POLICY MATTERS
Privacy Breaches Addressed in Proposed Policy
College is asking for feedback on expectations

Physicians are generally familiar with the duty of confidentiality; after all, the importance of keeping patients’ personal health information secret can be traced back to the fourth century BC and the Oath of Hippocrates.
The issues around privacy of personal health information are less well understood, in large part because emerging technology – with its many benefits for health-care delivery – has outpaced efforts to understand its implications and potential for compromising the privacy of patient health information. After all, so much of the information that was once stored in paper format is now available in many different ways, including through cloud-based servers.
The College is now consulting on a proposed policy that expands upon the current policy, Confidentiality of Personal Health Information. The current policy’s emphasis on confidentiality and unauthorized disclosure of personal health information has been identified as overly narrow, given the growing recognition and scrutiny of issues relating to patient privacy in health care.
Re-titled as Protecting Personal Health Information, the draft policy revises expectations, where appropriate, to address patient privacy and unauthorized collection, access, and use of personal health information.
The draft policy and accompanying Advice to the Profession document make it clear that patients’ personal health information (PHI) is protected when it remains confidential and private. The duty of confidentiality prohibits physicians from sharing information about a patient without the patient’s consent, unless permitted or required by law. In contrast, the duty of privacy is broader and prohibits physicians from accessing PHI where they have no authority to do so.
These principles are reflected in the Personal Health Information Protection Act, 2004 (PHIPA), which sets out a framework for when health information custodians, including physicians and their agents, are authorized to collect, use, and disclose PHI. While the legislation is complex, its general principles impose an obligation on physicians to only access PHI on a “need to know” basis, or where otherwise permitted or required by law to do so.
A specific example that is receiving growing recognition among health-care providers and patients is “snooping”. Snooping is when a health-care provider accesses a patient’s PHI without authorization – in other words, when they have no need to know as part of their duties, and are not otherwise permitted or required by law to access the PHI.

Some health-care providers mistakenly believe that they are permitted to review a patient’s PHI so long as they maintain the patient’s confidentiality by not sharing it with anyone else. In reality, snooping is a breach of patient privacy. Unless authorized by law, physicians must have the patient’s express consent to access the PHI where they do not need it to provide health care. So, for example, physicians with technical sign-in ability may be snooping if they view health records where they have no need to know to provide care to the patient; the authority to sign in to an Electronic Health Record or Electronic Medical Record is not authority to access all or any records in the system.
Other issues the draft policy addresses include:
- Obtaining valid consent for patients who are minors;
- Disclosures permitted or required by law;
- Security of communications and mobile devices;
- Privacy breach reporting requirements.
The issues around privacy and confidentiality are important and we want to hear what you think about our draft policy. Please go online at www.cpso.on.ca to provide feedback.
ISSUE 3, 2019 DIALOGUE