Statutory Review of the Personal Health Information Protection Act | Submission

Statutory Review of the Personal Health Information Protection Act, 2004

August 2008

August 28, 2008

Dr. Shafiq Qaadri MPP
Chair
Standing Committee on Social Policy
Room 1405, Whitney Block
Queen's Park
Toronto, Ontario
M7A 1A2

Dear Dr. Qaadri:

RE: Statutory Review of the Personal Health Information
Protection Act, 2004

The Psychiatric Patient Advocate Office appreciates the opportunity to participate in the first statutory review of the Personal Health Information Protection Act, 2004 (PHIPA or the Act). In light of this occasion to comprehensively review the operation of the Act over the last three years, we believe that our submissions will further the vital purpose PHIPA has in protecting the privacy rights of those who continue to be most vulnerable to discrimination and disadvantage: the one in five Canadian citizens who will be diagnosed with mental illness.^[*] We therefore hope that our recommendations regarding the continued improvement of the statutory regime directing the consent, use and disclosure of personal health information will enhance the equality and freedom as is the common interest of all Canadians.

The PPAO was established in 1983 as an arm’s length program of the Ministry of Health and Long-Term Care to protect the legal and civil rights of inpatients in the current and divested provincial psychiatric hospitals. In 2007, the PPAO addressed 4,140 individual advocacy issues; these included 1,250 therapeutic issues, 842 social issues and 2,048 legal issues. In 2007, the PPAO also received 6,884 requests for rights advice in nine tertiary care psychiatric facilities and one remaining provincial psychiatric hospital. The PPAO’s Community Rights Advice Service received 16,254 requests for rights advice in 2007. The PPAO provided services in 45 languages. This year the PPAO celebrated its 25th anniversary of service provision to the people of Ontario.

The PPAO’s province-wide network of Patient Advocates and Rights Advisors have confronted the pragmatic and practical functioning of the Act in the everyday environment faced by the very patients whose interests it is designed to ameliorate. Concretely realizing the full range of privacy protections and information rights to which patients are entitled remains a daily struggle. It is from this experience, and in context of the particularly sensitive nature of mental health information as defined between the Mental Health Act and PHIPA, that the PPAO raises the following concerns.

The PPAO is pleased that our participation in earlier promulgation of PHIPA resulted in meaningful additions to it, and we are hopeful that our recommendations will be given due consideration as you seek to improve and strengthen this Act and its regulations. In this spirit, we encourage the government to act on the recommendations presented here as informed by our experience with the actual functioning of the Act. As a rights protection organization, we are committed to ensuring that any legislation operating with respect to personal health information does in fact provide the protection that our clients want and need.

Sincerely,

original signed by

Vahe Kehyayan
Director

[*] Mental Health Commission of Canada, MHCC Applauds Ottawa’s Increased Support for Improving Mental Health in Canada, citing Minister of Health Tony Clement (August 18, 2008). Available online: www.mentalhealthcommission.ca/English/News/Pages/August182008.aspx.

SUMMARY OF RECOMMENDATIONS

Regarding “lockbox” rights and protections, the PPAO submits that:

legislative amendments clarify the presumptive entitlement of a patient to restrict lockbox access only to those who are explicitly granted access by the patient, or whose access is clinically required;
legislative amendments clearly define how information flows with the “circle of care” and what constitutes confidentially within the circle of care; by default, not everyone within the circle of care needs the same access rights and information should be limited to its therapeutic context alone;
legislative amendments affirm that the “circle of care” does not automatically extend to family members unless the patient has explicitly directed;
legislative amendments address the “grey area” between defined “health information custodians” and community agencies or landlords;
patients be consulted, when possible, when a health information custodian is unsure what their instructions are;
standards address the transfer of information between institutions and healthcare providers to ensure continuity of privacy rights, entitlements and consent.

Regarding police record checks, the PPAO submits that:

the definition of “personal health information” should be broadened so that police services stop releasing information about non-criminal contact pursuant to the Mental Health Act as part of a police records search; it is mental health information and as such police services should not be able to release it;
that the collection, use, disclosure and retention of personal healthcare information by police services be regulated and standardized province-wide;
that legislative guidance reinforce the applicability of privacy protections by directing the flow of information within mobile crisis intervention units;
that police services and representative organizations be required to consult with human rights, mental health and other advocate stakeholders to ensure the full breadth of possible privacy principles and scenarios are incorporated into any reform efforts;
clear retention schedules be set directing how long personal health information should remain included in police databases;
police are not to be placed in the position of being “psychiatrists in blue” when attempting to determine when mental illness is and isn’t “information of concern” with regards to the “public risk”;
citizens should be entitled to review, comment on, and correct personal health information held by police just as they are with their current information; furthermore, citizen comments should remain affixed to their police records for as long as the records exist.

Regarding the accessibility of patient records and complaints mechanisms, the PPAO submits that:

complaint and appeals mechanisms from the right to access health information records must be streamlined to provide a remedy with a seven day framework;
patients should be presumed to have access to their personal health information records and the onus should be placed back on the health information custodian to show why a record is being withheld;
routine matters, such as the patently erroneous refusal of a health information custodian to permit a patient access to their records, should be open to redress through summary advice from a “compliance advisor” telephone hotline support system operated by the Information and Privacy Commissioner and charged with the mandate of informing HIC’s of their basic obligations under PHIPA;
expectations regarding multiple sets of records and electronic records be defined in the legislation.

Regarding the waiver of access and disclosure fees, the PPAO submits that:

the fees for obtaining copies of, access to, and the review of personal health information be waived completely for particularly vulnerable and disadvantaged groups, including those diagnosed with a mental illness;
where such fees are not waived completely, that PHIPA and its regulations be amended to set out a graded fee schedule specifically to ensure accessibility for disadvantaged groups, and which should be promulgated with community stakeholders;
the complaints and appeals mechanism related to fees be streamlined and clarified, with mandatory response times on the order of seven days and provided with reasons;
the Standing Committee review common sense options that would facilitate patient access to their records, such as waiving direct site access fees as a way to reduce the need for photocopying.

