On January 1, 2012, Ontario hospitals will become subject to the Freedom of Information and Protection of Privacy Act ("FIPPA" or the "Act").

Over recent months, most hospitals have taken steps to understand FIPPA and to prepare to implement its requirements.  It is important to note that implementing FIPPA's requirements will involve significant effort by hospital personnel.  Hospitals must utilize the time between now and January 1, 2012 to ensure that they can carry out their obligations under the Act.  Indeed, hospitals should assume that they will receive freedom of information requests on January 1, and should be prepared to handle those requests in accordance with FIPPA.

Operational and Cultural Change

The obligations conferred by FIPPA will require two types of changes to occur within hospitals: operational changes and cultural changes. The degree of operational and cultural changes will partially depend on the hospital's existing policies, procedures and values.

Cultural changes and operational changes are closely related – in fact, one cannot occur without the other.  To effectively implement new policies, procedures, etc., hospital personnel must see access to certain information as a right of the public (and not a privilege).  Similarly, in order to facilitate the shift in thinking (i.e. of seeing access to certain information as a right), the hospital will have to establish parameters for that change by way of new policies, procedures, etc. 

Initial Implementation Steps

If they have not already done so, hospitals will need to take the following initial implementation steps as soon as possible:

  1. Form an implementation team;
  2. Prepare an implementation plan; and
  3. Issue preliminary communications to internal stakeholders.

Each of these items is discussed below.

1. Form an Implementation Team

FIPPA provides little guidance on how its requirements should be implemented. Hospitals will need to determine how to effect operational as well as cultural change in the context of their unique circumstances.  This will require each hospital to form a team to develop and oversee a plan to achieve compliance by January 1, 2012.  The implementation team may be composed of internal or external personnel, but should, collectively, possess the following qualities:

Varied expertise – personnel from different departments, units, etc. should be involved in the team to represent relevant points of view (including senior management, along with records management, information technology and human resources personnel);

Credibility – the team should be regarded by hospital personnel as credible so that the implementation plan will be taken seriously by other hospital personnel;

Leadership – the team should include proven leaders who can drive change across the hospital; and

Vision – the team members must have a strong understanding of the rationale for freedom of information and an appreciation of why FIPPA will apply to hospitals (i.e. fairness, accountability, democratic participation, protection of personal privacy).

2. Prepare an Implementation Plan

Operational and cultural change will require a plan.  A FIPPA implementation plan may be general – in the sense that it establishes, at a high level, the broad tasks to be accomplished by the hospital for the remainder of 2011.  Alternatively, or in addition to a general implementation plan, the hospital may develop a more in-depth implementation plan that describes specific tasks and sets out dates for completion and the responsible hospital personnel. The implementation team should meet frequently to ensure that the hospital (and anyone who has been tasked with responsibilities under the implementation plan) is on track to fulfill its obligations under FIPPA beginning on January 1, 2012. 

An implementation plan must, at a minimum, address the following broad topics:

  • Conduct an inventory of records;
  • Establish one or more offices to coordinate FIPPA compliance;
  • Review, establish and/or amend policies and procedures related to FIPPA compliance (e.g., records management, privacy, security, FOI requests);
  • Adopt/finalize templates and tools to assist in FIPPA compliance; and
  • Educate and train key hospital personnel.

Hospitals can find implementation assistance in the forthcoming Ontario Hospital Association FIPPA Toolkit, of which Fasken Martineau was the lead author.

3. Issue Preliminary Communications to Internal Stakeholders

Communicating with stakeholders is an integral part of initiating cultural change.  Although communications with both internal and external stakeholders will be necessary, initial communications efforts should focus on internal stakeholders (e.g., personnel, board of directors).  These communications should achieve the following:

Establish a sense of urgency. This can be done by drawing attention to the broad range of obligations under the Act, the necessary implementation steps and the effective date of January 1, 2012.  By instilling this sense of urgency, internal stakeholders will be more apt to see their role in FIPPA implementation as a real priority. 

Demonstrate the support of hospital leadership. Senior management and the board of directors should participate in delivering FIPPA related communications both explicitly (by contributing to internal bulletins, notices and training/education seminars) and implicitly (leading by example and actively engaging in their role in FIPPA implementation).  The support of hospital leadership contributes to the sense of urgency and assists in driving change.

Use a variety of available communication tools.  The hospital should use its intranet, the Internet, internal and external hospital publications, etc. to inform stakeholders of the operational and cultural change that is/will be occurring at the hospital. 

What's Next?

Team-building, planning and initial internal communications are merely the early steps preparing to implement FIPPA's requirements.  Executing the implementation plan will take time and resources, and it is important that hospitals commence their implementation activities early to avoid the risk of non-compliance with the Act.