Ontario Legislature: Bill 119 to Update PHIPA, QCIPA
Last month, Health Minister Eric Hoskins introduced Bill 119, the Health Information Protection Act, 2015, in the Ontario Legislative Assembly. The bill is aimed at amending the Personal Health Information Protection Act (PHIPA) and replacing the Quality of Care Information Protection Act (QCIPA), two pieces of legislation from 2004 that govern health care providers’ collection and use of medical information about patients. According to the Minister, the new legislation will introduce a new framework for managing health records, as well as “greater accountability and transparency in the health system about privacy breaches and critical incidents.” Though the bill has not yet been made into law, health professionals, medical labs, hospitals, and their lawyers are bracing for significant changes to the way they handle matters relating to patient privacy. The following information is drawn from a non-final version of the bill and is subject to further amendments before the Health Information Protection Act becomes law.
The new bill will aim to create greater openness and transparency by mandating that custodians of health information – that is, hospitals, health centres, physicians, and other health professionals – report privacy breaches to the patient as well as to the Information and Privacy Commissioner. Privacy breaches include theft, loss, or any unauthorized use or disclosure of health information.
Prosecution and penalties for PHIPA offenses are also being strengthened, with maximum fines being increased by 100 percent. In addition, a previously existing six-month time limitation on prosecuting PHIPA offenses will be removed under the bill. When an employee is terminated or censured for a privacy violation, health information custodians will also be obligated to report the incident to any professional college that the employee may be a member of.
In addition to these tighter privacy rules, provisions under the new QCIPA, the section of the bill replacing the 2004 QCIPA, aim to improve the quality of healthcare through better information sharing. Facts regarding medical errors that result in serious harm or injury must be disclosed to patients, or to their families in cases where accidents have resulted in death.
At the same time, a new electronic privacy framework will be implemented to allow healthcare providers instant access to patient records while ideally keeping the data safe from unauthorized access. The bill also cautions that organizations should limit the amount of information shared and received to what is “reasonably necessary for developing and maintaining the electronic health record.” Records must also be kept of all instances where personal health information is accessed, including a list identifying the individuals who accessed the information and the time and date of access. The electronic health record will also be mandated to provide both health information custodians and the general public with “a plain language description of the electronic health record” complete with information on what safeguards are in place to inhibit unauthorized use or theft of information; prevent unauthorized copying or disposal; and protect the confidentiality of the personal health information contained within the record.
To ensure that the new QCIPA stays up to date with developments in privacy standards and technology, the Minister of Health and Long-Term Care has been given the responsibility of reviewing the QCIPA once every five years.
What does all this mean for patients? It provides them with greater access to information about their own health care; prevents health information custodians from withholding information about medical mistakes and other critical incidents; and adds provisions that aim to update the system every five years, hopefully maintaining the spirit of the bill through technological advances. The Ontario Ministry of Health and Long-Term Care itself released a statement announcing that the new legislation would form part of a wider initiative to “put patients first” and ensure greater privacy and accountability in cases of breaches. If the bill in its current state becomes law, patients seeking information about critical incidents will gain the legal right to be given the information relevant to their case. In that case, healthcare providers may be forced to prepare for some embarrassing disclosures.
For the latest version of the bill, see: http://www.ontla.on.ca/web/bills/bills_detail.do?locale=en&BillID=3438&detailPage=bills_detail_the_bill