Ontario’s IPC launches new resources to guard against snooping and other unauthorized access to personal health information

The Information and Privacy Commissioner of Ontario launched a new campaign yesterday called “Is snooping on patients worth It?” See video and other resources.

Also included in this campaign is a new resource document for health care organizations called “Detecting and Deterring Unauthorized Access to Personal Health Information”.  This is a must read for all health care Privacy Officers.

The IPC/O’s tips for preventing or reducing the risk of unauthorized access include:

  • Develop and implement comprehensive privacy policies and review those policies on an annual basis
  • Provide mandatory privacy training for all staff – which includes initial orientation as well as ongoing privacy training and maintain a log of attendance
  • Prominently display privacy notices reminding staff of their privacy obligations
  • Include privacy warning flags in electronic health records to remind staff of their privacy obligations
  • Require all staff and other agents to sign confidentiality agreements on a regular basis
  • Have end-user agreements for anyone using your electronic information systems
  • Develop and implement a policy to restrict access to health information on a need-to-know basis only
  • Log, audit and monitor all accesses to electronic health records
  • Follow the IPC’s guidelines on privacy breach management with respect to patient notification and maintain a log of privacy breaches
  • Impose consistent, appropriate and proportionate disciplinary action for privacy breaches

DDO provides privacy coaching, breach management advice and on-site privacy training for health care organizations. If you haven’t reviewed your privacy policies lately or engaged your staff in formal privacy training in a number of years, call us to assist you. Mary Jane Dykeman mjdykeman@ddohealthlaw.com  416-967-7100 x 225


Bill 21: Legislation safeguarding health care integrity receives Royal Assent

On July 22, 2014, the Ontario government introduced Bill 21, the Safeguarding Health Care Integrity Act, 2014. Bill 21 received Royal Assent on December 11, 2014.

Blood Donations:

This legislation intends to safeguard health care integrity by enacting the Voluntary Blood Donations Act, 2014In relation to Ontario’s voluntary blood donor model, the legislation prohibits payments or offers of payment to individuals for their blood, including any forms of compensation or reimbursement of expenses. Inspection and enforcement provisions are also provided for, including compliance orders.


The Drug and Pharmacies Regulation Act will be mended to give the Ontario College of Pharmacists the authority to regulate hospital pharmacies in the same way it currently regulates community pharmacies. This change has not yet been proclaimed. We will let you know when it is in force.

Mandatory Reports to Regulatory Colleges for Restrictions of Practice:

In addition, the Regulated Health Professions Act, 1991 and the Public Hospitals Act will be amended, intending to enhance communication among health system partners and enable health regulatory colleges to more readily share information with hospitals and public health authorities. Existing mandatory reporting requirements will be strengthened in order to respond more quickly and effectively to issues regarding a health professional’s practice. In particular, when they come into force, the amendments to the Public Hospitals Act will make it mandatory for hospital administrators to report to the College of Physicians and Surgeons where a physician restricts his or her practice and there is reason to believe the restriction is related to the physician’s competence, negligence or conduct, or if the restriction takes place during the course of, or as a result of, an investigation into the physician’s behaviour. This is an important change for hospital Chiefs of Staff and Medical Advisory Committees to know. We are waiting for these changes to be proclaimed before they come into effect – we will let you know.

CASL Update #1: CRTC issues clarification for registered charities

Canada’s Anti-Spam Legislation (CASL) came into force on July 1. With many organizations still working on complying with the new legislation, the CRTC has begun to issue interpretative guidance. Most recently, the CRTC released updated FAQs that clarified the fundraising exemption and its application to commercial electronic messages (CEMs) “whose primary purpose is that of fundraising”.

What is fundraising?

The fundraising exemption under CASL enables registered charities to freely send CEMs where the primary purpose of the message is fundraising. Until recently and in the absence of additional information from either the CRTC or Industry Canada, clients struggled to understand:

1)      what activities constituted fundraising; and

2)      what “primary purpose” meant to qualify an email for the fundraising exemption.