Regarding the need for privacy rights education, the PPAO submits that:

patient rights and privacy procedures be given a practical and expedient means of redress by creating a “privacy rights hotline” capable of informing health information custodians and patients alike of core privacy protections and processes and resolving issues before they turn into formal complaints;
healthcare facilities falling under the jurisdiction of PHIPA should be required to post standardized posters and information leaflets outlining fundamental patient information rights and providing the name and contact information of the officer in charge of applying PHIPA;
a broad education campaign should be undertaken to advise healthcare providers as to the basic state of privacy and information law and the substantive application of PHIPA entitlements in routine everyday situations;
health educational institutions should include privacy rights training as part of their curriculum;
the government should prioritize a broad-based privacy education initiative across the province and in all healthcare contexts.

Regarding the need to reinforce consent rights, the PPAO submits that:

education efforts be prioritized to reinforce for patients and practitioners alike the legal threshold for valid consent to treatment, with particular emphasis on “knowledgeable” versus “implied” consent.

Regarding the establishment of Quality Care Committees, the PPAO submits that:

the role of Quality Care Committees should be reviewed and defined in law to better serve their function as a check and balance on hospital practices and improve patient centered healthcare.

Regarding the common use of the term “circle of care”, the PPAO submits that:

legislative amendment is required to clarify the use of the “circle of care” concept to be consistent with the operation of PHIPA.

Submissions respecting the Personal Health Information Protection Act, 2004

A. Legislative clarity would improve lockbox rights

The Lockbox Right is Essential

PHIPA s. 20(2) and s,. 37(1)(a) currently provides a patient with the right to direct limits on the disclosure of specific content in their personal health information record from other health care providers or persons of concern who may come into contact with the record. This “lockbox” provision protects the patient from the discrimination, stigma, embarrassment and interference that may occur when their mental health diagnosis or treatment regime is unnecessarily disclosed to family members, employers, neighbours, colleagues, landlords, friends or other public or private institutions beyond the privacy of its therapeutic context.

A high degree of concern for the privacy of such information is well founded. A recent study published by the Canadian Medical Association found that Canadians are far more likely to fear telling relatives and friends about a mental illness than any other health diagnosis, including cancer or diabetes^[1]. It was also shown that one in four Canadians describe themselves as afraid to be around people with mental illness. Despite best efforts and legal protections, the primary response to the disclosure of a mental health illness remains stigmatization, discrimination and misunderstanding.

By delimiting information related to a mental health diagnosis to only those healthcare providers providing for its treatment, a patient’s reasonable expectation to be free from discrimination is protected and enhanced. Some typical examples where a patient would invoke their lockbox right to protect themselves from the potential of prejudice and “information leaks” would include that: a mental health facility not share a diagnosis with a family physician; adult children are protected from having their treatment regime disclosed to family members; a landlord is not told about the mental illness for a patient receiving housing support under a community treatment plan or otherwise; or that a patient’s neighbour working in the treatment facility not be privy to their health information. The value in this provision is self-evident as it proactively delimits the potential that highly sensitive patient information might be inappropriately or unnecessarily shared beyond its therapeutic context. Given the discriminatory potential attached to mental health diagnosis, such a precautionary “opt in” model is both warranted and necessary.

Lockbox Rights Must be Known to be Effective

However, we believe that the lockbox provisions are poorly understood by most health care consumers and that this has resulted in the under utilization of these important provisions. As such, we would encourage the government to make available to patients and families additional information and education about these provisions and how they can in some circumstances be of benefit to patients in safeguarding their personal health information. The PPAO believes that it is imperative that these provisions be strengthened and that the government invest additional resources in helping people to understand this section of the Act.

Legislative Clarity is Required

Furthermore, most health information custodians take an overly generous interpretation of what information within a patient health record is “clinically necessary” to disclose to other healthcare providers, and sometimes against the express direction of the patient. Similarly, health information custodians may wrongly conclude that the lockbox provisions are to be balanced against the “circle of care” principle, and may therefore allow information to flow to family members or other healthcare providers. Additionally, there is a large legislative “grey area” where many community support agencies or landlords operating under a Community Treatment Plan are not considered “health information custodians” under PHIPA but may be considered within the “circle of care” for providing some aspects of care to the patient. Patients may have the expectation that such persons are obligated to observe lockbox protections, or that they will be shielded from lockbox access. However, this is frequently not the case and information designated for protection is routinely disclosed to such agencies and landlords. Although the terminology “circle of care” does not exist in the Act, it has become common language and has been defined broadly, often in violation of a patients’ right to privacy. If this terminology is going to continue to be used, it is important that the Act contain a specific definition and a clear statement of who is considered to be “in the circle of care.”

Lockbox protections can also be usurped when a patient’s psychiatric information follows them beyond the original treatment institution or healthcare context. Complications arising from such a move can include a continuing presumption of consent at the new institution, or a health information custodian with different standards than the patient is accustomed to. In some circumstances, such as when a patient is referred to a specialist, the practitioner may be reluctant to provide care and treatment if they are aware that there is a lockbox provision but are unaware of the information secured in the lockbox, thereby impacting on a patient’s ability to receive service. Such problems are exacerbated by the lack of standardized consent forms and the patchwork of information retention schedules. All of this is onerous if not impossible for patients to anticipate and manage, and becomes yet another barrier to access in a system that is already often slow to respond to mental health care needs.

Recommendations

The PPAO recommends that:

legislative amendments clarify the presumptive entitlement of a patient to restrict lockbox access only to those who are explicitly granted access by the patient, or whose access is clinically required;
legislative amendments clearly define how information flows within the “circle of care” and what constitutes confidentially within the circle of care; by default, not everyone within the “circle of care” needs the same access rights and information should be limited to its therapeutic context alone;
legislative amendments affirm that the “circle of care” does not automatically extend to family members unless the patient has explicitly directed;
legislative amendments address the “grey area” between defined “health information custodians” and community agencies or landlords;
patients be consulted, when possible, when a health information custodian is unsure what their instructions are;
standards address the transfer of information between institutions and healthcare providers to ensure continuity of privacy rights and entitlements.

