At the start of June 2016, a number of significant amendments to the Personal Health Information Protection Act, 2004 ("PHIPA") were proclaimed in force. The most significant changes concern the duties of health information custodians to give notice of privacy breaches and the responsibilities of their agents. We note that the provisions related to electronic health records, as well as the new Quality of Care Information Protection Act, have not yet been proclaimed in force. The following highlights some of the key changes to PHIPA now in effect.
New Mandatory Notification Duties
Significant changes were made to the notification provisions in section 12, the section that sets out when patients must be notified of privacy breaches. These amendments have expanded the circumstances in which patient notification is required.
Prior to the amendments, notification was required where information was "stolen, lost, or accessed by unauthorized persons." Under the new section 12(2), notification is now also mandatory where personal health information is "used or disclosed without authority". Although "used without authority" is not defined in the Act, it will likely capture snooping and similar misuses of personal health information ("PHI") by persons who otherwise have legitimate access. In addition, the notice to the patient must now include a statement that "the individual is entitled to make a complaint to the Privacy Commissioner".
Health information custodians may also be required to notify the Privacy Commissioner of certain privacy breaches. The regulations setting out when and how the Privacy Commissioner must be notified have not yet been adopted. Taken together, however, these amendments are likely to lead to additional investigations and requests for information from the Privacy Commissioner.
Expanded Responsibilities for Agents
The amendments also impose additional responsibilities on health information custodians to monitor their agents' access to personal health information (agents include medical staff, nursing staff, clerks and other employees), and new restrictions on the ability of those agents to collect, use, and disclose personal health information.
For example, section 17(1.1) specifically provides that a health information custodian may impose restrictions on an agent's ability to access and use personal health information. Health information custodians will therefore have to consider whether to restrict the personal health information each agent can access, and whether their information systems are capable of enforcing such restrictions.
Further, under section 17(3), health information custodians are required to take reasonable steps to ensure that agents collect, use, and disclose personal health information in accordance with PHIPA. Although the "reasonable steps" required are not defined, the Privacy Commissioner will likely expect, at a minimum, random audits of agents' access to records as well as regular staff training on privacy.
Additional restrictions were also imposed on agents themselves. Section 17(2) was amended to specify that agents are only permitted to collect, use, and disclose personal health information if it is "necessary in the course of carrying out his or her duties as agent of the custodian."
Lastly, under section 17.1, health information custodians are now required to report an agent who has been subjected to disciplinary action for "the unauthorized collection, use, disclosure, retention or disposal of personal health information" to the agent's regulatory college within 30 days. The obligation to report is also engaged where the agent resigns and the custodian has reasonable grounds to believe the resignation is related to an investigation into misuse of personal health information. These changes appear to be aimed, at least in part, at discouraging snooping.
The overall effect of these amendments to PHIPA is twofold. First, health information custodians have a broader duty to notify patients of privacy breaches, including breaches arising from employees' unauthorized use of personal health information, which is likely to result in an increased number of investigations by the Privacy Commissioner. Second, custodians have an increased responsibility to monitor their employees' use of personal health information.
As a result of these amendments, hospitals and other health information custodians should review their policies and practices to ensure they comply with the new obligations. For advice on compliance, please contact the author.