Protecting Patient Personal Health Information
As Magenta Health is situated within Ontario, we are governed by the Ontario Personal Health Information Protection Act ("PHIPA") together with its regulations. This is the "Ontario law that governs the collection, use and disclosure of personal health information within the health sector. The object is to keep personal health information confidential and secure, while allowing for the effective delivery of health care." (source). As an organization, we work diligently to ensure compliance with the provisions and spirit of PHIPA, as well as, more generally, taking such measures as are reasonable and appropriate to ensure the practical protection of our patients' personal health information ("PHI").
We discuss herein aspects of our compliance with PHIPA. Questions, concerns, or complaints regarding Magenta Health's handling of personal health information should be addressed to our Chief Privacy Officer at Unit 108, 625 Queen St. E, Toronto, ON M4M 1G7 or by email at firstname.lastname@example.org. He may also be contacted to help obtain access to or to request correction of a record of personal health information that is in the custody or control of Magenta Health. Lastly, while we prefer that issues be raised directly with us first, complaints regarding our conduct may also be directed to the Information and Privacy Commissioner of Ontario at https://www.ipc.on.ca/
Section 11 of PHIPA reads: "A health information custodian that uses personal health information about an individual shall take reasonable steps to ensure that the information is as accurate, complete and up-to-date as is necessary for the purposes for which it uses the information." Magenta Health seeks to ensure compliance with this requirement primarily through the professional conduct of its physicians who are responsible for recording the bulk of all PHI collected. Other systems and processes are also in place. For example, Magenta Health staff are trained to verbally confirm contact information with patients each visit; automated processes have been implemented to query patients for up-to-date information periodically, and certain information, such as most laboratory and test results, are automatically downloaded from external repositories to minimize the likelihood of human error.
Security & Handling of records
Section 12 of PHIPA reads: "A health information custodian shall take steps that are reasonable in the circumstances to ensure that personal health information in the custodian’s custody or control is protected against theft, loss and unauthorized use or disclosure and to ensure that the records containing the information are protected against unauthorized copying, modification or disposal." Section 13 of PHIPA reads: "A health information custodian shall ensure that the records of personal health information that it has in its custody or under its control are retained, transferred and disposed of in a secure manner and in accordance with the prescribed requirements, if any."
These related provisions, although short, are extremely complex as there are not specific requirements prescribed. Instead, health information custodians (e.g. Magenta Health) are directed to "take steps that are reasonable in the circumstances". In our view, relevant factors that affect what constitutes reasonable steps taken by Magenta Health include, for example,
- the sensitivity of the PHI;
- patient convenience;
- the impact on medical care;
- common industry practices;
- cost and effort required; and
- the availability of alternative solutions.
With these and other factors in mind, Magenta Health has sought to undertake and balance administrative, technical, and physical safeguards to ensure good faith compliance with PHIPA in all respects. These safeguards include, without limitation:
- Our systems and processes have been reviewed by accountable individuals, including our Chief Privacy Officer and in-house legal counsel, Keith Chung;
- All staff & students with access to PHI are required to review and execute confidentiality agreements;
- Access to PHI is generally limited to only those requiring access to such PHI through technical means;
- Through formal contracts, privacy policies, and service agreements, all third-parties retained by Magenta Health have committed to complying with those conditions and restrictions necessary to ensure Magenta Health's continued compliance with PHIPA;
- Strong passwords, two-factor authentication, and multiple logins are required to access various sensitive systems;
- Sensitive systems have audit logs to track data access and use;
- Network traffic is monitored and managed using security mechanisms such as routers, switches, firewalls, and anti-virus programs;
- SSL encryption is used to secure the transmission of PHI over insecure electronic networks;
- Whole-disk encryption is used as required to secure physical storage media holding PHI;
- Removable physical media (e.g. paper, CDs, DVDs) holding PHI are destroyed following use;
- Data, applications, and systems are backed up on a regular basis, including offsite, and can be readily restored as required;
- All systems (e.g. operating systems, applications) are regularly patched with security updates;
- All physical electronic systems maintained by Magenta Health are secured with a monitored security system;
- Security cameras have been deployed throughout Magenta Health's physical spaces;
- Physical access to computer servers have been restricted to those staff requiring access; and
- Decommissioned equipment used to process or store PHI is securely disposed of;
Specific examples are discussed immediately below to illustrate steps taken and factors considered in various circumstances:
- Our electronic medical record system is OSCAR EMR. As our core repository of patient PHI, we have secured this system behind multiple levels of security (e.g. multiple logins, whole-disk encryption, firewalls, IP-based filtering) and have elected to disable the option of direct web access. At the same time, as remote access enables physicians to deliver improved and more timely patient care, we have deployed a enterprise-grade remote access solution developed by Microsoft to enable Magenta Health physicians to have secure 24/7 remote access to all Magenta Health systems and processes. This enables, for example, Magenta Health physicians to review patient correspondence such as prescription renewal requests remotely and to act on same in a more timely manner, including outside ordinary business hours. Magenta Health has also retained external third party auditors to review and approve its business and technical processes in respect of its electronic medical record system. It is primarily due to the high sensitivity of the PHI stored within this system that such robust measures have been put in place.
