Dentists wishing to sell their practices will face significant, if not insurmountable, legal obstacles starting January 1, 2004. For almost all dentists, the federal privacy act comes into force on that date. Most dentists will need to change their policies and procedures for collecting, using and disclosing personal information. The sleeper issue for many dentists is that they will not be able to collect, use or disclose personal information about patients without consent. For example, dentists may need to obtain patient consent now to make “due diligence disclosure” to close the sale of the practice years in the future.
WHEN DOES PRIVACY LEGISLATION TAKE EFFECT?
For almost all dentists, the federal privacy act takes effect this coming January. On January 1, 2004, the Personal Information Protection and Electronic Documents Act comes fully into force. Ontario has circulated a draft Privacy of Personal Information Act, but it is highly unlikely that it will be enacted before this January. Dentists covered by the federal privacy act need to have their policies and procedures in place by then.
WHO DOES PRIVACY LEGISLATION APPLY TO?
The privacy act is intended to cover the entire private sector. With very few exceptions, the privacy act applies to anyone who carries on “commercial activities”. That will include most dentists. Even if the government pays for the goods or services, the privacy act will likely apply. Only dentists employed by a government body or a non-profit agency that does not sell goods or services will be exempt.
The privacy act applies to any collection, use or disclosure of personal information. “Personal information” means any information about an identifiable individual that relates to their personal characteristics (e.g., gender, age, colour, ethnic background, education, family status), their health (e.g., health history, health conditions, health services received by them) or their activities and views (e.g., dealings with the dentist, opinions expressed by an individual, religion, political involvement, a dentist’s view or evaluation of an individual). Personal information is to be contrasted with business information (e.g., an individual’s business address and telephone number), which is not protected by the privacy act.
WHAT HAS TO BE DONE?
Each organization (e.g., dental office) must appoint an Information Officer and develop and publish its privacy policy. The Information Officer should be a senior person in the organization. The Information Officer can be an outsider hired by an organization to perform this role, but that may make it more difficult for the organization to develop a privacy policy that fits its office or practice.
The Information Officer is responsible for overseeing an organization’s compliance with its privacy obligations. This privacy policy would cover the following issues:
reviewing the organization’s policies and practices for collecting, using and disclosing personal information (including conducting an audit of the current personal information practices of the organization);
implementing procedures to safeguard personal information;
ensuring individuals such as patients have the right to access and correct any personal information about themselves held by the organization;
implementing a retention and destruction of information policy;
training the organization’s staff;
acting as a contact person for inquiries from the public or clients; and
ensuring there is a process for handling complaints made about the organization’s information practices.
These policies must be made available to the public. This public access obligation might be met by posting the policy on the organization’s website or in its reception area. Alternatively, a copy can be provided to new clients on their first visit and to anyone else upon request. The policies have to be understandable.
Privacy policies apply on an “organizational” level. Often the identity of the organization is obvious because the solo dentist, partnership or corporation is well defined. However, where a group of people or entities work together in a loose affiliation, there may be more than one way to define the organization. Dentists and their business associates can then decide who their organization will be. For example, every dentist can have his or her own privacy policy. Or, dentists working with others can join together to form a broader organization with one privacy policy covering them all. It just depends on what is most convenient for everyone. Everyone within an organization has to agree to be monitored by the Information Officer. Also organizations will need special consent to disclose personal information outside of the organization.
WHAT ARE THE RESTRICTIONS ON THE COLLECTION, USE AND DISCLOSURE OF PERSONAL INFORMATION?
As a general rule, dentists need to obtain informed consent for the collection, use and disclosure of personal information. This consent is distinct from the consent for providing services. Like any consent, it can be obtained in writing, verbally or by implied consent. In the traditional circumstance of a dentist collecting information directly from the client solely for the purpose of providing services to the client, consent may be implied. However, any departure from this simple approach creates some new obligations for obtaining informed consent. In real life, the simple approach is not usually enough.
Areas in which some change may be required include the following:
Where the dentist collects information about other individuals (e.g., about the client’s family members or those contributing to the client’s condition).
Where the dentist collects information about the client from other persons (e.g., from previous dentists for the client, from family members of the client, from the client’s social contacts).
Where the dentist collects information to be shared with others who are also advising or providing services to the client (i.e., a team approach).
Where there is the likelihood of an ongoing relationship and the information will be used for ongoing services, especially if this is not obvious to the client (e.g., collecting a broad background of a client’s health, family or financial situation to ensure that one can provide broader services later on).
Where third parties will have access to the information (e.g., for a legal, billing or financing purposes).
Where the dentist will use the information for related purposes (e.g., for billing the client or a third party later).
Where the dentist will use or disclose the information for secondary purposes (quality control by the organization, regulatory accountability, research).
Where the dentist might sell the practice or business later on and will need to provide prospective purchasers with access to client information to help the purchaser conduct a due diligence review.
