OHA BACKGROUNDER Bill 78, the Electronic Personal Health Information Protection Act, 2013


July 2013

On May 29, 2013 the Honourable Deb Matthews, Minister of Health and Long-Term Care (Minister), introduced Bill 78, the Electronic Personal Health Information Protection Act, 2013 (EPHIPA). EPHIPA proposes to amend three statutes, and create a new Part V.1, Electronic Health Records, under the Personal Health Information Protection Act (PHIPA). A summary of EPHIPA is set out below. A copy of the draft legislation is available here.

Enabling the Creation of the EHR

In addition to proposing a number of amendments to the existing provisions of PHIPA to ensure alignment with new requirements, EPHIPA proposes to create a new Part V.1 which is intended to provide a framework for electronic health records (EHRs) (described in detail below). This includes enabling a prescribed organization(s) to create and maintain the EHR, defining the EHR, and specifying parameters for the creation and maintenance of the EHR.

Creating or maintaining the EHR is broadly defined to include:
- Administering, creating, integrating, managing, maintaining or servicing the EHR;
- Conducting data quality assurance activities on the personal health information (PHI) provided by a health information custodian (HIC) to a prescribed organization; and
- Conducting analyses of the PHI in the EHR in order to provide alerts and reminders to HICs for the HICs' use in the provision of health care to individuals.

EHR is defined to mean the record of PHI created or maintained in electronic form by a prescribed organization, to enable HICs to use electronic means to disclose PHI to one another for the purpose of providing or assisting in the provision of health care to the individuals whose PHI is in the record.

EPHIPA proposes to amend section 34 of PHIPA to permit prescribed persons who are not HICs to collect and use health numbers for the purpose of creating or maintaining the EHR. In addition, regulations may specify data elements that HICs may collect, use and disclose for the purposes of uniquely identifying individuals in order to collect PHI. EPHIPA also provides the Minister with regulation-making authority specifying data elements that may not be made subject to a consent directive.

Our understanding is that these provisions eliminate the ability of a patient to opt out of the EHR in its entirety. While PHI could be subject to a consent directive, the patient would continue to exist in the EHR, identified by their health number and any other data elements prescribed by the Minister through regulation. By ensuring all patients are in the EHR, these provisions help enable unique patient identification for the purpose of health record reconciliation.

Prescribed Organizations

This will be an organization, or organizations, prescribed (by regulation) for the purposes of the new Part V.1. Prescribed organizations will be required to assume all responsibilities relating to the creation and maintenance of the EHR. While these organizations have not yet been identified, the legislation sets out parameters in which they can manage PHI as non-HICs. Existing regulations under PHIPA clarify that eHealth Ontario has the authority as a Health Information Network Provider (HINP) to create and maintain EHRs. This authority expires as of December 31, 2013, and our understanding is that eHealth Ontario will be named as the initial prescribed organization under this new legislative framework.

Access and Correction Requests

PHIPA (Part V) already provides individuals with a right to access records of PHI in the custody or control of a HIC and the ability to request a correction to a record if the individual believes the record is inaccurate or incomplete. PHIPA also outlines the responsibilities of HICs in responding to such requests for access and correction. EPHIPA proposes to extend these responsibilities to prescribed organizations for two groups of records:
- Records of PHI, available through the EHR created or maintained by prescribed organizations; and
- Consent directives, overrides, and records of instances where PHI in the EHR is viewed, handled or otherwise dealt with (all discussed in detail below).

It is unclear whether patient access requests related to the patient's record in its entirety will be handled by prescribed organizations. HICs will be expected to process access requests related to information in the EHR that they originally collected and provided to the prescribed organization. Our understanding is that, as currently drafted, HICs will be responsible for responding to all requests for correction to the EHR, although the level of this responsibility (i.e., only for information provided to the EHR) requires additional clarification.

Collection, Use and Disclosure of PHI in the EHR Context

Section 2 of PHIPA already provides direction as to what constitutes collection, use and disclosure with respect to PHI. EPHIPA proposes to offer clarification as to how these terms should be interpreted in the EHR context.

Collecting PHI

A HIC collects PHI on the initial instance it views, handles or otherwise deals with PHI in the EHR (other than PHI it provided to a prescribed organization for the creation of the EHR). Additional views or handling of the PHI will not be considered collection unless additional information is viewed, handled or otherwise dealt with by the HIC.

A HIC shall not collect PHI from the EHR except to provide/assist in providing health care to an individual, or to eliminate or reduce a significant risk of serious bodily harm to a person/group of persons. PHI collected to eliminate or reduce a significant risk of serious bodily harm may only be used for the purpose for which it was collected. Where the PHI is subject to a consent directive (described below), this collection is only permitted from the EHR if a consent override exists to disclose the information.

Disclosing PHI

Where a HIC provides PHI to a prescribed organization for the purposes of creating or maintaining the EHR, the HIC is not considered to have disclosed the PHI. Disclosure will occur when the PHI is viewed, handled or otherwise dealt with by someone other than that HIC or a prescribed organization.

It is important to note that EPHIPA explicitly provides that prescribed organizations will not be considered to be collecting information when they receive PHI from a HIC for the purposes of creating or maintaining the EHR. As such, notwithstanding consent directives (described below) to mask PHI from any or all HICs, prescribed organizations will be authorized to receive PHI and the HIC to provide it. For example, even PHI masked by a consent directive will go from a HIC to a prescribed organization (and subsequently into the EHR) as this is not disclosure as defined in PHIPA.

Use of PHI

Any second or subsequent views, handling or other dealings of PHI in the EHR will be considered use, as long as no new additional information is viewed, handled or otherwise dealt with. This applies to PHI provided by the HIC to a prescribed organization.

Transferring of PHI

If a HIC requests a prescribed organization to transfer PHI to the HIC, the HIC is required to take steps that are reasonable in the circumstances to ensure that the PHI in the HIC's custody or control is protected against theft, loss and unauthorized use or disclosure and to ensure that the records containing the information are protected against unauthorized copying, modification or disposal. The requirement to notify an individual (as set out in section 12 of PHIPA) if the information is stolen, lost, or accessed by unauthorized persons also applies.

Authority of the Patient to Withhold Information

Consent Directives

Patients already have the authority under PHIPA to withhold or withdraw their consent to the collection, use or disclosure of their PHI by HICs for the purposes of providing or assisting in providing health care, and may provide express instructions to HICs not to use or disclose their PHI for health care purposes without consent in the circumstances set out in sections 37(1)(a), 38(1)(a) and 50(1)(e) of PHIPA. These provisions have come to be referred to as the lock-box provisions, although lock-box is not a defined term in PHIPA.

