Privacy Laws & Health Information: Making it Work
Privacy Laws & Health Information Conference
October 27, 2004
Address by Jennifer Stoddart
Privacy Commissioner of Canada
(Check against delivery)
Good morning. What a pleasure to be invited to address the topic of health information privacy here in Saskatchewan, the home of Tommy Douglas, Roy Romanow, and the birthplace of Medicare. It was 1947 and while indoor plumbing was still a luxury in most of rural Canada, here in Saskatchewan Premier T.C. Douglas had just introduced publicly insured hospital services. It was the beginning of a world-renowned system of universally accessible medical care that we cherish today.
Thirty-five years later, in 1982, Tommy Douglas remarked that the first phase of Medicare was to remove the financial barriers and the second phase would be to reorganize and revamp the delivery system. That, he said, was the big item. That was the big thing we hadn't done yet. Twenty-two years later, we're still working on it, and you are all part of that endeavour. We're here to talk about protecting the privacy of personal health information. In the world of privacy protection, there is perhaps no area that is quite as sensitive. Health information is about us in a way that is unique and intensely personal.
I think the words of Justice Gérard La Forest sum it up very neatly. He said "The use of a person's body without his consent to obtain information about him invades an area of privacy essential to the maintenance of his human dignity." (R v Dyment)
This recognition of the special nature of personal health information is why we are here today.
Health Care Information and Privacy Laws
I am delighted to see this turnout. I understand from Gary Dickson that this two-day conference is completely sold out! This is a great indication of your commitment to protecting the privacy of your patients and clients. I know the stampede to sign up may also indicate uncertainty and confusion on the front lines of health care privacy protection, and I hope to help with that. You have questions and concerns about compliance with provincial or federal laws or both, about putting privacy practices into action, how to avoid problems, and how to handle complaints. Part of what you may be wondering about is how to determine which legislation applies to you and your organization.
As Privacy Commissioner of Canada, my role here today will be to speak with you about:
- the overall landscape of privacy in Canada, and my Office's role in oversight and compliance;
- how federal privacy law protects Canadians' personal health information, how the federal law interacts with provincial laws, and what our Office is doing to promote harmonization;
- some practical tips for strong privacy practices in smaller settings.
I also have time at the end of my presentation to take questions and hear about any solutions and best practices you have come up with in your organizations. I am very aware that the community of medical and health practitioners has for years been in the forefront of understanding the need for confidentiality of patient information and the protection of privacy. The medical profession's codes of conduct and ethical practices have honoured the concepts of patient privacy and confidentiality for centuries before the rest of us caught up. You are way ahead of the pack.
So what I am hoping to do is to leave you with the understanding that privacy laws in Canada can and do work together, and that when it comes to protecting personal and very sensitive health information of Canadians, we are all in this together.
An Overview of Privacy Legislation in Canada
The personal information of individuals is protected in Canada in roughly three categories — public sector, private sector, and health information.
In the public sector, personal information held by government departments, agencies or institutions is protected by the Privacy Act at the federal level. Each province and territory also has a public sector privacy law — that is, a law that provides individual access to and protections for their personal information held by governments. In Saskatchewan, it is of course the Freedom of Information and Protection of Privacy Act. Newfoundland has yet to proclaim its law, but has recently re-affirmed its commitment to doing so.
In the private sector, there is the federal Personal Information Protection and Electronic Documents Act, which I am sure you all know by now as PIPEDA. The Act stipulates that private sector organizations covered under the law cannot collect, use, or disclose personal information about an individual without that person's consent. Once collected, that information can only be used for the original purpose for which consent was obtained — and even with consent, only for a purpose that a reasonable person would find appropriate under the circumstances.
PIPEDA has been implemented in stages beginning in 2001, first applying only to the federally regulated commercial sector — banks, telecommunications companies, airlines, for example, and to the sale of information across provincial or national borders.
