2.0 Scope

This policy covers the collection, use, disclosure, management, protection, retention and destruction of PHI and PI. This policy applies to all BHL operations and employees. Although the majority of BHL operations and employees do not collect or access PHI, all employees must be aware of the General BHL Privacy and Confidentiality Policies and Procedures.

3.0 Definitions

Agent or Business Associate: BHL is an authorized agent for contracting healthcare providers and health plans using WellnessCheck^® to collect, store and analyze healthcare data. In this capacity BHL serves as a Business Associate (as defined by HIPAA 45 CFR 164.502(e), 164.504(e), 164.532(d) and (e)), or Agent as defined in PHIPA.

Collect: To gather, receive or record information from any source and by any method.

Confidentiality: The organization's obligation to protect from disclosure the PHI and PI with which it has been entrusted.

Cookies: Cookies are used for record keeping and to track movements when visiting a website. The use of cookies is an industry standard, used in most websites, including health-related ones. There are two types of cookies: persistent and session. Persistent cookies are pieces of information that a website transfers to an individual's hard drive for record-keeping purposes. Session cookies are not permanently stored on hard drives and are used to provide easier navigation of websites and cannot be used to collect any personal information.

Custodian or Covered Entity: PHI regulations in Canada, Europe and the US apply to routine healthcare information collected by: (i) health care providers; (ii) health care clearinghouses; (iii) a health plans.

Data linkage: The process by which information from one data holding is combined with that of another data holding to create new or more complete information. Temporary linkages are created for the purpose of specific research projects. Permanent linkages effectively create new data holdings.

Data holdings: A list of all datasets that are maintained on BHL servers and are in the custodianship of BHL.

Disclose: To make personal information available or known to individuals outside BHL.

EU Privacy Directive: Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.

Express consent: Any specifically given (whether in writing, in person, electronically, by telephone, by using a check-off box or otherwise) voluntary, knowledgeable indication of an individual's wishes.

HIPAA: The Health Insurance Portability and Accountability Act of 1996 and regulations, as amended from time to time.

Identifiers: Identifiers directly and easily identify an individual. An identifying variable would be, for example, a name, full address, telephone number, email address, health insurance number, and social insurance number. These identifiers are differentiated from Quasi-Identifiers.

Individual: The person, whether living or deceased, whose information is collected, used or disclosed.

Institutional Review Boards (IRB): See Research Ethics Board (REB) below.

IP addresses: An IP address is a number that is automatically assigned to a computer whenever surfing the Web. Many Web servers automatically identify computers or networks protected by firewalls by their IP addresses.

Organization: A legal person (e.g., a corporation), an association, a partnership, Covered Entity, a Health Information Custodian or a trade union.

Personal Information (PI): Information about an identifiable individual including personal health information, but does not include the name, title, business address or telephone number of an employee of an organization.

Personal Health Information (PHI):

UNITED STATES: Protected health information (PHI) is any information in the medical record or designated record set that can be used to identify an individual and that was created, used, or disclosed in the course of providing a health care service such as diagnosis or treatment. HIPAA regulations allow researchers to access and use PHI when necessary to conduct research. However, HIPAA only affects research that uses, creates, or discloses PHI that will be entered into the medical record or will be used for healthcare services, such as treatment, payment or operations.

CANADA: As defined by PHIPA 2004 section 4.1, “personal health information”, means identifying information about an individual in oral or recorded form, if the information: (a) relates to the physical or mental health of the individual, including information that consists of the health history of the individual's family; (b) relates to the provision of health care to the individual, including the identification of a person as a provider of health care to the individual; (c) is a plan of service within the meaning of the Long-Term Care Act, 1994 for the individual; (d) relates to payments or eligibility for health care, or eligibility for coverage for health care, in respect of the individual; (e) relates to the donation by the individual of any body part or bodily substance of the individual or is derived from the testing or examination of any such body part or bodily substance; (f) is the individual's health number; or (g) identifies an individual's substitute decision-maker.

EUROPEAN UNION: As defined in Directive 95/46/EC of the European Parliament “'personal data' shall mean any information relating to an identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.”

PHIPA: The Personal Health Information Protection Act, 2004 and regulations, as amended from time to time.

