Protecting Patient Personal Health Information

As Arbour Family Medical is situated within Ontario, we are governed by the Ontario Personal Health Information Protection Act ("PHIPA") together with its regulations.  This is the "Ontario law that governs the collection, use and disclosure of personal health information within the health sector. The object is to keep personal health information confidential and secure, while allowing for the effective delivery of health care." (source). As an organization, we work diligently to ensure compliance with the provisions and spirit of PHIPA, as well as, more generally, taking such measures as are reasonable and appropriate to ensure the practical protection of our patients' personal health information ("PHI"). 

We discuss herein aspects of our compliance with PHIPA.  Questions, concerns, or complaints regarding Arbour Family Medical's handling of personal health information should be addressed to our Chief Privacy Officer at  281 Stone Rd E, Guelph, ON N1G 5J5, or by email at afmciadmin@afmci.com. They may also be contacted to help obtain access to or to request correction of a record of personal health information that is in the custody or control of Magenta Health. Lastly, while we prefer that issues be raised directly with us first, complaints regarding our conduct may also be directed to the Information and Privacy Commissioner of Ontario at https://www.ipc.on.ca/

Accuracy

Section 11 of PHIPA reads: "A health information custodian that uses personal health information about an individual shall take reasonable steps to ensure that the information is as accurate, complete and up-to-date as is necessary for the purposes for which it uses the information."  Arbour Family Medical seeks to ensure compliance with this requirement primarily through the professional conduct of its physicians who are responsible for recording the bulk of all PHI collected. Other systems and processes are also in place. For example, Arbour Family Medical staff are trained to verbally confirm contact information with patients each visit; automated processes have been implemented to query patients for up-to-date information periodically, and certain information, such as most laboratory and test results, are automatically downloaded from external repositories to minimize the likelihood of human error.

Security & Handling Of Records

Section 12 of PHIPA reads: "A health information custodian shall take steps that are reasonable in the circumstances to ensure that personal health information in the custodian’s custody or control is protected against theft, loss and unauthorized use or disclosure and to ensure that the records containing the information are protected against unauthorized copying, modification or disposal." Section 13 of PHIPA reads: "A health information custodian shall ensure that the records of personal health information that it has in its custody or under its control are retained, transferred and disposed of in a secure manner and in accordance with the prescribed requirements, if any."

These related provisions, although short, are extremely complex as there are not specific requirements prescribed. Instead, health information custodians (e.g. Arbour Family Medical) are directed to "take steps that are reasonable in the circumstances". In our view, relevant factors that affect what constitutes reasonable steps taken by Arbour Family Medical include, for example,

• the sensitivity of the PHI
• patient convenience
• the impact on medical care
• common industry practices
• cost and effort required
• the availability of alternative solutions

With these and other factors in mind, Arbour Family Medical has sought to undertake and balance administrative, technical, and physical safeguards to ensure good faith compliance with PHIPA in all respects. These safeguards include, without limitation:

• Our systems and processes have been reviewed by accountable individuals, including our Chief Privacy Officer and the Guelph Family Health Team
• All staff & students with access to PHI are required to review and execute confidentiality agreements
• Access to PHI is generally limited to only those requiring access to such PHI through technical means
• Through formal contracts, privacy policies, and service agreements, all third-parties retained by Arbour Family Medical have committed to complying with those conditions and restrictions necessary to ensure our continued compliance with PHIPA
• Strong passwords, two-factor authentication, and multiple logins are required to access various sensitive systems
• Sensitive systems have audit logs to track data access and use
• Network traffic is monitored and managed using security mechanisms such as routers, switches, firewalls, and anti-virus programs
• SSL encryption is used to secure the transmission of PHI over insecure electronic networks
• Whole-disk encryption is used as required to secure physical storage media holding PHI
• Removable physical media (e.g. paper, CDs, DVDs) holding PHI are destroyed following use
• Data, applications, and systems are backed up on a regular basis, including offsite, and can be readily restored as required
• All systems (e.g. operating systems, applications) are regularly patched with security updates
• All physical electronic systems maintained by Arbour Family Medical Center are secured with a monitored security system
• Security cameras have been deployed on external portions of the building only
• Physical access to computer servers have been restricted to those staff requiring access
• Decommissioned equipment used to process or store PHI is securely disposed of

