Since the beginning of the COVID-19 pandemic, virtual care has emerged as a primary method of providing health care. Effective as of March 2020, the Ontario Ministry of Health and the Ontario Medical Association (OMA) agreed to temporary OHIP billing codes in the schedule of benefits to facilitate telemedicine and virtual care. In December 2020, Ontario invested an additional $14.5 million to support the expansion of virtual care for Ontario Health Teams and frontline home and community care service providers, and noted that Ontario has seen a significant increase in the number of visits provided virtually across Ontario. Ontario’s additional investment in virtual care may be a signal that virtual care is here to stay, even post-pandemic. It’s clear that virtual care has become a large part of health care delivery, and with it, the need to ensure that such a form of health care delivery adequately protects the privacy and security of the personal health information (PHI) of its patients.
While virtual care, like in-person care, has the same privacy and security requirements for Health Information Custodians (HICs) under the Personal Health Information and Protection Act (PHIPA), there are additional risks in the way that virtual care is delivered that must be accounted for. The most obvious example being that medical appointments taking place by videoconference are subject to electronic security risks in a way that in-person appointments are not.
The Information and Privacy Commissioner of Ontario (IPC) recently published a guidance for the health sector on Privacy and Security Considerations for Virtual Health Care Visits. This guidance is primarily directed at HICs, defined under section 3 of the PHIPA, and includes health care practitioners, hospitals, long-term care homes, and more.
The guidance provides a review of key PHIPA requirements to note, which apply to both virtual care and in-person care. The guidance then provides some practical steps that HICs can take to better protect PHI, especially in the virtual care space where certain privacy and security risks are heightened in comparison to in-person care.
Main PHIPA Requirements
In review, the main PHIPA requirements for HICs, which apply in both virtual and in-person care settings, are as follows:
1. Data minimization:
a. Collect, use, and disclose PHI only when necessary (i.e. other information will not suffice).
b. Collect, use, and disclose PHI only to the extent necessary to fulfill the purpose of such collection, use, and disclosure.
a. Take reasonable steps to protect PHI from theft, loss and unauthorized use, disclosure, copying, modification, and disposal.
b. Ensure records are retained, transferred, and disposed of securely.
3. Ensure that oObligations related to the use of electronic service providers (including health information network providers) are met, as expanded on below.
If a HIC uses an electronic service provider, there are PHIPA requirements that apply to both the HIC and the service provider, which differ depending on whether the service provider is an agent of the HIC, or not.
An agent, defined under section 2 of the PHIPA, is:
(in relation to a HIC) a person that, with the authorization of the custodian, acts for or on behalf of the custodian in respect of personal health information for the purposes of the custodian, and not the agent’s own purposes, whether or not the agent has the authority to bind the custodian, whether or not the agent is employed by the custodian and whether or not the agent is being remunerated.
If the electronic service provider is an agent of the HIC, the HIC:
· remains responsible for any PHI that is collected, used, disclosed, retained, or disposed of by the agent,
· must take reasonable steps to ensure that the agent does not collect, use, disclose, retain, or dispose of PHI unless it:
1. is permitted by the custodian,
2. is necessary for carrying out their duties as an agent,
3. is not contrary to PHIPA or any other law, and
4. complies with any conditions or restrictions imposed by the HIC.
The agent of the HIC must:
· comply with the four conditions above, and
· notify the HIC at the first reasonable opportunity in the event of a privacy breach.
Not an agent
If the service provider is not an agent of the HIC, the following restrictions apply. Unless otherwise required by law, the electronic service provider must not:
· use any PHI to which they have access in providing services for the HIC, except as necessary to provide the services,
· disclose PHI to which they have access in providing services for the HIC, or
· permit their employees, or any person acting on their behalf, to have access to the information, unless the employee or person agrees to comply with the restrictions that apply to the electronic service provider.
If the electronic service provider delivers electronic services to two or more HICs primarily to enable communications between the HICs, they are a health information network provider (HINP). HINPs are subject to additional obligations under PHIPA, such as:
· keeping an electronic log of all access to and transfer of PHI and making it available to HICs on request, and
· performing privacy impact assessments and threat risk assessments and providing copies of the results to HICs.
For a full list of obligations to apply to HINPs, see subsection 6(3) of O. Reg. 329/04: General, under the PHIPA.
Practical Steps for HICs
On pages 4-11 of the guidance, the IPC provides a number of practical steps that HICs can take to better protect the privacy and security of PHI in providing virtual care.
These steps are:
1. Laying the groundwork for a strong privacy and security management program, including developing and implementing a virtual health care policy;
2. Selecting the appropriate vendor for virtual visit solutions, which may be done with the assistance of the Virtual Visits Solution Standard, developed by Ontario Health;
3. Considering the patient’s needs, computer and technical requirements, purpose of the visit, and relevant regulatory guidance, in preparing for virtual visits;
4. Obtaining patient consent to collect, use, and disclose PHI through virtual technologies and services;
5. Putting in place effective safeguards, including technical, physical, and administrative safeguards, to protect PHI. The IPC highlights that proper planning is crucial for ensuring that virtual visits are as private and secure as possible;
6. Address additional considerations when using email or secure messaging to communicate PHI, as one of the unique challenges for HICs using email to communicate with their patients, particularly when they cannot see or hear the patient, is to ensure the exchange is with the correct person;
7. Address additional considerations when using videoconferencing to deliver care to patients. As a best practice, both the HIC and the patient should join the videoconferencing room in a private location using a secure internet connection;
8. Document the virtual visit in the same manner as an in-person visit, but consider seeking feedback from patients to ensure they feel secure and comfortable using digital platforms so they are not withholding information due to lack of trust in the privacy and security of virtual visits; and
9. If HICs employ virtual care platforms such as patient portals, where patients may view their test results and records online for example, HICs should take care to inform patients of the types of information available through the portal, to whom it is accessible, and how long that information will remain in the portal, in addition to any privacy and security implications.
In summary, while the same PHIPA requirements apply to virtual care as they do to in-person care, the greater involvement of technologies and electronic services in delivering virtual care requires HICs to take greater care to ensure the privacy and security of PHI is adequately protected. HICs should consider developing and implementing a virtual care policy to properly consider the privacy, security, and practical considerations of employing technologies to deliver virtual health care to patients.