its application in our increasingly digital and interconnected age. The increased use of electronic health records and digital record-sharing systems, for example, may require employers to take additional precautions in the future. The modernization of healthcare provision will necessitate the modernization of privacy policies.
What is the Personal Health Information Protection Act, 2004?
The Act sets out rules for the collection, use, and disclosure of personal health information by “health information custodians,” which encompasses seven broad categories of individuals or organizations. Healthcare practitioners, such as nurses and doctors, as well as hospitals, fall within the definition of a custodian or the agent of a custodian, and are subject to the Act.
The Act applies to all oral and written information about a patient, if the information:
- relates to the patient’s physical or mental health, including family health history;
- relates to the provision of health care, including the identification of persons providing care;
- is a plan of service for individuals requiring long-term care;
- relates to payment or eligibility for health care;
- relates to the donation of body parts or bodily substances or is derived from the testing or examination of such parts or substances;
- is the patient’s health number;
- identifies the patient’s substitute decision-maker; or
- is about the patient and is included in a record containing personal health information, other than the employee records that are used primarily for purposes other than providing health care.
Under the Act, custodians must implement and follow information practices that comply with the Act and its regulations. “Information practices” are policies that identify when, how, and for what purposes the custodian collects, uses, modifies, discloses, retains or disposes of personal health information, as well as all the safeguards that the custodian has in place.
Custodians who are healthcare practitioners must also take reasonable steps to ensure that any information they retain is as accurate, complete, and up-to-date as necessary for the purpose of providing health care. Furthermore, all records should be retained, transferred and disposed of in a secure manner.
Custodians require patient consent to disclose information, except for certain situations described in the Act. Where the disclosure is made to another custodian for the purpose of providing health care, the consent may be implied. However, if the purpose of disclosure is not to provide health care, the patient must provide express consent for disclosure. If the information is stolen, lost or accessed by unauthorized persons, the custodian must notify the patient at the first reasonable opportunity.
The Information and Privacy Commissioner of Ontario has highlighted a number of important general principles relating to the collection, use and disclosure of personal health information:
- A custodian may only collect, use or disclose personal health information if the individual consents or the collection, use or disclosure is permitted or required by the Act.
- A custodian must not collect, use or disclose personal health information if other information will serve the purpose.
- A custodian must not collect, use or disclose more personal health information than is necessary to meet the purpose.
- Express consent is required to collect, use or disclose personal health information for marketing purposes. There are specific rules surrounding the use of personal health information for fundraising purposes.
The Act provides a complaint mechanism for individuals who believe that another person has contravened or is about to contravene the Act. Upon receiving a complaint, the Information and Privacy Commissioner of Ontario may proceed in a number of ways, including conducting a review of the complaint and issuing binding orders to custodians. Any individual affected by the Commissioner’s order or by a contravention of the Act may sue in court for damages. Wilful or reckless conduct may be punished by an award of up to $10,000 for mental anguish. Furthermore, individual custodians who are convicted of offences under the Act may be fined up to $50,000, and organizational custodians may be fined up to $250,000.
What does the Act mean for employers in healthcare settings?
The Act provides that custodians may avoid actions for damages if they act in good faith and do what is reasonable under the circumstances to carry out their powers and duties under the Act.
The following are steps that employers may consider taking in order to fulfil their obligations under the Act and avoid any possible penalties:
- Establish clear policies regarding the appropriate and inappropriate collection, use, disclosure, and disposal of personal health information.
- Specify that a patient’s personal health information is only to be accessed by individuals in the patient’s “circle of care” – that is, practitioners who are directly involved in the provision of healthcare or treatment to the patient.
- Provide training to all employees regarding the policies, including any possible discipline for non-compliance.
- Conduct periodic audits to determine whether patient files are being accessed inappropriately, and ensure that all employees are aware that such audits will occur.
- Establish a mechanism through which employees may report any inappropriate access by colleagues and supervisors. Establish a system for soliciting and recording patient consent to disclose information.
- Ensure consistent enforcement of the personal health information policies.
There have been a number of cases, in Ontario and elsewhere, in which employees in healthcare settings have been found to have inappropriately accessed and/or disclosed confidential patient information. Even before the passage of the Act, Ontario arbitrators held that nurses (and by extension, other healthcare professionals) who transmit a patient’s personal health information to a third party are guilty of misconduct or a breach of duty warranting discipline by the employer. Similarly, an arbitrator has recently stated that the Act is a “game-changer”, in terms of evaluating the breach of a patient’s privacy, and that the inappropriate access or disclosure of personal health information constitutes serious misconduct warranting significant disciplinary sanction.
When an employer is faced with a breach of patient confidentiality, it will be necessary to assess the totality of the circumstances before proceeding with discipline, including termination. Employers seeking further advice on the best course of action may wish to contact our firm for legal counsel.
Many thanks to Jennifer Bernardo for her assistance in drafting this article.