Parliament delayed the application of the law to personal health information for a year after that and so PIPEDA has covered personal health information in the federally regulated sector and when it crosses borders since January, 2002.
In January 2004, PIPEDA came fully into force for the commercial sector. Currently, the federal law applies to all commercial activities in Canada — including those that involve health care — except where provinces have passed substantially similar privacy legislation. Where substantially similar legislation has been passed, the federal government may, by Order in Council, exempt the province from the jurisdiction of the federal legislation, and the provincial law will apply. PIPEDA does not extend to employee information, including health information, except in federal works, undertakings, or businesses — which we like to call FWUBs.
Québec was the first province in Canada to have its legislation declared substantially similar to PIPEDA. I am very pleased to say that substantially similar orders were made in mid-October for Alberta and British Columbia.
Health Sector Privacy Laws
Quebec has had health privacy legislation for the public sector since the early 1990s, and Alberta, Saskatchewan, Manitoba and Ontario have more recently enacted health-specific privacy laws. These laws recognize the particularly sensitive nature of personal health information, and take into account the demands and circumstances of health care treatment.
- Manitoba was a leader in this field in English-speaking Canada with the Personal Health Information Act.
- Saskatchewan passed The Health Information Protection Act in 1999. It came into force last September, with regulations being developed this fall and winter.
- Alberta's Health Information Act was passed in 1999 and came into effect in 2001.
- Ontario recently passed its own Personal Health Information Protection Act, which will come into force in a few days on November 1.
I realize there is some confusion in the health care sector over which law applies to which activities. Again, none of these laws has yet been deemed to be "substantially similar" to the federal legislation, and so, PIPEDA applies to personal information used during the course of commercial activities in the health sector in all provinces, except in Quebec.
Ontario has requested that its legislation be considered substantially similar to PIPEDA. When that happens, doctors and other health care providers will be covered by the provincial Act. Interestingly, the Act does not differentiate between private and public sector health care providers. Our opinion is that the Ontario legislation is substantially similar to the federal law. We are confident that the Ontario Act will be deemed substantially so in due course. Currently, PIPEDA still applies in Ontario for personal health information used in the course of commercial activity.
So what is commercial activity in the health care sector?
You can be forgiven if you remain somewhat confused about what constitutes a commercial activity! It is not always clear, particularly in the health care sector. Sometimes there is a mix of public health care and private health care functions to be taken into account. We have found it difficult to make generalizations in our office, and cases may need to be examined individually.
- First of all, PIPEDA does not extend to the core activities of hospitals — that is, patient care and treatment.
- Non-core activities do fall under PIPEDA, even if they take place on hospital property. For example, a pharmacy leasing space within a hospital to carry on a business would fall under our federal Act.
- Individual doctors and other health practitioners also come under PIPEDA even if they also see patients in a hospital setting. A doctor, dentist, chiropractor or optometrist is a self-employed professional engaged in commercial activity. So records of a patient's stay in hospital are not covered by PIPEDA, although they would be covered by the applicable provincial health information privacy law. Health records generated by a patient's visit to a private practitioner would be covered under PIPEDA, and also could be covered by the applicable provincial legislation that is in force.
- Ontario's new Health Information Protection Act will not differentiate between public and private health care providers. All Health Information Custodians who collect, use and disclose personal health information will fall under the Ontario Act. The term custodian is also used in the Alberta legislation, and is roughly equivalent to the "trustee" as defined in your Act here in Saskatchewan and the Manitoba Act.
Response to Privacy Commissioner Gary Dickson's Concerns
- I know you have been busy here in Saskatchewan recently, developing the regulations that are to be used with the recently proclaimed Health Information Protection Act. I have read Gary Dickson's well-argued and thoughtful report on these regulations, and hope you will allow me the liberty of making a few comments on his recommendations.