B. Police Records Checks

Currently, there are no standardizing principles, practices or provisions across Ontario to guide police services in conducting Police Record Checks and Vulnerable Position Screenings (PRC/VPS), nor which direct police in the collection, use, retention and analysis of the incredibly broad range of highly sensitive personal information they obtain pursuant to the Mental Health Act and through “non-criminal contact” with persons in need of assistance. The result is that information so gathered creates an unfair and potentially prejudiced profile of persons with mental health, blurs the line between policing and patient care, and which through PRC/VPS checks can unfairly discriminate against such persons with respect to employment, personal privacy, community participation and civil liberties such as travel. As the database grows and as crisis response units become a common way to treat persons suffering mental illness, these information gathering and profiling practices should be regulated as relating to “personal health information” as defined under PHIPA.

Current Practices are Potentially Discriminatory

Police service practice (except in London, Ontario) permits the disclosure of information gathered from non-criminal contact with police as part of a police records check. The sources of such “non-criminal contact” are manifold. Citizens are largely unaware that every incident call to the police results in the creation of a contact record regardless of whether it was out of personal distress, mental health crisis, to obtain support or protection for a victim, or even simply to report an actual or potential investigation. With regard to mental health illness, police are typically involved through non-criminal contact as simply a “mode of transportation” to connect a person in crisis with the health services they need. Nevertheless, such contact is recorded and may be characterized as “information of concern.” Over time, the accumulation of records from such non-criminal encounters with police creates the opportunity for their misuse. It is not uncommon for officers to infer a “pattern of behaviour” from any range of factors, be it a person struggling with mental illness or a neighbour reporting noise by-law violations in their local park every weekend. In turn, these dubious patterns of behaviour may be reported in a PRC/VPS as relevant to the “public safety” as “information of concern” despite the fact such inferences can be misleadingly represented and might be based on assumptions about the meaning of a health diagnosis, prejudice, discriminatory attitudes, criminal profiling, or simply a lack of knowledge and understanding.^[2] The inferential use and potential release of such information is of particular concern for persons facing a concurrent diagnosis of mental health and other disability, or who struggle with the intersection of other qualitative differences such as race, minority status, socio-economic background, substance abuse challenges, or other factors.^[3]

Police services believe that they are entitled to release this information as pertinent to a PRC/VPS check as it is “police information” and not “personal health information.” This is a questionable practice on its face, but also because police record other types of health information (such as injuries, disabilities, etc.) that they would never consider relevant or proper to release as part of a police records check.

It is for this reason that the Ontario Human Rights Commission (OHRC) has released a draft policy indicating their belief that current practice is discriminatory. The OHRC investigated how “information of concern” for the purposes of a PRC/VPS was determined on arbitrary assumptions about non-criminal encounters with persons having a mental illness, and without due consideration to any external referent such as the nature of the background inquiry, the environment in which services are to be provided, or the specific potential risks associated with vulnerable populations within that environ. This resulted in the disclosure of highly sensitive personal health information outside of the specific contexts which would warrant it.

The effect of conclusions about such vulnerable persons can permanently and indelibly gloss their PRC/VPS results with a patina of criminality, based on an intersection of disabilities and differences, that may seriously prejudice their ability to gain employment, travel internationally, volunteer in their community, obtain health insurance, or otherwise enjoy the equality of freedom and opportunity ameliorated by privacy protection legislation. A police records check should not be used to dis-empower people, to squelch opportunities for recovery and reintegration into the community, nor infringe on the rights of some of the most vulnerable amongst us. The fact that the police report this information on a “check” falsely implies that the encounter was criminal in nature or that the police have “information of concern on file.”

Current Practices are Unregulated

Since policing is a municipal government function, every police service in the province can set their own standards and guidelines with respect to the collection, use, retention, analysis and release of information on police records checks. Present practices are so divergent that different jurisdictions retain personal health information from anywhere between six and 35 years. It is therefore disappointing that the Ontario Association of Chiefs of Police has shown little, if any, leadership in correcting this injustice or working with their members to stop a discriminatory practice that violates the Ontario Human Rights Code. They have to date ignored stakeholder groups such as the Mental Health Police Records Check Coalition which is comprised of more than 39 groups and organizations that are seeking to make systemic change to the benefit of all Ontarians.

While privacy laws place some constraints on what information may be disclosed and how it is used, they are not necessarily designed to address the kinds of discriminatory profiling which may occur in a PRC/VPS. In part, this is because such profiles fail to define a test to determine relevancy and risk that would contextualize “information of concern”. It is also related to the fact that there is no guidance on what constitutes “police information” as distinct from “personal health information”. This will be of particular importance in other emerging contexts that continue to blur to line between policing and health care, such as mobile mental health crisis response units.

The PPAO therefore recommends that information gathered from non-criminal contact with police pursuant to the Mental Health Act should be considered as “personal health information” and thus regulated and protected under PHIPA.

PHIPA defines personal health information as:

relates to the physical or mental health of the individual, including information that consists of the health history of the individual’s family,
relates to the providing of health care to the individual, including the identification of a person as a provider of health care to the individual, …..

Based on this definition, it appears that much of the information gathered and released by police services across Ontario related to non-criminal contact would be covered by PHIPA as “personal health information”. It is therefore inappropriate that the release of such information, pursuant to the Mental Health Act, continue as common practice. Information arising from non-criminal contact with police should be considered as personal health information and therefore not subject to release on a police records check. The Act must specifically ban the disclosure of such information.

