What is Privacy?
Privacy is a person’s claim to determine for him/herself when, how and to what extent information about him/her is communicated. Simply put, it is the right of an individual to determine who knows what about him/her, and what they do with the knowledge.
What is the Personal Health Information Protection Act?
The Personal Health Information Protection Act, 2004 (PHIPA) is Ontario’s new health-specific privacy legislation which applies to health information custodians such as hospitals. PHIPA governs the manner in which personal health information may be collected, used and disclosed within the health-care system. PHIPA also confirms a patient’s right to access his/her own personal health information.
What is Personal Health Information?
Personal Health Information is “identifying information” collected about an individual. It includes information about an individual’s health or health-care history in relation to:
- The individual’s physical or mental health, including family history;
- The provision of health care to the individual;
- Long-term care services;
- The individual’s health-care number;
- Blood or body-part donations;
- Payment or eligibility for health care; and
- The identity of a health-care provider or a substitute decision maker for the individual.
What is a health information custodian?
A health information custodian is a listed individual or organization under PHIPA that, as a result of their power or duties, has custody or control of personal health information.
Examples of health information custodians include:
- Health care practitioners (such as doctors, nurses, pharmacists, psychologists and dentists);
- Psychiatric facilities;
- Nursing homes and long-term care facilities;
- Retirement homes and homes for special care;
- Community Access Centres;
- Ambulance services;
- Minister (and the Ministry) of Health and Long-Term Care.
What is the “circle of care”?
The “circle of care” is not a defined term under PHIPA. It is a term of reference used to describe health information custodians and their authorized agents who are permitted to rely on an individual’s implied consent when collecting, using, disclosing or handling personal health information for the purpose of providing direct health care.
In a physician’s office, the circle of care includes:
- Specialists or other health-care providers referred by the physician;
- Health care professionals selected by the patient, such as a pharmacist or physiotherapist.
In a hospital, the circle of care includes:
- Attending physician
- Health-care team (i.e. residents, nurses, technicians, clinical clerks, and employees assigned to the patient) who have direct responsibilities of providing care to the individual.
PHIPA requires that hospitals obtain an individual’s consent to collect, use and disclose his/her personal health information. How will The Ottawa Hospital obtain such a consent?
In practice, the hospital is not required to obtain an individual’s written or verbal consent every time personal health information is collected, used or disclosed. PHIPA permits the hospital to assume implied consent where information is exchanged between custodians within the circle of care for the purpose of providing direct health care – unless a custodian is aware that an individual has expressly withheld or withdrawn his/her consent.
Consent may never be implied for an individual who specifies that his/her personal health information may not be collected, used or disclosed.
Implied consent is also permitted if a health information custodian, such as The Ottawa Hospital, collects, uses or discloses names or addresses for the purposes of fundraising.
What is the difference between express and implied consent?
Express consent to the collection, use or disclosure of personal health information by a health information custodian is explicit and direct. It may be given verbally, in writing or by electronic means.
Implied consent permits a health-care custodian to infer from the surrounding circumstances that an individual would reasonably agree to the collection, use or disclosure of his/her personal health information.
When is express consent required?
In certain circumstances, express consent will always be required:
- For disclosure of personal health information to an individual or organization that is not a health information custodian and is outside the circle of care. For example, a physician is not able to reasonably infer that an individual would consent to have his/her personal health information disclosed to a third party, such as an insurance provider, who is considered to be outside the circle of care. The physician would be required to obtain the express consent of the individual in order to disclose personal health information to the insurance provider.
- Express consent is required where information is disclosed by one custodian to another for a purpose other than providing or assisting in providing health care.
- Express consent is also required where a custodian:
  - Collects, uses or discloses personal health information other than an individual’s name and mailing address for fundraising purposes;
  - Collects personal information for marketing research and activities;
  - Collects, uses or discloses personal information for research purposes, unless certain conditions and restrictions are met.
What is a breach of Privacy?
Breach of privacy, confidentiality or security refers to the unauthorized access, collection, use, or disclosure of any personal information or personal health information.
Are individuals permitted to access their own personal health information?
With limited exceptions, PHIPA provides individuals with a general right to access their own personal health information held by a health information custodian.
How does an individual obtain access to his/her personal health information?
An individual may request access to his/her own personal health information by submitting a written request to the Health Records Department of the campus where they are receiving care.
Can the husband/wife of a patient access their spouse’s chart?
No, unless he/she has been designated Substitute Decision Maker and the hospital has evidence of that.
Can the hospital refuse to provide access to an individual’s personal health information?
The hospital is responsible for assisting individuals by providing access to their health records. However, it may refuse access in limited situations only, for example where:
- The information in question is subject to legal privilege;
- Its disclosure could reasonably be expected to result in a risk of serious bodily harm to a person;
- The information was collected as part of an investigation; or
- Another law prohibits the disclosure of that information.
PHIPA permits the hospital to remove some of the information to allow partial access to the individual.
Can an individual correct errors in his/her personal health information? How does an individual correct errors?
An individual who believes that his/her personal health information is incomplete or inaccurate may request that the hospital correct his/her record. An individual seeking a correction to his/her personal health information is required to submit a written request to the hospital, which must then respond within 30 days of receiving a correction request.
Can the hospital refuse to correct an individual’s personal health information?
The hospital is obligated to correct personal health information where an individual demonstrates, to the satisfaction of the hospital, that the record is in fact inaccurate or incomplete and the individual gives the custodian the necessary information to correct the record.
However, the hospital may refuse to correct personal health information that is a professional opinion or an observation of the health-care provider.
Is it a breach of privacy if physicians send Personal Health Information to OHIP for billing?
Is it required to obtain consent from the patient to send information to the Workplace Safety & Insurance Board (WS&IB) regarding their treatment?
No. Under PHIPA, there are disclosures that are allowed without consent, and this is one of those disclosures.
If I am referred to a specialist, can my health information be sent to the specialist and back to my family doctor without my consent?
Your health information can be sent to the specialist, who will, in turn, send a report to your referring doctor (i.e. family doctor). It is not necessary to obtain your consent. This is good clinical practice and appropriate for optimizing continuity of care.