Encryption is just one piece of the puzzle when it comes to securing the health information of patients, Toronto health lawyer Mary Jane Dykeman tells CBC News.
Click the link below to read the AdvocateDaily article profiling DDO Health Law’s Partner, Michael Gleeson. Mike talks about the rise of telemedicine and the regulatory regimes that govern it.
Big news last week about CASL (Canada’s anti-spam legislation) – the right of private action, which was scheduled to come into effect on July 1st, was indefinitely delayed by an Order-in-Council issued by the Federal Government on June 7.
This is a relief for every organization, whether for-profit, non-profit, or charitable. The right of private action was generally being met with dread – it allowed for private litigants to sue for any breach of specific sections of CASL and to claim for significant damages. Those damages included statutory damages of up to $1 million per day for violations.
Enforcement activity since 2014
However, this development doesn’t mean that CASL is toothless. Far from it. Fines under CASL are a maximum of $10 million per violation for businesses/organizations. That’s huge.
I attended an update on CASL put on by the CRTC for the Ontario Bar Association in mid-May. There has been a lot of activity around CASL enforcement since CASL came into effect 3 years ago (July 1, 2014). Here are a few tidbits that I learned about:
- In lieu of prosecutions, the CRTC tends to pursue “undertakings” when an investigated complaint reveals an apparent violation of CASL
- These undertakings require the offender to implement a robust compliance program
- Undertakings are accompanied by a reparation payment (in lieu of a fine/penalty)
- These reparation payments are substantial:
  - Porter $150K
  - Rogers $200K
  - Kellogg’s $60K
  - Blackstone $50K
  - William Rapanos (individual) $15K
  - Compu-Finder $1.1M (being contested)
- The ability of the offender to pay is taken into account as one of the factors in determining an appropriate payment. For example, Blackstone is a small business, resulting in a significantly reduced penalty. Still, $50K is a huge amount for any small business to pay.
Deemed implied consent – 3-year grace period ends July 1
Remember, CASL requires that your organization have consent (express or in some cases implied) when sending commercial electronic messages (CEMs). (To be “commercial”, the email/text must be trying to get people to buy a product or service.)
There was a 3-year grace period in which organizations were allowed to email current and former donors, members, volunteers and those with business relationships. That grace period ends on July 1, 2017. After that, the list of individuals to whom your organization can send CEMs is limited to a 2-year ever-refreshing window – with implied consent, you can only email an individual for 2 years from the date you had contact with that individual (as a donor, member, volunteer or for business purposes).
How to be CASL compliant
What also became evident is that your organization needs to have a CASL policy, undertake and update CASL training of all staff, and monitor CASL compliance. If your organization becomes the subject of a complaint/investigation about CASL, you need to demonstrate good record-keeping – i.e., keeping screenshots of subscriptions to newsletter lists and emails containing express consent to receive CEMs.
The CRTC update also offered these additional bits of information:
- Non-profits are “not bubbling to the top” of the enforcement radar, which is good news for the health sector
- Sending a survey is not a CEM.
The CRTC’s slides were available to attendees. If anyone is interested in receiving a copy, please let me know.
DDO’s CASL Toolkit for the non-profit and charitable sectors
DDO Health Law published a “CASL – Anti-Spam Toolkit” in June 2014 targeted at assisting non-profit and charitable organizations to become CASL compliant. Copies are available for purchase – please contact me if interested.
Recently here at DDO we were discussing the role and powers of the Patient Ombudsman. The Patient Ombudsman has jurisdiction to resolve complaints about health service organizations such as public hospitals, long-term care facilities, and certain services provided by the LHINs.
The Patient Ombudsman is an office of last resort – so people having complaints must first explore resolution directly with their health service organization. When a complaint is filed, the Patient Ombudsman will ensure that no other body has jurisdiction over the complaint and, with patient consent, will try to facilitate resolution by contacting the health sector organization.
The Patient Ombudsman may investigate complaints where a facilitated resolution is unsuccessful. Health sector organizations such as hospitals and long-term care homes will be well placed to respond to inquiries from the Patient Ombudsman if their internal processes for addressing complaints are robust, thorough, and comprehensive.
For more information about the Patient Ombudsman, for help in crafting a robust complaint process, or for help in responding to an inquiry from the PO, please contact me at email@example.com.
Nurse practitioners (NPs) fill an important gap in our health care system. In 2007, the first Ontario NP-led clinic opened its doors in Sudbury, and dozens more are now in operation in Ontario.
On April 19, 2017, the role of NPs was expanded. Provided the NP successfully completes the required education, NPs have the authority to prescribe medical cannabis and substances that may be used for medical assistance in dying (MAID). The education must be approved by the governing council of the College of Nurses of Ontario and must be specifically designed to educate NPs to safely, effectively and ethically prescribe controlled substances.
Before prescribing can occur:
- there must be a nurse-patient relationship between the NP and the patient;
- the intended use of the substance can only be therapeutic; and
- certain information must be contained in the prescription, a copy of which must be retained as part of the patient’s health records.
To see more information, click here http://www.cno.org/en/news/2017/april-2017/nps-can-now-prescribe-controlled-substances/ or access the Nursing Act general regulation: https://www.ontario.ca/laws/regulation/940275#BK39.
Bill 84, the Medical Assistance in Dying Amendment Act, includes limited immunity for NPs who assist with MAID. NP-led clinics are also given limited immunity in relation to the delivery of MAID. Bill 84 received Royal Assent and became law on May 10th.
For advice concerning NPs in your health care organization, contact Simmie: firstname.lastname@example.org.
Health Sector Privacy Officer Training – to register online
The privacy practices of health care organizations are under increasing scrutiny from patients (and their families), the courts, the media and the regulator, the Information and Privacy Commissioner of Ontario (IPC/O). As Privacy Officer, it is your job to ensure your organization is compliant with privacy laws and IPC/O guidelines. Whether you are new to the Privacy Officer role or are a seasoned privacy professional, you may wonder whether you have the latest information to do your job properly. You may have already discovered that it is not enough to know the technicalities of the law; it is also important that you understand the spirit of the legislation and how to apply the law to specific and sometimes difficult situations.
This is the only course of its kind in Canada.
This course will give you confidence in your role by giving you the information and skills you need to succeed as a Privacy Officer.
- 20 hours of intensive instruction from leading legal educators in the field
- 3 full day sessions each available in person in downtown Toronto or via webcast
- Reassurance that you have the most current information on privacy practices and expectations for health care organizations
- Practical and dynamic skills training for adult learners using scenarios, stories, quizzes and assignments
- Sample tools to adapt to your organization for your everyday use, including (and many more):
- Privacy program checklist
- Privacy policies
- Privacy breach checklist
- Privacy breach notification
- A privacy library
- The primary Ontario privacy resource – “Guide to the Ontario Personal Health Information Protection Act: A Practical Guide for Health Care Providers” (H. Perun, M. Orr, F. Dimitriadis, Irwin Law, 2005)
- Online resources are compiled for you in a few downloadable PDFs so you do not have to find the resources yourself and print them individually
- A reading list to prepare you before each session
- Homework to assist you to work through your own organization’s documents
- A report card you complete yourself at the end of the course to share with your Board or supervisor to demonstrate your organization’s privacy compliance status and remaining privacy gaps, if any
- A letter outlining the training you have received, for your organization’s due diligence
While we focus on Ontario legislation, this course is of value to any health sector Privacy Officer.
For more information go to our online registration platform. And for even more information, contact Franca Latino by phone at: 416-967-7100 x 242 or by email at: email@example.com