The Ministry of Health and Long-Term Care should provide the necessary direction either in law, regulation or policy to ensure that privacy barriers between health and police services are respected. Although the police are present at the scene with a crisis intervention worker, a nurse or other support person record their own notes during the incident. These notes should be considered to be part of a “health care intervention” and not a “police intervention.” Likewise, notes of these encounters should not flow freely between the police and the crisis staff without client knowledge or consent. The same privacy protections should be in place to ensure that information is not being misused or supplied to police “through the back door.” The police should not be considered a health information custodian but when attending as part of a crisis care team they should be considered to be part of the provision of a health care service through mobile service provision. As such, the information they collect with respect to non-criminal contact should not be reported on a police records check. It is understood that policing services might wish to collect and retain some types of information but it is the reporting of this information on a police records check that is concerning to most fair minded citizens in Ontario.

Finally, the inclusion of this personal health information at all is questionable in the vast majority of PRC/VPS searches. Other statutes, professional codes of conduct, regulations for persons in positions of authority and the common law already define the myriad of situations in which persons having knowledge of someone who is potentially a risk to themselves or others are obligated to disclose the risk or face censure or liability. Police departments were never designed to centralize this function in society or to make determinations more properly the purview of health, law, public and other regulated professionals. To the extent that they now do so overreaches their jurisdiction to ensure the “public safety” and requires serious study and consideration in context of a comprehensive privacy approach.

Collectively, these changes would also bring police practice in line with the development of the common law since PHIPA came into force. Recently, Ontario Divisional Court unambiguously emphasized the importance of protecting the privacy of an individual’s mental health information as a very high standard. In Ontario Nurses’ Assn. v. St. Joseph’s Health Centre, the test for relevancy and the public safety was set as a difficult one to satisfy before medical information should be disclosed:

A psychiatric or psychological examination is a highly intrusive and sensitive procedure and should only be available to employers in cases where the necessity for it has been firmly established. In Brinks [Canada Ltd and Teamsters Union, Local 141] the arbitrator held that, even though the employee carried a firearm in the course of his duties, it was not reasonable for the employer to demand a psychiatric evaluation as a condition of a return to work.^[4]

Procedures should be developed respecting police investigations

In situations where police are investigating an incident within a facility, staff members are all too often willing to disclose to the investigating officers information contained in a patients health information file. Many facilities are not aware of the rules regarding disclosure and often give the police whatever they want. Patient consent under PHIPA s. 18(3)(a) should be clarified and procedurally reinforced, as should the understanding of health information custodians as to their duties and obligations under s. 43(1). When police requests are received, there should be unambiguous procedures directing whom should be contacted, what questions should be asked to verify and clarify the request so as to delimit it and protect against “fishing expeditions,” what documents should be requested from the patients record, what documentation to include from the patient’s chart, and what, if any, information should be disclosed to the patient regarding the request. Other procedures should be developed to account for situations where police requests are not received but disclosure is appropriate, including the basis for disclosure (such as suspicion on future harm), what information will be included, and the creation of case scenarios to assist staff in better understanding their obligations.

Recommendations

The PPAO recommends that:

the definition of “personal health information” should be broadened so that police services stop releasing information about non-criminal contact pursuant to the Mental Health Act as part of a police records search; it is mental health information and as such police services should not be able to release it;
that the collection, use, disclosure and retention of personal healthcare information by police services be regulated and standardized province-wide;
that legislative guidance reinforce the applicability of privacy protections by directing the flow of information within mobile crisis intervention units;
that police services and representative organizations be required to consult with human rights, mental health and other advocate stakeholders to ensure the full breadth of possible privacy principles and scenarios are incorporated into any reform efforts;
clear retention schedules be set directing how long personal health information should remain included in police databases;
police are not to be placed in the position of being “psychiatrists in blue” when attempting to determine where mental illness is or is not “information of concern” with regards to the “public risk”;
citizens should be entitled to review, comment on, and correct personal health information held by police just as they are with their current information; furthermore, citizen comments should remain affixed to their police records for as long as the records exist.

C. Patient Access to Records requires a Practical Complaints Mechanism

Under PHIPA s. 55(1), individuals have a right to request access to, and correction of, their personal health information, subject to limited exceptions. However, without an effective remedy to review a denial of access to personal health information or to review findings of incapacity regarding the disclosure, collection and use of personal health information (for individuals assessed not capable of treatment and who have a substitute decision maker), PHIPA has not only eroded but rendered the rights of psychiatric patients meaningless.

Unavailability of Substantive Redress

An individual may be denied the right of access to their personal health information based on any number of criteria, including where the access could reasonably be expected to: result in risk or harm to the treatment of recovery of the individual; result in risk of serious bodily harm to the individual or another person; lead to the identification of a person required by law to provide information to the record or its custodian; or lead to the identification of a person who provided information in the record to the custodian explicitly or implicitly in confidence if the custodian considers it appropriate in the circumstances that the name of the person be kept confidential (s. 52(1)(e)).

Prior to the PHIPA amendments to the Mental Health Act ss. 35 and 36, refusal to provide a patient with access to their personal health information placed the onus on the officer in charge to apply to the Consent and Capacity Board (CCB) for permission to withhold the records. They were also required to provide the patient with written notice of their decision and with reasons explaining the grounds for the refusal. This was also on an appropriate timeline: the CCB application had to be submitted by the health information officer within seven days of the patient’s first request, following which the CCB had seven days to review the application and issue a direction.

Under PHIPA this firm two-week timeline has been extended to 60 days or longer. The efficient CCB review process has been replaced by a confusing, cumbersome and laborious process that places the onus on the psychiatric patient to pursue through their health information custodian and then, on appeal, to the Office of the Privacy Commissioner. At that later level a patient may be required to write submissions and engage in a complex mediation and review process that can take months. Furthermore, PHIPA has reversed the presumption that a patient should have access to their health information records; the onus is now on the patient to prove that they should have access to the records they are requesting. Assuming the patient can manage to make an application, the response they are entitled to can refuse to confirm or deny the existence of any record or refuse to provide access based on the grounds specified.

