CMHA Ontario submission to the Standing Committee on Social Policy regarding the review of the Personal Health Information Protection Act (PHIPA). Our submission addresses: consent; redefining family members under PHIPA; the circle of care and community-based services and supports; collection of personal health information by police officers; fees for accessing personal health records; and electronic health records. (August, 2008)
The Canadian Mental Health Association, Ontario (CMHA Ontario) welcomes the opportunity to make a submission to the Standing Committee on Social Policy regarding the review of the Personal Health Information Protection Act (PHIPA).
CMHA Ontario is a non-profit provincial association, committed to improving services and support for individuals with mental illnesses and their families. We have 32 branches providing community mental health services throughout Ontario.
CMHA Ontario appreciates the spirit of the PHIPA, in which an individual’s express consent is required to disclose their personal health information to a person or agency who is not a health information custodian, or for a purpose other than the delivery of health services, while simultaneously seeking to facilitate the collection, use and disclosure of personal health information to support the delivery of health care services.
Our submission addresses the following issues:
- Consent, including standardization of consent forms and time limitations to consent.
- Redefining family members under PHIPA.
- The circle of care and community-based services and supports.
- Collection of personal health information by police officers.
- Fees for accessing personal health records.
- Electronic health records, including issues around access, consent and privacy impact assessments.
1. Consent
Consent forms should be standardized to make the process more knowledgeable, streamlined and protective of individual privacy.
The elimination of standardized forms for the release of information under PHIPA has created confusion among both health information custodians and organizations in other sectors who are not health information custodians (such as police, court services and employment) but who are involved in the provision of services and supports. Some community mental health agencies have experienced cases where their agency consent forms have been refused by other health information custodians (e.g. hospitals), as well as by non-health information custodians. As a result, this has slowed the process of the disclosure of information and inconvenienced both consumers of mental health services and health service providers.
The standardization of consent forms would have several other benefits beyond ensuring that consent requests are accepted by partnering entities. First and foremost, a standardized form would entrench an individual’s right to consent to the disclosure of specific components of their own personal health information by recording an individual’s consent regarding what information will be shared, and with whom, under specified terms. Second, standardization of forms will help increase individuals’ familiarity with the components and processes involved in giving consent. Third, standardized consent forms could satisfy the requirements of knowledgeable consent, as defined in subsection 18(5), by providing instructional information around the options to withdraw and/or limit consent, and, if necessary, recording that a discussion was held between the service provider and the client around the foreseeable consequences of giving consent.
Recommendation 1: A standardized consent form for the release of an individual’s personal health information should be developed that includes sufficient information to specify the expiry of consent and other parameters around what consent has been given.
Recommendation 2: A subsection should be added to Part II, subsection 18, “Consent Concerning Personal Health Information,” that requires a standardized consent form to be used for giving express consent.
Consent forms should be reviewed at previously established periods of time and when health status changes.
PHIPA subsection 20(1), Assumption of validity, stipulates that obtained consent may be assumed as ongoing, unless it is not reasonable for the health information custodian to assume so.
Consumers may remain clients of community mental health agencies for significant periods of time, receiving on-going services and/or episodic care when health status changes. Some community mental health agencies have built the review of consent into case management services as a component of the review of the care plan. Although reviewing consent may be seen as an onerous task, it has served as an important tool for building trust within a client-service provider relationship.
Recommendation 3: Insert a subclause to section 20(1) that stipulates that implied and express consent should be reviewed with the individual or substitute decision-maker after a time period as determined by the Committee.
Recommendation 4: Insert a second subclause to section 20(1) that stipulates that implied and express consent should be reviewed with the individual or substitute decision-maker when the individual’s health status and/or diagnosis changes.
Recommendation 5: Insert a third subclause to section 20(1) stating that the above recommended subclauses do not preclude individuals from specifying other time limitations to their consent.
2. Redefining Family Members under PHIPA
Family members and friends often serve as caregivers to people with mental illnesses, providing informal case management, crisis intervention and assistance with system navigation, while also observing health changes and maintaining records of previous treatment and medication regimes.1
PHIPA legislation recognizes a potential role for families in decision-making around the provision of health care in two specific instances:
- Subsection 26(1), Incapable Individual: persons who may consent, identifies an individual’s spouse or partner, child or parent, brother or sister, or other relative, as persons who may consent in the absence of a substitute decision-maker or appointed guardian, attorney or representative.
- Subsection 38(1)(c), Disclosures related to providing health care, permits health information custodians to disclose personal health information “for the purpose of contacting a relative, friend or potential substitute decision-maker of the individual, if the individual is injured, incapacitated or ill and unable to give consent personally.”