- Informed consent is the backbone of our net of privacy principles and practices — the glue that holds the fair information principles together. There will be situations in the health care field where there is a need to disclose patient information without consent. I echo Commissioner Dickson's concern that these situations be kept to as few as possible. As he points out, it may not be appropriate to disclose patient condition information to the media without the consent of the individual.
- I note with interest that you are grappling here with the fundraising issue, which is one that must be dealt with very carefully. Fundraising by hospital foundations is extremely important to their ongoing provision of quality services. I am sure many grateful patients are happy to make donations. Commissioner Dickson has made some recommendations on this issue and he points out that fundraising is handled in different ways in different jurisdictions. Alberta is one example, where the Health Information Act specifically prohibits the use of individually identifying health information to market a service or for solicitation, without the express consent of the individual. I am sure there will be a lively debate around this issue at this conference, and I look forward to hearing your views.
Definitions of Personal Health Information
Because PIPEDA does apply here in Saskatchewan and in Manitoba, perhaps this is a good time to look at how the federal act defines personal health information. PIPEDA contains a definition that is quite broad, and recognizes the many situations in which health information is used in the private sector.
The Act defines "personal health information" as:
- information concerning the physical or mental health of the individual, for example a diagnosis of depression;
- information concerning any health service provided to the individual;
- information concerning the donation of any body part or any bodily substance, or information derived from the testing or examination of a body part or bodily substance. An example of this might be a blood sample collected by an insurance company, and anything determined from that sample;
- information that is collected in the course of providing health services to the individual — such as a history of certain diseases or conditions;
- information that is collected incidentally to the provision of health services to the individual.
PIPEDA may come into play in a variety of health care settings, from blood tests to psychological counselling. Health care professionals have an obligation to let patients know about how personal information will be collected, used, or disclosed, and they need to obtain consent to disclose this information to third parties.
PIPEDA and the "Circle of care"
- Our Office recognizes and understands the need for information to flow from health care provider A to health care provider B in order to ensure the best level of patient care. We recognize the principle of implied consent for information to flow freely within the "circle of care".
- The definitions around the "circle of care" relate to the care and treatment of the patient and health care services for the therapeutic benefit of the patient. This would include laboratory work and professional case consultation with other health care providers.
- Patients can be informed of how their information may be used and disclosed, and of their rights to consent and access by posters, brochures in the waiting room — in short, a general statement will do. We don't expect practitioners to have long conversations with each patient.
- I know that I am preaching to the converted here when I talk about patient confidentiality. Most health care practitioners have well-thought-out systems and ethical codes for maintaining the privacy of their patient files. PIPEDA also requires that an individual have access to the personal information organizations have about them, and this is an area that practitioners may need to develop. But in general, PIPEDA should not impact greatly on the regulated health professionals who already have good privacy and confidentiality practices in place.
Why is personal health information different?
- We have an understanding of the special nature of health care information on two fronts. First, the sensitive nature of health care information and its potential for misuse and abuse set it apart. What is more deeply personal than the fact you were treated for cancer or depression, had a heart attack, had a substance abuse problem, were tested for HIV, or had an abortion? It's hard to overstate how much harm could be done by the inappropriate disclosure or release of this kind of information.
- So first and foremost, we must be able to rely on those who handle our health care information to keep it absolutely confidential, store it securely, and release it only with our consent or under carefully prescribed circumstances as required by law.
- Secondly, we know the circulation and sharing of health care information can benefit patients and result in better care and a more responsive health care system. During the drafting of PIPEDA there was anxious lobbying to remove health information entirely from the Act. There were concerns that consent obligations might affect the quality of care.
- Our Office, along with the federal departments of Justice, Health and Industry, has worked with stakeholders to help clarify the application of the Act and alleviate concerns. Practical guidance materials have been developed for practitioners — notably, the Privacy Awareness Raising Tools document. This offers 75 questions and answers about how PIPEDA applies to the health care sector. You will find a link to this useful document in the Resources area of our website — www.priv.gc.ca. The Canadian Medical Association also has an exemplary resource for privacy compliance in the CMA Health Information Privacy Code, available on their website at www.cma.ca.