EPHIPA proposes consent directives, formalized lock-box provisions in the context of the EHR. An individual may at any time (subject to any limitations prescribed in regulation), make a directive that withholds or withdraws, in whole or in part, the individual's consent to the collection, use and disclosure of their PHI for the purposes of providing or assisting in the provision of health care to the individual. A directive may be modified or withdrawn at any time.

EPHIPA sets out the process by which consent directives are made, modified or withdrawn. Individuals interested in making consent directives may submit them to prescribed organizations, which are responsible for offering assistance to the individual to ensure that the consent directive contains sufficient detail to enable implementation. If a HIC seeks to collect PHI that is subject to a consent directive, a prescribed organization shall notify the HIC that an individual has made a consent directive (provided that no PHI that is subject to the directive is provided).

While EPHIPA provides that an individual may make a consent directive by submitting the directive to a prescribed organization, additional clarity is required as to whether consent directives, as they apply to users of the EHR, can also be made by application to a HIC or whether the responsibility to manage consent directives rests exclusively with prescribed organizations.

Hospitals have been successful in implementing lock-box policies and procedures in a paper-based record system to ensure that where patients request portions of their health records to be segregated, it can be accomplished. The electronic environment continues to present a number of challenges as software often does not have lock-box functionality built in. In these cases, some hospitals with EHRs have had to resort to having a flag on the EHR and keeping any PHI subject to a lock-box in paper format. How these kinds of arrangements will interface with the proposed provincial EHR is somewhat unclear.

The extent to which HICs will be required to forward existing lock-box requests/consent directives to a prescribed organization, and the manner in which this will occur, particularly where those consent directives (and patient records) exist exclusively in paper format, requires clarification. While HICs will likely have responsibilities to invoke consent directives for PHI that the HIC itself has collected for its own use, the extent to which HICs will be required to do the same for PHI it supplies to the EHR is not fully understood.

Consent Overrides

Similar to PHIPA, which provides a number of instances in which the lock-box can be broken, EPHIPA sets out the following parameters for overriding an individual's consent directive.

A HIC may disclose PHI (that is subject to a consent directive) to another HIC if the other HIC:
1) Obtains the express consent of the individual to whom the information relates;
2) Believes on reasonable grounds, that the collection is necessary for the purposes of eliminating or reducing a significant risk of serious bodily harm to the individual to whom the information relates and it is not reasonable for the other HIC to obtain consent in a timely manner;
3) Believes on reasonable grounds, that the collection is necessary for the purposes of eliminating or reducing a significant risk of serious bodily harm to a person other than the individual to whom the information relates or to a group of persons.

When this occurs, a prescribed organization would be required to immediately provide written notice (in accordance with the regulations) to the HIC who collected the information (the HIC who effected the consent override), and the HIC would be required (at the first reasonable opportunity) to notify the individual to whom the information relates. Given that this disclosure would occur through the EHR via a prescribed organization, the HIC who originally collected the information (and subsequently provided it to a prescribed organization for the purposes of creating or maintaining the EHR) may not be aware that another HIC has disclosed information subject to a consent directive.

Where the override is due to #3 above, the HIC shall not provide identifying information to the individual about the persons/group of persons at significant risk of serious bodily harm. Where PHI has been collected in accordance with #3 above, the HIC that collected the information (through the override) is required to give written notice to the Information and Privacy Commissioner (IPC). As is the case above, the HIC shall not provide identifying information to the IPC about the persons/group of persons at significant risk of serious bodily harm.

Medication Interaction Checks

As noted above, EPHIPA outlines the rules respecting an individual's right to mask their PHI through a consent directive. Despite this, the legislation also proposes to permit a prescribed organization to use PHI to provide alerts to HICs about potentially harmful medical interactions. Any resulting alerts provided to HICs cannot reveal PHI that is subject to the consent directive.

As noted above, the provision of PHI from a HIC to a prescribed organization is not deemed to be disclosure or collection under PHIPA, making medication reconciliation possible at the prescribed organization level despite the existence of a consent directive. This ensures that accurate medication information is available across the continuum of care and reduces the risk of adverse events for patients.

Functions and Responsibilities of Prescribed Organizations

EPHIPA proposes to impose numerous obligations on prescribed organizations with respect to the EHR. A number of these restrictions are similar to what is currently in place for HICs, such as limiting the PHI it receives to that which is reasonably necessary for the purpose of creating or maintaining the EHR. Additional obligations include:

1) Employee responsibility
Employees (or other persons acting on behalf of a prescribed organization) shall only be permitted to view, handle or otherwise deal with the PHI received for the purposes of creating or maintaining the EHR provided the employee agrees to comply with the restrictions that apply to a prescribed organization.

2) Information available to the public
Prescribed organizations are required to make available to the public and each HIC that provided PHI for the purpose of creating or maintaining the EHR, a plain language description of the EHR including:
- A description of the administrative, technical and physical safeguards in place to:

  o Protect against theft, loss and unauthorized collection, use and disclosure of PHI in the EHR;
  o Protect the EHR against unauthorized copying, modification or disposal;
  o Protect the integrity, security and confidentiality of the PHI in the EHR; and
- Any directives, guidelines, and policies of a prescribed organization that apply to the PHI in the EHR (provided they do not reveal a trade secret or confidential scientific, technical, commercial or labour relations information).

3) Electronic record of views/handling of EHR
Prescribed organizations are required to keep a record of instances where all or part of an EHR is viewed, handled or otherwise dealt with. The record must ensure that the individual to whom the information relates is identified, as is the type of information that is viewed or handled, all persons who have viewed/handled the information, and the date, time and location of the viewing/handling. Where a HIC has requested a transfer from a prescribed organization, the prescribed organization must also keep a record of the transfer (including all the parameters described above for viewing/handling records).

While the record-keeping requirements for prescribed organizations are set out in EPHIPA, the extent to which HICs will be required to do the same is not specified. Whether HICs will also be required to keep their own records of all instances where the EHR is viewed, handled, or otherwise dealt with requires additional clarity. Even with access-parameters/limits in place for access to PHI within the custody and control of a HIC, the extent to which HICs will be responsible for determining and managing levels of access by their employees within the broader EHR context will need to be explored.

4) Consent directives
A prescribed organization must keep a record of all instances where a consent directive is made, withdrawn or modified, including the individual who made, withdrew or modified the directive, the instructions, the HIC to whom the directive was made, withdrawn or modified, and the date.

5) Consent directive overrides
Where information that is subject to a consent directive is disclosed, a prescribed organization must keep a record of the HIC that disclosed the PHI, the HIC that collected the PHI, the individual to whom the information relates, the type of information that was disclosed, and the date, time and purpose of the disclosure.