Just prior to the coming into force of CASL, Imagine Canada released an issue alert based on advice received from Industry Canada (see Imagine Canada, Issue Alert: Update and clarifications on Canada’s Anti-Spam Law; http://www.imaginecanada.ca/node/2798 as well as their Frequently Asked Questions (FAQs) specific for registered charities at http://www.imaginecanada.ca/node/2799) that clarified the scope of fundraising covered by CASL. According to the alert, fundraising included all activities under the Canada Revenue Agency’s definition of fundraising as well as a number of other activities such as offering and/or promoting services to individuals on a cost-recovery basis and sending newsletters that promoted upcoming fundraising events.

More recently, the CRTC has provided additional updated FAQs outlining when a CEM has fundraising as its primary purpose and therefore falls under the exemption.

When is fundraising the primary purpose of a CEM?

The CRTC did not provide any hard and fast rules about when fundraising would be found to be the primary purpose of a message. Rather, the CRTC illustrated its understanding by way of example. To summarize, according to the CRTC:

  • A CEM that promotes a fundraising event where the proceeds from ticket sales flow to the registered charity has as its primary purpose the raising of funds.
  • An e-mailed charitable newsletter that does not contain any material that could be construed as encouraging the recipient to participate in commercial activity has as its primary purpose the raising of funds.
  • An e-mailed charitable newsletter that mentions corporate sponsors who support the charity (but does not encourage the recipient to participate in a commercial activity with that sponsor) has as its primary purpose the raising of funds. According to the CRTC, while this message may be considered a CEM under CASL, the primary purpose of the message may be viewed as raising funds; therefore, the fundraising exemption would apply.

In contrast, the CRTC explained that an e-mailed charitable newsletter providing information about the charity’s activities may not have fundraising as its primary purpose when the newsletter contains advertising from corporate sponsors and also encourages the recipient to participate in commercial activity with that sponsor.

The CRTC enforcement approach and registered charities

Our advice to clients has been and continues to be to interpret the fundraising exemption as broadly as possible within reason. Registered charities acting in good faith while attempting to comply with CASL are not the main focus of this legislation. Our position is validated by the CRTC, which has said that that its goals is “… to promote compliance with the CASL in the most efficient way possible while preventing recidivism.” While the CRTC acknowledges that it has the authority to impose administrative monetary penalties, it also outlined a number of key factors that will be taken into account when assessing a measure or penalty for non-compliance including:

  • demonstrations of due diligence (such as an organization’s tracking of how email addresses and consents have been obtained and the inclusion of an unsubscribe option);
  • the number of complaints and/or severity of the non-compliance related to a particular organization; and
  • whether or not an organization is willing to provide of an undertaking to comply with the CRTC (eliminates the possibility of private lawsuits).

Getting additional help with/information about CASL compliance

DDO Health Law’s Toolkit on CASL compliance is now available. For more information or to obtain a copy, please contact Kathy O’Brien at kob@ddohealthlaw.com or 416.967.7100 ext 227. Additionally, the CRTC FAQs can be found here.

DDO’s CASL (Anti-Spam) Toolkit is now available

Even though July 1 has come and gone, it is a safe bet that many of you will still not be 100% CASL compliant. Just because your organization is in the non-profit sector does not mean that you are not required to comply with CASL.  Likely some of your electronic messages have a commercial element – and therefore must comply with CASL. Read More

What’s keeping CIOs awake at night? DDO Health Law presents its eHealth Risk Management Conference

On May 22nd, DDO Health Law (DDO) hosted its eHealth Risk Management Conference in Toronto. The conference was an opportunity to highlight the opportunities and challenges associated with the increasing role of technology in health care delivery, e.g., managing databases of personal health information and using devices and electronic processes to collect, share and deliver health information. Technology is now being used to communicate with and engage patients and clients (e-mail, apps, social media, discussion boards); to coordinate health care delivery (shared electronic health information systems); and to increase provider efficiency (use of mobile devices at work).

Taking a practical approach to balancing organizational needs and potential risks, speakers from the Healthcare Insurance Reciprocal of Canada (HIROC), eHealth Ontario (eHO) and DDO shared their expertise with a packed audience representing a broad cross-section of the health sector including academic health centres, other hospitals, community mental health agencies, shared services organizations, government agencies, and family health teams.

Conference Themes

We asked our attendees – what is keeping your Chief Information Officer awake at night?