Quasi-identifiers: A quasi-identifier means a variable that may indirectly identify an individual, such as a date (birth, death, admission, discharge, autopsy, specimen collection, or visit), postal code or other location information. The presence of quasi-identifiers in a dataset does not automatically signify that it contains PHI, but does require that the proper provincial threshold is examined when determining a dataset is de-identified.

Research: A systematic investigation designed to develop or establish principles, facts or knowledge that can be generalized, or any combination of the above, and includes the development, testing and evaluation of research.

Research Ethics Board (REB) or Institutional Review Boards (IRB): A board composed of qualified persons which can be formally designated by an organization, while maintaining its independent functioning from the organization, which meets for the purpose of conducting ethical reviews of research applications and meets the requirements of applicable provincial and federal legislation and regulations (e.g., PHIPA and the federal Food and Drugs Act) and applicable guidelines and policies. The REB may approve, reject, propose modifications to, put on hold or terminate research at its sole discretion as well as recommend the suspension of ongoing research.

Risk Thresholds: Various governments require overlapping but different standards for determining whether data is de-identified. Some of these thresholds include:

Serious Possibility Test: Federal government departments in Canada must follow the “serious possibility test” to determine if data is de-identified. Within this criteria one must determine where there is a serious possibility that the data holding facility could identify an individual through the use of that information, alone or in combination with other available information.

Reasonable Possibility Test: The EU Data Protection Directive states that an “individual shall not be regarded as identifiable if the identification requires an unreasonable amount of time and manpower”. In the United States, HIPAA considers data de-identified if there is not a reasonable possibility that an individual can be identified, and Supreme Courts have interpreted this to mean that it must be demonstrated that non-experts and multiple experts can re-identify a data set before it can be considered personal information.

K-anonymity de-identification criterion: This criterion ensures that there are at least k records in the dataset that have the same values on the quasi-identifiers for every combination of values. For example, if the quasi-identifiers are age and gender, then it would ensure that, say, there are at least k records with “50, male” values.

Rareness criterion: Quasi-identifiers that refer to a regional population subgroup (e.g. a postal or zip code) for fewer than 20,000 individuals, or that refers to less than 0.5% of the population (e.g. individuals over 89 years old) require special consideration when assessing risk thresholds.

Minimum cell size: Because there is quite a bit of subjectivity in most definitions, one can interpret them using a strong precedent. Many custodians, within and outside healthcare for more than 20 years, have been using two thresholds to decide if a dataset is de-identified. These thresholds refer to minimal cell sizes, which mean the number of records that have the same values on the quasi-identifiers. One threshold that has been suggested and used is a minimal cell size of three in data sets that are disclosed [35-38]. Another more common value is a minimal cell size of five [39-48]. Because of the extensive use of these two thresholds over such an extended period of time, one can argue that these represent the risks that society has decided to accept when releasing sensitive personal information.

Safe harbor provision: The Safe Harbor provision of the US HIPAA Privacy Rule specifies 18 data elements whose absence deems a dataset de-identified. HIPAA also provides the certification of datasets as de-identified through statistical techniques even when some of the data elements (quasi-identifiers) are present.

Use: To handle or deal with information, including transferring the information.

4.0 Policy and Procedure

The following sets out how BHL adheres to these principles.

4.1 Principle 1 - Accountability

4.1.1 The President of BHL is accountable for compliance with the applicable privacy legislation and regulations. The President is responsible for ensuring that BHL meets current legal requirements and adheres to the principles of privacy, confidentiality and security.

4.1.2 BHL employees must comply with this policy for the collection, use, disclosure, management, protection, retention and destruction of PHI and PI. All employees must sign the Confidentiality Agreement as a condition of employment/engagement and employees must attend and participate in BHL's privacy and confidentiality training and are required to sign the Privacy Training Acknowledgement Form.

4.1.3 BHL is responsible for protecting the confidentiality of all PHI and/or PI that is transferred to and from Covered Entities or Custodian. BHL ensures that adequate processes are in place to de-identify any PI/PHI that is transferred to any third party before the information is transferred for research purposes.

4.1.4 This policy is evaluated on an ongoing basis to ensure that it reflects current legislation and guidelines and that it reflects practices at BHL.