6) Audit and monitoring
Audit and monitor the electronic records it is required to keep as per #3, #4, and #5 above.

7) Provide information to the IPC upon request
The IPC may request the records kept as per #3, #4 and #5 above and a prescribed organization must provide them.

8) Provide information to a HIC
HICs have requirements under PHIPA to audit and monitor their own compliance with PHIPA. A HIC may request the records kept by a prescribed organization in #3, #4, and #5 above to assist in satisfying this requirement.

9) Assessments for systems that retrieve, integrate or process PHI
For each system that retrieves, integrates or processes PHI in the EHR, prescribed organizations must perform assessments respecting the threats, vulnerabilities and risks to the security and integrity of the PHI, and how each system may affect the privacy of the individuals to whom the information relates.

10) Notification to HIC in the event of a breach
Where a HIC provides PHI for the creation and maintenance of the EHR, and the PHI is stolen, lost or accessed by unauthorized persons, a prescribed organization must notify the HIC at the earliest opportunity.

Additional clarity is required as to how, and by whom, patients will be notified in the event of a breach. The extent to which this notification will be required by the HIC that originally collected the information (and provided it to a prescribed organization), the HIC or other person/entity responsible for the breach, or a prescribed organization, requires additional consideration.

11) Third party compliance
Any third parties retained by a prescribed organization to assist in providing services for the purpose of creating or maintaining the EHR must agree to comply with the restrictions and conditions necessary to enable a prescribed organization to comply with the requirements under PHIPA.

12) Practices and policies
Prescribed organizations must have in place and comply with practices and procedures that protect the privacy of individuals whose PHI it receives and maintain confidentiality of the information. A prescribed organization's policies and procedures must be approved by the IPC every three years.

13) Notification to IPC
Notification is required if PHI is viewed, handled or otherwise dealt with, or made available or released by a prescribed organization, other than in accordance with PHIPA or its regulations.

14) Annual Report
A prescribed organization must submit an annual report at least once annually to the IPC, in the form and manner specified by the IPC. Information in the annual report will be based on or contain information that is kept as part of the consent override record requirement (see #5 above) respecting every instance in which PHI was disclosed since the time of the last annual report.

15) Practices and procedures to manage access and correction requests
A prescribed organization must have practices and procedures, approved by the Minister, for responding to or facilitating a response to an access and correction request under Part V.

16) Compliance with regulatory requirements
Compliance is required with all practices and procedures set out in the regulations when managing consent directives and any other requirements that may be set out in regulation.

Roles and Functions of the Ministry of Health and Long-Term Care

EPHIPA provides the Minister with the authority to issue directives to a prescribed organization with respect to the carrying out of its responsibilities and functions. Before making a directive, the Minister is required to send a draft to the IPC and the Advisory Committee (discussed below) for a 30-day consultation period, and consider any recommendations made in determining whether to amend the directives. The timeframe for consultation can be shortened if the Minister believes there are urgent circumstances involving a significant risk to privacy or the confidentiality of PHI.

Collection, Use and Disclosure of Information by the Ministry

1) General Principles

In addition to the collection, use and disclosure rules for HICs related to the EHR, EPHIPA also permits the Minister to collect PHI from the EHR for the purposes of:
- Funding, planning or delivery of health services (funded by or allocated to by the Government); and
- Detecting, monitoring or preventing fraud or inappropriate receipt of a payment, service or good (including any subsidy or benefit funded by the Government where the payment, service or good is health-related or prescribed in the regulations).

A prescribed organization may be required (through a direction) to provide the Minister with the information noted above. The direction may specify the form, manner and timeframe in which the information must be provided.
The authority for the Minister to collect, use and disclose PHI will only be permitted where the Lieutenant Governor in Council (LGIC) has set out in regulation the specific unit of the Ministry that will collect PHI on the Minister's behalf, and the unit has put in place policies and procedures (approved by the IPC every three years) to protect the privacy and maintain the confidentiality of the information.

Where information is collected by a Ministerial unit, a record must be created. The record must contain the minimal amount of PHI (which must be subsequently de-identified) necessary to de-identify the information and link it to other information in the custody or control of the Minister. That de-identified PHI can then be linked to other de-identified PHI in the custody and control of the Minister.

2) Audit

EPHIPA also proposes an auditing function for the Minister, in situations where there are reasonable grounds to believe there has been an inappropriate receipt of a health-related payment, service or good (including any subsidy or other benefit) funded by the Government. Auditing is permitted subject to the same parameters (i.e., LGIC approval of Ministry unit and review of policies and procedures every three years by the IPC).

PHI used in an audit may only be disclosed by the Minister in limited instances:
- Where the disclosure is required by law;
- For the purpose of a proceeding/contemplated proceeding where the Minister/agent is expected to be a party or witness (provided the information relates to or is a matter in issue in the proceeding); or
- To a law enforcement agency in Canada to aid in an investigation undertaken for an existing or anticipated law enforcement proceeding.

Provision of Information for Purposes other than Health Care (Secondary Use)

Despite the limitations for disclosure in PHIPA, EPHIPA proposes to extend the Minister's authority to direct a prescribed organization to disclose PHI in the EHR to a person if:
- The person has requested the information in accordance with the provisions in PHIPA related to the Chief Medical Officer of Health or Ontario Agency for Health Protection and Promotion (ss. 39(2)), registries (clause 39(1)(c)), research (s. 44), or the planning and management of the health system (s. 45);
- The PHI requested was provided by more than one HIC to a prescribed organization for the purpose of creating or maintaining the EHR;
- A prescribed organization submitted the request to the advisory committee (discussed below) for 30 days (subject to specific situations in which the Minister can shorten the timeframe) and considered the recommendations made by the advisory committee; and
- The Minister has determined that the disclosure would be in accordance with one of the above-mentioned sections under which a person has made a request.

The direction may specify the form, manner and timeframe in which the information must be provided, and the Minister shall not direct the disclosure of more PHI than is reasonably necessary.

Required Provision of Information

The Minister may make regulations requiring classes of HICs or specific HICs to provide PHI to a prescribed organization for the purposes of creating or maintaining the EHR and specifying what PHI they are required to provide. Additional clarity is needed as to the extent to which the HIC would be required to collect specific PHI to satisfy this requirement, and the form in which the information will be required (electronically and in compliance with the standards) to be provided.

