Startups operating in the health IT sector have a legal obligation to safeguard the health records in their custody and to ensure that those records are securely retained and transferred.
Complying with the applicable privacy laws can be daunting, and in many cases it is a barrier to entry for startups.
Whether you are new to the sector or want to deepen your understanding of the laws, we can help. A question-and-answer period will follow the main presentation.
4. What is PIPEDA?
The Personal Information Protection and Electronic Documents Act
(PIPEDA) is federal legislation in Canada which came into force in
2004.
PIPEDA governs the collection, use and disclosure of personal
information by:
• Private sector organizations which collect the information in the
course of commercial activities; and
• Federal works, undertakings and businesses in respect of
employee personal information.
5. What does PIPEDA govern?
PIPEDA applies across Canada, but for private-sector organizations that operate entirely within a single province it does not apply where the province has enacted legislation that has been declared substantially similar to PIPEDA and the organization falls within the scope of that provincial legislation.
These provinces (and their substantially similar statutes) are:
• British Columbia (Personal Information Protection Act);
• Alberta (Personal Information Protection Act);
• Quebec (An Act Respecting the Protection of Personal Information in the Private Sector);
• Ontario (Personal Health Information Protection Act, for health information custodians);
• New Brunswick (Personal Health Information Privacy and Access Act, for health information custodians); and
• Newfoundland and Labrador (Personal Health Information Act, for health information custodians).
6. Duties under PIPEDA
PIPEDA contains a series of principles which govern the collection and
use of personal data:
1. Accountability
2. Identifying Purposes
3. Consent
4. Limiting Collection
5. Limiting Use, Disclosure and Retention
6. Accuracy
7. Safeguards
8. Openness
9. Individual Access
10. Challenging Compliance
7. Good practices under PIPEDA
1. Accountability: Designate an individual within the organization who is
responsible for managing and responding to privacy issues related to the
organization’s operations.
2. Identifying Purposes: Develop a plan which identifies what personal
information you need and explicitly link that information with the purpose for
which it will be used.
3. Consent: Obtain consent from individuals before their information is
collected – explain how the information will be used and disclosed.
4. Limiting Collection: Limit collection of data to only that which is necessary
for the identified purposes.
8. Good practices under PIPEDA
5. Limiting Use, Disclosure, and Retention: Only use or disclose information
for identified purposes, and do not retain information for any longer than is
necessary to satisfy those purposes. Dispose of personal information in a
way that prevents privacy breach.
6. Accuracy: Ensure information is accurate, complete and up to date as is
necessary in the interests of the purpose for which the information was
collected and the interests of the individual.
7. Safeguards: Ensure an adequate security policy is in place to protect
information, and that appropriate safeguards are in place.
8. Openness: Make your policies and practices for handling personal information readily available, and train staff to respond to individual inquiries.
9. Individual Access: Provide individuals with access to their information
where appropriate.
10. Challenging Compliance: Provide recourse against complaints about the
organization’s compliance with the above principles.
9. Recommended Reading
Privacy Toolkit: A Guide for Businesses and Organizations (Canada's Personal Information Protection and Electronic Documents Act)
https://www.priv.gc.ca/information/pub/guide_org_e.pdf
10. PIPEDA and Digital Health
PIPEDA does not impose special obligations on digital health
companies.
Under s. 30(1.1), the Act states that the duties imposed on the use of
personal information in the private sector:
…does not apply to any organization in respect of personal health
information that it collects, uses or discloses within a province …
unless the organization … discloses the information outside
the province … .
KEY QUESTION – What is “personal health information”?
12. What is PHIPA?
The Personal Health Information Protection Act (PHIPA) is Ontario legislation
which came into force in 2004.
Its purpose, as per s. 1 of the Act, is to:
• establish rules for the collection, use and disclosure of personal health
information;
• provide individuals with a right of access to personal health information
about themselves;
• provide individuals with a right to require the correction or amendment of
personal health information about themselves;
• provide for independent review and resolution of complaints with respect
to personal health information; and
• provide effective remedies for contraventions of the Act.
13. What does PHIPA govern?
PHIPA applies to the collection, use and disclosure of personal health
information by health information custodians (whether or not in the
course of commercial activities).
14. PHIPA – Key Definitions
“Personal health information” is identifying information about an individual, in oral or recorded form, if the information:
• relates to the physical or mental health of the individual, including information
that consists of the individual’s family health history,
• relates to the providing of health care to the individual, including the identification
of a person as a provider of health care to the individual
• is a plan of service within the meaning of the Long-Term Care Act, 1994 of the
individual,
• relates to payments or eligibility for health care in respect of the individual,
• relates to the donation by the individual of any body part or bodily substance, or
is derived from testing of such body part or substance,
• is the individual’s health number, or
• identifies the individual’s substitute decision-maker: s. 4(1).
15. PHIPA – Key Definitions cont.
Information is “identifying” when it identifies an individual or when it is reasonably
foreseeable in the circumstances that it could be utilized, either alone or with other
information, to identify the individual. It is not necessary for the individual to be
actually named for the information to be considered personal health information.
Generally, “personal health information” does not include identifying information
held by health information custodians as employers, i.e. personal health
information relating to an employee maintained primarily for a purpose other than
the provision of health care to the employee.
16. PHIPA – Key Definitions cont.
“Health information custodians” are persons or organizations that have custody or control of personal health information, such as primary health care providers and related services, including:
- health care practitioners
- community care service providers
- hospitals
- long-term care homes
- pharmacies
- retirement homes
- medical officers of health, etc.
17. PHIPA – Key Definitions cont.
Are you an “agent” of a custodian?
You are an agent if, with respect to personal health information:
• you are authorized to act on behalf of a custodian; and
• you perform activities for the purposes of the custodian rather than for your own purposes;
and this is so whether or not you have the authority to bind the custodian, whether or not you are employed by the custodian, and whether or not you are paid.
18. PHIPA – Key Definitions cont.
Service providers and health information network providers
If you are not an agent of a custodian, but supply goods or services that enable the custodian to use electronic means to collect, use, modify, disclose, retain or dispose of personal health information, you are a service provider and must comply with the restrictions on the use and disclosure of that information that are set out in the regulation made under PHIPA.
If you provide such services to two or more health information custodians, primarily to enable them to use electronic means to disclose personal health information to one another, you are a health information network provider, and additional obligations (such as written agreements with each custodian and notification of breaches) apply.
19. PHIPA – Key Definitions cont.
Recipient
PHIPA also applies to the use and disclosure of personal health information by persons who receive it from a health information custodian.
For example, an insurance company that receives personal health information from a hospital is a recipient.
If the individual submits the same information to the insurance company directly, it is not personal health information in the insurer's hands, because the individual is not a health information custodian.
20. Applicability of Statutes
PHIPA applies to everyone, not only to custodians, with respect to the collection, use or disclosure of Ontario health numbers (OHIP numbers).
PIPEDA applies to collections, uses and disclosures of personal information by health information custodians outside Ontario in the course of commercial activities. For example, PIPEDA applies to the disclosure of personal information by health information custodians in Ontario to persons in other provinces when done in the course of commercial activities.
21. Duties under PHIPA
PHIPA includes a wide variety of duties, which are very similar to the obligations under PIPEDA. Examples of duties under PHIPA include:
• Minimum necessary – collect, use and disclose only the information you need to do the job;
• Knowledgeable consent – consent must be obtained before information is collected, used or disclosed, and it may be express or implied, except in the specific circumstances where the Act authorizes health care providers to collect, use or disclose a person's information without consent (such as reporting for public health purposes);
• Accuracy – a duty to take reasonable steps to ensure information collected is accurate, complete and up-to-date as necessary for the purpose for which it was collected;
22. Duties under PHIPA cont.
• Security – a duty to take reasonable steps to ensure that personal health information is protected against theft, loss and unauthorized use or disclosure;
• Accountability – a duty to designate a contact person who is ultimately responsible for ensuring compliance with the Act; and
• Policy – provide a written public statement describing the practices you use to protect information, and the name of the person to contact if someone has a question or concern about their personal health record.
23. Duties under PHIPA cont.
Regarding policy and related practices:
• Health information custodians must take steps that are reasonable in the circumstances to ensure that personal health information in the custodian's custody or control is protected against theft, loss and unauthorized use or disclosure.
• Health information custodians must take similar steps to ensure that the records containing the information are protected against unauthorized copying, modification or disposal.
• An agent is required to notify the health information custodian at the first reasonable opportunity if personal health information handled by the agent on behalf of the custodian is stolen, lost or accessed by unauthorized persons.
24. Hypothetical Questions
A developer in Ontario built an app that collects an Ontario user's heart rate from the band on the user's watch; the data is stored on a server in Ontario. The user purchased the app from an app store.
The heart rate is “personal health information” as defined by PHIPA.
QUESTIONS
1. Is the app developer a “health information custodian”?
2. Is the app developer an “agent” of a health information custodian?
3. Is the app developer a “service provider” or “health information network provider” to a health information custodian?
4. What if the app developer supplies services for the purpose of enabling an Ontario doctor or hospital to collect and use personal health information? What if the doctor or hospital is in Alberta? New York?
5. What if the app was purchased and used by an end user in New York?
25. Hypothetical Answers
1. The developer does not fall within the definition of health information custodian.
2. The developer is not an agent, because the developer is authorized by the user who purchased the app, not by a health information custodian.
3. The developer is providing a service to the user of the app and not to a health information custodian, so the developer is not a service provider or health information network provider.
4. The developer appears to be a service provider to the Ontario doctor/hospital, but more information would be needed to confirm. If the doctor/hospital were in Alberta, PIPEDA might apply because the disclosure is interprovincial. If the doctor/hospital were in New York, PIPEDA might apply to the developer because the disclosure is international, and US law (for example HIPAA, if the hospital is a covered entity) may apply as well.
5. PIPEDA might apply, as the commercial activity of buying the app would be an international transaction.
26. Contact:
Stephen Whitney
Of Counsel
Norton Rose Fulbright Canada LLP / S.E.N.C.R.L., s.r.l.
51 Breithaupt Street, Suite 100
Kitchener, Ontario N2H 5G5 Canada
Royal Bank Plaza, South Tower, Suite 3800
200 Bay Street, P.O. Box 84, Toronto, ON M5J 2Z4 Canada
T: +1 226.868.9125
stephen.whitney@nortonrosefulbright.com
28. Disclaimer
Norton Rose Fulbright LLP, Norton Rose Fulbright Australia, Norton Rose Fulbright Canada LLP, Norton Rose Fulbright South Africa (incorporated as Deneys Reitz Inc) and Fulbright & Jaworski LLP,
each of which is a separate legal entity, are members (‘the Norton Rose Fulbright members’) of Norton Rose Fulbright Verein, a Swiss Verein. Norton Rose Fulbright Verein helps coordinate the
activities of the Norton Rose Fulbright members but does not itself provide legal services to clients.
References to ‘Norton Rose Fulbright’, ‘the law firm’, and ‘legal practice’ are to one or more of the Norton Rose Fulbright members or to one of their respective affiliates (together ‘Norton Rose
Fulbright entity/entities’). No individual who is a member, partner, shareholder, director, employee or consultant of, in or to any Norton Rose Fulbright entity (whether or not such individual is
described as a ‘partner’) accepts or assumes responsibility, or has any liability, to any person in respect of this communication. Any reference to a partner or director is to a member, employee or
consultant with equivalent standing and qualifications of the relevant Norton Rose Fulbright entity.
The purpose of this communication is to provide information as to developments in the law. It does not contain a full analysis of the law nor does it constitute an opinion of any Norton Rose Fulbright
entity on the points of law discussed. You must take specific legal advice on any particular matter which concerns you. If you require any advice or further information, please speak to your usual
contact at Norton Rose Fulbright.
29. What’s up eDoc?: A Privacy Primer for
Health IT at MaRS
HIPAA and State Laws
Kimberly J. Gold
September 30, 2015
30. Bio
Kimberly Gold is a Senior Associate in Norton Rose Fulbright's New York Office. Her practice focuses on
healthcare transactions, regulatory compliance, and privacy and security matters.
Kimberly has extensive experience in the areas of privacy, information security, cybersecurity and information
management. She regularly advises clients on matters involving privacy and security of patient information
under HIPAA and state laws. She also represents clients in the health information technology area and has
counseled pharmaceutical and mobile app companies on privacy and FDA regulatory issues.
Kimberly is currently working on-site with the Global Privacy Office of a global pharmaceutical company on
various legal matters, including negotiating vendor agreements, providing advice on marketing and clinical trial
initiatives, and developing privacy notices, consent documents, and internal policies.
Kimberly's transactional experience includes mergers and acquisitions, joint ventures, and affiliations of
hospitals, group practices and other provider entities. She also represents not-for-profit and tax-exempt
organizations on a broad range of matters, and regularly advises clients on issues relating to accreditation by
the Accreditation Council for Graduate Medical Education (ACGME) and the Liaison Committee on Medical
Education (LCME).
Kimberly is a frequent writer and speaker on privacy and health care issues. She has appeared before the
American Bar Association, American Health Lawyers Association and New York State Bar Association,
speaking on topics such as health information technology, HIPAA compliance, and data breaches. Kimberly
also has written articles about breach notification requirements and state privacy laws for national publications,
including the American Journal of Health-System Pharmacy and HCCA Compliance Today.
Kimberly is a Certified Information Privacy Professional (CIPP/US) through the International Association of
Privacy Professionals.
Kimberly Gold
Senior Associate
Norton Rose Fulbright
New York
+1 212 318 3103
kimberly.gold@nortonrosefulbright.com
31. Agenda
• Overview of HIPAA
• Terms and Definitions
• Protected Health Information (PHI)
• Covered Entity
• Business Associate
• Core Privacy and Security Requirements
• Business Associate obligations
32. What is HIPAA?
A law enacted by the U.S. Congress in 1996 (the Health Insurance Portability and Accountability Act).
Its privacy and security provisions consist of the Privacy Rule and the Security Rule.
The HIPAA Privacy Rule defines and limits the circumstances in which protected health information (PHI) can be used and disclosed.
The HIPAA Security Rule establishes standards for the protection of electronic PHI (ePHI).
33. What is HIPAA (cont’d)?
• In general, HIPAA permits
covered entities to use and
disclose protected health
information for their own
treatment, payment and health
care operations purposes.
• Specific patient authorization is
required for use/disclosure for
other purposes.
34. Three Subsets of the HIPAA Rules
Privacy Rule
• Uses and Disclosures of PHI
• Requirements for interacting with patients
Security Rule
• Administrative, Physical and Technical Safeguards
• Breach Notification (formally its own rule, added by HITECH, but administered alongside the Security Rule)
Enforcement Rule
• Compliance & Enforcement
• Civil Monetary Penalties
35. What is HITECH?
• The Health Information Technology for Economic and Clinical Health Act (HITECH) was passed in 2009 as part of the American Recovery and Reinvestment Act (ARRA), the “stimulus bill.”
• US $20 billion+ in incentives to encourage doctors and hospitals to adopt health IT.
• HITECH also strengthened HIPAA: business associates became directly liable, breach notification became mandatory and penalties were increased. These provisions were implemented by the 2013 Omnibus Rule.
36. HIPAA Omnibus Rule – 2013 Updates
• Important changes:
• Business Associates
• PHI Storage
• HITECH Breaches
• Penalties & enforcements
37. What is a HIPAA Covered Entity?
• Covered Entities:
• Health Care Providers
• Health Care Clearinghouses
• Health Plans
…that conduct electronic transactions covered by HIPAA (for example claims and eligibility checks).
• Business Associates of 1-3 above are not themselves covered entities, but since the 2013 Omnibus Rule they are directly subject to much of the Privacy Rule and all of the Security Rule.
38. What is Protected Health Information (PHI)?
• Protected Health Information (PHI):
Medical records or other health
information that:
• Identifies an individual
• Could be used to identify an
individual
• Created or received by a HIPAA
covered entity
39. Protected Health Information - Identifiers
The identifiers that the Safe Harbor de-identification method requires to be removed are:
• Name
• Social Security Number
• Driver's License or other government-issued identification number
• Telephone/Fax Number
• Email Address
• Geographic Subdivision Smaller Than a State (such as street address, city, county and 5-digit ZIP code), except the first three digits of a ZIP code where the area sharing that three-digit prefix contains more than 20,000 people
• Certificate/License Number
• Financial Account Number (such as bank accounts and payment card accounts)
• Medical Record Number
• Health Plan Beneficiary Number
• IP Address
• URL
• Dates Directly Related to Individuals, other than the year (such as date of birth, date of death, admission and discharge date), and any age over 89 (ages over 89 may be aggregated into a single “90 or older” category)
• Biometric Identifiers (including fingerprints and voice prints)
• Device Identifiers and Serial Numbers
• Vehicle Identifiers and Serial Numbers (including license plate numbers)
• Full-face Photographs (or comparable images)
• Any Other Unique Identifying Number, Characteristic or Code
40. De-identified information
• PHI may be de-identified by removing all details that could reasonably be used to identify an individual; de-identified information is no longer PHI and falls outside the Privacy Rule.
• De-identification can be accomplished by either of two methods:
• Safe Harbor: removing all of the identifiers listed above and having no actual knowledge that the remaining information could be used, alone or in combination with other information, to identify the individual; or
• Expert Determination: obtaining a documented determination from a qualified statistician that the risk of re-identification is very small.
• Vendors may seek to use de-identified information for their own purposes, for example for comparative effectiveness studies, policy assessments and other endeavours; whether that is permitted should be settled in the Business Associate Agreement.
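The Safe Harbor method above is mechanical enough to be written down as a record scrubber: direct identifiers are dropped, dates are reduced to the year, ZIP codes are cut to three digits (or "000" for a sparsely populated prefix) and ages over 89 are collapsed into "90+". The Python below is an added example, not code from the presentation, from HHS or from Norton Rose Fulbright; the field names, the sample record and the set of low-population ZIP prefixes are assumptions made for illustration.

```python
"""Safe Harbor de-identification of a patient record.

Added example, not code from the presentation or from HHS. The field names,
the sample record and the low-population ZIP prefixes below are assumptions.
"""
import re
from datetime import date

# Fields holding one of the Safe Harbor identifiers listed above: removed outright.
DIRECT_IDENTIFIERS = {
    "name", "ssn", "drivers_license", "phone", "fax", "email",
    "street_address", "city", "county", "certificate_number",
    "account_number", "mrn", "health_plan_id", "ip_address", "url",
    "biometric_id", "device_id", "vehicle_id", "photo",
}
# Free text can carry any of the above, so it is dropped rather than scrubbed.
FREE_TEXT_FIELDS = {"notes"}
# Date fields: everything but the year is an identifier.
DATE_FIELDS = {"date_of_birth", "admission_date", "discharge_date", "date_of_death"}
# ZIP3 prefixes whose combined population is 20,000 or fewer must become "000".
# Illustrative placeholder set (assumption); the real set comes from census data.
SMALL_POPULATION_ZIP3 = {"036", "059", "063"}

REFERENCE_DATE = date(2015, 9, 30)  # date the ages are computed against


def parse_iso_date(value):
    """Accept a date object or an ISO 8601 YYYY-MM-DD string; reject anything else."""
    if isinstance(value, date):
        return value
    m = re.fullmatch(r"(\d{4})-(\d{2})-(\d{2})", str(value).strip())
    if not m:
        raise ValueError(f"unrecognised date: {value!r}")
    return date(int(m[1]), int(m[2]), int(m[3]))


def age_on(dob, today):
    """Whole years elapsed between dob and today."""
    years = today.year - dob.year
    if (today.month, today.day) < (dob.month, dob.day):
        years -= 1
    return years


def generalize_zip(zip_code, small_zip3=SMALL_POPULATION_ZIP3):
    """Keep the first three ZIP digits, or '000' for a low-population prefix."""
    digits = re.sub(r"\D", "", str(zip_code))[:5]
    if len(digits) != 5:
        return None  # not a ZIP code we can reason about: drop it
    zip3 = digits[:3]
    return "000" if zip3 in small_zip3 else zip3


def deidentify(record, today=REFERENCE_DATE, small_zip3=SMALL_POPULATION_ZIP3):
    """Return a copy of record with the Safe Harbor identifiers removed or generalized."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS or key in FREE_TEXT_FIELDS or key == "age":
            continue  # age is recomputed below so the over-89 rule is applied
        if key == "zip":
            zip3 = generalize_zip(value, small_zip3)
            if zip3 is not None:
                out["zip3"] = zip3
        elif key in DATE_FIELDS:
            out[f"{key}_year"] = parse_iso_date(value).year
        else:
            out[key] = value  # non-identifying field passes through unchanged
    age = None
    if "date_of_birth" in record:
        age = age_on(parse_iso_date(record["date_of_birth"]), today)
    elif "age" in record:
        age = int(record["age"])
    if age is not None:
        if age > 89:
            # Ages over 89, and any date element (including the year) that would
            # reveal such an age, are identifiers: aggregate into one "90+" bucket.
            out.pop("date_of_birth_year", None)
            out["age"] = "90+"
        else:
            out["age"] = age
    return out


def remaining_identifiers(record):
    """Keys that a Safe Harbor data set must not still contain (empty when clean)."""
    flagged = DIRECT_IDENTIFIERS | FREE_TEXT_FIELDS | DATE_FIELDS | {"zip"}
    return sorted(k for k in record if k in flagged)


SAMPLE_RECORD = {  # constructed sample; not real patient data
    "name": "Jane Example",
    "mrn": "MRN-0001",
    "email": "jane@example.invalid",
    "date_of_birth": "1930-03-15",
    "admission_date": "2015-09-01",
    "zip": "02139",
    "diagnosis_code": "I10",
    "notes": "Patient lives with daughter Mary Example.",
}

if __name__ == "__main__":
    print(remaining_identifiers(SAMPLE_RECORD))
    print(deidentify(SAMPLE_RECORD))
```

Two points a practitioner should keep in mind. Unknown keys pass through unchanged, so the field lists have to be reviewed against the real schema before the scrubber is trusted; and Safe Harbor also requires no actual knowledge that what remains could identify the patient, which is a judgement about the data set (rare diagnosis codes in a small ZIP3, for instance), not something the function can check.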
41. What is a Business Associate?
• A person or entity that performs or assists a covered entity with
functions that involve the use or disclosure of protected health
information.
• Examples:
– Cloud vendors
– Providers of data transmission services
– Subcontractors of Business Associates
• HIPAA requires covered entities to enter into agreements with
Business Associates, called Business Associate Agreements.
• Covered entities can be held liable for HIPAA violations by
Business Associates in some cases.
• Where a vendor is acting as a Business Associate, the vendor is
directly liable for compliance with many aspects of the Privacy rule,
and all of the Security Rule.
42. Are you a Business Associate?
In the course of business, is PHI created, received, maintained or transmitted for or on behalf of a covered entity? If so, you are a Business Associate.
43. What are Business Associates Liable for?
• HITECH breaches
• Failure to provide breach notification to the covered entity
• Failure to provide electronic access to PHI
• When requested by the individual
• When requested by the Covered Entity
• Failure to provide an accounting of disclosures
• …and more
• PLUS, contractual liability for breaches of Business
Associate Agreements
• BAAs contain terms and conditions for access and use
of PHI.
44. Is Patient Data Secure on the Cloud?
• When electronic PHI (ePHI) is stored/
maintained in the cloud:
• Healthcare Providers/Covered Entities
are “disclosing it” to the cloud vendor
• Cloud vendor becomes a business
associate
• Cloud vendor must comply with HIPAA
and HITECH provisions
• Challenges when cloud provider does
not know what data it is maintaining
45. The HIPAA Security Rule
• Establishes safeguards to ensure the confidentiality, integrity and availability of ePHI
• Administrative safeguards (for example risk analysis, a designated security official, workforce training, contingency planning)
• Physical safeguards (for example facility access controls, workstation and device security)
• Technical safeguards (for example access control, audit controls, integrity controls, transmission security)
47. Data Breaches
• A data breach is any acquisition, access, use or disclosure of PHI in a manner not permitted by the HIPAA Privacy Rule, whether internal or external.
• Since the Omnibus Rule, such an incident is presumed to be a reportable breach unless a documented risk assessment shows a low probability that the PHI has been compromised.
• The breach does not have to result in confirmed identity theft before legal obligations are triggered.
49. What to do?
• Risk analysis
• Risk management program
• Security official
• Policies & procedures
• Employee training
• Subcontractor BAAs
• Document compliance
• NOTE: Neither HIPAA nor HITECH mandates that data be encrypted. Under the Security Rule encryption is an “addressable” specification, so an entity that does not encrypt must document why and what it did instead.
• But breach notification obligations (and the penalties that follow a reportable breach) are avoided if the PHI was encrypted consistent with HHS guidance and the encryption key was not compromised; a lost laptop or drive with full-disk encryption is the typical case.
50. HIPAA and Mobile Devices
• HIPAA applies to any mobile device that receives,
transmits, or stores PHI.
• OCR and ONC suggest measures to ensure that
PHI is secure on mobile devices:
• Use a password or other user authentication. You
can also activate a screen lock after the device
has not been used for a period of time.
• Install or enable encryption.
• Install or activate remote wiping and/or disabling.
• Disable or do not use file-sharing applications.
• Install or enable firewalls.
• Install or enable security software.
• Keep your security software up to date.
• Research apps before downloading.
• Maintain physical control.
• Use adequate controls when using Wi-Fi.
• Delete all stored PHI before reusing or discarding
a device.
51. What happens if I don’t comply with HIPAA?
• Civil and Criminal Penalties
• HITECH Breaches:
• Up to US $50,000 per violation
• Up to US $1.5 million per calendar year for violations of an identical provision
• No defense based on lack of knowledge
• Mandatory HITECH audit program
52. HITECH Breaches: How Much Will It Cost You?
Degree of Culpability / “State of Mind”                                                 Potential Penalty Per Violation   Maximum Annual Cap (violations of an identical provision)
Violation was not known and could not have been discovered with reasonable diligence    $100 – $50,000                    $1,500,000
Reasonable cause for violation, not due to willful neglect                              $1,000 – $50,000                  $1,500,000
Violation due to willful neglect, but corrected within 30 days                          $10,000 – $50,000                 $1,500,000
Violation due to willful neglect, not corrected within 30 days                          $50,000 or more                   $1,500,000
53. HIPAA Violations: Criminal Penalties
Knowing violation                                                                         up to $50,000 fine / 1 year imprisonment
Violation committed under false pretenses                                                 up to $100,000 fine / 5 years imprisonment
Violation with intent to sell, transfer or use PHI for commercial advantage, personal gain or malicious harm   up to $250,000 fine / 10 years imprisonment
54. OCR Enforcement Results by Year
Year              No Violation   Resolved After Intake and Review   Corrective Action Obtained   Total Resolutions
2003 (partial)    5%             78%                                17%                          1,516
2004              7%             71%                                22%                          4,799
2005              11%            68%                                21%                          5,692
2006              14%            62%                                24%                          6,599
2007              10%            69%                                21%                          7,238
2008              13%            63%                                24%                          9,341
2009              15%            59%                                26%                          8,106
2010              17%            54%                                29%                          9,189
2011              16%            53%                                31%                          8,363
2012              10%            54%                                36%                          9,408
2013              7%             69%                                24%                          14,300
55. What We’ve Learned from OCR Resolution Agreements
• OCR is monitoring breach notification reports.
• No one is immune from enforcement.
• Heavy emphasis on performance of thorough security risk
analysis and identification of vulnerabilities.
• Having policies and procedures in place is critical…so is
following them.
• Workforce must be trained.
• If devices and equipment aren’t encrypted, you need to
document why.
56. State Laws
• Some state health information laws are stricter than
HIPAA.
– For example, California’s Confidentiality of Medical
Information Act (CMIA).
• A majority of states (47/50) have enacted data breach
notification laws.
58. Disclaimer
Norton Rose Fulbright US LLP, Norton Rose Fulbright LLP, Norton Rose Fulbright Australia, Norton Rose Fulbright Canada LLP and Norton Rose Fulbright South Africa Inc are separate legal entities
and all of them are members of Norton Rose Fulbright Verein, a Swiss verein. Norton Rose Fulbright Verein helps coordinate the activities of the members but does not itself provide legal services to
clients.
References to ‘Norton Rose Fulbright’, ‘the law firm’ and ‘legal practice’ are to one or more of the Norton Rose Fulbright members or to one of their respective affiliates (together ‘Norton Rose
Fulbright entity/entities’). No individual who is a member, partner, shareholder, director, employee or consultant of, in or to any Norton Rose Fulbright entity (whether or not such individual is
described as a ‘partner’) accepts or assumes responsibility, or has any liability, to any person in respect of this communication. Any reference to a partner or director is to a member, employee or
consultant with equivalent standing and qualifications of the relevant Norton Rose Fulbright entity.
The purpose of this communication is to provide general information of a legal nature. It does not contain a full analysis of the law nor does it constitute an opinion of any Norton Rose Fulbright
entity on the points of law discussed. You must take specific legal advice on any particular matter which concerns you. If you require any advice or further information, please speak to your usual
contact at Norton Rose Fulbright.