We would encourage the Committee to restore the rights that our clients previously enjoyed and significantly shorten the time period that health information custodians have to respond to requests to access personal health information. A seven day response time is more appropriate for those who are inpatients and where the information is readily available.

Multiple and Electronic Records

Patients also face great difficulty where records are contained by a variety of institutions or individual healthcare providers, or even across different sites or outpatient clinics of the same health care institution. It is not uncommon for a physician or social worker to maintain a separate set of records on the client which may never be included in the overall record. This is particularly true with sessional staff or where the patient is seen in a clinic attached to a facility. At times this leaves a patient wondering if they have seen their full, complete and true record of personal health information. It does not appear that there is a standard process in place for alerting patients to look to other sources or locations for information that the health information custodian may keep in other places or in other formats. Perhaps a legal requirement that patients be advised of this and what constitutes a full a complete record would be helpful.

While possible that the establishment of electronic records could contribute to the remediation of this problem, such systems raise their own set of concerns. As the government increases the pace at which healthcare records are collected, stored, transmitted, duplicated and manipulated, it will be increasingly important to provide guidelines directing the accessibility of such records to patients. Problems under this framework would include standardization and disabled accessibility of user interfaces and document types; policies on access conditions, including the availability of patient record review terminals within institutions; the use of encryption to ensure file security, consistency and integrity; retention, consolidation and long-term storage timelines; and how the problem of information “segmentation” will be addressed, i.e., the extension of “lockbox” provisions into the digital realm. The adoption of electronic records also makes it significantly more difficult for a patient to make a “statement of correction” on the file. The statement of correction is a key check and balance in the system and it is important that patients continue to be able to make corrections to their record of personal health information, should they see fit. This Act essentially erodes a patient’s right to correct their personal health information while most procedural safeguards and processes protect the health information custodian and the health practitioner.

It is also unclear how these access and correction rules should apply in the context of an electronic health record that is accessed and created by multiple health information custodians. For example, should individuals be able to access their record from any custodian, only the custodian who created the information, or should access be handled in a more centralized fashion? Who should be responsible for notifying the affected individuals in the event that a privacy breach occurs in the context of an electronic health record that is accessed and created by multiple custodians?

The rules for correction must be clear, simple, easy to understand and easy to operationalize. Every patient must be told that they have the right to make such corrections and they must be advised of the process to do so. Information contained in the record of personal health information can have far reaching implications and consequences as these records will be accessible to both the system and health care practitioners over time. Having the right of correction is integral and essential to a health care system that demands fairness and accountability.

Recommendations

The PPAO recommends that:

complaint and appeals mechanisms from the right to access health information records must be streamlined to provide a remedy with a seven day framework;
patients should be presumed to have access to their personal health information records and the onus should be placed back on the health information custodian to show why a record is being withheld;
routine matters, such as the patently erroneous refusal of a health information custodian to permit a patient access to their records, should be open to redress through summary advice from a “compliance advisor” telephone hotline support system operated by the Information and Privacy Commissioner and charged with the mandate of informing HIC’s of their basic obligations under PHIPA;
expectations regarding multiple sets of records and electronic records be defined in the legislation.

D. Access and Disclosure Fees should be Waived

The discretion to charge “reasonable fees” under PHIPA ss. 35 and 54 for the disclosure and review of personal health information records often makes access practically unavailable. Many mental health consumers in Ontario have an income below the poverty level and may only be in receipt of government assistance. Many more are “working poor” who can not afford fees that frequently reach hundreds of dollars. Under such conditions, even token levies represent prohibitive expenses and insurmountable barriers that prejudice the possibility of fully informed consent; confound a patient’s right to review errors, omissions and make corrections to their file; and impede efforts by advocates or lawyers to adequately advise or act on behalf of a patient with the full breadth of their legal entitlements and options. Collectively, fees levied for accessing, disclosing and reviewing personal health information operate as both a health risk and a violation of fundamental rights.

The fees for obtaining copies of, access to, and the review of personal health information should be waived completely for particularly vulnerable and disadvantaged groups, including those diagnosed with a mental illness and those in receipt of the Personal Needs Allowance, Ontario Disability Support Program or any other form of government pension or regular or disability benefits.

Access Fees Unduly Accumulate

We are further concerned that fees unduly accumulate where a health information custodian compounds additional administrative levies. These can be for the time required of a health information custodian to retrieve and prepare the records sought; the time required to determine if a record contains information to which access may be refused; or where a health information custodian provides supervision of (or practical assistance to) a patient while they are accessing their records. It doesn’t take long for such fees to amass into a prohibitive obstacle that denies patients access to their personal health information.

We must remember that the personal health information belongs to the individual and access to it should be simple, timely and with minimal cost. It is our opinion that a client should not be charged for having the health information custodian assess their file or supervise them while reading their record. These two functions must be considered as an obligation and responsibility of the custodian and as part of the total provision of health services for which they already receive public funding. The PPAO recommends therefore that these two provisions be struck entirely from the regulation.

Unpredictable Discretion Obviates a Patient-Centered Ethic

While the custodian of information may waive any allowable fees, the nature of this discretion as operating unpredictably on a case-by-case basis causes confusion and apprehension, is open to abuse, and contributes to undue delay in processing the request. In the face of such barriers it is easier for the patient to choose not to exercise their rights. Sometimes this outcome can be intentional. Where a healthcare provider identifies a patient or their advocate as “troublesome”, a full panoply of excessive fees can be levied against them as a way of controlling the flow of information.

Fees Prejudice Legal Rights

Accordingly, there should be no charge for access to a record of personal health information by the patient and/or his/her legal counsel for the purposes of preparation for a hearing before the Consent and Capacity Board or the Ontario Review Board. A fee should not be charged for supervision while the record is reviewed or for photocopies for use at the hearing. There should be no charge to have a custodian review the file to assess if some information should be withheld. In each of these cases any fee may disadvantage individuals to the extent that they are denied access to justice as this financial encumbrance may prevent them from being adequately prepared to appear before the Board.

