Medical privacy now law

DAVID CANTON - For the London Free Press - November 20, 2004 Read this on Canoe

Ontario's new law on the privacy of health information will affect every person in the province.

The Personal Health Information Protection Act (PHIPA), which became law Nov. 1, applies to individuals and organizations involved in the delivery of health-care services.

Some organizations that may not consider themselves in the health-care sector will be subject to PHIPA -- it reaches beyond the traditional hospital/doctor setting.

PHIPA goes into far more detail than the federal PIPEDA privacy legislation. It provides individuals with more control over how their personal health information is collected, used and disclosed by health information custodians -- defined in general as anyone who has custody or control of personal health information as a result of or in connection with performing prescribed powers, duties or work.

Many of the definitions in PHIPA are very broad, applying to certain individuals and activities that may take some by surprise.

"Health care" is defined as any observation, examination, assessment, care, service or procedure done for a health-related purpose. The definition of "health-care practitioner" is equally far-reaching and includes anyone whose primary function is to provide health care for payment.

For example, personal training activities at a fitness club could meet the definition of "health care." Thus a personal trainer advising a person on health strategies for his or her physical condition may be a "health-care practitioner" or "health information custodian" and subject to PHIPA's privacy protections.

Another way PHIPA may take some organizations by surprise is that if personal health information has been collected by a health information custodian, PHIPA applies to that information wherever that information goes. An employer who requests a doctor's note from a sick employee must abide by the act concerning that information. Insurance companies who are allowed in a contract to look into a policy subscriber's medical status must also abide by PHIPA.

If that same information is collected by the employer or insurer directly from the individual, it may not be subject to any privacy laws at all, not even PIPEDA.

PHIPA contains a concept referred to as a circle of care for which no explicit consent is required to exchange health information. For example, a doctor needn't get specific consent to transfer a patient's records to the patient's specialist or to a hospital where the patient is being treated. Patients who don't want certain details of their records transferred in that manner must specifically request it.

PHIPA is overseen by the Ontario Information and Privacy Commissioner. People may file complaints with the commissioner against anyone covered under the act who is believed to have improperly collected or used their private health information. If the complaint can't be settled informally, through mediation for example, the commissioner may conduct a review of it.

Anyone affected by conduct giving rise to a conviction for an offence can sue for damages for actual harm, and PHIPA has substantially higher penalties than PIPEDA. Individuals may be fined up to $50,000 and organizations may be fined up to $250,000 if found guilty of an offence -- usually for wilfully breaching PHIPA.