We have an ethical and a legal responsibility to maintain the confidentiality and privacy of client health information obtained while providing care. One way we maintain boundaries and build client relationships based on trust is by respecting clients rights around confidentiality and privacy.

This document provides an overview of Ontario current legislation, clarifies our standards for confidentiality and privacy of personal health information, and replaces the Confidentiality practice guidelines (#41045). It also updates the information on security and confidentiality of personal health information in the Documentation practice standard and the Ethics practice standard.

A. Personal Health Information Protection Act

The Personal Health Information Protection Act (PHIPA), 2016, governs health care information privacy in Ontario. Information privacy is defined as the client right to control how her/his personal health information is collected, used and disclosed. PHIPA sets consistent rules for the management of personal health information and outlines the client rights regarding his/her personal health information. This legislation balances a client's right to privacy with the need of individuals and organizations providing health care to access and share health information.

PHIPA permits the sharing of personal health information among health care team members to facilitate efficient and effective care. The health care team includes all those providing care to the client, regardless if they are employed by the same organization. PHIPA requires that personal health information be kept confidential and secure. Security refers to the processes and tools that ensure confidentiality of information.

B. Quality of Care Information Protection Act

The Quality of Care Information Protection Act 2016(QCIPA) is another piece of legislation for the health care sector. This Act provides broad protection to quality of care information produced by a health care facility or a health care entity, or for a governing or regulatory body. Its purpose is to promote open discussion of adverse events, peer review activities and quality of care information, while protecting this information from being used in litigation or accessed by clients. This means that nurses activities and records associated with the College Quality Assurance Program cannot be used in legal proceedings.

UNDERSTANDING THE PERSONAL HEALTH INFORMATION PROTECTION ACT

What is Personal Health Information?

Personal health information is any identifying information about clients that is in verbal, written or electronic form. This includes information collected by nurses during the course of therapeutic nurse-client relationships. Such information relates to the following:

• Physical or mental health, including family health history;

• Care previously provided (including the identification of people providing care);

• A plan of service (under the Long-Term Care Act, 1994);

• Payments or eligibility for health care;

• Donation of body parts or substances (e.g., blood), or information gained from testing of these body parts or substances;

• A person health number; or

• The name of a client substitute decision-maker.

Clients do not have to be named for information to be considered personal health information. Information is identifying if a person can be recognized using it, or when it can be combined with other information to identify a person. Personal health information can also be found in a mixed record, which includes personal information other than that noted above.

A personnel record containing a note from a physician or a Registered Nurse in the Extended Class [RN (EC)] supporting an absence from work is not considered personal health information. However, a description of the employee symptoms and treatment noted by an occupational health nurse (OHN) when providing care is considered personal health information. If the OHN records contain health information and non-health information, then it is a mixed record. For example, the record contains a note substantiating the absence and the employee symptoms and treatment. The note substantiating the absence can be shared with the employer only if the health information is separated from the note.

Application Throughout the Health Care Continuum

PHIPA applies primarily to personal health information in the hands of health information custodians (called HICs in the legislation, but custodians throughout this standard). A custodian is an organization that provides care within the health care continuum. People providing care can also be custodians under this legislation. Health care providers and consultants who receive information from custodians are responsible for complying with the legislation. They can only use the information for the purposes they identified when requesting it from the custodians.

In general, health care providers and consultants who are employees or volunteers, or contracted or credentialed by health care organizations (e.g., clinics, laboratories, LHINs, hospitals, and long-term care facilities), are considered agents of a custodian. The legislation defines agents as people authorized to act for or on behalf of, a custodian. An agent cannot act on his/her own behalf with regard to personal health information.

Custodians are responsible for practices and policies that ensure the confidentiality and security of personal health information. Custodians are also responsible for complying with the Act, and ensuring that all agents are informed of their duties under PHIPA.

Health care providers and consultants (e.g. nurse) in independent practice, or those employed in health services in non-health care settings (e.g. OHNs), are considered custodians. Health care providers and consultants (nurses) in these settings are responsible for the personal health information in their custody and control, and must take certain steps to safeguard it. Compliance under the Act includes the following:

• designating a contact person to facilitate compliance with the Act and to respond to requests, inquiries and complaints from the public;

• providing a written public statement generally describing information practices, how to reach the contact person, the process for accessing records or requesting corrections, and the complaint process for clients;

• ensuring information practices comply with the Act and its regulations;

• ensuring information is accurate, complete and up-to-date; and

• ensuring information is secure.

A health care provider and consultant (e.g. nurse) is responsible for ensuring that she/he uses client information only for the purpose(s) for which it was collected. A health care provider and consultant (e.g. nurse) should ensure that it remains secure within the health care team. Health care providers also have an obligation to ensure that personal health information used by the health care team or disclosed outside the team is as accurate, complete and up-to-date as possible. If a complete record is not transmitted or transferred for any reason, health care providers must communicate this to the person to whom they are sending the record.

PHIPA defines collection as the gathering, acquiring, receiving or obtaining of personal health information. A health care provider and consultant (e.g. nurse) may only collect as much information as is needed to meet the purpose of the collection. Information may be collected indirectly without consent (e.g. from a relative or significant other) when the client cannot provide it (e.g. he/she is unconscious), if there is a question as to the accuracy of the information that the client provides, or when obtaining consent would affect the timeliness of the care. The Act lists provisions that permit collection of information from someone other than the client.

