Trust in Digital Health

Our goal is to promote confidence in the digital health care system by guiding custodians to respect the privacy and access rights of Ontarians, and supporting the pioneering use of personal health information for research and analytics to the extent it serves the public good.

Our work to further this goal includes:


Title | Topics | Type | Date
Use and Disclosure of Personal Health Information for Broader Public Health Purposes | Trust in Digital Health | Professional Guidelines
PHIPA Breaches Workbook and Completion Guide | Health, Trust in Digital Health
Submission of the Information and Privacy Commissioner of Ontario Bill 283, Advancing Oversight and Planning in Ontario’s Health System Act, 2021 | Trust in Digital Health | Advice and Submissions
As in life, the only constant in health care is change | Trust in Digital Health

“There is nothing permanent except change.” - Heraclitus

These famous words of the Greek philosopher, Heraclitus, have never rung truer than they do today.

As with everything else in life, the delivery of health care continues to change and evolve, especially over the last two decades, during which we have seen exponential growth in digital technologies. Catapulted by the pandemic, the digitization of health care services has accelerated even more rapidly to adapt to the virtual world in which we all find ourselves currently living. The ravaging impacts of COVID-19 on people’s lives have reminded us all of the indispensable need to share health information in a coordinated, efficient and timely manner, and of the critical role that public health officials and researchers play in understanding illness and developing effective treatments.

That’s why my office selected Trust in Digital Health as one of the four strategic priorities that will focus our efforts now and into the future in order to enhance our positive impact and our value added for Ontarians. Our goal is to promote confidence in the digital health care system by guiding custodians to respect the privacy and access rights of Ontarians, and by supporting the pioneering use of personal health information for research and analytics to the extent it serves the public good.

While change is inevitable, custodians remain obligated to comply with Ontario’s health privacy law, the Personal Health Information Protection Act (PHIPA). But then, even PHIPA has undergone significant changes recently.

Ontario’s health privacy law is a living document that has transformed over time, adapting to changes in society and technology. Nearly twenty years ago, when PHIPA was first enacted, the most advanced features of smartphones — for those of us who even had one — were email and text, on a monochrome screen, no less. Today, you can browse the internet, watch movies, and order dinner on your smartphone. You can even use it to meet virtually with your health care provider. You can sync it to wearable devices that monitor your health and store biometric information about your heart rate, temperature, respiratory data, sleep patterns, movements, and exercise levels.  You can even share this data with clinical researchers or with your health care providers, and the sharing of digital health information among custodians to deliver more efficient and effective health care has become routine practice.

To reflect these advances in technology, various changes to PHIPA have come into effect. In March 2020, amendments were made to address the ways personal health information is increasingly being collected, used, and disclosed in digital formats. These changes may be incremental, but they are nonetheless consequential.

To further our goal of promoting trust in digital health, the IPC has issued a new publication called Digital Health under PHIPA: Selected Overview.

This new publication is designed to help health information custodians navigate the recent round of PHIPA amendments. It provides an overview and explanation of these recent changes, hopefully in a manner that custodians will find easily accessible. Topics include the electronic health record (EHR), interoperability of digital health assets, electronic audit logs, consumer electronic service providers, and access to records in electronic format.

Public trust in how our personal health data is processed for good purpose is critical for the successful adoption of digital health technologies and ultimately improving health care outcomes for everyone. I recommend that all health information custodians read our new publication and familiarize themselves with the new provisions to remain in compliance with PHIPA as they integrate digital information technologies into their health care delivery practices.

Our office is always here to help if you have any questions about this publication or other matters related to health information and privacy.

Patricia

Digital Health under PHIPA: Selected Overview | Health, Trust in Digital Health | Papers
Providing Virtual Healthcare, Maintaining Real Patient Trust | Trust in Digital Health

Today, I had the pleasure of presenting at the annual PHIPA Connections Summit. This year, the summit presenters explored emerging issues related to personal health information management in a pandemic. In my presentation, I shared some health sector statistics from 2020, touched on the recent changes to Ontario’s health privacy law, PHIPA, and introduced our new guidance for professionals in the health care sector, Privacy and Security Considerations for Virtual Health Care Visits. Hopefully, this guide will be a helpful resource for health information custodians (custodians) currently delivering or planning to deliver virtual health care to their patients.

With the onset of COVID-19, and the requirement to adhere to social distancing guidelines, virtual health care has become a convenient alternative for custodians to connect with, and care for, their patients. Virtual health care includes digital communications such as secure messaging, telephone consultation, and videoconferencing.

In May 2020, the Canadian Medical Association (CMA) polled 1,800 Canadians and found that almost half had used virtual care to access a physician and were highly satisfied with the results. The same study found that almost half (46%) who accessed virtual care since the COVID-19 outbreak would prefer a virtual method as the first point of contact with their doctor.  Bearing in mind that this survey was conducted only two months into the global pandemic, one might expect those numbers to be even higher today as people have increasingly adjusted to their digital lives.

While research points to a widespread acceptance of virtual health care, it is important to consider the privacy and security risks posed by the technology used to deliver this type of care. It is also important for Ontario-based custodians to be aware that PHIPA applies equally to virtual care as it does to in-person care.

In addition to providing a brief refresher on PHIPA, our virtual health care guidance explores various considerations for secure videoconferencing sessions and provides tips on how custodians can help patients navigate electronic medical record systems, such as patient portals.

Many studies and discussion papers have signalled that virtual health care is here to stay. For example, in a national survey conducted through the month of September 2020, Environics Research found that 70% of Canadians agreed that virtual healthcare represents the future of health care. This is also a takeaway from the CMA poll, affirming that Canadians would like to see virtual care options continued, improved, and expanded after the COVID-19 crisis subsides.

