Table Of ContentSharing Accountability
for Personal Health Information
A Privacy Toolkit to Support PHI Sharing
Sharing Accountability for Personal Health Information:
A Privacy Toolkit to support PHI Sharing
Acknowledgements
Consultants
This Toolkit was written and produced for the Erie St. Clair Local Health Integration Network
by the following team from MD+A Health Solutions:
Edward McDonnell, Project Lead
Pat Jeselon, Senior Privacy Consultant
Blair Witzel, Privacy Consultant
Anita Fineberg, Privacy Consultant – Legal
Jeff Ibsen, Privacy Consultant – Technical
Trevor Grace, Project Coordinator
Steering Committee/Privacy Toolkit Working Group
We wish to acknowledge and thank the members of the Steering Committee and Privacy
Toolkit Working Group who contributed to the development of this toolkit:
Steering Committee
Rodney Burns, Chief Information Officer and eHealth Lead, North Simcoe Muskoka LHIN
Gary Hurd, Senior Project Manager, PMO & eHealth, North Simcoe Muskoka LHIN
Dale Maw, Senior Manager eHealth Team, Waterloo Wellington LHIN
Paul Audet, Executive Lead, Consolidated Health Information Services, Erie St. Clair LHIN
Jody Wellings, eHealth Co-ordinator, Central West LHIN
Karen Waite, Chief Privacy & Security Officer, eHealth Ontario
Patrick Lo, Director of Privacy, eHealth Ontario
Neil Smith, Senior Project Manager, eHealth Ontario
Privacy Toolkit Working Group
Judy Farell, Integrated Director Health Information and Privacy, London Health Sciences
Centre
Hilary Halliday, Regional Manager, Business Intelligence and Controller, South West
Community Care Access Centre
Lesley Hoffman, Senior Director Client Services, Canadian Mental Health Association,
Chatham-Ken Branch
Eric Hong, Director of Corporate Development, Yee Hong Centre for Geriatric Care
Karen Waymouth, Director of Health Records, Chatham-Kent Health Alliance
ii © Erie St. Clair Local Health Integration Network
Sharing Accountability for Personal Health Information:
A Privacy Toolkit to support PHI Sharing
Management
Toolkit development was managed by Paul Audet and Zoja Holman from Consolidated Health
Information Systems on behalf of Erie St. Clair LHIN.
eHealth Ontario
We also wish to extend our appreciation to the input of eHealth Ontario for their time and
efforts in reviewing the Toolkit:
Cindy Myers, Adoption Manager, Implementation & Adoption, eHealth Ontario
Neil Smith, Senior Project Manager, eHealth Ontario
Funding
The Ontario LHIN Privacy Project has been funded by eHealth Ontario for Ontario’s Local
Health Integration Networks.
© 2011 Erie St. Clair Local Health Integration Network
iii © Erie St. Clair Local Health Integration Network
Sharing Accountability for Personal Health Information:
A Privacy Toolkit to support PHI Sharing
Disclaimer
• The resource materials provided in this Toolkit are for general information
purposes only. They should be adapted to the circumstances of each Health
Information Custodian using the Toolkit.
• The Toolkit is not intended, and should not be construed, as legal advice or
professional advice and opinion.
• The description of the Personal Health Information Protection Act, 2004, in this
Toolkit is based on the current information at the time of writing.
• The Toolkit should not be relied upon as a substitute for the Personal Health
Information Protection Act, 2004, or its regulations. Provisions of the legislation
were simplified for the purpose of identifying issues for consideration.
• The Toolkit refers to information available from other organizations and their
websites.
• HICs/organizations concerned about the applicability of privacy legislation to
their activities or the interpretation of the legislation are advised to seek legal or
professional advice based on their particular circumstances.