Complaints Mechanisms are Practically Unavailable

Practically speaking, complaints mechanisms available for the review of access and disclosure fees are slow and inadequate. Complaints to professional bodies for the excessive charging of a fee, per s. 35 of the PHIPA and other professional Codes of Conduct, are practically inaccessible and cause undue delay amounting to months.^[5] Complaints to the Privacy Commissioner under PHIPA s. 56 are onerous and can also take months to resolve. This again places patient information rights accorded under PHIPA beyond practicable reach.

Recommendations

The PPAO recommends that:

the fees for obtaining copies of, access to, and the review of personal health information be waived completely for particularly vulnerable and disadvantaged groups, including those diagnosed with a mental illness;
where such fees are not waived completely, that PHIPA and its regulations be amended to set out a graded fee schedule specifically to ensure accessibility for disadvantaged groups, and which should be promulgated with community stakeholders;
the complaints and appeals mechanism related to fees be streamlined and clarified, with mandatory response times on the order of seven days and provided with reasons;
the Committee review common sense options that would facilitate patient access to their records, such as waiving direct site access fees as a way to reduce the need for photocopying.

E. Privacy Rights Education is Required

Several statutes and regulations in Ontario safeguard the privacy of medical information to ensure that medical information is only disclosed in narrow circumstances. This legislative scheme includes – but is not limited to – at least the following statutes:

Personal Health Information Protection Act, S.O. 2004, c. 3 – see ss. 18. 23-24, 29-35 (requirements for consent) and s. 36 (limits on the collection of personal health information);
Regulation under the Public Hospitals Act – Hospital Management, R.R.O. 1990, Reg. 965 – see s. 22 (limits on collection, use and disclosure of personal health information);
Regulation under the Medicine Act, 1991 – Professional Misconduct, Ont. Reg. 856/93 – see s. 1(1) para. 9 (requirement for consent) and para. 10 (limits on disclosure)
Regulation under the Nursing Act, 1991 – Professional Misconduct, Ont. Reg. 799/9 – see s. 1, para. 9 (requirement for consent) and para. 10 (limits on disclosure)
Mental Health Act, R.S.O. 1990, c. M.7 – see ss. 35 – 35.1 (limits on disclosure of personal health information)

While the government of Ontario is to be commended for attempting to create a comprehensive legislative scheme for the protection of privacy, the breadth of this effort has placed these protections in a confusing array of interrelated and overlapping statutes. The practical difficulty in accessing, analyzing and applying the panoply of these privacy provisions in the real world is one of the most serious barriers to their full recognition and compliance, and particularly confounds the ability of a medical practitioner to consider privacy from the specific perspective of patients diagnosed with mental illness.

In an effort to ensure compliance, many large healthcare institutions have compiled legislative and regulatory obligations and duties into practically defined policies and procedures respecting patient information rights. Gaps remain, however, in adequately ensuring that staff are fully apprised of these policies and procedures and are capable of acting on them proactively when dealing with patients. Furthermore, the move away from standardized approaches such as a province-wide consent form has created additional liability risks for healthcare lawyers as well.

Patients often find that the lack of standardized consent forms across the various components of the health care sector leads to confusion about what they are being asked to consent to and for what purposes. The Act should require the use of a standard consent form for the collection, use and disclosure of personal health information and it should be time limited and require that the nature of the disclosure be specifically stated on the form. This would serve to protect the privacy rights of the individual and provide for the release of only such information as they permit. Issues related to consent are further compounded because of the provisions for implied consent and express consent and how these legal concepts are both understood and applied by health practitioners.

This gap between legislation and actualization grows outside of the major institutional settings. There is often a total lack of knowledge on the part of most independent or non-institutional health information custodians (doctors, dentists, etc.) as to their duties. In some cases there is a total lack of awareness of the conditions under which patients have a right to review their records. This can lead to instances in which patient rights are incorrectly interpreted and arbitrarily applied.

Accordingly, for the full range of legislative protections to be actually engaged and applied in everyday situations, the government must undertake a broad-based education initiative that will translate statute into practicable practice standards. Particular emphasis should be placed on reaching out to small and non-institutional healthcare with support materials, best practices guides, and ongoing education initiatives. At a minimum, a set of fundamental principles of patient rights should be developed that will assist healthcare providers in making correct decisions when confronted with unfamiliar privacy issues. Such fundamental principles would direct medical practitioners to proactively inform patients about basic rights to attend and view their records; that patients may both obtain copies and review original files; that patients are not required to obtain the entire record if they only want one item; and the requirement to obtain consent before speaking to a patient’s family.

In furtherance of the goal of normalizing privacy rights as a key component in everyday healthcare practice, the government should also require that health educational institutions include privacy rights training as a mandatory part of their curriculum. Such education should not only be limited to specific courses but included in every course, and thereby made an integral part of providing healthcare in Ontario.

Furthermore, it has been the experience of the PPAO that patient privacy rights are frequently obviated in very routine situations simply because practitioners and health information custodians are confused about basic privacy principles. In these instances, it is unclear why a patient should have to go through a laborious, onerous and protracted complaint resolution process that may involve multiple professional organizations and government ministries. This could be remedied by creating a privacy rights “compliance advisor hotline” that would act as a resource for health information custodians and patients alike by summarily clarifying fundamental rights and processes. Such a hotline would also likely reduce the number of formal complaints, improve patient access, reinforce correct privacy practices, and be a practical form of redress.

Broad based education for families, patients and other stakeholders would be an important and key investment if this Act and its regulations are to be fully understood and implemented by the government of Ontario. We would encourage the Ministry of Health and Long-Term Care to immediate update and release its “Rights and Responsibilities” guide which was a helpful publication for those wishing to both understand and exercise their rights.