Furthermore, subsection 36, Indirect Collection, allows health information custodians to indirectly collect personal health information (e.g. to collect from non-health information custodians such as family members) under specific circumstances, such as when:
(a) the individual consents to the collection being made indirectly;
(b) the information to be collected is reasonably necessary for providing health care or assisting in providing health care to the individual, and it is not reasonably possible to collect, directly from the individual,
(i) personal health information that can reasonably be relied on as accurate and complete, or
(ii) personal health information in a timely manner.
Any other involvement of family members in the collection or disclosure of an individual’s personal health information must continue to take place within the context of express consent, as per the current PHIPA legislation. It is our role as community mental health organizations to educate and encourage our staff and related health service providers to broach with consumers the subject of consent for disclosure to family.
Although supportive of the current direction of PHIPA regarding disclosure and collection of personal health information from family, we find that the terminology of “partner,” “spouse” and “relative” is too narrow. People with mental illnesses have the right to define who is included in their own “family;” this personal identification may extend beyond those they are related to by biology, adoption or marriage.2
Recommendation 6: Except where in contradiction with other legislation, the term “family” should replace the terms “partner,” “spouse” and “relative” to reflect a more inclusive and individual-focused definition of who constitutes a person who is of primary importance in an individual’s life.
Recommendation 7: The definition of “family” should be added to section 2 to read: “Family describes people with a strong emotional, psychological and/or economic commitment to one another, regardless of the nature of their relationship, including those connected by biology, adoption, marriage or friendship.”3
3. The Circle of Care
Community-based services and supports for people with mental illnesses must be responsive to the unique needs of individuals, providing a continuum of services that often extend beyond health care. These services and supports often address the broad determinants of health. Some of these services may be provided within a health intervention but more often are provided outside of a direct health care setting. Services may be provided onsite by community mental health agencies and/or in partnership with organizations from non-health sectors.
Common examples of services and supports that may form the circle of care for an individual with a mental illness include:
- Employment supports that enable consumers to return to work or maintain employment through training, coaching, vocational services and assistance with accommodation in the workplace;
- Housing services that assist consumers in locating affordable or subsidized housing, and provide ongoing support and advocacy around tenant rights;
- Peer Support programs and Consumer/Survivor initiatives that provide self-help, advocacy and social enterprise programs by and for people with mental illnesses;
- Court Support and Diversion services that support people who have committed minor offences to receive alternate help outside of the judicial system; and
- Joint Police-Health Care Mobile Crisis Intervention teams that provide multidisciplinary services to assist individuals in crisis.
Current PHIPA legislation requires an individual’s express consent for their health care providers to collect, disclose or use that individual’s personal health information with service providers who are not health information custodians. Similar requirements guide the disclosure of personal information held by providers covered under other privacy legislations.
Service providers within a consumer’s broader circle of care need guidelines on how they can communicate to coordinate effective and seamless services. Consideration must be given to how to facilitate these working relationships while maintaining an individual’s ability to consent. As these partnerships and services within and across the community mental health and other sectors evolve, the balance between the disclosure of information for the delivery of care and consumer rights to privacy will grow more complex.
Recommendation 8: Consultations with a range of stakeholders, including service providers, consumers and families, should be held to review opportunities for PHIPA to enable the sharing of information across a broader circle of care, while maintaining individual rights to privacy.
4. Personal Health Information Held by Police Officers
Currently, information collected by police officers during an apprehension under the Mental Health Act is classified as “personal information” and subject to the privacy regulations under the Municipal Freedom of Information and Protection of Privacy Act (MFIPPA). Similarly, information recorded by police officers participating in multidisciplinary mobile crisis outreach and support teams alongside health service providers are being held under MFIPPA. As part of a police record, this health information is available for disclosure in a police record check, as legislated by various municipal by-laws.
Section 4(1) of PHIPA defines personal health information as:
“identifying information about an individual in oral or recorded form, if the information,
(a) Relates to the physical or mental health of the individual, including information that consists of the health history of the individual’s family,
(b) Relates to the providing of health care to the individual, including the identification of a persona as a provider of health care to the individual […]”
We are very concerned that information being collected by the police relating to (a) the mental health of an individual and/or (b) the provision of health care to an individual (such as through a police/health care provider partnership or a police escort to an emergency department) has been excluded from PHIPA. This information clearly fits within the definition of personal health information set out by the Act.
We are also concerned that an individual’s personal health information can be accessed through consent for a police record check for educational, employment or volunteer activities. The disclosure of information pertaining to an intervention in the context of access to health care for non-health care purposes contravenes an individual’s right to privacy of their personal health information.