iv © Erie St. Clair Local Health Integration Network
Sharing Accountability for Personal Health Information:
A Privacy Toolkit to support PHI Sharing
Table of Contents
Section 1: Preface..................................................................................................................... 1
1 Introduction ...................................................................................................................... 2
Section 2: Introduction to Personal Health Information Privacy in Ontario ........................ 8
2 Introduction to Personal Health Information Privacy in Ontario ................................... 9
3 Understanding Your Role ................................................................................................ 21
Section 3: Health Information Management ....................................................................... 30
4 A Primer on Health Information ..................................................................................... 31
5 How You Share Information Now .................................................................................. 39
6 New Models for Sharing Client Information .................................................................. 40
Section 4: New Initiatives ..................................................................................................... 44
7 Integrating Privacy into Your Initiative ......................................................................... 45
Section 5: First Steps ............................................................................................................ 59
8 Governance and Accountability ..................................................................................... 60
9 Establishing Consent ...................................................................................................... 73
Section 6: Ongoing Privacy ................................................................................................... 85
10 Collecting, Using, and Disclosing PHI ........................................................................ 86
11 Managing Privacy Incidents and Complaints ................................................................ 95
12 Monitoring Compliance ............................................................................................ 104
13 Safeguarding PHI ....................................................................................................... 112
Section 7: Appendices .......................................................................................................... 125
Toolkit Tools and Templates ................................................................................................. 126
Glossary of Terms and Acronyms ......................................................................................... 129
v © Erie St. Clair Local Health Integration Network
Sharing Accountability for Personal Health Information:
A Privacy Toolkit to support PHI Sharing
Section 1: Preface
In this section you will learn about:
• Intended audience for the Toolkit
• Goals of the Toolkit
• General terms used in the context of this Toolkit
• How to use the Toolkit
1 © Erie St. Clair Local Health Integration Network
Sharing Accountability for Personal Health Information:
A Privacy Toolkit to support PHI Sharing
1 Introduction
This Privacy Toolkit was prepared by the Ontario LHINs Privacy Project (OLPP) as a
general guide to support Local Health Integration Networks (LHIN)-based health service
providers in meeting their obligation to protect health information privacy, while effectively
participating in eHealth projects or initiatives involving the exchange of personal health
information (PHI).
With the introduction of the Personal Health Information Protection Act in 2004, health
service providers were required to develop or update existing privacy initiatives to meet new
standards for the handling and exchange of PHI. New concepts such as a health information
custodian (HIC) and a health information network provider (HINP) were introduced.
Through the support of other toolkits, for example the Ontario Hospital Association’s
Hospital Privacy Toolkit and Community Care Information Management (CCIM) Privacy
Toolkit, health care providers developed internal privacy programs to govern information
handling and protect the privacy of clients and other individuals.
Since 2004, there has been a dramatic increase in the use of shared health information
systems and eHealth solutions that involve multiple organizations. The concept of a client
record that resides solely within a single organization or health care practice is evolving.
There is increasingly shared accountability for PHI used in the course of treatment and care.
Research by OLPP indicates that there is often significant confusion among health care
providers about privacy roles and responsibilities in this new environment.
At the same time, the effective implementation and adoption of eHealth solutions are critical
to supporting Ontario’s health system agenda and ensuring LHINs meet their strategic
objectives as part of Integrated Health Service Plans.
Therefore, it is important that health service providers understand how to use new eHealth
solutions to share or exchange PHI, and participate effectively in related initiatives while
meeting privacy protection obligations in an inter-organizational environment.
This Toolkit and its resources can help you and your organization build upon your existing
privacy program and feel more confident in participating in provincial, regional, and local
eHealth initiatives.
2 © Erie St. Clair Local Health Integration Network
Sharing Accountability for Personal Health Information:
A Privacy Toolkit to support PHI Sharing
1.1 Background to the Ontario LHINs Privacy Project
A joint eHealth Ontario-LHIN needs assessment process in fall 2009 identified a number of
privacy management issues and needs common to numerous LHINs.
• Variation in privacy approaches slowing implementation of eHealth initiatives
• Lack of clarity on privacy roles: HIC, Agent, HINP, and other important roles
• Knowledge and capacity gaps creating “privacy fatigue” among HSPs
• Need for a common privacy vocabulary, practices, tools, and templates
• Lack of understanding of implications of cross-sectorial legislation (e.g., FIPPA)
• Challenges in dealing with other sectors such as support housing, education, and
justice
Such gaps and needs were reinforced by research undertaken by OLPP prior to the
development of this Toolkit. The research included an online survey of health service
providers in all 14 LHINs, as well as direct consultation with major Ontario health service
1
associations and eHealth delivery organizations. Among the key findings:
• Privacy has often been perceived as a barrier to PHI sharing among health
service provider organizations
• Confusion exists about privacy roles and responsibilities in relation to eHealth
• Certain tools would be helpful, but having a “recommended” set of tools of
resources would be especially beneficial
• Resources need to be “user-friendly” and meet the needs of a diverse audience
with widely varying privacy and eHealth knowledge
• Certain sectors such as Mental Health and Addiction have different privacy
concerns and sensitivities
• Resources need to serve a variety of PHI sharing patterns
To respond to these issues and needs, the Ontario LHINs Privacy Project was established
and included the objective of creating a common set of privacy tools and resources that
would be useful and available to health service providers in all major LHIN sectors:
• Hospitals
• Long-Term Care
1
Response rate and other relevant background to be added as footnote
3 © Erie St. Clair Local Health Integration Network
Sharing Accountability for Personal Health Information:
A Privacy Toolkit to support PHI Sharing
• Community Care Access Centres
• Community Support Services
• Mental Health and Addiction
• Community Health Centres
These findings and other important insights gained through the survey and direct discussion
with provincial and regional health service representatives and eHealth delivery
organizations were critical to the design and development of this Toolkit.