Recommendations

The PPAO recommends that:

patient rights and privacy procedures be given a practical and expedient means of redress by creating a “privacy rights hotline” capable of informing health information custodians and patients alike of core privacy protections and processes and resolving issues before they turn into formal complaints;
healthcare facilities falling under the jurisdiction of PHIPA should be required to post standardized posters and information leaflets outlining fundamental patient information rights and providing the name and contact information of the officer in charge of applying PHIPA;
a broad education campaign should be undertaken to advise healthcare providers as to the basic state of privacy and information law and the substantive application of PHIPA entitlements in routine everyday situations;
health educational institutions should include privacy rights training as part of their curriculum;
the government should prioritize a broad-based privacy education initiative across the province and in all healthcare contexts.

F. Consent Provisions should be Reinforced

PHIPA, although intended to protect the privacy rights of all health care consumers in Ontario also went to extraordinary lengths to erode some of those very rights. The government of Ontario made a conscious decision to reduce the threshold for consent from “informed” to “knowledgeable” and in doing so eroded the highest standard that should have been maintained.

PHIPA has also allowed for implied consent without the corresponding safeguards and documentation standards being put in place. That would have ensured that any care or treatment administered with implied consent met the legal threshold of consent and that the decision making and assessment process was documented for historical purposed. Often when patients have severe limitations, cognitive or neurological impairments or a disability, it is too easy to simply state that they gave “implied consent” without there being a really thorough review of their level of understanding of the proposed treatment and their ability to give informed or “knowledgeable” consent. Often this type of consent is confusing for clients as they are afraid to say “no” to those entrusted with providing them care or treatment and often the consent is not meaningful as they haven’t understood the material risk or benefits of a particular treatment. In many cases it would be difficult to say if the individual knew what they were being asked, if they had enough information to make a decision and if in fact it could even be considered consent, taking all aspects into consideration.

The concept of “implied consent” is often misunderstood by patient and practitioner alike. This can lead to abuses, assumptions about consent to treatment and in some cases the individual receiving a treatment they would have preferred not to have received. The definition of “implied consent” needs to be clear, concise and comprehensive so as to reduce the possibility of people being coerced to take treatment they don’t want or would not have given express consent for. In some cases individuals with mental illness are at the low point of their illness when admitted and often this is not the best time to seek consent for very invasive treatments. Perhaps the best practice should be that all invasive treatment required express consent, where possible and that implied consent become the exception and not the rule.

It is for this reason that there needs to be a broad based education campaign about consent, the elements of consent and the legal threshold that must be met for their to be “valid” consent for any treatment. In Ontario the rule is very simple: no treatment without consent, except in emergency circumstances. This needs to be understood by patient and practitioner alike.

Recommendation

The PPAO recommends that:

education efforts be prioritized to reinforce for patients and practitioners alike the legal threshold for valid consent to treatment, with particular emphasis on “knowledgeable” versus “implied” consent.

G. Quality of Care Committees

Quality of Care Committees were established to serve an audit function within the system and to help promote learning, the development of best practices and to afford institutions an opportunity to learn from high profile or highly sensitive situations. However, it appears that these Committees are being used to shield institutions from criticism and to act as part of a risk mitigation strategy and reduce liability for the hospital. All too often matters are immediately referred to the Committee and then anyone seeking to obtain information is told that because the matter has been referred to the Committee no information can be shared or released to those wishing to review the incident or to work to bring about systemic change. The role and function of these committees must be reviewed with accountability, responsibility and transparency as the key cornerstones. Their role must be more clearly defined in law so that the public can have confidence in the work of the committees and the systemic change that they are able to bring about, if allowed to function as an important check and balance within the system.

Recommendation

The PPAO recommends that:

the role of Quality Care Committees should be reviewed and defined in law to better serve their function as a check and balance on hospital practices and improve patient centered healthcare.

H. “Circle of Care”

Although the terminology “circle of care” does not exist in the Act, it has become common terminology and has been embraced by the health care sector. However, they have chosen to define it broadly resulting in many individuals having access to the personal health information of a patient to whom they are not providing direct service. This practice is often in violation of a patients’ right to privacy and confidentiality. If this terminology is going to continue to be used across the sector it is imperative that the Act contain a specific definition and a clear statement of who is considered to be “in the circle of care.” In any case, it is important that health practitioners remember that personal health information is private, personal and worthy of protecting if we are going to have a health care system that respects the rights of patients and zealously guards their privacy. Perhaps this is an opportune time for the “circle of care” to be revisited with the experience of the past four years in mind and how it has often been misused to erode the rights of patients. A broad based consultation with stakeholders could be convened and a “workable” definition for health information custodians that respects the rights of every patient could be developed in consultation with all stakeholders in the sector.

Recommendation

The PPAO recommends that:

legislative amendment is required to clarify the use of the “circle of care” concept to be consistent with the operation of PHIPA.

Footnotes:

[1] Canadian Medical Association, 8th Annual National Report Card on Health Care (August 2008) at page 4. Available online: www.cma.ca/multimedia/CMA/Content_Images/Inside_cma/
Annual_Meeting/2008/GC_Bulletin/National_Report_Card_EN.pdf

[2] The effect of this data retention policy and profiling cuts both ways; a “chilling effect” on the will of citizens to engage the police at all could become very real if the collection of such information begins to impugn the common sense of privacy norms – or it may already do so.

[3] Of course, such claims would no longer be discriminatory if police simply elected to charge persons instead – a potentially abusive practice.

[4] Ontario Nurses’ Assn. v. St. Joseph’s Health Centre (2005), 76 O.R. (3d) 22 at para. 21 (Div. Ct.), citing Brinks Canada Ltd and Teamsters Union, Local 141 (1994), 41 L.A.C. (4th) 422.

[5] See for example regulation under the Medicine Act, 1991 – Professional Misconduct, Ont. Reg. 856/93, s. 1(1) para. 9 (requirement for consent); para. 10 (limits on disclosure); and para. 34(4); regulation under the Nursing Act, 1991 – Professional Misconduct, Ont. Reg. 799/9, s. 1, para. 9 (requirement for consent) and para. 10 (limits on disclosure).