Advisory Committee

EPHIPA proposes to establish an advisory committee whose role it would be to make recommendations to the Minister on matters related to EHRs, including:
- Practices and procedures a prescribed organization must have in place to protect the privacy of individuals (whose PHI is received for the purposes of creating and maintaining the EHR) and for responding to an access and correction request;
- Administrative, technical and physical safeguards a prescribed organization should have in place to protect the privacy of individuals;
- The role of a prescribed organization in assisting a HIC in fulfilling its notification requirements under section 12 (security breach) of PHIPA in the event that PHI in the EHR created or maintained by a prescribed organization is stolen, lost or accessed by unauthorized persons;
- The provision of notice to individuals whose PHI in the EHR is lost, stolen or accessed by unauthorized persons;
- Any other matter referred to the advisory committee by the Minister.

The Minister will be responsible for appointing members of the advisory committee in accordance with requirements prescribed by regulation, if any, and shall also determine the terms of reference and provide administrative support. The Ministry will have custody and control of the records of the advisory committee for the purposes of the Freedom of Information and Protection of Privacy Act.

Our understanding is that the advisory committee membership will include sector-based representation (e.g., hospitals). We expect that the requirements and qualifications for membership will be set out in regulation or in the committee terms of reference.

Fines

PHIPA currently prescribes fines of not more than $50,000 (for individuals) and $250,000 (for corporations) found guilty of an offence. EPHIPA proposes to double these fines.

Amendments to the Regulated Health Professions Act

EPHIPA also proposes to make a number of amendments to the Regulated Health Professions Act (RHPA). These amendments would provide the Minister with the authority to make regulations that would require health regulatory Colleges to collect prescribed information from their members that the Minister believes is necessary for creating or maintaining the EHR, specifically for the identification of clinicians within the EHR.

Where the College is required to collect information from its members, a prescribed organization would be required to post a notice (in accordance with the notice provisions of subsection 39(2) of the Freedom of Information and Protection of Privacy Act) on its website and the College would be required to cross-post within 20 days. The Colleges would then be required to provide this information to a prescribed organization in the form, manner and timeframe specified in the regulations. Regulations made under this section are also subject to the 60-day public consultation period (as set out in section 74 of PHIPA).

A prescribed organization can only collect, use and disclose for the purpose provided for in the regulation, shall not use or disclose more than is necessary, and shall not use or disclose the information collected if other information will serve the purpose.

Regulation-Making Authority for Additional Requirements and Exceptions Access and Correction

The proposed amendments expand the existing regulation-making authority to include regulations which prescribe exceptions and additional requirements to the new access and correction provisions. While any proposed regulations would need to conform to the public consultation process (i.e., 60 days' notice and the opportunity to provide comments as set out in s. 74 of PHIPA), a new level of review is being proposed. Prior to public consultation on any proposed regulation, the Minister would be required to submit a draft regulation to the IPC, consider the recommendations of the IPC, and make any changes the Minister considers appropriate.

Regulation-Making Authority of the Lieutenant Governor in Council

The authority of the LGIC to make regulations (currently set out in section 73 of PHIPA), is expanded to include:
- prescribing organization(s) for the purposes of the new Part V.1;
- additional functions and requirements of a prescribed organization(s);
- respecting consent directives (including the level of specificity in which PHI may be subject to a directive);
- notice requirements of consent overrides;
- prescribing Ministry units permitted to collect, use and disclose PHI; and
- respecting the provision of services related to the EHR by a prescribed organization.

Every regulation related to the specificity at which PHI may be made subject to a consent directive, including whose collection, use and disclosure of the information may be restricted, must be reviewed by the Minister at least once every three years. All regulations made by the LGIC are subject to the 60-day public consultation period (as set out in section 74 of PHIPA).

For more information or to provide comments, please contact Jeff Bagg at jbagg@oha.com or


More information

How to Avoid Abandoned Records: Guidelines on the Treatment of Personal Health Information, in the Event of a Change in Practice

How to Avoid Abandoned Records: Guidelines on the Treatment of Personal Health Information, in the Event of a Change in Practice Information and Privacy Commissioner / Ontario How to Avoid Abandoned Records: Guidelines on the Treatment of Personal Health Information, in the Event of a Change in Practice Ann Cavoukian, Ph.D. Commissioner

More information

SCHEDULE "C" to the MEMORANDUM OF UNDERSTANDING BETWEEN ALBERTA HEALTH SERVICES AND THE ALBERTA MEDICAL ASSOCIATION (CMA ALBERTA DIVISION)

SCHEDULE C to the MEMORANDUM OF UNDERSTANDING BETWEEN ALBERTA HEALTH SERVICES AND THE ALBERTA MEDICAL ASSOCIATION (CMA ALBERTA DIVISION) SCHEDULE "C" to the MEMORANDUM OF UNDERSTANDING BETWEEN ALBERTA HEALTH SERVICES AND THE ALBERTA MEDICAL ASSOCIATION (CMA ALBERTA DIVISION) ELECTRONIC MEDICAL RECORD INFORMATION EXCHANGE PROTOCOL (AHS AND

More information

Ann Cavoukian, Ph.D.

Ann Cavoukian, Ph.D. School Psychologists: What You Should Know about the Personal Health Information Protection Act Ann Cavoukian, Ph.D. Information and Privacy Commissioner Ontario Psychological Services Northeast Toronto

More information

A Guide to Ontario Legislation Covering the Release of Students

A Guide to Ontario Legislation Covering the Release of Students A Guide to Ontario Legislation Covering the Release of Students Personal Information Revised: June 2011 Ann Cavoukian, Ph.D. Information and Privacy Commissioner, Ontario, Canada Commissioner, Ontario,

More information

Responsibilities of Custodians and Health Information Act Administration Checklist

Responsibilities of Custodians and Health Information Act Administration Checklist Responsibilities of Custodians and Administration Checklist APPENDIX 3 Responsibilities of Custodians in Administering the Each custodian under the Act must establish internal processes and procedures

More information

Privacy Breach Protocol

Privacy Breach Protocol & Privacy Breach Protocol Guidelines for Government Organizations www.ipc.on.ca Table of Contents What is a privacy breach? 1 Guidelines on what government organizations should do 2 What happens when the

More information

How To Ensure Health Information Is Protected

How To Ensure Health Information Is Protected pic pic CIHI Submission: 2011 Prescribed Entity Review October 2011 Who We Are Established in 1994, CIHI is an independent, not-for-profit corporation that provides essential information on Canada s health

More information

THE PERSONAL INFORMATION PROTECTION AND ELECTRONIC DOCUMENTS ACT (PIPEDA) PERSONAL INFORMATION POLICY & PROCEDURE HANDBOOK

