Who is the "health information custodian" when an institution with an educational mandate provides health care? PHIPA gives institutions choice. Here's a presentation i gave yesterday in which I argue that the institution (and not its practitioners) should assume the role of the HIC.
1. PHIPA Issues for School Boards
IMPAC Special Meeting
Application of PHIPA to School Boards
and PHIPA Breach Notification
27 September 2017
Dan Michaluk
2. PHIPA Issues for School Boards
Application of PHIPA to School
Boards
3. PHIPA Issues for School Boards
My six part argument
• Ultimate accountability lies with the HIC
• All agents are accountable to the custodian
• There is only a single HIC
• School boards can be HICs
• School boards should be HICs
• Board custodianship is privacy neutral
3
4. PHIPA Issues for School Boards
Ultimate accountability lies with the HIC
• There are a variety of “actors” under PHIPA
• Health Information Custodian or “HIC”
• Agents
• Recipients
• Suppliers
• Contact Persons
4
5. PHIPA Issues for School Boards
Ultimate accountability lies with the HIC
• Subsection 17(3) the key to PHIPA governance
5
6. PHIPA Issues for School Boards
Ultimate accountability lies with the HIC
• Designate “contact person”
• Make a “written public
statement”
• Safeguard PHI
• Take reasonable steps to
ensure accuracy of PHI
• Providing access to PHI
• Correcting PHI
• Providing notification of a
privacy breach
• Maintaining a complaint
process
6
7. PHIPA Issues for School Boards
All agents are accountable to the custodian
• This is established by subsection 17(2)
7
8. PHIPA Issues for School Boards
There is only a single HIC
• This is established by subsection 3(3).1
8
9. PHIPA Issues for School Boards
There is only a single HIC
The PHIPA governance regime is characterized by
exclusivity and hierarchy. Why?
Clarity & Control
9
10. PHIPA Issues for School Boards
School boards can be HICs
• PHIPA does not set requirements to be a HIC
• The Education Act deems school boards to be corporations
– i.e. “persons” under the law
• A person who operates a group practice of health care
practitioners is a HIC
• A person who operates a centre, program or service for
community health whose primary purpose is the provision of
health care is a HIC
10
11. PHIPA Issues for School Boards
School boards can be HICs
• School boards therefore have a choice
• They can take control and “operate” the services that
are subject to PHIPA and be the HIC
• Or they can hire a person to (independently) operate the
services that are subject to PHIPA and not be the HIC
• Both are options, but you must be clear on the chosen
model
11
12. PHIPA Issues for School Boards
School boards can be HICs
• The IPC’s “Health Information Custodians Working for
Non-Health Information Custodians” is misleading
• It refers to a nurse working for a school board as a HIC
but does not make clear that you have choice
• It does not override the statute, which gives boards (and
others) the choice in selecting the governance model
12
13. PHIPA Issues for School Boards
School boards should be HICs
1. Boards have the primary relationship with students
and their parents
2. Boards have the relationship with the IPC based on its
status as an MFIPPA institution
3. Boards have a better ability to facilitate compliance
because they have direct control of resources
13
14. PHIPA Issues for School Boards
School boards should be HICs
4. Installing clinical managers as HICs would give them
with accountability without power
5. Boards who act as custodian have an ongoing identity
14
15. PHIPA Issues for School Boards
School boards should be HICs
• Must a school board be the HIC given it “shall”…?
15
16. PHIPA Issues for School Boards
Board custodianship is privacy neutral
• … and doesn’t create a conflict with member duties
• Information flows are identical
• Within “circle of care” for health care purpose
• Outside of “circle of care” with express consent or as
permitted by PHIPA
• Members should rest easy that a board is (more, not less)
accountable to IPC when it is the HIC
16
17. PHIPA Issues for School Boards
Breach notification to the IPC under
PHIPA
18. PHIPA Issues for School Boards
Intentional misuse
Requirement
• Reasonable grounds to
believe
• Use or disclosure without
authority
• Person knew or ought to
have known
Example
• A social worker snoops
on a neighbour’s child
18
19. PHIPA Issues for School Boards
Theft of information
Requirement
• Reasonable grounds to
believe
• Stolen
Example
• A hacker “exfiltrates” data
• A former employee
refuses to return work
files containing PHI
19
20. PHIPA Issues for School Boards
Containment problems
Requirement
• Reasonable grounds to believe
• After initial loss or
unauthorized use or disclosure
• Was or will be further used or
disclosed without authority
Example
• Accidental fax, problems
containing
20
21. PHIPA Issues for School Boards
Systemic problems
Requirement
• Part of a pattern of similar
losses or unauthorized uses or
disclosures
• IPC says look at time between
incidents and similarities
Example (from IPC)
• “For example, you discover that a letter to a
patient inadvertently included information
relating to a different patient. Over a few
months, the same mistake is repeated
several times because an automated
process for generating letters has been
malfunctioning for some time. This should be
reported to the Commissioner.”
21
22. PHIPA Issues for School Boards
Discipline, discharge or pre-emptive resignation
Requirement
• You terminate, suspend or
discipline as a result of the
breach
• The agent resigns to avoid
discipline…
• Whether or not the employee is
a member of a college
22
23. PHIPA Issues for School Boards
Significant breaches
Requirement
• You deicide it is “significant”
after considering factors
• Sensitivity of PHI
• Volume of PHI
• Number of affected individuals
• Whether more than one custodian
or agent is responsible
Example (from IPC)
• “For example, you are a health care
practitioner who accidentally discloses a
patient’s mental health assessment to other
practitioners on a group email distribution
list, rather than to just the patient’s
physician.”
• “Or, you post detailed information on a
website about a group of patients receiving
specialized treatment for a novel health
issue.”
23
24. PHIPA Issues for School Boards
Dan Michaluk
416-864-7253
daniel-michaluk@hicksmorley.com
www.allaboutinformation.ca
25. PHIPA Issues for School Boards
IMPAC Special Meeting
Application of PHIPA to School Boards
and PHIPA Breach Notification
27 September 2017
Dan Michaluk