Bill 122, Broader Public Sector Accountability Act, 2010
In December 2010, the Ontario legislature passed Bill 122, the Broader Public Sector Accountability Act, 2010, which extends the Freedom of Information and Protection of Privacy Act (FIPPA) to hospitals, outlines guidelines for the use of personal information (excluding personal health information) for fundraising purposes and requires hospitals and LHINs to post expenses of senior executives online and to report annually on their use of consultants.
FIPPA Extension - Key Points
- FIPPA will apply to hospitals as of January 1, 2012. Records that came into a hospital’s custody and/or control on or after January 1, 2007 will be subject to FIPPA and to access requests under that legislation.
- As of January 1, 2012, FIPPA will also be amended to provide that FIPPA does not apply to certain hospital records such as:
  - Records that relate to the operations of a hospital foundation; and
  - Records that relate to charitable donations made to a hospital.
This means that those types of records would not be subject to access requests. This would, of course, not preclude a hospital from disclosing such information in an appropriate case.
- The amendments to FIPPA make it clear that a hospital may use personal information in its records for its own fundraising activities (or the fundraising activities of an associated foundation). Sections 41 – 43 of FIPPA, however, outline certain rules pertaining to this use, including giving notice to individuals, in the initial fundraising communication and periodically thereafter, that the individual may request that their personal information not be used or disclosed for fundraising purposes, or disclosed to or used by an associated foundation for fundraising purposes.
- In order for the hospital to disclose personal information to another person for fundraising purposes (i.e. a foundation) there must be a written agreement in place and the information disclosed must be reasonably necessary for the fundraising purposes.
- The written agreement between the hospital and the foundation must require that the notification requirements set out above be met by the foundation, must require the information disclosed by the hospital to the foundation to be disclosed to the individual to whom the information relates upon request and must require that the foundation cease using the personal information of any individual who so requests.
- Bill 122 and FIPPA, however, do not apply to personal health information. This means that fundraising efforts that involve the use of personal health information (such as contact information for a patient) are subject to the requirements, obligations and restrictions set out in the Personal Health Information Protection Act, 2004.
What this Means for Hospital Foundations
1. Foundation information and Freedom of Information Requests
- Hospital foundations are not subject to FIPPA and therefore do not need to develop record tracking systems in order to comply with access requests under that legislation. They must, however, implement sound record keeping practices in order to ensure their contractual obligations in respect of fundraising activities are met (i.e. the obligations that hospitals are obliged to pass on to the foundation).
- Foundation information that is shared with an associated hospital comes into the custody and under the control of the hospital and is therefore subject to FIPPA. That information includes, among other items, e-mail messages, hospital meeting minutes and board reports.
- The hospital may choose not to disclose foundation information under the two types of information excluded from FIPPA:
  - Information related to the operations of the hospital foundation; and
  - Information related to a charitable donation made to the hospital.
- In addition, the hospital must not disclose foundation information that falls within mandatory FIPPA exemptions, such as personal information or sensitive business information supplied by a third party.
- Although hospitals will want to try to maintain consistency in their approach to responding to access requests, it is important to keep in mind that each access request made to a hospital must be considered on a case-by-case basis.
- Foundations should work with their associated hospital as the hospital develops FIPPA processes and procedures to ensure that foundations understand the process the hospital intends to use in responding to access requests and to ensure that appropriate procedures are put in place to address requests for information that is excluded from FIPPA (such as foundation or donation information).
2. FIPPA Privacy Rules
- Personal information in the custody or control of hospitals is now subject to FIPPA. However, FIPPA does not change the obligations that a hospital has concerning the collection, use and disclosure of personal health information as found in the Personal Health Information Protection Act, 2004.
Ontario Ministry of Health and Long Term Care Bill 122 website: http://www.health.gov.on.ca/en/legislation/bpsa/default.aspx
FIPPA with new amendments:
FIPPA amendments regarding hospital foundation exclusions:
- (5.4) "This Act does not apply to records that relate to the operations of a hospital foundation. 2010, c. 25, s. 24 (17)."
- (5.6) "This Act does not apply to records relating to charitable donations made to a hospital. 2010, c. 25, s. 24 (17)."
Sources: Ontario Ministry of Health and Long Term Care website, and Ogilvy Renault LLP