By Megan Brister and Michelle Gordon
The Ontario government recently introduced new legislation—Bill 78, the Electronic Personal Health Information Protection Act, 2013 (EPHIPA)—that would, if passed, modernize Ontario’s health privacy legislation, the Personal Health Information Protection Act, 2004 (PHIPA), to enable the transition to electronic health records (EHRs) while protecting the personal health information of patients.
In spring 2013, EPHIPA passed first reading in the Ontario legislature, which has adjourned for the summer but will take the bill up again this fall. Once enacted, the legislation would impose privacy and security requirements on organizations involved in the sharing of EHRs, defined under EPHIPA as “prescribed organizations.” These organizations may include eHealth Ontario and the regional clusters (Northern and Eastern Ontario, Greater Toronto Area and South Western Ontario), which are made up of local health integration networks and funded by eHealth Ontario to integrate healthcare systems, give healthcare providers timely and secure access to personal health information, and implement EHRs so that personal health information can be shared between hospitals and other healthcare providers. EPHIPA also includes detailed consent management requirements, which EHR vendors should be prepared to address in the design of their software.
Proposed Privacy and Security Requirements
PHIPA currently imposes specific privacy and security requirements on organizations that provide EHR services, such as health information network providers, service providers and eHealth Ontario. For example, health information network providers are required to notify all health information custodians using their services of breaches; provide custodians and the public with a description of their services and safeguards; perform privacy impact assessments and threat and risk assessments; maintain audit logs of all accesses and transfers of personal health information; manage third-party and employee compliance with privacy and security requirements; and enter into agreements with health information custodians that set out these requirements.
EPHIPA provides significantly more granular requirements for “prescribed organizations,” which are responsible for “creating or maintaining the electronic health record.” EPHIPA would amend PHIPA to require prescribed organizations to comply with the following privacy and security obligations:
Notify the custodian if personal health information is stolen, lost or improperly accessed.
Maintain an electronic record of all instances where a consent directive is made, withdrawn or modified and comply with regulations when managing consent directives.
Limiting Use and Disclosure
Take reasonable steps to limit the personal health information received; limit how its employees and/or contractors view, handle or otherwise deal with personal health information, and ensure third parties comply with necessary restrictions and conditions.
Maintain a detailed electronic record of every instance in which personal health information in the EHR is viewed, handled or otherwise dealt with, and audit and monitor those records. Conduct both a privacy impact assessment and a threat and risk assessment for each system that retrieves, processes or integrates personal health information in the EHR, make the assessments available to health information custodians, and make a summary of them available to the public.
Make available to the public and to health information custodians a plain-language description of the electronic health record and any directives, guidelines and policies that apply to the personal health information in the EHR.
Put in place practices and procedures for responding to individual requests regarding personal health information in the EHR or maintained by a prescribed organization.
The most significant requirements for prescribed organizations are those regarding the role of the Ontario Information and Privacy Commissioner (OIPC). Specifically, prescribed organizations will need to put in place practices and procedures that protect individual privacy in the context of the EHR and have them reviewed and approved by the OIPC every three years. This mirrors the role the OIPC already plays for prescribed entities and registries, whose practices and procedures are likewise reviewed and approved every three years. Further, prescribed organizations will be required to notify the OIPC of potential breaches within the EHR. Currently, among the organizations that provide EHR services, health information network providers are the only ones required to give breach notification, and that notification goes to the health information custodians they serve rather than to the OIPC. Finally, prescribed organizations will be required to submit an annual report to the OIPC covering every instance in which personal health information was disclosed during the year.
Consent Management Requirements
Under PHIPA, individuals may currently block some of their personal health information from being accessed by certain healthcare providers by requesting that a “lock-box” be placed on their health records. EPHIPA formalizes this process within EHRs by introducing “consent directive” provisions. These provisions enable an individual to give a prescribed organization a directive that withholds or withdraws the individual’s consent to the collection, use and disclosure of his or her personal health information contained in the EHR for the purpose of providing or assisting in the provision of healthcare to the individual. The prescribed organization would be responsible for implementing the directive and would be required to assist the patient in clarifying or modifying the directive so that it is unambiguous.
The prescribed organization would be exempt from following the directive, and therefore permitted to disclose the personal health information it covers, only if there was a significant risk of serious bodily harm to the patient or someone else and consent could not be obtained in a timely manner. In that situation, the prescribed organization would notify the health information custodian, who would in turn be responsible for notifying the patient. Personal health information that is subject to a directive may also be used, where necessary, to alert health information custodians to potentially harmful medication interactions, as long as the withheld information itself is not revealed.
This means that prescribed organizations will need to have in place consent management procedures to accommodate consent directives from patients. Moreover, the technology supporting EHRs must enable prescribed organizations to technically implement these provisions.
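As an added illustration (not code from the article, from Deloitte, or from any EHR product), the following Python sketch models one way a prescribed organization's access layer could enforce the consent directive provisions described above: directives are applied at the point of access; every access and every directive change is appended to an audit record; an emergency override is honoured only when both statutory conditions (significant risk of serious bodily harm, and consent not obtainable in time) are asserted, and it then triggers a notification to the custodian; and a medication-interaction check returns only a yes/no flag so the withheld information is never revealed. The data model, class and function names, sample records and the interaction table are constructed assumptions. A real system would also authenticate the custodian's identity, persist the audit log in tamper-evident storage and record the clinician's override justification.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample interaction table for the demo; not a real formulary.
INTERACTIONS = {frozenset({"warfarin", "aspirin"}),
                frozenset({"sildenafil", "nitroglycerin"})}


@dataclass(frozen=True)
class Record:
    record_id: str
    patient_id: str
    category: str   # e.g. "medication", "mental_health"
    content: str    # the personal health information itself


@dataclass(frozen=True)
class Directive:
    """A patient's instruction withholding consent for some of their PHI."""
    patient_id: str
    categories: frozenset   # record categories covered; empty means all
    custodians: frozenset   # custodians blocked; empty means all


@dataclass(frozen=True)
class Override:
    """The two conditions the exemption in the text requires, asserted by the requester."""
    serious_bodily_harm: bool
    consent_obtainable_in_time: bool


class ConsentGateway:
    """Hypothetical enforcement point sitting between custodians and the EHR store."""

    def __init__(self):
        self.records = {}            # record_id -> Record
        self.directives = {}         # patient_id -> list[Directive]
        self.audit = []              # append-only list of audit events
        self.custodian_notices = []  # notifications owed to custodians after an override

    def _log(self, event, **fields):
        ts = datetime.now(timezone.utc).isoformat()
        self.audit.append({"ts": ts, "event": event, **fields})

    def add_record(self, rec):
        self.records[rec.record_id] = rec

    def make_directive(self, d):
        self.directives.setdefault(d.patient_id, []).append(d)
        self._log("directive_made", patient=d.patient_id,
                  categories=sorted(d.categories), custodians=sorted(d.custodians))

    def withdraw_directive(self, d):
        self.directives[d.patient_id].remove(d)
        self._log("directive_withdrawn", patient=d.patient_id)

    def _blocked(self, rec, custodian):
        """True if any active directive for this patient covers this record and requester."""
        for d in self.directives.get(rec.patient_id, []):
            category_match = not d.categories or rec.category in d.categories
            custodian_match = not d.custodians or custodian in d.custodians
            if category_match and custodian_match:
                return True
        return False

    def access(self, custodian, record_id, override=None):
        """Every request is logged; content is returned only when permitted."""
        rec = self.records[record_id]
        if not self._blocked(rec, custodian):
            self._log("access", custodian=custodian, record=record_id, outcome="granted")
            return {"granted": True, "content": rec.content}
        # Exemption: both conditions must hold, and the custodian is notified
        # so that the custodian can in turn notify the patient.
        if override and override.serious_bodily_harm and not override.consent_obtainable_in_time:
            self._log("access", custodian=custodian, record=record_id, outcome="override")
            self.custodian_notices.append(
                {"custodian": custodian, "patient": rec.patient_id, "record": record_id})
            return {"granted": True, "content": rec.content, "override": True}
        self._log("access", custodian=custodian, record=record_id, outcome="denied")
        return {"granted": False, "content": None, "reason": "consent directive"}

    def interaction_alert(self, custodian, patient_id, proposed_drug):
        """Check withheld medications against a proposed drug, returning only a flag."""
        meds = [r.content for r in self.records.values()
                if r.patient_id == patient_id and r.category == "medication"]
        hit = any(frozenset({m, proposed_drug}) in INTERACTIONS for m in meds)
        self._log("interaction_check", custodian=custodian, patient=patient_id, alert=hit)
        return hit  # the interacting medication itself is never returned


if __name__ == "__main__":
    gw = ConsentGateway()
    gw.add_record(Record("r1", "p1", "medication", "warfarin"))   # constructed sample
    gw.make_directive(Directive("p1", frozenset({"medication"}), frozenset()))
    print(gw.access("dr_a", "r1"))                        # denied
    print(gw.interaction_alert("dr_a", "p1", "aspirin"))   # True, content not shown
    print(gw.access("dr_a", "r1", Override(True, False)))  # override, custodian notified
```

The audit list is only appended to, never consulted for the access decision itself, which keeps the log a faithful record of what was asked and what was returned; the interaction check deliberately reads blocked records but exposes only the boolean, matching the carve-out in the text.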
Next Steps for Organizations Providing EHRs
Prescribed organizations and EHR vendors will want to monitor developments in the legislation as it proceeds through the Ontario legislative process. Before EPHIPA can become law, the bill must pass second and third reading, with debate in the House and committee review and report, and then receive Royal Assent.
EPHIPA formalizes several of the leading practices that organizations providing EHRs are already following. Nonetheless, organizations will want to take the proposed privacy and security requirements into account as they develop local, regional and provincial policies and practices to govern EHRs, to avoid costly rework once the legislation is passed and their policies are reviewed and approved by the OIPC.
Megan Brister, CISSP, PMP, is a senior manager at Deloitte who has over 13 years of experience advising executive and project teams on privacy and information security strategies to support major business transformations and IT implementations. Megan has worked as a privacy officer in healthcare and has advised clients in the health, government, gaming and consumer business sectors.
Michelle Gordon, LLB, LLM, is a privacy lawyer in the Enterprise Risk practice at Deloitte who has a specialized understanding of Canadian privacy legislation and advises clients on privacy and legal compliance, policies, consent management and information governance.