THE PERSONAL INFORMATION PROTECTION AND ELECTRONIC DOCUMENTS ACT (PIPEDA) PERSONAL INFORMATION POLICY & PROCEDURE HANDBOOK THE PERSONAL INFORMATION PROTECTION AND ELECTRONIC DOCUMENTS ACT (PIPEDA) PERSONAL INFORMATION POLICY & PROCEDURE HANDBOOK REVISED August 2004 PERSONAL INFORMATION POLICY & PROCEDURE HANDBOOK Introduction

More information

Health Care Provider Guide

Health Care Provider Guide Health Care Provider Guide Diagnostic Imaging Common Service Project, Release 1 Version: 1.4 Copyright Notice Copyright 2014, ehealth Ontario All rights reserved No part of this document may be reproduced

More information

Privacy and Security Resource Materials for Saskatchewan EMR Physicians: Guidelines, Samples and Templates. Reference Manual

Privacy and Security Resource Materials for Saskatchewan EMR Physicians: Guidelines, Samples and Templates. Reference Manual Privacy and Security Resource Materials for Saskatchewan EMR Physicians: Guidelines, Samples and Templates Guidelines on Requirements and Good Practices For Protecting Personal Health Information Disclaimer

More information

The Health Information Protection Act

The Health Information Protection Act 1 The Health Information Protection Act being Chapter H-0.021* of the Statutes of Saskatchewan, 1999 (effective September 1, 2003, except for subsections 17(1), 18(2) and (4) and section 69) as amended

More information

Mohawk DI-r: Privacy Breach Management Procedure Version 2.0. April 2011

Mohawk DI-r: Privacy Breach Management Procedure Version 2.0. April 2011 Mohawk DI-r: Privacy Breach Management Procedure Version 2.0 April 2011 Table of Contents 1 Purpose... 3 2 Terminology... 5 3 Identifying a Privacy Breach... 5 4 Monitoring for Privacy Breaches... 6 5

More information

Access and Privacy Manual

Access and Privacy Manual Access and Privacy Manual 2 nd Edition: March, 2006 Table of Contents 1. Introduction 1.1 Overview 1.2 Purposes of the Act 1.3 Definitions and abbreviations 2. Right of Access and Exemptions 2.1 General

More information

COLLECTION, MANAGEMENT, SECURITY OF AND ACCESS TO INFORMATION RECORDS

COLLECTION, MANAGEMENT, SECURITY OF AND ACCESS TO INFORMATION RECORDS #4.00 PREAMBLE: The management of information required by due process, legislation or regulation is an important consideration for administrators and staff of the Burnaby School District. On November 3,

More information

PHIA GENERAL INFORMATION

PHIA GENERAL INFORMATION To: From: Researchers Legal Services and Research Services Date: May 21, 2013 Subject: Research and the New Personal Health Information Act On June 1, 2013, the Personal Health Information Act ( PHIA )

More information

PRIVACY BREACH POLICY

PRIVACY BREACH POLICY Approved By Last Reviewed Responsible Role Responsible Department Executive Management Team March 20, 2014 (next review to be done within two years) Chief Privacy Officer Quality & Customer Service SECTION

More information

What to do When Faced With a Privacy Breach: Guidelines for the Health Sector ANN CAVOUKIAN, PH.D. COMMISSIONER

What to do When Faced With a Privacy Breach: Guidelines for the Health Sector ANN CAVOUKIAN, PH.D. COMMISSIONER What to do When Faced With a Privacy Breach: Guidelines for the Health Sector ANN CAVOUKIAN, PH.D. COMMISSIONER INFORMATION AND PRIVACY COMMISSIONER/ONTARIO Table of Contents What is a privacy breach?...1

More information

Best Practices for Protecting Individual Privacy in Conducting Survey Research (Full Version)

Best Practices for Protecting Individual Privacy in Conducting Survey Research (Full Version) Best Practices for Protecting Individual Privacy in Conducting Survey Research (Full Version) April 1999 Information and Privacy Commissioner/Ontario 80 Bloor Street West Suite 1700 Toronto, Ontario M5S

More information

Credit Union Board of Directors Introduction, Resolution and Code for the Protection of Personal Information

Credit Union Board of Directors Introduction, Resolution and Code for the Protection of Personal Information Credit Union Board of Directors Introduction, Resolution and Code for the Protection of Personal Information INTRODUCTION Privacy legislation establishes legal privacy rights for individuals and sets enforceable

More information

Table of Contents. Acknowledgement

Table of Contents. Acknowledgement OPA Communications and Member Services Committee February 2015 Table of Contents Preamble... 3 General Information... 3 Risks of Using Email... 4 Use of Smartphones and Other Mobile Devices... 5 Guidelines...

More information

Guide for Developing Personal Information Sharing Agreements. Revised October 2003 (updated to reflect A.R. 186/2008)

Guide for Developing Personal Information Sharing Agreements. Revised October 2003 (updated to reflect A.R. 186/2008) Guide for Developing Personal Information Sharing Agreements Revised October 2003 (updated to reflect A.R. 186/2008) ISBN 0-7785-3104-X Produced by: Access and Privacy Service Alberta 3rd Floor, 10155

More information

Questions and answers for custodians about the Personal Health Information Privacy and Access Act (PHIPAA)

Questions and answers for custodians about the Personal Health Information Privacy and Access Act (PHIPAA) Questions and answers for custodians about the Personal Health Information Privacy and Access Act (PHIPAA) This document provides answers to some frequently asked questions about the The Personal Health

More information

Privacy Policy on the Responsibilities of Third Party Service Providers

Privacy Policy on the Responsibilities of Third Party Service Providers Privacy Policy on the Responsibilities of Third Party Service Providers Privacy Office Document ID: 2489 Version: 3.1 Owner: Chief Privacy Officer Sensitivity Level: Low Copyright Notice Copyright 2014,

More information

Common Privacy Framework CCIM Assessment Projects

Common Privacy Framework CCIM Assessment Projects Common Privacy Framework CCIM Assessment Projects Acknowledgements This material, information and the idea contained herein are proprietary to Community Care Information Management (CCIM) and may not be

More information

Conducting Surveys: A Guide to Privacy Protection. Revised January 2007 (updated to reflect A.R. 186/2008)

Conducting Surveys: A Guide to Privacy Protection. Revised January 2007 (updated to reflect A.R. 186/2008) Conducting Surveys: A Guide to Privacy Protection Revised January 2007 (updated to reflect A.R. 186/2008) ISBN 978-0-7785-6101-9 Produced by: Access and Privacy Service Alberta 3rd Floor, 10155 102 Street

