The Canadian Bar Association

Dewhirst offers training in evolving health privacy compliance

The legal role and importance of a privacy officer is growing in every health-care facility and case law is now assessing financial penalties for non-compliance and errors, says Toronto health lawyer Kate Dewhirst.

"In Ontario, every health-care organization has to have a privacy contact person, that's a requirement of the Personal Health Information Protection Act (PHIPA)," says Dewhirst, principal of Kate Dewhirst Health Law.

To help facilitate the growing capacity of a privacy officer's function, Dewhirst says she is hosting privacy officer training seminars in October to prepare those appointed to the position in health-care institutions as big as hospitals and as small as a rural doctor's practice.

She describes a privacy officer as an administrative position to help clinical staff and health-care institutions respect patient privacy rights, fielding enquiries from patients, families and practitioners.

The role includes explaining the law to clinicians, patients, family and vendors. Ontario is also shifting to a universal electronic health record system that would eventually allow access to real-time information wherever a person receives care.

Privacy officers are often the point person to learn and adopt new systems and how they affect personal information, she says.

"That point person needs to do five things: facilitate compliance with the Act, ensure everyone understands their responsibilities, answer enquiries from the public, answer questions from patients and receive complaints," Dewhirst says.

A hospital may have a group of people to deal with privacy issues but often in small offices, such as a midwifery or dental practice, the duty may fall on the lone administrator who also handles phone calls, she says.

But there are more responsibilities tied to the position that aren't listed in PHIPA, she says.

"Nowhere in the Act does it describe all of the other things someone responsible for privacy does, so I made a list of all of the other practical things a privacy officer does and there are 17 things," Dewhirst says.

That list includes overseeing the design, implementation, monitoring and reporting on the privacy compliance program and control measures to comply with legislation and best practices, and considering disciplinary action.

"It is more complicated," she says. "Exercising common sense goes a long way but there are some nuances that privacy officers need to understand, there are standards that one needs to know and implement in the organization to be compliant with the changing standards."

She says understanding the law and the issues surrounding privacy "is now the price of entry into health care. You can't provide services without grasping the practices and obligations.

"Privacy is so fundamental to the work we do in health care," Dewhirst says. "When people come into any kind of health-care environment they are sharing information that is fundamentally confidential and private to them and it could create vulnerability."

She says information is one of the key services within the health-care system, both controlling its use to benefit patients and protecting it from intrusion. Health information "is so related to who we are," Dewhirst says.

Health-care providers are in a unique position where they are told personal and sensitive information by patients and base lifestyle decisions on those intimate details, which are usually shared only with family and confidantes, she explains.

Embracing the provincial electronic health information system is necessary, "but it also comes with complexities," Dewhirst says.

"Everyday citizens think Ontario already has a co-ordinated information system, which we don’t. And at the same time, they also are worried about oversharing of their health information," she says.

Many privacy officers originally took on the role by default as the legislation was enacted in 2004 and has evolved, without specific training for the position. Dewhirst says case law has been developing, especially after 2012, and it's difficult to keep up with the changes.

She says there are penalties and financial risks for organizations that make errors in privacy law in health care.

"My course keeps people up to date and creates community among people in similar situations and organizations," Dewhirst says. "The goal is to make people more confident in their roles. 

"The program offers the latest information based on changing case law," she says. "In the past few years, we've seen financial consequences for poor information practices. We've seen cases go to court, there are fines for individuals who have breached privacy."