Specific examples are discussed immediately below to illustrate steps taken and factors considered in various circumstances:

Our electronic medical record system is Telus Health. As our core repository of patient PHI, we have secured this system behind multiple levels of security (e.g. multiple logins, whole-disk encryption, firewalls, IP-based filtering) and have elected to disable the option of direct web access. At the same time, as remote access enables physicians to deliver improved and more timely patient care, we have deployed a enterprise-grade remote access solution developed by Microsoft to enable Magenta Health physicians to have secure 24/7 remote access to all Magenta Health systems and processes. This enables, for example, Magenta Health physicians to review patient correspondence such as prescription renewal requests remotely and to act on same in a more timely manner, including outside ordinary business hours. Magenta Health has also retained external third party auditors to review and approve its business and technical processes in respect of its electronic medical record system. It is primarily due to the high sensitivity of the PHI stored within this system that such robust measures have been put in place.

Our web hosting is provided by Tymbrel In contrast to our electronic medical record system that is designed to be a long-term repository of PHI, no PHI is stored within Tymbrel. Instead, we have specifically limited our use of Tymbrel in respect of patient PHI to acting as a means of collecting (but not storing) certain PHI of relatively low sensitivity. For example, prospective patients are asked to register to be a patient of Magenta Health via a Squarespace hosted form that primarily requests only a health insurance number and an individual's contact information. Once this form is submitted (via SSL encryption to ensure transport-level security), this information is immediately and automatically transferred to a separate system and not otherwise stored within Squarespace. These technical safeguards are complemented by other measures, including, for example, the Squarespace Privacy Policy (that has been reviewed by TRUSTe) that provides robust safeguards in respect of their own internal processes.
Magenta Health currently uses SRFAX as our internet fax solution for both receiving and sending faxes. By using an external electronic provider, we are able to ensure better up-time, more reliable delivery and receipt, as well as more efficient and effective processing. From a technical point of view, this vendor specifically discusses their PHIPA compliance along with their own administrative, technical, and physical safeguards. Additionally, Magenta Health, in view of the sensitivity of the information sent and received by fax, has undertaken a number of steps to augment security. For example, the retention of faxes within SRFAX has been shortened to a fixed period of time intended to balance redundancy and privacy; custom software has been developed to enable SSL-secured API access to SRFAX instead of relying on less secure means of electronically communicating with SRFAX.

The issues of fax transmission also helpfully illustrates how it is critical to balance practical considerations with theoretical security risks when evaluating IT security issues.  This is because, from a technical point of view, fax is arguably a highly insecure mode of communication.  Transmissions are sent un-encrypted between fax machines, received without any authentication, and can be easily misdirected or lost.  Moreover, as many organizations continue to rely upon paper fax machines, there is a material risk that PHI transmitted via fax is physically lost or stolen. Indeed, this lack of confidence in fax is one of the reasons why Magenta Health follows up in respect of referrals sent via fax, to both ensure receipt and appropriate handling by third-parties.

Despite such risks, from a practical point of view, fax remains a critical means of communication between Ontario medical health practitioners and it would not be practically possible to operate a family medicine clinic without the capacity to receive and send faxes. While alternatives do somewhat exist, for a large majority of external medical providers, fax transmission remains the only available means of communication therewith. Arbour Family Medical therefore works to mitigate the risks of fax transmission as discussed above, despite its inherent risks.

Consent

Section 18 of PHIPA addresses the issue of the consent of individuals to the collection, use or disclosure of PHI.  In general, Magenta Health strives to ensure appropriate consent is obtained in all situations.