More information

TEACHERS ACT [SBC 2011] Chapter 19. Contents PART 1 - DEFINITIONS

TEACHERS ACT [SBC 2011] Chapter 19. Contents PART 1 - DEFINITIONS [SBC 2011] Chapter 19 Contents 1 Definitions PART 1 - DEFINITIONS PART 2 COMMISSIONER AND DIRECTOR OF CERTIFICATION 2 Appointment of commissioner 3 Commissioner s power to delegate 4 Recommendations about

More information

Personal Information Protection and Electronic Documents Act

Personal Information Protection and Electronic Documents Act PIPEDA Self-Assessment Tool Personal Information Protection and Electronic Documents Act table of contents Why this tool is needed... 3 How to use this tool... 4 PART 1: Compliance Assessment Guide Principle

More information

Record Keeping. Guide to the Standard for Professional Practice. 2013 College of Physiotherapists of Ontario

Record Keeping. Guide to the Standard for Professional Practice. 2013 College of Physiotherapists of Ontario Record Keeping Guide to the Standard for Professional Practice 2013 College of Physiotherapists of Ontario March 7, 2013 Record Keeping Records tell a patient s story. The record should document for the

More information

STANDARDS OF PRACTICE (2013)

STANDARDS OF PRACTICE (2013) STANDARDS OF PRACTICE (2013) COLLEGE OF ALBERTA PSYCHOLOGISTS STANDARDS OF PRACTICE (2013) 1. INTRODUCTION The Health Professions Act (HPA) authorizes and requires the College of Alberta Psychologists

More information

PACIFIC EXPLORATION & PRODUCTION CORPORATION (the Corporation )

PACIFIC EXPLORATION & PRODUCTION CORPORATION (the Corporation ) PRIVACY POLICY (Initially adopted by the Board of Directors on November 16, 2007) PACIFIC EXPLORATION & PRODUCTION CORPORATION (the Corporation ) The Corporation is committed to controlling the collection,

More information

PERSONAL INFORMATION PROTECTION ACT

PERSONAL INFORMATION PROTECTION ACT Province of Alberta Statutes of Alberta, Current as of December 17, 2014 Office Consolidation Published by Alberta Queen s Printer Alberta Queen s Printer 7 th Floor, Park Plaza 10611-98 Avenue Edmonton,

More information

A Guide. Personal Health Information Protection Act. to the. December 2004. Ann Cavoukian, Ph.D Commissioner

A Guide. Personal Health Information Protection Act. to the. December 2004. Ann Cavoukian, Ph.D Commissioner A Guide to the Personal Health Information Protection Act December 2004 Information and Privacy Commissioner/Ontario Ann Cavoukian, Ph.D Commissioner Dr. Ann Cavoukian, the Information and Privacy Commissioner

More information

PUBLIC INTEREST DISCLOSURE (WHISTLEBLOWER PROTECTION) ACT

PUBLIC INTEREST DISCLOSURE (WHISTLEBLOWER PROTECTION) ACT Province of Alberta Statutes of Alberta, Current as of June 1, 2013 Office Consolidation Published by Alberta Queen s Printer Alberta Queen s Printer 7 th Floor, Park Plaza 10611-98 Avenue Edmonton, AB

More information

CHAPTER 2016-138. Committee Substitute for Committee Substitute for Committee Substitute for House Bill No. 1033

CHAPTER 2016-138. Committee Substitute for Committee Substitute for Committee Substitute for House Bill No. 1033 CHAPTER 2016-138 Committee Substitute for Committee Substitute for Committee Substitute for House Bill No. 1033 An act relating to information technology security; amending s. 20.61, F.S.; revising the

More information

Information Security Policy. Document ID: 3809 Version: 1.0 Owner: Chief Security Officer, Security Services

Information Security Policy. Document ID: 3809 Version: 1.0 Owner: Chief Security Officer, Security Services Information Security Policy Document ID: 3809 Version: 1.0 Owner: Chief Security Officer, Security Services Contents 1 Purpose / Objective... 1 1.1 Information Security... 1 1.2 Purpose... 1 1.3 Objectives...

More information

ADMINISTRATIVE MANUAL Policy and Procedure

ADMINISTRATIVE MANUAL Policy and Procedure ADMINISTRATIVE MANUAL Policy and Procedure TITLE: Privacy NUMBER: CH 100-100 Date Issued: April 2010 Page 1 of 7 Applies To: Holders of CDHA Administrative Manual POLICY 1. In managing personal information,

More information

VICTIMS OF CRIME ACT

VICTIMS OF CRIME ACT Province of Alberta VICTIMS OF CRIME ACT Revised Statutes of Alberta 2000 Current as of November 1, 2013 Office Consolidation Published by Alberta Queen s Printer Alberta Queen s Printer 7 th Floor, Park

More information

Ownership, Storage, Security and Destruction of Records of Personal Health Information STANDARD OF PRACTICE S-022 INTENT DESCRIPTION OF STANDARD

Ownership, Storage, Security and Destruction of Records of Personal Health Information STANDARD OF PRACTICE S-022 INTENT DESCRIPTION OF STANDARD Quality Assurance Committee Approved by Council: February 11, 2014 Amended: September 20, 2014 *(formerly Guideline G-017) Note to readers: In the event of any inconsistency between this document and the

More information

The Credit Reporting Act

The Credit Reporting Act 1 CREDIT REPORTING c. C-43.2 The Credit Reporting Act being Chapter C-43.2 of The Statutes of Saskatchewan, 2004 (effective March 1, 2005). NOTE: This consolidation is not official. Amendments have been

More information

Ontario Laboratories Information System Electronic Medical Records Initiative. Privacy Impact Assessment Summary

Ontario Laboratories Information System Electronic Medical Records Initiative. Privacy Impact Assessment Summary Ontario Laboratories Information System Electronic Medical Records Initiative Privacy Impact Assessment Summary Copyright Notice Copyright 2011, ehealth Ontario All rights reserved Trademarks No part of

More information

3. Consent for the Collection, Use or Disclosure of Personal Information

3. Consent for the Collection, Use or Disclosure of Personal Information PRIVACY POLICY FOR RENNIE MARKETING SYSTEMS Our privacy policy includes provisions of the Personal Information Protection Act (BC) and the Personal Information Protection and Electronic Documents Act (Canada),

More information

TORONTO CENTRAL LHIN COMMUNITY BUSINESS INTELLIGENCE PROJECT PRIVACY INCIDENT AND BREACH MANAGEMENT POLICY Policy No. 2

TORONTO CENTRAL LHIN COMMUNITY BUSINESS INTELLIGENCE PROJECT PRIVACY INCIDENT AND BREACH MANAGEMENT POLICY Policy No. 2 TORONTO CENTRAL LHIN COMMUNITY BUSINESS INTELLIGENCE PROJECT PRIVACY INCIDENT AND BREACH MANAGEMENT POLICY Policy No. 2 1.0 Purpose/Background The purpose of this policy is to establish the protocol to

