This bulletin follows our previous bulletin, FIPPA and Ontario Hospitals: Implementing Change, in which we discussed the operational and cultural changes that are required if hospitals are to fulfill their obligations under the Freedom of Information and Protection of Privacy Act ("FIPPA" or the "Act"). This second bulletin is intended to provide a general overview of how hospitals can structure a central office that will be responsible for FIPPA compliance.
Establishing a compliance office will be a significant task in implementing and operationalizing FIPPA's requirements. While a central office is not a requirement under FIPPA, designating a coordinating body is a practical necessity. The OHA Primer: A Practical Guide for Hospitals Preparing for FIPPA Implementation, published in April 2011, sets out numerous action items and priorities for hospitals to complete prior to January 1, 2012, one of which is establishing a FIPPA compliance office. Accordingly, many hospitals may have already begun planning for their FIPPA compliance office.
Core Resources / Attributes of a FIPPA Compliance Office
In order to determine the most effective approach to structuring a FIPPA compliance office, it is important to note the core resources and attributes required. These core resources and attributes are, generally speaking:
- personnel with expertise in FIPPA and who understand the purposes of the Act;
- direct access to authority (e.g., the head and other delegated decision-makers); and
- secure premises and equipment (e.g., dedicated computers, scanners and fax machines; locked filing cabinets; password protected computers).
Structuring the FIPPA Compliance Office
Although these core resources and attributes are clearly required in order to effectively comply with the Act, there are a variety of approaches to creating or designating a FIPPA compliance office. How a particular hospital will structure this office will depend on various factors, including:
- the hospital's approach to governance and existing organizational structure (i.e., how FIPPA functions will fit within that existing structure);
- whether an existing office has the capacity (or can be allocated resources to extend its capacity) to encompass FIPPA compliance activities – for example, the office tasked with coordinating compliance with the Personal Health Information Protection Act ("PHIPA") or the records management department could be candidates to take on freedom of information and/or privacy compliance under FIPPA; and
the potential benefits of participating with another hospital and sharing a common FIPPA compliance office. In order to determine whether this model would be beneficial to the hospital, the hospital should consider (among other factors):
- the scope of the hospital's services – a hospital with a broad scope of services (e.g., a long-term care home, a research institute, multiple sites) would likely align with an in-house office rather than a shared office, as a hospital's own personnel would be better positioned to navigate any records management complexities; and
- other complexities in the hospital's record-keeping systems – the more complex a hospital's record-keeping system, the more likely it will be that the hospital's own personnel should be involved.
Also, it is important to keep in mind that FIPPA has two parts: a freedom of information part (which gives the public a right to access records in the custody or control of the hospital) and a protection of privacy part (which generally protects the privacy of individuals). Depending on the circumstances at a particular hospital, it may make sense to assign the obligations stemming from these two parts to two different offices, or to assign all FIPPA-related obligations to the same office.
Once these and other factors are taken into account, a hospital will likely take one of the following approaches to coordinating FIPPA compliance:
Single Office: This approach involves making a single office responsible for FIPPA compliance (i.e., both freedom of information and protection of privacy). This will involve either creating that office anew or designating an existing office as also responsible for FIPPA compliance. This approach has the advantage of centralizing knowledge, responsibility and accountability, and minimizing the resources needed if multiple offices were involved.
Two Offices: This approach involves making two offices responsible for FIPPA compliance (i.e., one for freedom of information compliance, the other for privacy compliance). Likely, this will involve designating the office responsible for health privacy / PHIPA compliance as also responsible for privacy compliance under FIPPA, with a new or existing office responsible for freedom of information compliance. This approach has the advantage of leveraging existing resources and knowledge to assist with FIPPA compliance. Even so, dividing knowledge and accountability under FIPPA has potential disadvantages, which would require that the hospital take steps to ensure that the two offices were engaged in regular communication.
Shared Office: This approach involves entering into an arrangement with one or more other hospitals to create a shared office that is responsible for FIPPA compliance. This approach could assign the shared office responsibility for full compliance with FIPPA (i.e. both freedom of information and privacy protection), or for only freedom of information compliance (with privacy compliance assigned to an office within each participating hospital). A shared office has the advantage of minimizing costs to participating hospitals, and leveraging their resources and/or expertise. However, a shared office may also have some disadvantages. The FIPPA compliance office would likely be located at one site, without a physical presence at all participating hospitals – this may require additional efforts to ensure that the necessary level of cultural change occurs at all participating hospitals. Another challenge that may arise in using a shared office is ensuring that the FIPPA compliance office understands the operations and structure of all participating hospitals, and is in regular communication with on-site FIPPA personnel at each participating hospital. It is therefore important that the participating hospitals address these issues in a written agreement, as well as the issues of governance and oversight, financial contributions and expectations regarding personnel and equipment.
Hospitals can find further direction on these matters, as well as FIPPA implementation more generally, in the forthcoming Ontario Hospital Association Hospital Freedom of Information Toolkit: A Guide to Implementing the Freedom of Information and Protection of Privacy, of which Fasken Martineau was the lead author.
Determining how to structure the office responsible for FIPPA compliance is one of several early-to-mid stage steps in preparing to implement FIPPA's requirements at the hospital. Assembling the personnel and resources for the FIPPA compliance office will take some time. It is therefore important that hospitals commence their implementation activities early to avoid the risk of non-compliance with the Act.
This bulletin is part of a series of bulletins on the topic of FIPPA implementation. The next bulletin will address the issue of delegation by the head of his or her powers and duties under the Act – a step which is necessary if the FIPPA compliance office (and its staff) are to be able to exercise those powers and duties after January 1, 2012.