The Ontario government recently introduced a bill that, if passed, would become law and amend our health privacy laws to account for the evolution from paper to electronic health records.
Our health care system currently involves a mix of both paper and electronic records, with some organizations using a hybrid approach.
The primary health privacy statute, the Personal Health Information Protection Act (“PHIPA”), was written about a decade ago and no longer reflects the practical realities of 21st-century health care.
The proposed legislation – the Electronic Personal Health Information Protection Act, 2013 (“EPHIPA”) – would amend three existing statutes, including PHIPA, to modernize the law and account for the existence of the electronic health record.
What will be different under the new legislation?
Your personal health information is held by a variety of people and organizations – your family doctor, your local hospital, your dentist, etc. These people and organizations are called “health information custodians” and they must meet high legal standards when it comes to the privacy of your health information.
The proposed amendments introduce the concept of “prescribed organizations”. Yet to be named or described, these organizations will have certain powers to deal with health information even though they are not health information custodians. For example, they would be entitled to collect and use health cards and health numbers for purposes related to the electronic health record. Based on the role they will play, it appears these “prescribed organizations” may include third-party IT service providers.
The proposed law imposes numerous requirements on the “prescribed organizations”, much like the law that currently applies to health information custodians, such as limiting the information collected/received to only what is reasonably necessary, informing the public about how they keep the information safe, keeping records of whenever an electronic health record is viewed, and performing various audits and assessments.
How does the proposed law affect who will have access to my health information?
Currently, when individuals wish to block some of their personal health information from health professionals who would otherwise be entitled to access their file, they can make a request that the information be hidden from view. To use the language of PHIPA, a person could refuse to consent to the use, collection or disclosure of personal health information. This could happen if a patient wishes to conceal sensitive information, such as a history of mental illness.
Practically speaking, this could involve a health care provider physically removing a page from a paper file or using electronic means to block access to an electronic health record. This concept is referred to as a “lock-box”, although that term is not used in PHIPA.
EPHIPA introduces “consent directives”, which appear to formalize the lock-box concept as it applies in the electronic context. The law would allow persons to withhold their consent to the collection, use or disclosure of their personal health information in the electronic health record. In order to share the information with other professionals, patient consent would be required.
The consent directive would be provided to a “prescribed organization”, which would then implement the directive. The patient would have to provide enough detail in the directive for it to be implemented, although the “prescribed organization” would be obligated to help the patient reformulate the directive if it was not sufficiently clear.
The directive would not have to be followed – and information could be disclosed – if there were a significant risk of serious bodily harm to the patient or someone else, and consent could not be obtained in a timely manner. If this occurred, the “prescribed organization” would subsequently notify the health information custodian, which would in turn notify the individual.
Despite the directive, the concealed health information may be used to provide an alert to health information custodians about potentially harmful medication interactions (provided the alerts do not reveal the information subject to the directive). This would help minimize the risk to an individual’s health as a result of the directive.
EPHIPA allows the Minister of Health and Long-Term Care to collect personal health information from the electronic health record for the purposes of funding, planning or delivering health services that the Government of Ontario funds in whole or in part, directly or indirectly, or allocating resources to any of them; or detecting, monitoring or preventing fraud or inappropriate receipt of a payment, service or good.
Is my information more or less secure in an electronic format?
There are security risks presented by both paper and electronic health records. For example, in the event of a natural disaster or a fire, paper records could be destroyed where electronic records would survive. However, electronic records could be exposed to technological risks such as viruses and hackers.
PHIPA already has mechanisms for managing a breach of privacy and numerous practices to protect personal health information that would apply to electronic health records as well. EPHIPA requires “prescribed organizations” to:
- protect the integrity, security and confidentiality of the personal health information in the electronic health record; and
- perform assessments with respect to threats, vulnerabilities and risks to the security and integrity of the personal health information in the electronic health record.
EPHIPA also doubles the fines to $500,000 for organizations, which could create greater incentive to comply.
PHIPA has applied in Ontario since 2004. The proposed EPHIPA would revise PHIPA to specifically address the technological realities of electronic health records.
The first reading of EPHIPA took place on May 29, 2013, and it is but one of many steps before a bill becomes law (if it does at all). We will monitor its status closely and share updates via our blog and Twitter as we receive more information.
Update: Second reading of Bill 78 began on October 10, 2013.
Disclaimer: EPHIPA contains a large amount of information. This blog provides a summary of some of the proposed amendments and is written for an audience without legal training. There are nuances in the law that are not discussed in this blog. As of May 30, 2013, EPHIPA is a bill before the Ontario government; it may or may not become law, or may be amended before becoming law. This blog post does not constitute legal advice.