Recommendation 9: Interventions by police to support an individual in accessing health care should be regarded as health care interventions and be governed under the terms of PHIPA.
5. Reduction of Fees to Access Personal Health Records
Subsections 54(10-12) of PHIPA allow a health information custodian to charge a fee when presenting an individual with a record of their personal health information. Although subsection 54(11) stipulates that the fee “shall not exceed the prescribed amount or the amount of reasonable cost recovery,” we are aware that the fee structure varies significantly based on the size of the organization. For example, the cost of staff time in locating a chart in a hospital may be significantly higher than the cost of locating a chart in a smaller community organization. We have heard anecdotally that some larger institutions charge up to one dollar per page to make a client’s chart available.
Many people with mental illnesses live in poverty. Approximately one in three clients of the Ontario Disability Support Program have a mental illness;4 ODSP rates are 34% below the low income cut off (LICO).5 Passing the costs to the consumer for accessing their own personal health records can serve as a significant barrier of access to one’s own health information. Ease of access to one’s own health information is an important step in enabling choice and self-determination for consumers.
PHIPA has provided for a waiver of access fees, in section 54(12). The clause is vague and leaves the choice to the custodian to determine when it would be fair and equitable to waive the fees. We feel this clause must be strengthened to outline conditions when the fee should be waived.
Recommendation 10: Amend subsection 54(12) to add the following clause 54(12)(a): “The fees for accessing personal health records should be waived for people on Ontario Disability Support Program (OSDP), Personal Needs Allowance, or any other sole dependence on government pension or disability benefits.”
6. Preparing for Electronic Health Records
The development of a comprehensive Electronic Health Record will have implications on the way that privacy and consent are implemented. Some community mental health agencies in Ontario are already working with common electronic client records shared among several health information custodians, and/or are participating in e-health initiatives that introduce new ways of collecting and sharing personal health information electronically, such as the Community Mental Health Common Assessment Project and the eReferrals and Access Tracking Project.
An unequal implementation of Electronic Health Records can have unintended consequences.
Electronic Health Records are designed to provide better care by enabling health service providers to be more informed about an individual’s health status. However, a non-uniform implementation of the system can lead to unintended consequences, of which the Committee should be cognizant. This potential for unintended outcomes is not directly under the purview of PHIPA; however, it sets the context for the consideration of privacy and electronic records.
For example, the Drug Profile Viewer has been rolled out in emergency departments across Ontario to provide health service providers with access to people’s prescription histories. The system was implemented to assist health service providers to identify and prevent adverse drug interactions in emergency settings and enable more informed emergency care.6 Due to the ready availability of data and the targeting of the program to seniors, as well as many other reasons, the first iteration of the system to be implemented has been populated with data from the Ontario Drug Benefit (ODB) Program. The medication records of individuals who pay out of pocket or who receive private health insurance are not currently included in the system. The system is compliant with PHIPA requirements.
One in four Ontarians receive pharmaceutical coverage from ODB.7Qualification for ODB coverage is extended to people who are: seniors (66% of ODB beneficiaries); residents of a home for special care of long-term care (4%); recipient of home care services (3%); enrolled in the Trillium Drug Program (5%); or on social assistance (26%).8
As a result of the way in which the Drug Profile Viewer has been populated with ODB prescription records only, there is a potential that people whose records are located in the viewer and who are under the age of 65 will be perceived to be on social assistance (as the majority group of ODB recipients, with the exclusion of seniors). This unintended disclosure or assumption of disclosure creates an inequitable release of information about a person’s income or employment status. Consumers have expressed concern regarding stigma and discrimination they face due to being labelled by their mental illness. They should not face further real or perceived stigma for being inadvertently identified as beneficiaries of social assistance.
Access to Electronic Health Records needs to be based on consent and role.
The Auditor General has recently cautioned that, “In the [Ministry of Health and Long-Term Care eHealth] blueprint, there is a plan for patients to give instructions about what items of their personal health information they will allow to be shared, what items they want withheld, and the circumstances under which either is to occur… Until this safeguard is developed and incorporated into electronic health records, patient privacy may be compromised…”9
Privacy and protection against unnecessary access of an individual’s health record is of particular concern for people with mental illnesses. Consumers have expressed significant concerns that their experiences with health care change and can become stigmatizing or discriminatory once their diagnosis of a mental illness becomes known.