There is no doubt that virtual health care can provide much-needed advice, consultation, and peace of mind, especially in these changing and uncertain times. However, it is important for custodians to have the appropriate technical, physical, and administrative safeguards in place to ensure that virtual health care platforms are secure and privacy-protected for their patients, today and in the future.

While health care may be going virtual, patient trust should remain real.

On behalf of the IPC, thank you to all those in the health care sector who work tirelessly to help keep us safe.

Stay well.

Patricia

Privacy and security considerations for virtual health care visits | Privacy, Health, Trust in Digital Health | Best Practices, Professional Guidelines
Incremental but consequential: 2020 changes to PHIPA | Trust in Digital Health

Even before joining the IPC, I always admired Ontario’s Personal Health Information Protection Act (PHIPA) for its “gutsiness.”  PHIPA introduced many novel concepts for its time. These include the first breach notification requirement in the country; a comprehensive code for consent and substitute decision-making; and a research governance framework that integrates a custodian’s data stewardship obligations with applicable national ethics standards and mandatory review by a research ethics board.

PHIPA also introduced the prelude to the “data trust” model. It designated certain prescribed entities and registries with significant latitude to use Ontarians’ personal health information (PHI) entrusted in their care for public good purposes, subject to strict accountability requirements. This includes a detailed review of their privacy practices and procedures by the IPC every three years.

PHIPA has evolved over the last 16 years, and in case you missed the memo, it has undergone a whole series of additional changes in 2020. These have been incremental but consequential.

Enhanced rights and responsibilities; stronger enforcement

For instance, last March, Bill 188 doubled the size of fines for offences under PHIPA, now up to $200,000 for individuals and $1,000,000 for corporations.

Bill 188 also introduced administrative penalties for the Information and Privacy Commissioner – a very first in Canada – whereby my office will be able to impose administrative monetary penalties directly against persons who contravene PHIPA. The penalty amounts and their administration have yet to be determined by regulation.

Along with new “teeth,” Bill 188 ushered in new rights and responsibilities:

  • rights for individuals to obtain access to their PHI in electronic format (pursuant to regulations to be prescribed) so they could take steps to manage their own health information, including potentially through patient portals and health apps;
  • responsibilities for the providers of these patient portals and digital health apps (new entities called “consumer electronic service providers”) to comply with certain requirements that have yet to be defined in regulations.

Also, the bill sets out explicit requirements for all custodians to maintain and monitor an electronic audit log of all instances where PHI is viewed, handled, modified, or otherwise dealt with, and to provide a copy of this log to my office on request (not yet in force).

Ontario’s Electronic Health Record at long last

On October 1, 2020, new regulations designated Ontario Health as the prescribed organization responsible for bringing to life the province’s long-awaited electronic health record (EHR) under Part V.1 of PHIPA. One of the main goals of the EHR is to ensure that Ontarians’ comprehensive health information is brought together in a consistent format under a single, virtual ‘roof.’ This will make the information readily accessible to a broad range of health care providers across a wide spectrum of care settings, enabling more efficient and better-integrated care.

Part V.1 establishes a comprehensive privacy and accountability framework for the EHR. It defines an extensive role for Ontario Health as the administrator of the EHR subject to oversight by my office. It allocates shared responsibilities among multiple custodians using the EHR, to establish “who’s on first.”  For example, it clarifies the rules for custodians seeking to upload or download PHI, to or from the EHR; rules for honoring an individual’s consent directives and rules for overriding them, subject to notice requirements. There are also new rules for breach notification adapted specifically for the EHR context.

There are new rules that allow coroners, medical officers of health, and the ministry of health data integration unit (designated under Part III.1 of FIPPA) to collect PHI from the EHR. The Minister of Health may also direct disclosure of PHI from the EHR to others (for example, researchers) on request, subject to consultation with a yet-to-be-established advisory committee. This concept of an advisory committee is yet another interesting aspect of PHIPA.

Interoperability Specifications

Other PHIPA regulations relating to the digitization of PHI will come into force on January 1, 2021. These regulations set out a framework for establishing, monitoring, and enforcing compliance with interoperability specifications. Interoperability helps ensure that custodians’ electronic information systems, or “digital health assets,” can “speak to one another” making it easier for custodians to share PHI seamlessly across institutions.

Ontario Health has been charged with making these interoperability specifications, in consultation with my office (particularly where individuals’ privacy and access rights are at issue), and subject to approval by the Minister of Health. Ontario Health will also be required to publish these specifications, develop a certification process to green light electronic systems that meet the required specifications, and monitor custodians’ compliance with these specs.

2020 – A big year for PHIPA

Looking back, 2020 was a big year for PHIPA. These significant amendments speak to the intricacies of our new digital health reality. They demonstrate how incredibly complex the health system has become as it strives to deliver highly personalized digital health solutions at the individual level, while also increasing data sharing across different entities to help solve broader public health issues, like those we have seen with COVID-19, for example.

The elephant left standing in the room is how best to regulate the increasing number of private sector actors becoming inextricably linked into Ontario’s digital health system. PHIPA has already shown itself ready to hold some private sector players (like health information network providers and consumer electronic service providers) to certain obligations, but what about others? This must certainly be on the mind of many as Ontario continues to consult on a possible made-in-Ontario private sector privacy law. Such a law, if adopted, would need to jibe well with the growing tentacles of PHIPA to create a seamless and integrated regime that is both practical and coherent.

Letter to Michael Maddock regarding Installing COVID Alert app on OPS-issued mobile devices | Trust in Digital Health

Letter to Mayor Tory regarding Installing COVID Alert app on City of Toronto mobile devices | Trust in Digital Health
