Personal Health Information
By Anita Jean
Personal information is any information, recorded or not, that can identify you. It does not include information that you make available to the public. For example, your personal information would not include anything that appears on a business card or a telephone book listing.
Under the Personal Health Information Protection Act (PHIPA), personal health information is any information about you that can identify you, your physical or mental health, the health care you receive, what services you are eligible for, and your health card number.
An organization like a hospital, clinic or pharmacy is called a health information custodian under PHIPA because it holds some of your personal health information as it provides you with health care services. Community services are not considered custodians of health information, although they may have some of your personal information. The law requires custodians to have a Privacy Officer. The Privacy Officer makes sure all the privacy laws are followed, policies are known and made public, and the organization’s staff is trained in privacy practices. The name of the Privacy Officer should be available to you so that your questions and concerns can be answered. Usually this information is posted within the agency or on its website.
The Information and Privacy Commissioner of Ontario provides the directives on how to treat personal health information. Two major changes have occurred regarding personal health information this year. On March 15th, 2017, a document called the “Code of Procedure for Matters under the Personal Health Information Protection Act, 2004” was released. This document is a comprehensive single code for all privacy matters for Ontario. As of October 1st, 2017, the Commissioner must be notified of the theft, loss or unauthorized use or disclosure of personal health information when:
- The information is used or disclosed without authority
- The information is used after the disclosure
- There is a pattern of similar losses or unauthorized uses or disclosures
The sensitivity of the information, the volume of the information, the number of patients involved and the number of health organizations involved also come into play when having to report to the Commissioner.
Two additional changes are coming. As of January 1st, 2018, health agencies will need to track privacy breach statistics, and provide these to the Commissioner starting in March 2019.
There are a few ways you can protect your personal health information. Your health card number may not be held by someone who is not a health care provider. You could show it for identification, such as when you vote, provided it is voluntary and your health card number is not recorded.
You should be aware that electronic communication outside a health care organization's secure information system may not be secure. While patient portals are usually secure, communication via personal devices, external emails, text, and instant messaging may not be secure. For example, you should be aware that text and instant messages:
- Are not encrypted.
- Could be read by anyone.
- Can be forwarded to anyone.
- Likely stay forever on both the sender’s and receiver’s phone.
- Go to a receiver who cannot be authenticated.
If you need to communicate electronically outside of a secure system, you should keep this communication to a minimum and for appropriate exchanges.
You should also think about what you post on social media. The Association of Ontario Health Centres recently featured a story in its privacy newsletter involving a Saskatchewan nurse who shared her grandfather’s final months of life in the care of a Saskatchewan-based health facility. She posted a comment on Facebook both criticizing and applauding the efforts of the palliative care staff. The province’s Regulatory College for nurses charged her with professional misconduct. This was because she posted her comments identifying herself as a registered nurse and, by doing so, violated the Code of Conduct. Following her hearing, the nurse was found guilty of professional misconduct and slapped with a $26,000 fine.
Anita Jean is Manager of Health and Social Programs and the Privacy Officer at NorWest Community Health Centres.