APPENDIX

Vision, Mission, Mandate and Values

Mission

The PPAO provides independent and confidential advocacy services and rights advice to consumers of and those seeking access to psychiatric services. We work to empower our clients to make informed decisions about their care, treatment, and legal rights. We use information, education, negotiation, and referral to conduct instructed, non-instructed, and systemic advocacy. We conduct public education on these issues. We promote self-advocacy and self-determination.

Vision

The vision of the Psychiatric Patient Advocate Office (PPAO) is that persons with mental illness in Ontario be treated with dignity and respect, that their legislated rights and entitlements be upheld at all times, and that they be actively involved in decisions affecting their life, care, and treatment.

Mandate

To advance the legal and civil rights of psychiatric patients by means of both individual case work and systemic advocacy;
To inform the patient, family, hospital staff, and the community about patients' legal and civil rights;
To assist, facilitate (self advocacy), and help resolve the complaints made by psychiatric patients by providing an avenue for resolution through negotiation according to the patient's instructions;
To investigate alleged incidents and to assess institutional and systemic responses to these instances;
To refer patients, when necessary, to outside community advocacy resources such as community organizations, lawyers, or physicians who may offer a second opinion.

Values

In providing services to its clients, the PPAO is guided by the following values:

People:

We believe in the autonomy of all people and in each person's right to make informed choices. We value all people as members of our communities and recognize that we may need a variety of formal and informal supports and services in our lives.

Education:

We believe education is a powerful tool to effect social change and that this is a part of advocacy.

Community:

We believe that with sufficient community options and supports, most mental health consumers are able to remain in their home community if this is their choice.

Process:

We believe that the advocate's first responsibility is to act upon the client's expressed wishes and personal choices, and to promote the safety, quality of life and care of clients who cannot instruct an advocate.

Independence:

We believe that we must be maximally free from actual, potential, or perceived conflicts of interest in order to serve our clients more effectively.

Consumer Participation:

We believe that it is essential for consumers, to the extent that they want to and are able to, participate and have the sense of ownership in the policy development of the PPAO.

Guiding Principles of Advocacy

Advocacy is Client Directed

Unless the client is incapable of instructing an advocate, advocacy is client directed. That is, the actions of the advocate are guided by the instructions of the client. The advocate serves the client on a voluntary and consensual basis. The advocate does not substitute for the client's instructions his or her own personal or professional view of what course of action is in the "best interests" of the client. Central to advocacy is the determination of the client's wishes and the servicing of those wishes, unless the client's instructions are illegal or impossible to carry out.

Advocacy is Independent

Advocacy should be, and be seen to be, independent. In order to avoid any potential or perceived problems with conflict of interest, advocates should be independent both from the psychiatric facilities where and service providers from whom their clients receive care and treatment.

Advocacy is Accessible

For advocates to be able to assist vulnerable clients, they must be readily accessible to them. They must also be assured of the opportunity to communicate with their clients without interference from others.

Advocacy Uses Avenues of Least Contest

Advocates seek to resolve issues at the level of least contest by beginning with the decision-maker closest to the client's problem before escalation to higher authorities. They seek all avenues to promote patients' rights and freedoms including conciliation, mediation and reasoned discussion.

Glossary of Terms

Advocacy
Advocacy is a process that ensures that the rights of vulnerable people are protected, that their self-defined needs are met, and that they are supported to make decisions that affect their lives. It is also a vital component of patient protection, assuring that the vulnerable person's legal and human rights are respected, and that their self-determination, independence and autonomy are maintained. The PPAO differentiates between the concepts of "protection" and "advocacy". "Protection" refers to interventions offered to people with disabilities on the assumption that they are unable to understand their options, express their views or make and take responsibility for choices about their lives, care and treatment. "Advocacy", on the other hand, emphasized a person's capacity for autonomy and ability to make such choices, particularly if offered assistance in understanding the options available, and in communicating personal preferences to others. In the case where a vulnerable person cannot instruct an advocate and is at risk of abuse or neglect, an advocate's intervention may be seen as "protection." Hence, this dimension of "protection" is included within the concept of "advocacy."

Self-Advocacy
Advocacy that is undertaken directly by the individual to achieve a specific goal. This form of advocacy may be enhanced through contact with an advocate who can provide information; resources, and an outline of options and expected outcomes of an individual's actions.

Instructed Advocacy
Advocacy that is undertaken directly by an advocate based on a client instruction. The process is guided by the principles of self-determination, client empowerment and self-advocacy. The advocate outlines options and the client determines the path to issue resolution. The advocate assumes the competency of the client to instruct unless the contrary is indicated.

Non-Instructed Advocacy
In keeping with the principles of self-determination, client empowerment and self-advocacy, non-instructed advocacy is conducted on behalf of an individual who for some reason is unable to instruct an advocate at the given time. Issues may concern the quality of life of an institutionalized person or those where a failure to take action will compromise the health, estate, personal security of dignity of the client.

Systemic Advocacy
Systemic advocacy focuses on issues that affect a broad segment of a particular population. These initiatives may, for example, comprise strategic efforts to change administrative structures and service delivery within the context of psychiatric institutions. This can include law and policy reforms that provide the basis for services provided in the mental health care system. The goal of systemic advocacy is to promote changes that support the legal rights social and therapeutic entitlements of clients; and to address power inequities inherent in institutional settings.

Best Interest vs. Client Instruction

Fundamental to the practice of advocacy is the notion that a client's instructions dictate the actions done on his or her behalf. Reinforcing an individual's right to self-determination, the advocacy relationship must respect the client's ability to make choices that reflect his or her own values. An advocate is neither a gatekeeper nor a decision-maker: his or her own beliefs must not dictate the path taken.

An advocate joins with the voice of the client, strengthening and supporting the position taken. The development of a true advocacy relationship ensures that the ultimate decisions made with respect to a client's care, treatment and quality of life reflect the client's position.