- Now I would like to talk a bit about harmonization — that is, how our federal law works with provincial laws to offer Canadians seamless privacy protection for their medical information.
- Harmonization does not mean that all jurisdictions will take exactly the same approach to privacy, that legislation will have the same wording, or handle complaints and solutions the same way. This would not be workable or desirable. Harmonization does mean we will work together with the provinces whenever we can, and particularly when there is overlap in the jurisdictions concerning the health care sector.
- Staff members in our office are in regular contact with their counterparts in the provinces; we've recently had staff exchanges with other privacy commissioners' offices and hope to arrange more in the future. We have a good working relationship with Alberta and British Columbia and worked out a protocol on how to handle the transfer of complaints in anticipation of the recent substantially similar orders.
- We are encouraged by the level of cooperation we have achieved with the provinces, and hope to expand this process. We are committed to working with Ontario to ensure a smooth transition when Bill 31 comes into force. We have already started consultations with the Office of the Information and Privacy Commissioner of Ontario on how to handle complaint files in a cooperative and coherent fashion.
- We are also in contact and have opened a dialogue with a number of health care organizations, including the Canadian Medical Association, the Canadian Royal College of Physicians and Surgeons, the Chain Drugstore Association and others. We continue to learn and to exchange information and best practices with these organizations.
- Certainly one of the greatest challenges facing everyone connected with health information is the implementation of electronic medical records. I know you are all familiar with the Saskatchewan Health Information Network, which is an innovative project to electronically link provincial health service sites. While this technological advance can provide major health care benefits and ultimately, better patient care and outcomes, it also raises challenges for privacy and security of records.
- On the federal scene, the Pan-Canadian Personal Health Information Privacy and Confidentiality Framework is a federal, provincial and territorial project to develop a comprehensive set of rules for electronic as well as paper-based health records in all organizations — public or private, engaged in commercial activity or not, all across Canada. As currently envisioned, the Pan-Canadian Framework would be broader in scope than PIPEDA. Our office is supportive of the general intent of this initiative. We have made specific recommendations to Health Canada that we hope will strengthen the privacy, access, and security provisions. This is a long-term project, one which we will be following closely.
I would like to thank you again for inviting me to share ideas with you on how to make our privacy laws work together. I would urge you not to miss the forest for the trees when implementing privacy policies in your individual workplaces. While federal and provincial privacy laws may be different in the details, they share a common commitment to basic principles of fair information handling.
You may all be familiar with these already, but I will highlight them for everyone's benefit:
- Identifying purposes
- Limiting collection
- Limiting use, disclosure, and retention
- Individual access
- Challenging compliance
These principles can be applied to your management of personal information, even if you are in a smaller organization.
- First, review your information management practices to see what you collect, what you use it for, if you really need it, and to whom you disclose it. Personal health information is almost always considered to be sensitive information and it should be protected by safeguards that are appropriate to that sensitivity.
- Files should be locked in a secure area, with controlled access. Third party contracts for processing or storage of personal health information should include specific privacy protection clauses.
- Records must also be disposed of properly — that means being shredded on-site, or by a reputable company, not being sent to a landfill site. After reviewing your practices, establish a policy and make sure someone is responsible for compliance and for handling access requests.
You can also find a lot of practical advice in our Guide for Businesses and Organizations, which I believe you have been provided with as part of your conference package. If you need more copies, please contact our office at 1-800-282-1376 and we will be glad to send some out to you.
Thank you for your time and attention today. I hope that I have been able to dispel some of your concerns and confusion over jurisdictional issues. I think you will find that applying common sense, your own professional ethics, and common courtesy when dealing with the personal health information of others will go a long way towards compliance, whether with the federal PIPEDA, or with your respective provincial acts.
If you have questions, I would be glad to answer them now.