4.1.5 Breaches of the provisions of this policy may result in disciplinary action up to and including termination of the employee.

4.1.6 BHL has procedures in place to receive and to respond to inquiries and complaints.

4.2 Principle 2 - Identifying Purposes

4.2.1 Prior to the collection or receipt of any PI/PHI, BHL must identify the purpose for its collection, use or disclosure. Collection of PI/PHI is limited to the information necessary to meet the identified and, if required, ethically approved clinical or research purposes.

4.2.2 BHL employees must be aware of the purpose for which PI/PHI may be collected for the data holding(s) in their area.

4.2.3 When PI/PHI that was previously collected is to be used or disclosed for a purpose not previously identified, the PI/PHI may only be used or disclosed after the new purpose has been identified and if required (for research data) REB approval has been given.

4.3 Principle 3 - Knowledge and Consent

4.3.1 The collection, use and disclosure of PI/PHI are based on knowledgeable consent with respect to research data and knowledgeable consent for other personally identifiable information or without consent in areas where permitted or required by law.

4.3.2 The Covered Entities or Custodians of the data for which BHL is acting as an Agent or Business Associate are responsible for gathering necessary Express Consent and IRB/REB approvals required within their legal jurisdiction.

4.3.3 Where express consent is required for the collection, use, and disclosure of PI/PHI, BHL will ensure that its customers are aware of this requirement.

4.4 Principle 4 - Limiting Collection of Data

4.4.1 BHL will only collect data for clinical, research or other purposes within its mandate and for its customers.

4.4.2 BHL will not collect PI/PHI indiscriminately. Both the amount and the type of information collected will be limited to what is necessary to fulfill the purposes identified.

4.4.3 PI/PHI will be collected directly from the individual or clinician unless otherwise permitted or required by law.

4.4.4 Any PI/PHI collected that does not fall within the scope identified, must be returned and/or the data will be destroyed.

4.4.5 BHL does not use persistent cookies to collect or store identifying information about users of its websites. Collection and storage of IP addresses are used for system administration and audit the use of BHL websites. Only in the event of a violation of BHL's Terms of Use or Licensing Agreements will BHL use such devises to enforce compliance, protect the integrity of data and intellectual property rights.

4.5 Principle 5 - Limiting Use, Disclosure and Retention

4.5.1 BHL will never disclose PHI for any purpose other than as directed by court order.

4.5.2 All PHI identifiers and quasi-identifiers will be stored in encrypted format.

4.5.3 If an identifier (e.g. health plan policy numbers) is required by contract with a covered entity or custodian, and the identifier is not required for a legitimate BHL business purpose, one-way encryption techniques will be employed, rendering the data de-identified to BHL employees.

4.5.4 If an individual has authorized BHL to store PHI (with proper express consent) containing an identifier (e.g. email address) which BHL will use for a legitimate business purpose (e.g. emailing questionnaire reminders at the patient's request), BHL will store such identifiers in a separate database with double coding and one-way encryption techniques to prevent BHL employees from linking an identifier to clinical data.

4.5.5 If BHL uses collected data for research purposes, it will first be de-identified according to the highest standards currently available in Canada, the European Union, or the United States, whichever (either in isolation or combination) provides greater privacy assurances.

4.5.6 BHL will only collaborate in research that contributes to an improved understanding behavioral health and to improved treatment of individual's quality of life. Restrictions on the use and disclosure of data will be reinforced by BHL's information technology architecture. All other data will be used, disclosed and retained for identified purposes.

4.5.7 Only authorized and designated BHL personnel, who have signed BHL's Confidentiality Agreement and received appropriate Privacy and Confidentiality Training, will be allowed access to PHI/PI. Access will be authorized on a need-to-know basis for performing BHL duties. No BHL employee may access PI/PHI unless required to do so for the purposes of his/her employment.

4.5.8 BHL will take appropriate steps to protect against any risk of unauthorized disclosure of PI/PHI. BHL employees engaged in research must work with researchers and/or external parties to develop strategies for preparing data sets so that there is no potential risk of residual disclosure while meeting the analysis requirements for the approved research protocol. BHL will develop and maintain standards and guidelines for unauthorized disclosure avoidance and will make researchers and external parties aware of these standards and guidelines. If unauthorized disclosure issues cannot be resolved to BHL's satisfaction, BHL will not disclose related data.