The answer – mitigating the risks associated with e-health initiatives.  Common themes were the need for oversight (to protect the privacy of health information) and minimizing liability exposure.  Whether oversight was framed as a governance, contractual compliance, human resources or system security issue, conference participants consistently expressed a need for additional information and resources to meet their obligations. This was especially true in the context of data-sharing, where many new provincial initiatives were mandating the creation and maintenance of large, pooled repositories of personal health information – creating new province-wide risks and liabilities.

Other, more specific concerns raised included:

  • Managing patient/client consent to the creation of databases
  • Developing, implementing and enforcing best practices related to employees, client/patient and family use of technology (e.g., mobile devices, e-mail, social media use in the healthcare workplace)
  • Ensuring documentation quality where information going into shared databases
  • Controlling access to collected information.

The DDO perspective

At the heart of the issues raised at the conference is the age-old problem of how best to safeguard patient/client/staff personal (health) information. In many ways, technology has only increased the scope of oversight required to ensure the security of that information. DDO speakers offered tools (including a Data-Sharing Agreement checklist) as well as best practices and risk management strategies for organizations from a technological and employment standpoint.

If you wish to receive more information about upcoming DDO Health Law conferences and publications, please visit our website at https://ddohealthlaw.com and subscribe to our mailing list.

Commentary on the Supreme Court of Canada’s Decision in Cuthbertson and Rubenfeld v. Rasouli

Commentary on the Supreme Court of Canada’s Decision in Cuthbertson and Rubenfeld v. Rasouli
On Wednesday January 22, 2014, the Ontario Hospital Association (OHA), hosted the Health Links
Conference, bringing together stakeholders from across the healthcare spectrum: the Ministry of
Health and Long-Term Care (MOHLTC), hospitals, the Ontario Medical Association (OMA), local
health integration networks (LHINs), primary care providers, Health Quality Ontario (HQO),
community care access centres (CCACs) and community agencies among others. The conference
was an opportunity to share the implementation challenges and lessons learned from different
Health Links, and to provide attendees with advice, tools and tactics for success going forward.
Launched in December 2012, Health Links are a model of providing better-integrated services to
high-needs patients.  A Health Link is a voluntary partnership that may include a hospital as well as
community support agencies, primary care, home care, and long-term care providers – usually with
an identified lead organization. To date, 47 Health Links have been established across the province
with at least one Health Link in every LHIN. The goal is to have 98 Health Links in place by 2015.
Health Links focus on providing customized and coordinated care to the 1%-5% of the health system’s
so-called high-cost/high-needs users. According to Helen Angus, Deputy Minister of Health, these are
patients with complex conditions who rely heavily on the emergency room (instead of services available
in the community); are more frequently readmitted to hospital; and have trouble navigating the system.
From a system costs perspective, this small percentage of patients account for at least 74% of the
MOHLTC/LHIN operating budget.
Health Link implementation challenges
Privacy: One of the key themes at the conference was the issue of privacy and the sharing of patient
information with partners within the Health Links. In many cases, privacy was seen to be a real barrier
to implementing the coordinated care model. Ontario has very clear rules about when and to whom a
patient’s personal health information can be shared – limiting disclosure without consent to those
within the patient’s circle of care. We understand that the MOHLTC has reconvened its provincial-level
privacy forum to address privacy issues and provide guidance on best practices.
Access to Health Links programs in rural communities: The ability for patients, especially isolated seniors
in rural communities, to access services was another major challenge faced by many Health Links. These
Health Links were attempting to develop strategies to ensure that their resources and programs could be
utilized as intended.
Tool Templates: With coordinated care at the heart of the Health Link mandate, many participants were
eager to access tools that would allow them to capture information and provide real-time data to Health
Link partners. With respect to maximizing the value of patient case conferences and creating a repository
for patient information, we understand that a provincial coordinated care plan template is being developed
though there is no word on when it will be released.
The impact of Health Links
Health Links have been around for fewer than 2 years. Anecdotally, and primarily from the patient
experience perspective, the model has been a success. However, there is a recognized need for real
metrics to assess whether the model is working. A long-term evaluative framework and metrics are being
developed that will put numbers to the ultimate value that Health Links have brought to the system.
As a final point, Health Links, with its need for real time data on patients, may be one of the strongest
levers to date for the accelerated creation of the provincial electronic health record.
Click here for more information about Health Links.