More information

SUBJECT: VOYAGEUR TRANSPORTATION CORPORATE POLICIES/PROCEDURES TITLE: PRIVACY OF PERSONAL HEALTH INFORMATION

SUBJECT: VOYAGEUR TRANSPORTATION CORPORATE POLICIES/PROCEDURES TITLE: PRIVACY OF PERSONAL HEALTH INFORMATION SUBJECT: VOYAGEUR PAGE 1 1.0 PURPOSE: 1.1 To establish and document a policy which defines Voyageur s commitment to the protection of an individual s personal health information in the course of providing

More information

PHIPA Potpourri. Judith Goldstein, Legal Counsel Information and Privacy Commissioner/Ontario. IPC Mediators April 21, 2015

PHIPA Potpourri. Judith Goldstein, Legal Counsel Information and Privacy Commissioner/Ontario. IPC Mediators April 21, 2015 PHIPA Potpourri Judith Goldstein, Legal Counsel Information and Privacy Commissioner/Ontario IPC Mediators April 21, 2015 Powers of the Commissioner The Powers the Commissioner has to conduct a review

More information

The Youth Drug Detoxification and Stabilization Act

The Youth Drug Detoxification and Stabilization Act YOUTH DRUG DETOXIFICATION 1 The Youth Drug Detoxification and Stabilization Act being Chapter Y-1.1* of The Statutes of Saskatchewan, 2005 (effective April 1, 2006) as amended by The Statutes of Saskatchewan,

More information

1990-91 CHAPTER A-14.2

1990-91 CHAPTER A-14.2 1 1990-91 CHAPTER A-14.2 An Act respecting Programs to Stabilize the Income of Agricultural Producers (Assented to June 18, 1991) HER MAJESTY, by and with the advice and consent of the Legislative Assembly

More information

HIPAA Business Associate Agreement

HIPAA Business Associate Agreement HIPAA Business Associate Agreement User of any Nemaris Inc. (Nemaris) products or services including but not limited to Surgimap Spine, Surgimap ISSG, Surgimap SRS, Surgimap Office, Surgimap Ortho, Surgimap

More information

Guide to INFORMATION SECURITY FOR THE HEALTH CARE SECTOR

Guide to INFORMATION SECURITY FOR THE HEALTH CARE SECTOR Guide to INFORMATION SECURITY FOR THE HEALTH CARE SECTOR Information and Resources for Small Medical Offices Introduction The Personal Health Information Protection Act, 2004 (PHIPA) is Ontario s health-specific

More information

Privacy Impact Assessment Guidelines for the Ontario Personal Health Information Protection Act. Ann Cavoukian, Ph.D. Commissioner October 2005

Privacy Impact Assessment Guidelines for the Ontario Personal Health Information Protection Act. Ann Cavoukian, Ph.D. Commissioner October 2005 Privacy Impact Assessment Guidelines for the Ontario Personal Health Information Protection Act Ann Cavoukian, Ph.D. Commissioner October 2005 Information and Privacy Commissioner/Ontario Privacy Impact

More information

HIPAA BUSINESS ASSOCIATE AGREEMENT

HIPAA BUSINESS ASSOCIATE AGREEMENT HIPAA BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement ( BAA ) is effective ( Effective Date ) by and between ( Covered Entity ) and Egnyte, Inc. ( Egnyte or Business Associate ). RECITALS

More information

National Association of Pharmacy Regulatory Authority s Privacy Policy for Pharmacists' Gateway Canada

National Association of Pharmacy Regulatory Authority s Privacy Policy for Pharmacists' Gateway Canada Introduction National Association of Pharmacy Regulatory Authority s Privacy Policy for Pharmacists' Gateway Canada This Privacy Policy describes the manner in which the National Association of Pharmacy

More information

The Archives and Public Records Management Act

The Archives and Public Records Management Act 1 ARCHIVES AND PUBLIC RECORDS MANAGEMENT c. A-26.11 The Archives and Public Records Management Act being Chapter A-26.11* of The Statutes of Saskatchewan, 2015 (effective August 24, 2015). *NOTE: Pursuant

More information

PROTECTION OF PERSONAL INFORMATION

PROTECTION OF PERSONAL INFORMATION PROTECTION OF PERSONAL INFORMATION Definitions Privacy Officer - The person within the Goderich Community Credit Union Limited (GCCU) who is responsible for ensuring compliance with privacy obligations,

More information

International Data Safeguards & Infrastructure Workbook. United States Internal Revenue Service

International Data Safeguards & Infrastructure Workbook. United States Internal Revenue Service International Data Safeguards & Infrastructure Workbook United States Internal Revenue Service March 20, 2014 FOR FATCA IMPLEMENTATION Table of Contents 1.1 Purpose of Document... 4 1.2 Current State of

More information

INSTITUTE FOR SAFE MEDICATION PRACTICES CANADA

INSTITUTE FOR SAFE MEDICATION PRACTICES CANADA INSTITUTE FOR SAFE MEDICATION PRACTICES CANADA PRIVACY IMPACT ASSESSMENT (PIA) ON ANALYZE-ERR AND CURRENT DATA HANDLING OPERATIONS VERSION 3.0-2 JULY 11, 2005 PREPARED IN CONJUNCTION WITH: ISMP Canada

More information

Personal Data Protection LAWS OF MALAYSIA. Act 709 PERSONAL DATA PROTECTION ACT 2010

Personal Data Protection LAWS OF MALAYSIA. Act 709 PERSONAL DATA PROTECTION ACT 2010 1 LAWS OF MALAYSIA Act 709 PERSONAL DATA PROTECTION ACT 2010 2 Laws of Malaysia ACT 709 Date of Royal Assent...... 2 June 2010 Date of publication in the Gazette......... 10 June 2010 Publisher s Copyright

More information

PRIVACY POLICY. comply with the Australian Privacy Principles ("APPs"); ensure that we manage your personal information openly and transparently;

PRIVACY POLICY. comply with the Australian Privacy Principles (APPs); ensure that we manage your personal information openly and transparently; PRIVACY POLICY Our Privacy Commitment Glo Light Pty Ltd A.C.N. 099 730 177 trading as "Lighting Partners Australia of 16 Palmer Parade, Cremorne, Victoria 3121, ( LPA ) is committed to managing your personal

More information

Personal Information Protection Act Information Sheet 11

Personal Information Protection Act Information Sheet 11 Notification of a Security Breach Personal Information Protection Act Information Sheet 11 Introduction Personal information is used by organizations for a variety of purposes: retail and grocery stores

More information

Law Firm Compliance: Key Privacy Considerations for Lawyers and Law Firms in Ontario

Law Firm Compliance: Key Privacy Considerations for Lawyers and Law Firms in Ontario PRIVACY COMPLIANCE ISSUES FOR LAW FIRMS IN ONTARIO By Sara A. Levine 1 Presented at Law Firm Compliance: Key Privacy Considerations for Lawyers and Law Firms in Ontario Ontario Bar Association, May 6,

More information

Align Technology. Data Protection Binding Corporate Rules Controller Policy. 2014 Align Technology, Inc. All rights reserved.