4.5.9 BHL may participate in data linkage with covered entities and custodians for specific analyses or for other clinical purposes, in accordance with applicable laws and/or regulations. All linked data sets will be subject to BHL's policy and procedures which govern the collection, use and disclosure of PI/PHI.

4.5.10 BHL has procedures and guidelines for the secure retention of PI/PHI and will not keep the data beyond the designated retention period set out in its data retention policy which is in compliance with applicable legislation.

4.5.11 PI/PHI that is no longer required to fulfill its identified purposes will be securely destroyed after the applicable retention period has expired.

4.5.12 BHL ensures that datasets have surpassed provincial threshold tests as defined above and meet the minimum cell size requirements to ensure de-identification standards have been met.

4.6 Principle 6 - Accuracy of PI/PHI

4.6.1 BHL will require that the PI/PHI it receives is accurate, complete and up-to-date at the time of collection, as verified by the individual or organization collecting the data.

4.6.2 BHL will not update the PI/PHI it collects unless it is necessary to fulfill the purposes for which the PI/PHI was collected. Data which has been made anonymous will not be updated by BHL.

4.7 Principle 7 - Safeguards (anonymization of data and process for the disposal or destruction of PI/PHI)

4.7.1 BHL has security safeguards to protect against the loss, theft, unauthorized access, disclosure, copy, use, modification or disposal of PI/PHI.

4.7.2 BHL provides a secure physical environment for the equipment and facilities where PI/PHI is stored and for the employees who use this information.

4.7.3 All BHL employees must sign a Confidentiality Agreement. PI/PHI may only be accessed by designated employees on a need-to-know basis and is protected by data-sharing agreements as required. BHL makes all employees aware of the importance of maintaining the privacy and confidentiality of all PI/PHI.

4.7.4 BHL has policies and procedures in place pertaining to the disposal or destruction of PI/PHI to prevent unauthorized parties from gaining access to the information.

4.7.5 Privacy impact assessments including, as appropriate, security analyses and threat risk assessments, are completed on data holdings and organizational practices to ensure that privacy issues are identified and resolved or mitigating strategies, with follow-up plans are in place.

4.7.6 BHL adopts industry standards and regularly tests its systems to ensure security of its data storage equipment and communication systems.

4.8 Principle 8 - Openness

4.8.1 BHL makes information available about its policies and practices relating to the management of PI including PHI.

4.9 Principle 9 - Individual Access to PI/PHI

4.9.1 BHL is not a Covered Entity or Health Information Custodian and does not hold health records for individuals for the purpose of providing health care. BHL does not update individual records to ensure that data are current or accurate with respect to the individual. Individuals requesting access to records about themselves that they believe to be held by BHL will be directed to contact the Health Information Custodians that collected or created the information about them. This includes court requests for data collected or stored at BHL.

4.10 Principle 10 - Challenging Compliance

4.10.1 Questions, concerns and complaints about BHL's Privacy and Confidentiality Policy are to be addressed to BHL's Privacy Officer (PO) as set out below. All concerns and questions will be dealt with in a timely fashion and if a complaint is found to be justified, BHL will take appropriate measures including, as necessary, changes to its policies and procedures.

References

1. Safran C, Bloomrosen M, Hammond E, Labkoff S, S K-F, Tang P, Detmer D. Toward a national framework for the secondary use of health data: An American Medical Informatics Association white paper. Journal of the American Medical Informatics Association, 2007; 14:1-9.

2. Perun H, Orr M, Dimitriadis F. Guide to the Ontario Personal Health Information Protection Act. 2005: Irwin Law.

3. El Emam K, King M. The data breach analyzer. 2009; Available from: [http://www.ehealthinformation.ca/dataloss].

4. Willison D, Emerson C, Szala-Meneok K, Gibson E, Schwartz L, Weisbaum K. Access to medical records for research purposes: Varying perceptions across Research Ethics Boards. Journal of Medical Ethics, 2008; 34:308-314.

