Over much of the last decade, we have witnessed dramatic changes in how personal health information is treated in the province of Ontario. Changes in legislation have placed increased responsibility on owners and operators of retirement communities and long-term care homes. While long-term care facilities have been subject to the Personal Health Information Protection Act (“PHIPA”) for some time, PHIPA has only recently been amended to explicitly include operators of retirement homes under the Retirement Homes Act, 2010 as custodians of personal health information. This overview will help you understand the requirements of the privacy legislation, what your responsibilities and obligations are and how to ensure that your business remains compliant with today’s privacy standards.

WHAT IS THE PERSONAL HEALTH INFORMATION PROTECTION ACT?

Retirement communities and long-term care homes in Ontario must comply with legislative requirements for the collection, use, and disclosure of personal health information under the Personal Health Information Protection Act, 2004 (“PHIPA”). The Information and Privacy Commissioner of Ontario (the “Commissioner”) is responsible for ensuring compliance with PHIPA.

PHIPA provides the framework for protecting personal health information under the control or custody of “health care custodians” (“custodians”). Both retirement communities and long-term care homes are considered custodians under PHIPA, and are required to obtain consent for the collection, use and disclosure of an individual’s personal health information, with limited exceptions. In addition, PHIPA places obligations on custodians which generally relate to how personal health information is to be kept.

CONSENT

The main premise of PHIPA is consent. Without consent, a custodian may only collect, use or disclose a resident’s personal health information in limited circumstances, outlined below. If a resident has consented to the collection, use or disclosure of their personal health information, that consent may be withdrawn at any time after it is given.

In order for consent to be valid, the person providing it must be capable to do so. A resident is capable of consenting to the collection, use or disclosure of personal health information if the resident can understand the information relevant to the decision of whether to consent and has the ability to appreciate the reasonably foreseeable consequences of giving or not giving consent. Generally, it can be presumed that a resident is capable of consenting unless there is reason to believe otherwise. Where a resident is incapable of consenting, consent may be obtained from an individual authorized to consent on their behalf, such as a substitute decision-maker.

COLLECTION

A custodian should generally collect personal health information directly from the individual. Indirect collection is permitted only where:

  - the individual consents;
  - the information is necessary for the provision of health care and direct collection is not reasonably possible;
  - the Commissioner authorizes the indirect collection;
  - the custodian collects the information from someone permitted or required by law to disclose it to the custodian; or
  - the custodian is permitted by law to collect the information indirectly.

USE

A custodian should generally use an individual’s personal health information only with that individual’s consent. Exceptions to this rule can include use:

  - for the purpose for which the information was collected or created;
  - for planning or delivering programs or services that the custodian provides or funds;
  - for the purpose of obtaining payment for health care or related goods and services;
  - for the purposes of risk management, error management or improving the quality of care;
  - for educating agents of the custodian to provide health care;
  - for the purpose of research, subject to some conditions;
  - for the purpose of a legal proceeding; or
  - where permitted or required by law.

DISCLOSURE

The disclosure of an individual’s personal health information also requires their consent. However, PHIPA outlines some circumstances where disclosure without consent is permitted but not required. Examples of permissive disclosure include:

  - disclosure of the fact that a resident is at the facility, their general health status, and their location within the facility;
  - disclosure relating to a resident’s death in order to notify next of kin; or
  - disclosure where the custodian believes on reasonable grounds that it is necessary for the purpose of eliminating or reducing a significant risk of serious bodily harm to a person or group of persons.

There are also circumstances in which PHIPA requires disclosure. For example, PHIPA requires a custodian to disclose personal health information to the Ministry of Health and Long-Term Care (“MOH”) in order to monitor or verify claims for payment of any health care funded wholly or in part by MOH, as well as to monitor the allocation of resources to, or planning for, the health care system. This could include monitoring with respect to physician access and CCAC care, as well as any service provided by OHIP. Consent for disclosure in permissive or required circumstances may be sought but is not required.

BEST PRACTICES

In order to ensure that a retirement community or long-term care home is compliant with PHIPA, the custodian should:

  1. Appoint a privacy contact person. This role includes informing agents/employees of their duties, responding to public and individual inquiries about PHIPA practices, and receiving complaints from the public about alleged contraventions.
  2. Have appropriate policies and procedures in place. A custodian should ensure that they have a system in place to record and deal with privacy breaches, and must notify the affected individual at the first reasonable opportunity.
  3. Make available a public statement. A custodian should inform the public of the policies that the organization has in place to comply with PHIPA, and also of the complaints procedure to the Information and Privacy Office of Ontario.
  4. Respond to requests for access. An individual generally has a right to access their own record and to request corrections in certain circumstances. Requests for access should be in writing. The custodian normally has 30 days to respond to a request for access, but can be allowed more time if the request is onerous, or less time if the individual provides a convincing case for expedited access. A reasonable fee may be charged for access.
  5. Respond to requests to correct the record. After obtaining access, an individual may ask the custodian to correct the record. Any incorrect personal health information must then be struck out in a manner that does not destroy it entirely (e.g. a line can be drawn through the “struck out” portion so that the text remains legible). If this cannot be done, the incorrect information should be severed and stored separately in what is called a “lockbox”. A “lockbox” is created when an individual gives the custodian express instructions not to use or disclose their personal health information without consent in limited circumstances. Individuals may request that a custodian not use information for the purposes for which it was collected or created, not disclose information to another custodian, and/or not disclose information where disclosure is necessary for the provision of health care to the individual making the request, without that individual’s express consent.
  6. Make sure that records are accurate and handled securely. The custodian must take reasonable steps to ensure that records are kept up to date and complete, and must inform the individual requesting access of any limitations regarding the information provided. Custodians must also ensure that records are retained, transferred and disposed of in a secure manner.

While most communities are already practising in a manner that is mindful of privacy regarding personal health information, a review of your community’s privacy practices in light of the legislation is recommended. It is important that your community has the proper practices, procedures and technology in place to ensure compliance, and that your community knows how best to respond in the event of a breach. If you require assistance with interpreting or applying your obligations under this legislation, we would be pleased to help.