In some situations, Arbour Family Medical will require express consent.  This includes, for example, the use or disclosure of PHI via email, or when disclosing PHI to third-parties such as insurance companies or other medical clinics.  That being said, section 20 of PHIPA specifically authorizes Arbour Family Medical, when it receives a copy of a document purporting to record an individual's consent to the collection, use or disclosure to PHI, to assume that the consent fulfils the requirements of PHIPA and that the individual has not withdrawn it, unless it is not reasonable to assume so.  Put another way, in reasonable situations, Arbour Family Medical will disclose PHI to third-parties upon the receipt of documents purporting to authorize the disclosure of same, without further verification.

In other situations, Arbour Family Medical will rely upon subsection 18(2) of PHIPA that permits consent to the collection, use or disclosure of PHI to be implied instead of express.  For example, if a patient requests a referral to a third-party medical practitioner such as a specialist, we presume there is implied consent for the disclosure of relevant aspects of the patient's PHI to said third-party without further verbal or written confirmation.

Extent Of Information Collection

Subsection 30(2) of PHIPA reads: "A health information custodian shall not collect, use or disclose more personal health information than is reasonably necessary to meet the purpose of the collection, use or disclosure, as the case may be". Therefore Arbour Family Medical seeks to minimize the PHI collected, used, and disclosed.  For example, only the minimum amount of information necessary to validate a patient's health insurance and to prepare an accurate electronic record for said individual is collected in advance of an initial intake appointment.

Marketing

Section 13 of PHIPA reads: "A health information custodian shall not collect, use or disclose personal health information about an individual for the purpose of marketing anything or for the purpose of market research unless the individual expressly consents and the custodian collects, uses or discloses the information, as the case may be, subject to the prescribed requirements and restrictions, if any". Arbour Family Medical does not collect, use, or disclose PHI for the purpose of marketing anything or for the purpose of market research.

De-identification Of Data

There are situations where PHI may be de-identified for various purposes, most commonly, to facilitate the development and testing of IT systems and the like. Such de-identification is carefully done to ensure there is no serious possibility that the data can be connected with a specific individual absent access to the original data. In such circumstances, the de-identified data is no longer considered PHI, nor subject to PHIPA.

Right To Access

Subsection 52(1) of PHIPA reads: "Subject to this Part, an individual has a right of access to a record of personal health information about the individual that is in the custody or under the control of a health information custodian unless [certain exceptions apply]".  Accordingly, as a general principle, Arbour Family Medical patients are entitled to access their own PHI in the custody or under the control of Arbour Family Medical.  A nominal cost-recovery fee may apply.

Correction

Subsection 55(1) of PHIPA reads: "... if [an] individual believes that [his or her record] is inaccurate or incomplete for the purposes for which the custodian has collected, uses or has used the information, the individual may request in writing that the custodian correct the record".  Accordingly, Arbour Family Medical patients are entitled to request the correction of any incorrect information. Indeed, doing so is encouraged and highly recommended.

Third Party Suppliers

Subparagraph 6(1) of PHIPA's regulations reads: "Except as otherwise required by law, the following are prescribed as requirements for the purposes of subsection 10 (4) of the Act with respect to a person who supplies services for the purpose of enabling a health information custodian to use electronic means to collect, use, modify, disclose, retain or dispose of personal health information, and who is not an agent of the custodian: 1. The person shall not use any personal health information to which it has access in the course of providing the services for the health information custodian except as necessary in the course of providing the services. 2. The person shall not disclose any personal health information to which it has access in the course of providing the services for the health information custodian. 3. The person shall not permit its employees or any person acting on its behalf to be able to have access to the information unless the employee or person acting on its behalf agrees to comply with the restrictions that apply to the person who is subject to this subsection.".  

Magenta Health therefore strives to ensure that its third-party suppliers have adequate policies and contractual guarantees in place that comply with such requirements. In particular, this includes both Canadian and international suppliers of cloud technology such as internet faxing, email, and web hosting.

Referrals To Specialists

Patient information will be shared across the referral network. This is to ensure patients benefit from the highest level of care from specialists who will understand their full medical history.