5. El Emam K, Dankar F, Issa R, Jonker E, Amyot D, Cogo E, Corriveau J-P, Walker M, Chowdhury S, Vaillancourt R, Roffey T, Bottomley J. A Globally Optimal k-Anonymity Method for the De-identification of Health Data Journal of the American Medical Informatics Association, 2009.

6. El Emam K, Jonker E, Sams S, Neri E, Neisa A, Gao T, Chowdhury S. Pan-Canadian De-Identification Guidelines for Personal Health Information (report prepared for the Office of the Privacy Commissioner of Canada). 2007; Available from: [http://www.ehealthinformation.ca/documents/OPCReportv11.pdf]. Archived at: [http://www.webcitation.org/5Ow1Nko5C].

7. El Emam K, Brown A, Abdelmalik P. Evaluating Predictors of Geographic Area Population Size Cutoffs to Manage Re-identification Risk. Journal of the American Medical Informatics Association, 2009; 16(2):256-266.

8. ISO/TS 25237. Health Informatics: Pseudonymization. 2008.

9. Hansell S. AOL Removes Search Data on Group of Web Users in New York Times. 2006: 8 August.

10. Barbaro M, Zeller Jr. T. A Face Is Exposed for AOL Searcher No. 4417749 in New York Times. 2006: 9 August.

11. Zeller Jr. T. AOL Moves to Increase Privacy on Search Queries, in New York Times. 2006: August 22.

12. Ochoa S, Rasmussen J, Robson C, Salib M. Reidentification of individuals in Chicago's homicide database: A technical and legal study. 2001; Massachusetts Institute of Technology.

13. Narayanan A, Shmatikov V. Robust de-anonymization of large datasets (how to break anonymity of the Netflix prize dataset). 2008; University of Texas at Austin.

14. Sweeney L. Computational disclosure control: A primer on data privacy protection. 2001, Massachusetts Institute of Technology.

15. Appelate Court of Illinois - Fifth District. The Southern Illinoisan v. Department of Public Health. 2004.

16. The Supreme Court of the State of Illionois. Southern Illinoisan vs. The Illinois Department of Public Health. 2006.

17. Federal Court (Canada). Mike Gordon vs. The Minister of Health: Affidavit of Bill Wilson. 2006.

18. El Emam K, Dankar F. Protecting privacy using k-anonymity. Journal of the American Medical Informatics Association, 2008; 15:627-637.

19. El Emam K. Heuristics for de-identifying health data. IEEE Security and Privacy, 2008:72-75.

20. Federal Data Protection Act (Germany). 2006.

21. Article 29 Data Protection Working Party. Opinion 4/2007 on the concept of personal data: Adopted on 20th June. 2007; Available from: [http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2007/wp136_en.pdf]. Archived at: [http://www.webcitation.org/5Q2YBu0CR].

22. El Emam K, Kosseim P. Privacy Interests in Prescription Records, Part 2: Patient Privacy. IEEE Security and Privacy, 2009; 7(2):75-78.

23. Canadian Institutes of Health Research. Recommendations for the Interpretation and Application of the Personal Information Protection and Electronic Documents Act (S.C.2000, c.5) in the Health Research Context Canadian Institutes of Health Research. 2001; Available from: [http://www.cihr-irsc.gc.ca/e/documents/recommendations_e.pdf].

24. Canadian Institutes of Health Research. Background Legal Research and Analysis in Support of CIHR's Recommendations with Respect to the Personal Information Protection and Electronic Documents Act (PIPEDA) (S.C. 2000, c. 5). 2001; Available from: [http://www.cihr-irsc.gc.ca/e/documents/legal_analysis_e.pdf].

25. Commission regulation (EC) No 831/2002 o1 17 May 2002 on implementing council regulation (EC) No 322/97 on community statistics, concerning access to confidential data for scientific purposes. Official Journal of the European Communities, 2002.

26. Beach J. Health care databases under HIPAA: Statistical approaches to de-identification of protected health information. DIMACS Working Group on Privacy/Confidentilaity of Health Data. 2003.

27. American Public Health Association. Statisticians and de-identifying protected health information for HIPAA. 2005; Available from: [http://www.apha.org/membergroups/newsletters/sectionnewsletters/statis/fall05/2121.htm].