In any of these circumstances, the dentist should at a minimum explain the purposes for which the information is being collected and obtain some form of consent. Often the consent process can be a brief oral discussion with the client. Giving the client a handout setting out the dentist’s usual information practices and checking with the client that he or she understands the handout would often be sufficient. Alternatively, obtaining a written consent at a client’s first visit may work in many circumstances. While the Information and Privacy Commissioner is leery of obtaining blanket consents, it may be that, for the usual private practice, this may be appropriate and sufficient.
There are some exceptions that permit dentists to collect information without consent. The most common example is where the purpose is to investigate a breach of law or contract and obtaining consent would compromise the investigation (e.g., a fraud by a client; helping a client deal with a third party). Certain emergency situations (e.g., oral health crisis) may permit the collection, use or disclosure of information without consent as well.
Dentists are also obliged to collect the
least amount of personal information that is consistent with the purposes for which it was collected. For example, collecting an individual’s Social Insurance Number is usually not necessary. One should not routinely collect a client’s home address (unless the client wants something to be sent there, such as an account or a reminder notice). Dentists should not collect financial information about a client who pays the full account at the time of service.
WHAT KIND OF SAFEGUARDS ARE NEEDED?
Most dentists are already careful to preserve their client’s confidentiality. However, when setting out the safeguard policies in writing, dentists may wish to review some of his or her practices. For example, can people see confidential files or computer screens when walking through the office or clinic? Is all personal information shredded before being put in the recycling box? The Information and Privacy Commissioner strongly disapproves of sending personal information through regular email over the Internet.
WHAT ARE ACCESS AND CORRECTION RIGHTS?
A fundamental principle of the privacy act is that any individual has the right to request and see any personal information dentists hold about them. In fact, dentists are required to help individuals make such a request (e.g., explain the filing system so the person knows what to ask for) and to assist them in understanding the information (e.g., explain abbreviations and technical terms). There are a few exceptions where access can be restricted (e.g., where the disclosure will reveal personal information about another individual or will reveal trade secrets), but these are narrow. Dentists will also have to tell individuals to whom the organization has disclosed the personal information about them.
If the individual believes any of the personal information is wrong, he or she can ask that it be corrected. The organization must correct any information it agrees is wrong. The organization must also notify any third parties who received the wrong information of the correction. Where the client and the organization cannot agree that an error has been made then the organization must record the disagreement and notify any third parties who received the contested information. Disagreements about corrections can be taken to the Information and Privacy Commissioner who may review the situation.
WHAT SHOULD AN INTERNAL COMPLAINT SYSTEM LOOK LIKE?
Organizations must also have an internal complaints system to handle concerns about their privacy practices. The internal complaints system should have the following features:
a designated individual in the organization (perhaps the Information Officer) to receive and ensure the prompt investigation and response to all complaints;
an easily accessible and simple to use complaints procedure that at a minimum includes:
– acknowledging receipt of the complaint,
– investigating it, and
– providing a decision with reasons;
a process for the organization to respond appropriately to complaints that are justified including making changes to its privacy policies; and
notifying the public of external recourses including the dentist’s regulatory body and the federal Information and Privacy Commissioner.
WHO ENSURES COMPLIANCE WITH THE PRIVACY LEGISLATION?
Dentists will be held accountable to both the federal Information and Privacy Commissioner and, to a lesser extent, their own regulatory body, in respect of their compliance with the privacy act.
The federal Information and Privacy Commissioner has oversight of the privacy act and functions as an ombudsman. The Commissioner has the following responsibilities:
investigating complaints about an organization’s personal information handling practices including entering the organization’s premises and summonsing documents and witnesses;
mediating and conciliating such complaints;
auditing the personal information handling practices of an organization;
making a public report of poor personal information practices by an organization;
seeking remedies for a breach of the privacy act in the Federal Court of Canada.
Once the Commissioner has issued a report, either the complainant or the Commissioner can then apply to the Federal Court of Canada for one or more of the following remedies:
an order for the organization to correct its personal information handling practices;
an order for the organization to publish a notice of corrective action; or
an award of damages for any humiliation of the complainant.
All indications are that the Information and Privacy Commissioner’s office tends to be educational rather than punitive in their enforcement style. However, it is still better to avoid a complaint than having to deal with one.
Professional regulators may also hold the dentist accountable for his or her privacy practices. Where the conduct involves a breach of core professional values, regulators will have an additional reason to take regulatory action. Even where core professional values are not breached, every dentist is generally obliged to comply with the law, especially those designed to protect the public or which reflect on the dentist’s suitability to be a member of the profession. Many breaches of the privacy act by a dentist may warrant some regulatory action.
WHERE TO START?
The privacy act may seem like a lot of work. However, the key is for dentists to develop a privacy policy. A privacy policy provides a process for dentists to review and revise their organization’s practices and to obtain the consent from clients in the future. With a few adjustments to existing practices and informed consent from clients, most dentists will be ready for the new privacy era.
Richard Steinecke will be a presenter at a Federation of Health Regulatory Colleges of Ontario seminar on getting ready for the new privacy legislation on October 8, 2003. The seminar will be broadcast live to seven locations throughout the province. See www.wdysevents. com/privacyseminar for registration information.
Oral Health welcomes this original article.
