Dialogue Volume 15, Issue 3 2019 | Page 31

POLICY MATTERS Privacy Breaches Addressed in Proposed Policy P College is asking for feedback on expectations hysicians are generally familiar with the duty of confidentiality; after all, the importance of keeping patient’s personal health information secret can be traced back to the fourth century BC and the Oath of Hippocrates. The issues around privacy of personal health infor- mation are less well-understood, in large part, because emerging technology – with its many benefits for health- care delivery – has outpaced efforts to understand its implications and potential for compromising the privacy of patient health information. After all, so much of the information that was once stored in paper format is now available in many different ways, in- cluding through cloud-based servers. The College is now consulting on a proposed policy that expands upon the current policy, Confidentiality of Personal Health Information. The current policy’s emphasis on confiden- tiality and unauthorized disclosure of personal health information has been identified as overly narrow, given the growing recognition and scrutiny of issues relating to patient privacy in health care. Re-titled as Protecting Personal Health Information, the draft policy revises expectations, where appropriate, to address patient privacy and unauthorized collection, access, and use of personal health information. The draft policy and accompanying Advice to the Profession document make it clear that patients’ personal health information (PHI) is protected when it remains confidential and private. The duty of confidentiality prohibits physicians from sharing information about a patient without the patient’s consent, unless permitted or required by law. In contrast, the duty of privacy is broader and prohibits physicians from accessing PHI where they have no authority to do so. These principles are reflected in the Personal Health Information Protection Act, 2004 (PHIPA), which sets out a framework for when health information custodians, including physicians and their agents, are authorized to collect, use, and disclose PHI. While the legislation is complex, its general principles impose an obligation on physicians to only access PHI on a “need to know” basis, or where otherwise permitted or required by law to do so. A specific example that is receiving growing recogni- tion among health-care providers and patients is “snoop- ing”. Snooping is when a health-care provider accesses a patient’s PHI without authorization – in other words, when they have no need to know as part of their duties, and are not otherwise permitted or required by law to access the PHI. Some health-care providers mistak- enly believe that they are permitted to review a patient’s PHI so long as they maintain the patient’s confiden- tiality by not sharing it with anyone else. In reality, snooping is a breach of patient privacy. Unless authorized by law, physicians must have the patient’s express consent to access the PHI where they do not need it to provide health care. So, for example, physicians with technical sign-in ability may be snooping if they view health records where they have no need to know to provide care to the patient; the authority to sign in to an Electronic Health Record or Electronic Medical Record is not author- ity to access all or any records in the system. Other issues the draft policy addresses include: Obtaining valid consent for patients who are minors; Disclosures permitted or required by law; Security of communications and mobile devices; Privacy breach reporting requirements. The issues around privacy and confidentiality are important and we want to hear what you think about our draft policy. Please go online at www.cpso.on.ca to provide feedback. MD ISSUE 3, 2019 DIALOGUE 31