Feature Story
Ontario’s privacy laws are in need of an update, U of T panelists say
March 28, 2024
TORONTO – Ontario’s health privacy legislation – the Personal Health Information Protection Act, or PHIPA for short – was designed to protect patients. And in that respect, it works, keeping patient data secure. However, in an era when data is becoming so important, and sharing data can save lives, perhaps the legislation is too strict.
Created in 2004 – before the emergence of the iPhone in 2007 – it’s probably time for a refresh.
That was the conclusion of a panel at the Future of Health Leadership, Informatics and Policy (FHLIP) conference in February, held at Hart House on the University of Toronto campus. The day-long event was organized by Dr. Karim Keshavjee and Dr. Abbas Zavar, who both teach in the health informatics program at the university.
Under PHIPA, whoever is treating a patient, whether it’s a family doctor in a clinic or an acute care hospital, cannot share the patient’s records without the patient’s express consent. The care provider becomes the ‘custodian’ of the data.
While PHIPA works well to protect the patient’s data, it has unfortunately stymied progress in the development of new technologies that didn’t exist when the law was created, such as artificial intelligence. AI relies on large data sets to train itself, but those data sets aren’t readily available to researchers, let alone private-sector companies, in Ontario.
“The data is siloed,” said Fahreen Walimohamed, implementation manager for OnCall Health, who moderated the panel. “We are unable to aggregate it for AI, for example, to create new solutions.”
There are a few, select research agencies that are allowed to work with the patient data, but not to share it. These include the Toronto-based Institute for Clinical Evaluative Sciences (ICES), which analyzes Ontario’s patient data to detect trends and new developments in health and sickness.
However, if ICES researchers find that certain patients are at risk of a disease – such as kidney failure – or that treatments they’re using might cause harm instead of curing them, they’re still not allowed to contact the patients or their care providers.
“We recently issued a report that advised the government on updating PHIPA, so that we’re allowed to contact patients if they are at risk of a disease in the next few years,” said Mahmoud Azimaee, director, Data Quality and Information Management at the Institute for Clinical Evaluative Sciences (ICES). “Currently, with PHIPA, you can’t do this.”
Azimaee noted that it’s not just researchers using advanced technologies like generative AI that require access to data. “Traditional analytics is enough,” he said, to cull new insights from the data. And some of the findings should be shared.
Recognizing the need to re-engineer the health data laws, ICES issued a report last year called “Modernizing Ontario’s Personal Health Information Protection Act: Recommendations for a Data-Driven Health System.” Currently in Ontario, there are four “prescribed entities” that are entitled to conduct population-based analytics without obtaining patient consent. These trusted organizations are the Canadian Institute for Health Information (CIHI), the Pediatric Oncology Group of Ontario (POGO), Ontario Health, and ICES.
Of course, by providing access to patient data without consent, the act expects the four prescribed entities to carefully guard the information. As part of this, they must have their privacy practices reviewed by the provincial privacy commissioner every three years.
But strict guardianship of the data sometimes has unexpected consequences, and sometimes backfires by harming patients instead of protecting them.
For example, Ontario Health operates a program called MyPractice that generates reports for physicians that help them improve their practices.
ICES provides de-identified data related to opioid prescriptions for use in MyPractice reports and can determine whether a patient is receiving opioids from more than one doctor. However, under the current regulations, ICES isn’t allowed to tell the physician which patient it is. ICES is asking for a change in PHIPA, allowing doctors to be informed in such cases about their patients and opioid overuse – something that could dramatically improve the health of certain patients and even save their lives.
Some would like to see broader access to health data, so that other organizations could make use of the information for the public good – such as groups of hospitals conducting R&D or even private sector companies.
Christine Sham, director, Information Management Strategy and Policy at the Ministry of Health, asserted that “people are frustrated by the slowness of government in keeping up with change.” She said that health data needs to be used for the greater good, and that it will be necessary to dialogue with the public to find out if it’s ready to allow a broader range of entities to have access to its data. “We need to understand what the public wants,” she said.
Don Willison, adjunct professor at the Institute of Health Policy, Management and Evaluation, University of Toronto, suggested that experimentation with patient data sharing – through privacy sandboxes – could help establish new boundaries for privacy and security.
Such experiments could determine what types of organizations should obtain access to patient data, what kinds of data should be shared, and whether it should be anonymized or rendered into “synthetic data” to protect individuals.