Patients’ consent to collect personal health information via virtual care tech should be obtained
Ontario’s information and privacy commissioner has issued guidelines for health information custodians to better protect patients’ privacy and security on virtual health care visits, which may entail forms of digital communication like messaging, telephone consultation, and videoconferencing.
“The timing of these guidelines is fitting, as this month Ontarians mark the anniversary of the Covid-19 pandemic, which has accelerated the adoption of virtual health care options across the province,” wrote Clancy Catelin, a lawyer at Rosen Sunshine LLP, in a blog post dated Mar. 23.
The provincial health privacy law, the Personal Health Information Protection Act, 2004, SO 2004, c 3, Sch A, applies to virtual care the same way it does to in-person care. The commissioner’s guidelines explain the key requirements in the legislation pertaining to all custodians, including those offering virtual health care, and provide practical steps for custodians to safeguard personal health information in the virtual health care context.
Ontario’s health privacy law requires that custodians not collect, use or disclose personal health information if other information can serve the purpose of the collection, use or disclosure, or if the information involved is more than is reasonably necessary to meet the objective. Custodians should also take reasonable steps to safeguard personal health information against theft, loss and unauthorized use or disclosure, and ensure that records are protected against unauthorized copying, modification, and disposal and are securely retained, transferred, and disposed of.
If an electronic service provider is involved, the custodians and the electronic service provider face additional obligations, which will depend on whether the provider is the custodian’s agent.
As for practical steps for health information custodians, these include determining which statutory, professional, or regulatory rules govern them and understanding their obligations. The guidelines also advise custodians to conduct privacy impact assessments and develop a virtual health care policy addressing the specifics for the provision of virtual health care, identifying any conditions or restrictions in doing so and setting out the administrative, technical and physical safeguards to be implemented. These custodians should also have a robust information security management framework and ensure that their employees and agents participate in ongoing privacy and security training.
The guidelines also direct custodians to inform patients, in plain language, of the limitations and risks of virtual health care visits and to document this discussion. Custodians should acquire patients’ consent to collect, use and disclose personal health information via virtual care technologies and services and tell patients that they may withdraw consent anytime. Custodians should then implement, and ensure compliance with, technical, physical, and administrative safeguards for the protection of personal health information and additional safeguards for emails while keeping in mind that this protection is an ongoing obligation.
While virtual health care delivery has the benefit of convenience, it gives rise to new privacy and security concerns and cybersecurity risks, considering that it relies on technologies, communication infrastructures, and remote environments, said the news release.
Ontario Health has designed a standard that aims to help custodians as they select a vendor of virtual visits solutions and provides the requirements for a product or service to be verified by Ontario Health.