28. Brownlee C, Waleski B. Privacy Law. 2006: Law Journal Press.

29. Mike Gordin and the Minister of Health and the Privacy Commissioner of Canada: Memorandum of Fact and Law of the Privacy Commissioner of Canada. 2007; Federal Court.

30. Long M, Perrin S, Brands S, Dixon L, Fisher F, Gellman R. Privacy enhancing tools and practices for an electronic health record (EHR) environment: Phase 2 of a research report for Health Canada's Office of Health and the Information Highway. 2003; Health Canada.

31. Pabrai U. Getting Started with HIPAA. 2003: Premier Press.

32. El Emam K. Data Anonymization Practices in Clinical Research: A Descriptive Study. 2006; Health Canada, Access to Information and Privacy Division. 33. National Committee on Vital and Health Statistics. Report to the Secretary of the US Department of Health and Human Services on Enhanced Protections for Uses of Health Data: A Stewardship Framework for "Secondary Uses" of Electronically Collected and Transmitted Health Data. 2007.

34. Clause S, Triller D, Bornhorst C, Hamilton R, Cosler L. Conforming to HIPAA regulations and compilation of research data. Amercian Journal of Health-System Pharmacy, 2004; 61(10):1025-1031.

35. Duncan G, Jabine T, de Wolf S. Private Lives and Public Policies: Confidentiality and Accessibility of Government Statistics. 1993: National Academies Press.

36. de Waal A, Willenborg L. A view on statistical disclosure control for microdata. Survey Methodology, 1996; 22(1):95-103.

37. Office of the Privacy Commissioner of Quebec (CAI). Chenard v. Ministere de l'agriculture, des pecheries et de l'alimentation (141). 1997.

38. National Center for Education Statistics. NCES Statistical Standards. 2003; US Department of Education.

39. Cancer Care Ontario Data Use and Disclosure Policy. 2005; Cancer Care Ontario.

40. Security and confidentiality policies and procedures. 2004; Health Quality Council.

41. Privacy code. 2004; Health Quality Council.

42. Privacy code. 2002; Manitoba Center for Health Policy.

43. Subcommittee on Disclosure Limitation Methodology - Federal Committee on Statistical Methodology. Working paper 22: Report on statistical disclosure control. 1994; Office of Management and Budget.

44. Statistics Canada. Therapeutic abortion survey. 2007; Available from: [http://www.statcan.ca/cgi-bin/imdb/p2SV.pl?Function=getSurvey&SDDS=3209&lang=en&db=IMDB&dbg=f&adm=8&dis=2#b9]. Archived at: [http://www.webcitation.org/5VkcHLeQw].

45. Office of the Information and Privacy Commissioner of British Columbia. Order No. 261-1998. 1998.

46. Office of the Information and Privacy Commissioner of Ontario. Order P-644. 1994; Available from: [http://www.ipc.on.ca/images/Findings/Attached_PDF/P-644.pdf].

47. Alexander L, Jabine T. Access to social security microdata files for research and statistical purposes. Social Security Bulletin, 1978; 41(8):3-17.

48. Ministry of Health and Long Term care (Ontario). Corporate Policy 3-1-21. 1984.

49. El Emam K, Sams S. Anonymization case study 1: Randomizing names and addresses. 2007; Available from: [http://www.ehealthinformation.ca/documents/PACaseStudy-1.pdf]. Archived at: [http://www.webcitation.org/5OT8Y1eKp].

50. Numeir R, Lemay A, Lina J-M. Pseudonymization of radiology data for research purposes. Journal of Digital Imaging, 2007; 20(3):284-295.

51. Eguale T, Bartlett G, Tamblyn R. Rare visible disorders / diseases as individually identifiable health information. Proceedings of the American Medical Informatics Association Symposium. 2005.

52. El Emam K. De-identifying health data for secondary use: A framework. 2008; Available from: [http://www.ehealthinformation.ca/documents/SecondaryUseFW.pdf].

53. El Emam K, Dankar F, Vaillancourt R, Roffey T, Lysyk M. Evaluating patient re-identification risk from hospital prescription records. Canadian Journal of Hospital Pharmacy, 2009; 62(4):307-319.