We have had Personal Health Information Privacy legislation (PHIPA) in Ontario since 2004, and employers regularly emphasise to their staff the perils of indiscriminately viewing personal health records (and conduct random audits to determine compliance). Yet healthcare information privacy violations still occur – sometimes with very serious consequences for both the patient and the healthcare provider(s) involved. You may have heard about the two healthcare workers who looked into (it is actually officially referred to as “snooping”) the late mayor Rob Ford’s electronic health records – even though they were apparently not involved in his care. Well, they have become the first in Ontario to be convicted under PHIPA. Under the Act, looking at even a single healthcare record of a patient if you are not within their “circle of care” is considered to be a crime.
Admittedly, PHIPA does not define what “circle of care” means. However, the Information and Privacy Commissioner of Ontario has created the concept of “circle of care” to guide a healthcare professional when deciding if they are permitted to rely on a patient’s implied consent to collect, use, disclose or handle their personal health information”.[i] And when you think about it, it really is pretty easy to figure out if you are part of a patient’s “circle of care” or not. Do you have a direct responsibility for providing care to that individual? If no, then you are not part of their “circle of care” and have no authority to view their patient records in any way, shape or form.
It always surprises me when I hear that a healthcare professional, while understanding that they are prohibited from looking into a patient’s file if they are not involved in their care, do not appreciate that they cannot use their workplace access to view their own personal health records either. Yet the same “circle of care” concept applies. Do you have a direct responsibility for providing care (in a medical context) to yourself? Not unless you are taking your own blood samples, doing your own x-rays, making your own diagnosis and developing you own treatment plan. As a patient, you have a right to access your own health records but would need to do so via the same process as any other patient.
Being clear about whether you are in a patient’s “circle of care” or not is more important now than ever. Bill 119, an Act to amend PHIPA, was passed by the Ontario legislature earlier this year with the intent to, among other things, establish clear reporting requirements, increase fines and strengthen processes for prosecution in the event of a privacy breach. In addition, the definition of what it means to “use” personal health information has now been expanded to mean “to view, handle or otherwise deal with the information”. The inclusion of the word “view” in the revised definition appears to be aimed at preventing “snooping” by those who are outside of the “circle of care”.
The CRTO has provided a summary of the changes to PHIPA, as they apply to RT practice and this can be found here.
[i] Information and Privacy Commissioner of Ontario. (2015, August). Circle of care: Sharing personal health information for health-care purposes. Retrieved from https://www.ipc.on.ca/wp-content/uploads/Resources/circle-of-care.pdf