How the Personal Health Information Protection Act Affects Nurses

The new legislation does not change the health care provider and consultant (e.g. nurses) responsibilities to protect their clients confidentiality and privacy. Nor does it greatly affect their ability to collect and use personal health information to deliver care. In PHIPA, use is a defined term. In this context, use means to handle or deal with personal health information in the custody or under the control of a custodian. Sharing information among members of the health care team to provide care is one use of information under PHIPA. Generally, consent to use information to provide care can be assumed by the health care team. A client should be made aware of his/her right to withhold or withdraw consent to the sharing of his/her personal health information with other members of the health care team.

Circumstances in which a health care provider and consultant (e.g. nurse) may have to obtain explicit consent for disclosure of information are outlined in the section on disclosure in this document. The legislation also outlines permitted disclosures that do not require client consent.

A. Implied Consent

PHIPA specifies that several conditions must be met to assume a client implied consent. It is a custodian obligation to fulfill these conditions by posting a notice or providing a brochure that describes the purposes for the collection, use and disclosure of personal health information. This kind of notice is one way to fulfill the conditions for implied consent.

B. Express Consent

PHIPA does not require a specific form of express consent, which may be given verbally or in written form. It may be provided over the telephone or electronically if a health care provider and consultant (e.g. nurse) is sufficiently able to identify the person; however, express consent that is written helps to avoid ambiguity. The content and format of the consent need not be elaborate. Express consent is required in the following situations:

• personal health information is to be disclosed outside the health care team (e.g. submitting personal health information on a claim form to an insurance company);

• information is to be disclosed (within the health care team) for purposes other than providing, or helping to provide, care;

• personal health information is used for fundraising (e.g., contact information can be provided without express consent); and

• personal information is being collected for marketing research or marketing activities.

If a client cannot provide consent, then a substitute decision-maker may make decisions and provide health information. Rules for who may act as a substitute decision-maker are similar to those in Ontario health care consent law. For example, a substitute decision-maker may be a spouse or the parent of a child under 16 who is unable to answer health questions or make decisions about treatment. PHIPA also contains directions for substitute decision-makers when considering decisions of consent; appeal routes for clients found incapable; and means to deal with conflicts between people acting as client representatives.

Personal Health Information Belongs to the Client

The legislation recognizes that personal health information belongs to the clients and is simply being housed in health care facilities. Clients have the right to give, refuse or withdraw their consent to the collection, use and disclosure of their personal health information.

Clients also have the right to instruct that a part of their personal health information not be shared with other providers. This is referred to as the lockbox provision. If a client instructs a health care provider and consultant (e.g. nurse) not to release a part of his/her health information to another practitioner, the nurse must advise the practitioner that some relevant information has been withheld at the direction of the client.

Although clients have the broad right of access to their personal health information under PHIPA, they may be refused access. Possible grounds for refusing access include the following:

• the information is Quality Assurance information or that generated for a regulatory college Quality Assurance Program;

• it is raw data from standardized psychological tests or assessments;

• it may present a risk of serious harm to the treatment or recovery of the client, or of serious bodily harm to another person; or

• access to the information would reveal the identity of a confidential source of information.

Clients also have the right to correct their personal health information. This means clients can request changes if they believe the record is inaccurate or incomplete. Requests for corrections can be made verbally or in writing; however, only those requests made in writing warrant the correction procedures set out in the Act. Clients can only request corrections to their information if access has been provided. They may not restrict the collection, use or disclosure of their personal health information that is required by law or professional standards.

Client requests to correct personal health information may be refused in the following circumstances:

• the request is frivolous, vexatious or made in bad faith;

• the custodian did not create the record and does not have sufficient knowledge, expertise or authority to make the correction; or

• the information is a professional opinion or observation made in good faith.

To comply with this legislation, procedures and policies must be in place to process client requests for access and corrections. Specific procedures for handling access and correction requests are outlined in the legislation.

Clients can complain to an organization contact person or to the Information and Privacy Commissioner about refusals to access requests or other breaches of PHIPA.

Disclosure

Disclosure is defined as making information available or releasing it to another custodian or person. Express consent is needed when personal health information is disclosed outside the health care team or is not used to provide health care.

However, PHIPA includes provisions that permit a custodian to disclose personal health information without the consent of the client. Some of these include disclosure of personal health information for the following reasons:

• to manage risk;

• to support quality of care programs;

• to allocate resources;

• to obtain payment; and

• to do research, where a research plan has been approved by a research ethics board.

The Act also permits practitioners to disclose personal health information without obtaining consent in the following circumstances:

• if disclosure is needed to provide health care, and consent cannot be obtained quickly;

• to contact a relative or friend of an injured, incapacitated or ill client for consent;

• to confirm that a client is a resident or client in a facility, provide his/her location and comment on his/her general health status (unless there is an express request not to do so); or

• to eliminate or reduce a significant risk of serious bodily harm to another person or the public.

Please see PHIPA or information from the Office of the Information and Privacy Commissioner of Ontario (IPC) for a more complete listing.

Professional Misconduct

One of the definitions of Professional Misconduct in the Nursing Act (1991) is giving information about a client to a person other than the client or his or her authorized representative, except with the consent of the client or his or her representative, or as required or allowed by law.