1.2 Focus on PHIPA
This Toolkit is focused on helping health service providers meet their obligations under
Ontario’s Personal Health Information Protection Act (PHIPA).
PHIPA and the associated regulation define the fundamental requirements that all health
service providers must meet. These legislative requirements are further interpreted through
Orders of the Information and Privacy Commissioner of Ontario (IPC), which has a mandate
that includes responsibility for privacy protection and other obligations under PHIPA.
Privacy requirements in specific situations are also informed by best practices and standards
such as those proposed by IPC, the CSA Model Code for the Protection of Personal
Information, COACH’s Guidelines for the Protection of Health Information, and Canada
Health Infoway’s EHR Privacy and Security Requirements.
It is recognized that the LHIN health and community support service providers are
potentially subject to a variety of privacy and other legislation which include the following:
• New Regulation under the Health Insurance Act, 1990: The Ministry of
Health and Long-Term Care (MOHLTC) is proposing a new regulation under the
Health Insurance Act, 1990 (HIA). The proposed regulation would give the
MOHLTC the authority to disclose PI about physicians to eHealth Ontario for
the purposes of providing electronic health services.
• Regulated Health Professions Statute Law Amendment Act, 2009:
The Ontario government introduced legislation that, if passed, would improve
access to health care for Ontarians by enabling a number of health care
professions to provide more services and improve client safety.
• Health Protection and Promotion Act, Section 22.1: Section 22.1 of the
Health Protection and Promotion Act (formerly “Bill 105”) requires the taking of
blood samples to protect victims of crime, emergency service workers, Good
Samaritans, and other persons.
PHIPA is of primary concern to most health service providers and health information
custodians. It may be viewed as a “gold standard” in privacy legislation. If a health
4 © Erie St. Clair Local Health Integration Network
Sharing Accountability for Personal Health Information:
A Privacy Toolkit to support PHI Sharing
organization or service provider meets its requirements—for example, in relation to
consent—they generally will meet the requirements of other privacy legislation.
Therefore, this Toolkit and related reference material is centered on obligations under
PHIPA while referencing how such obligations are affected when dealing with organizations
that are not HICs and/or potentially subject to other privacy legislation.
1.3 Goals of the Toolkit
This Privacy Toolkit was developed to assist HICs and their agents effectively participate in
programs that share PHI through electronic means with other HICs and non-HICs. It helps
them to practice better privacy management through collaboration among the parties and
securely safeguard PHI in their trust. The toolkit is also intended to reduce costs of the
development and implementation of privacy solutions by using common tools and templates
across all initiatives.
The Toolkit is not intended to replace your current programs, but to act as a resource to
enhance your current programs as you begin to use health information technology or
eHealth solutions to collect and share PHI.
After reading information in the Toolkit, each organization should conduct a review of how
PI and PHI are collected, used, and disclosed within its organization. They should also
consider whether policies and practices need to be modified to conform to current privacy
principles and best practices.
This Toolkit provides guidance on how to begin meeting your privacy requirements for
sharing information.
1.4 Who Should Use this Toolkit
Anyone responsible for overseeing information privacy and security within a health service
provider or supporting organization should use this Toolkit. Anyone who is accountable for
keeping information confidential and who manages privacy and security risks across
multiple organizations would also benefit from this toolkit.
1.4.1 What the Toolkit Should do for You
Through use of the Toolkit and related tools, templates, and other resources you should be
able to achieve the following:
• Reach agreement on data sharing and privacy obligations
• Understand your obligations under PHIPA as a HIC, Agent, or other role
• Maintain the privacy and security of health information
5 © Erie St. Clair Local Health Integration Network