Align Technology. Data Protection Binding Corporate Rules Controller Policy. 2014 Align Technology, Inc. All rights reserved. Align Technology Data Protection Binding Corporate Rules Controller Policy Contents INTRODUCTION 3 PART I: BACKGROUND AND ACTIONS 4 PART II: CONTROLLER OBLIGATIONS 6 PART III: APPENDICES 13 2 P a g e INTRODUCTION

More information

Practice Note. 10 (Revised) October 2010 AUDIT OF FINANCIAL STATEMENTS OF PUBLIC SECTOR BODIES IN THE UNITED KINGDOM

Practice Note. 10 (Revised) October 2010 AUDIT OF FINANCIAL STATEMENTS OF PUBLIC SECTOR BODIES IN THE UNITED KINGDOM October 2010 Practice Note 10 (Revised) AUDIT OF FINANCIAL STATEMENTS OF PUBLIC SECTOR BODIES IN THE UNITED KINGDOM The Auditing Practices Board (APB) is one of the operating bodies of the Financial Reporting

More information

OBJECTS AND REASONS. (a) the regulation of the collection, keeping, processing, use or dissemination of personal data;

OBJECTS AND REASONS. (a) the regulation of the collection, keeping, processing, use or dissemination of personal data; OBJECTS AND REASONS This Bill would provide for (a) the regulation of the collection, keeping, processing, use or dissemination of personal data; (b) the protection of the privacy of individuals in relation

More information

Administrative Procedures Memorandum A1452

Administrative Procedures Memorandum A1452 Page 1 of 11 Date of Issue February 2, 2010 Original Date of Issue Subject References February 2, 2010 PRIVACY BREACH PROTOCOL Policy 2197 Management of Personal Information APM 1450 Management of Personal

More information

Privacy Policy on the Collection, Use, Disclosure and Retention of Personal Health Information and De-Identified Data, 2010

Privacy Policy on the Collection, Use, Disclosure and Retention of Personal Health Information and De-Identified Data, 2010 pic pic Privacy Policy on the Collection, Use, Disclosure and Retention of Personal Health Information and De-Identified Data, 2010 Updated March 2013 Our Vision Better data. Better decisions. Healthier

More information

HERTSMERE BOROUGH COUNCIL

HERTSMERE BOROUGH COUNCIL HERTSMERE BOROUGH COUNCIL DATA PROTECTION POLICY October 2007 1 1. Introduction Hertsmere Borough Council ( the Council ) is fully committed to compliance with the requirements of the Data Protection Act

More information

Memorandum of Understanding ( MOU ) Respecting the Oversight of Certain Clearing and Settlement Systems. among:

Memorandum of Understanding ( MOU ) Respecting the Oversight of Certain Clearing and Settlement Systems. among: March 19, 2014 Memorandum of Understanding ( MOU ) Respecting the Oversight of Certain Clearing and Settlement Systems The Parties hereby agree as follows: among: Bank of Canada (the Bank ) Ontario Securities

More information

Integrated Incident Management process v3 1

Integrated Incident Management process v3 1 Integrated Incident Management Process Integrated Assessment Record (IAR) Version 3 August, 2010 Integrated Incident Management process v3 1 Table of Contents Introduction... 3 Processes... 5 Scenario

More information

The Licensed Practical Nurses Act, 2000

The Licensed Practical Nurses Act, 2000 1 LICENSED PRACTICAL NURSES, 2000 c. L-14.2 The Licensed Practical Nurses Act, 2000 being Chapter L-14.2 of the Statutes of Saskatchewan, 2000 (effective November 24, 2000) as amended by Statutes of Saskatchewan,

More information

Province of Alberta DRUG PROGRAM ACT. Statutes of Alberta, 2009 Chapter D-17.5. Assented to June 4, 2009. Published by Alberta Queen s Printer

Province of Alberta DRUG PROGRAM ACT. Statutes of Alberta, 2009 Chapter D-17.5. Assented to June 4, 2009. Published by Alberta Queen s Printer Province of Alberta Statutes of Alberta, Assented to June 4, Published by Alberta Queen s Printer Alberta Queen s Printer 5 th Floor, Park Plaza 10611-98 Avenue Edmonton, AB T5K 2P7 Phone: 780-427-4952

More information

In the event of any inconsistency between this standard and any legislation that governs the practice of physiotherapists, the legislation governs.

In the event of any inconsistency between this standard and any legislation that governs the practice of physiotherapists, the legislation governs. Record Keeping College publications contain practice parameters and standards which should be considered be all Ontario physiotherapists in the care of their patients and in the practice of the profession.

More information

Passenger Protect Program Transport Canada

Passenger Protect Program Transport Canada AUDIT REPORT OF THE PRIVACY COMMISSIONER OF CANADA Passenger Protect Program Transport Canada Section 37 of the Privacy Act 2009 AUDIT OF PASSENGER PROTECT PROGRAM, TRANSPORT CANADA The audit work reported

More information

Protecting Personal Information. A Workbook for Non-Profit Organizations Discussion Draft, March 2010

Protecting Personal Information. A Workbook for Non-Profit Organizations Discussion Draft, March 2010 Protecting Personal Information A Workbook for Non-Profit Organizations Discussion Draft, March 2010 The Office of the Information and Privacy Commissioner of Alberta and Access and Privacy, Service Alberta,

More information

Taking care of what s important to you

Taking care of what s important to you A v i v a C a n a d a I n c. P r i v a c y P o l i c y Taking care of what s important to you Table of Contents Introduction Privacy in Canada Definition of Personal Information Privacy Policy: the ten

More information

Code of Conduct For Subscribers

Code of Conduct For Subscribers Code of Conduct For Subscribers WHEREAS: A. The Bureau is in the business, amongst others, of producing credit reports B. Subject always to Credit Reporting Agencies Act 2010 and any other applicable legislation,

More information

B I L L. No. 183 An Act to amend The Saskatchewan Employment Act and The Saskatchewan Employment Amendment Act, 2014