- Magenta Health currently uses SRFAX as our internet fax solution for both receiving and sending faxes. By using an external electronic provider, we are able to ensure better up-time, more reliable delivery and receipt, as well as more efficient and effective processing. From a technical point of view, this vendor specifically discusses their PHIPA compliance along with their own administrative, technical, and physical safeguards. Additionally, Magenta Health, in view of the sensitivity of the information sent and received by fax, has undertaken a number of steps to augment security. For example, the retention of faxes within SRFAX has been shortened to a fixed period of time intended to balance redundancy and privacy; custom software has been developed to enable SSL-secured API access to SRFAX instead of relying on less secure means of electronically communicating with SRFAX.
The issues of fax transmission also helpfully illustrates how it is critical to balance practical considerations with theoretical security risks when evaluating IT security issues. This is because, from a technical point of view, fax is arguably a highly insecure mode of communication. Transmissions are sent un-encrypted between fax machines, received without any authentication, and can be easily misdirected or lost. Moreover, as many organizations continue to rely upon paper fax machines, there is a material risk that PHI transmitted via fax is physically lost or stolen. Indeed, this lack of confidence in fax is one of the reasons why Magenta Health follows up in respect of referrals sent via fax, to both ensure receipt and appropriate handling by third-parties.
Despite such risks, from a practical point of view, fax remains a critical means of communication between Ontario medical health practitioners and it would not be practically possible to operate a family medicine clinic without the capacity to receive and send faxes. While alternatives do somewhat exist, for a large majority of external medical providers, fax transmission remains the only available means of communication therewith. Magenta Health therefore works to mitigate the risks of fax transmission as discussed above, despite its inherent risks.
Section 18 of PHIPA addresses the issue of the consent of individuals to the collection, use or disclosure of PHI. In general, Magenta Health strives to ensure appropriate consent is obtained in all situations.
In some situations, Magenta Health will require express consent. This includes, for example, the use or disclosure of PHI via email, or when disclosing PHI to third-parties such as insurance companies or other medical clinics. That being said, section 20 of PHIPA specifically authorizes Magenta Health, when it receives a copy of a document purporting to record an individual's consent to the collection, use or disclosure to PHI, to assume that the consent fulfils the requirements of PHIPA and that the individual has not withdrawn it, unless it is not reasonable to assume so. Put another way, in reasonable situations, Magenta Health will disclose PHI to third-parties upon the receipt of documents purporting to authorize the disclosure of same, without further verification.
In other situations, Magenta Health will rely upon subsection 18(2) of PHIPA that permits consent to the collection, use or disclosure of PHI to be implied instead of express. For example, if a patient requests a referral to a third-party medical practitioner such as a specialist, we presume there is implied consent for the disclosure of relevant aspects of the patient's PHI to said third-party without further verbal or written confirmation.
Extent of information collection
Subsection 30(2) of PHIPA reads: "A health information custodian shall not collect, use or disclose more personal health information than is reasonably necessary to meet the purpose of the collection, use or disclosure, as the case may be". Magenta Health therefore seeks to minimize the PHI collected, used, and disclosed. For example, only the minimum amount of information necessary to validate a patient's health insurance and to prepare an accurate electronic record for said individual is collected in advance of an initial intake appointment.
Section 13 of PHIPA reads: "A health information custodian shall not collect, use or disclose personal health information about an individual for the purpose of marketing anything or for the purpose of market research unless the individual expressly consents and the custodian collects, uses or discloses the information, as the case may be, subject to the prescribed requirements and restrictions, if any". Magenta Health does not collect, use, or disclose PHI for the purpose of marketing anything or for the purpose of market research.
Right to access
Subsection 52(1) of PHIPA reads: "Subject to this Part, an individual has a right of access to a record of personal health information about the individual that is in the custody or under the control of a health information custodian unless [certain exceptions apply]". Accordingly, as a general principle, Magenta Health patients are entitled to access their own PHI in the custody or under the control of Magenta Health. A nominal cost-recovery fee may apply.
Subsection 55(1) of PHIPA reads: "... if [an] individual believes that [his or her record] is inaccurate or incomplete for the purposes for which the custodian has collected, uses or has used the information, the individual may request in writing that the custodian correct the record". Accordingly, Magenta Health patients are entitled to request the correction of any incorrect information. Indeed, doing so is encouraged and highly recommended.
Subparagraph 6(1) of PHIPA's regulations reads: "Except as otherwise required by law, the following are prescribed as requirements for the purposes of subsection 10 (4) of the Act with respect to a person who supplies services for the purpose of enabling a health information custodian to use electronic means to collect, use, modify, disclose, retain or dispose of personal health information, and who is not an agent of the custodian: 1. The person shall not use any personal health information to which it has access in the course of providing the services for the health information custodian except as necessary in the course of providing the services. 2. The person shall not disclose any personal health information to which it has access in the course of providing the services for the health information custodian. 3. The person shall not permit its employees or any person acting on its behalf to be able to have access to the information unless the employee or person acting on its behalf agrees to comply with the restrictions that apply to the person who is subject to this subsection.".
Magenta Health therefore strives to ensure that its third-party suppliers have adequate policies and contractual guarantees in place that comply with such requirements. In particular, this includes both Canadian and international suppliers of cloud technology such as internet faxing, email, and web hosting.
referrals to specialists
Patient information will be shared across the referral network. This is to ensure patients benefit from the highest level of care from specialists who will understand their full medical history.