There are several technological options that can be utilized to ensure that Electronic Health Records fully implement PHIPA’s requirements regarding disclosure and consent. First, Electronic Health Records can be designed to facilitate the consent process by which individuals can consent to the sharing or withholding of their personal health information across their circle of care, as in accordance to current PHIPA legislation. Canada Health Infoway has proposed a Consent Directives Management Service that “allows individuals to grant, withhold or withdraw their consent for the collection, use or disclosure of their personal health information… This service allows patients to restrict access to specific components of their [Electronic Health Record] or their complete [Electronic Health Record]… for example, if permitted in legislation, a patient could restrict access to or disclosure of their prescription drug profile.”10
Electronic Health Records can further protect individual privacy through “role-based access.” Role-based access to health care records is broadly defined as “limiting access to those with a need-to-know.”11 Electronic health databases are being increasingly designed using role-based access control mechanisms to enforce privacy and confidentiality of personal health information by restricting access to individual health records based on different user “roles.” Thus, different health service providers working for the same health information custodian would not have the same access to the full Electronic Health Record when this information would not be required for their effective delivery of service (e.g. a lab technician would have different access than a primary care physician). Roles could be further specified through an individual’s consent.
Finally, British Columbia requires a health service provider to attest to an active provider-patient relationship prior to accessing an individual’s lab information, with their responses recorded in the computer system’s audit log.12 This type of check may help to limit inappropriate or non-necessary access to electronically stored personal health information.
Recommendation 11: PHIPA must provide clear and explicit guidelines on access to electronic health information that ensure that access is limited to the minimum personal health information necessary to provide care. The Committee may wish to consider the national standards established by Canada Health Infoway.
Privacy Impact Assessments are critical but costly.
Privacy Impact Assessments (PIAs) are formal risk management processes that identify real or potential implications of a proposed or existing technology or information system on an individual’s privacy. Although not required by legislation, PIAs are recommended best practices by health sector organizations in Ontario and other jurisdictions.13 PIAs can build trust in Electronic Health Records by reducing the risk of privacy breaches. This trust in privacy is essential in developing a service provider-client relationship. This is particularly relevant given the levels of stigma and discrimination facing people with mental illnesses.
However, PIAs can be resource intensive and require IT expertise that may be unavailable to smaller agencies. Some community mental health agencies have conducted PIAs in the development of their shared electronic records, but reported that the costs of both the assessment and the implementation of the resulting recommendations were prohibitive given their limited resources.
Recommendation 12: The Committee should explore options that will make Privacy Impact Assessments more accessible to community sector organizations.
References
- Family Mental Health Alliance, Centre for Addiction and Mental Health, Canadian Mental Health Association, Ontario and Ontario Federation of Community Mental Health and Addiction Programs, Caring Together: Families as Partners in the Mental Health and Addiction System (November 2006),www.ontario.cmha.ca/policy_positions.asp.
- Family Mental Health Alliance, Centre for Addiction and Mental Health, Canadian Mental Health Association, Ontario and Ontario Federation of Community Mental Health and Addiction Programs, Caring Together: Families as Partners in the Mental Health and Addiction System.
- Family Mental Health Alliance, Centre for Addiction and Mental Health, Canadian Mental Health Association, Ontario and Ontario Federation of Community Mental Health and Addiction Programs, Caring Together: Families as Partners in the Mental Health and Addiction System.
- Ontario, special run data, Ministry of Community and Social Services, obtained April 2007 (based on December 2006 figures).
- Canadian Mental Health Association, Ontario, “Backgrounder: Poverty and Mental Illness,”(November 2007), www.ontario.cmha.ca/backgrounders.
- Ontario, “Emergency Department Access to Drug History Project/Drug Profile Viewer (DPV) System,” Ministry of Health and Long-Term Care, Drug Programs Branch, and Canada Health Infoway Factsheet (April 2006),www.health.gov.on.ca.
- Ontario, “2005/06 Report Card for the Ontario Drug Benefit Program,” Ministry of Health and Long-Term Care, www.health.gov.on.ca.
- Ontario, “2005/06 Report Card for the Ontario Drug Benefit Program.”
- Office of the Auditor General of Ontario, “Smart Systems for Health Agency: Report on the Review,” April 14, 2008, pp. 7-8, www.ssha.on.ca.
- Canada Health Infoway, “An Overview of the Electronic Health Record Privacy and Security Conceptual Architecture” (2006), www.infoway-inforoute.ca.
- Debra Grant, “Privacy and Health Information,” presented to the annual CAMRT conference, PEI Association of Medical Radiation Technologies, Charlottetown, PEI, June 10, 2005, www.ipc.on.ca.
- Ontario, “Ontario Laboratory Information System: PIA Summary,” Smart Systems for Health Agency (2007), www.ssha.ca.
- Ann Cavoukian, “Privacy Impact Assessment Guidelines for the OntarioPersonal Health Information Protection Act,” Information and Privacy Commissioner, Ontario (October 2005), www.ipc.on.ca.