PIPEDA Awareness Raising Tools (PARTs) Initiative For The Health Sector
Questions & Answers
NOTICE: This document has been prepared in consultation with health care provider associations within the context of their day-to-day activities in providing care and treatment to Canadians. The answers to the questions may not necessarily be appropriate for organizations not subject to PIPEDA.
Overview:
1. What is the "Personal Information Protection and Electronic Documents Act" (PIPEDA)?
PIPEDA is federal legislation that protects personal information, including health information. It sets out ten principles that organizations, individuals, associations, partnerships and trade unions must follow when collecting, using and disclosing personal information in the course of a commercial activity.
2. Does PIPEDA apply throughout Canada?
The Act will not apply to personal information in Provinces and Territories that have substantially similar privacy legislation in place covering commercial activities that are provincially/territorially regulated. PIPEDA does not apply within the province of Quebec because the province has received substantially similar status, but the Act will continue to apply to the province of Quebec for personal information sent outside of the province and to organizations currently subject to the Act, such as banks, broadcasters, airlines, transportation companies and other federally regulated organizations. For more details on this subject please consult Industry Canada's web site at: www.strategis.ic.gc.ca/privacy
3a. What are the core features of PIPEDA?
The core features of PIPEDA include: obtaining consent and identifying the purpose for the collection of personal information, and obtaining additional consent (express consent in some cases) for any secondary uses or disclosures of the information. To make the consent valid, the Act requires communicating to individuals what personal information is being collected, and how it will be used, disclosed, and protected (see answer #19 for details).
3b. What are PIPEDA's key principles?
The 10 key principles of PIPEDA are listed below. The Q&As that follow will show how these elements apply in the health sector.
- Organizations are accountable for the protection of personal health information under their control.
- The purposes for which the personal information is being collected must be identified during or prior to the collection.
- Information must be collected with the knowledge and consent of the individual and for a reasonable purpose.
- The collection of personal information is to be limited to what is necessary for the identified purposes and will be collected by fair and lawful means.
- Information can only be used and disclosed for the purpose for which it was collected and will be retained only as long as it is necessary to fulfil the purpose.
- Information must be as accurate, complete and up-to-date as possible.
- Information must be protected by adequate safeguards.
- Information about an organization's privacy policies and practices is to be readily available.
- Information must be accessible for review and correction by the individual whose personal information it is, and
- Organizations are to provide the means for an individual to challenge an organization's compliance with the above principles.
* Organizations include associations, partnerships, trade unions, agencies, and institutions. It also includes health care providers in private practice.
4. Why is this law required?
PIPEDA aims to provide assurances to the public, patients, and providers that personal health information will continue to be managed and shared confidentially and securely.
The Government of Canada believes that, in most cases, PIPEDA's principles may not significantly differ from those currently in place in the health sector. However, to make consent valid PIPEDA requires informing patients of their privacy rights and providing them with an opportunity to know what personal information is being collected, for what purpose, how it will be used, disclosed, and protected (see answer #19 for details).
Key Definitions:
5. What is personal information?
In the health context, personal information means information about an identifiable patient which includes any factual or subjective information, recorded or not, about that individual, including health related information.
6. What is an organization?
An organization includes associations, partnerships, trade unions, agencies, and institutions. It also includes health care providers in private practice.
7. What is a commercial activity within the context of the health care sector?
A commercial activity involves the making and provision of a product or service that is commercial in nature. Under PIPEDA, commercial activities include, for example, the selling, bartering, or leasing of donor, membership or other fundraising lists for some consideration. The funding source (public health insurance, private payer, third-party payer, etc.) is not relevant in determining the existence of a commercial activity.
8. What is a "circle of care"?
The expression includes the individuals and activities related to the care and treatment of a patient. Thus, it covers the health care providers who deliver care and services for the primary therapeutic benefit of the patient and it covers related activities such as laboratory work and professional or case consultation with other health care providers.
Scope of Application:
9. Does PIPEDA apply to the entire health sector in Canada?
No, PIPEDA only applies to the information collected, used and disclosed in the course of commercial activities such as private pharmacies, laboratories and health care providers in private practices. Also, the Act will not apply to personal information in Provinces and Territories that have a substantially similar privacy legislation in place covering commercial activities that are provincially regulated, such as in the province of Quebec. For more details on this subject please consult Industry Canada's web site at: www.privacyforbusiness.ic.gc.ca
10. Are there significant differences between PIPEDA and current privacy practices in the health sector?
No, privacy is a right underpinning health care in Canada. This right is addressed in legislation, codes of ethics, standards and procedures. The Government of Canada believes that, in most cases, PIPEDA's principles may not significantly differ from those currently in place in the health sector. However, to make consent valid PIPEDA requires informing patients of their privacy rights and providing them with an opportunity to know what personal information is being collected, for what purpose, how it will be used, disclosed, and protected (see answer #19 for details).
11. Why must information about the collection, use, and disclosure of personal information be made available to patients?
Information about privacy rights must be made available to patients so that the patients can decide whether or not to consent to the collection, use and disclosure of their personal information.
12. Will PIPEDA impact on health care professionals/providers and health care facilities/services/agencies?
PIPEDA should not significantly alter the therapeutic provider/patient relationship. However, PIPEDA may require some changes. For example, in addition to informing individuals about the purpose of the collection, use and disclosure of their personal information to make their consent valid, health care organizations should review their practices and policies to ensure they meet the PIPEDA principles, in particular with respect to secondary uses of the personal health information, e.g. research, health surveillance and statistical analysis of data purposes.
13. Does PIPEDA apply within a circle of care?
Yes, it applies to commercial activities within the circle of care.
14. A number of health care providers work in settings that are not typically thought of as "health care facilities" - for example, schools, correctional facilities, halfway houses, and group homes. Will PIPEDA mean that different privacy rules can apply for different settings?
Yes. A key consideration in determining which organization or individual should comply with PIPEDA is who has control of the personal information and whether they are engaged in commercial activity.
PIPEDA does not apply to core activities of a municipality, public school, university, public hospital or correctional facility. Public sector legislation and provincial health information acts would apply in some cases and in some jurisdictions. For example, the Federal Privacy Act would apply in the case of a federal correctional institution.
PIPEDA applies to personal information collected, used, and disclosed during the course of any commercial activity. Records in organizations engaged in commercial activity would be covered by PIPEDA, e.g. private group homes.
In the case of an organization subject to PIPEDA that employs a health care professional on a contract basis or on salaried basis, the issue of accountability for compliance depends on who has control of the personal information - the organization, the professional or both.
15. Is the application of PIPEDA based on the nature of the activity (transaction) or is it based on the nature (public, private, commercial, non-profit, etc) of the health organization, institution, or agency?
It is based on the nature of the activity.
A non-profit organization can be engaged in a commercial activity to which the Act would apply. For example, the sale of a fundraising list by a charity can trigger the application of the Act with respect to that particular transaction.
The Act would not apply to a provincially funded hospital. Hospitals are beyond the constitutional scope of the Act as their core activities are not commercial in nature. Charging for a private room would not bring a hospital within the scope of the Act because the transaction is part of the hospital's core activities, i.e. providing accommodation.
In the case of a privately owned medical equipment store or TV rental business, if the hospital leases the space to the operator, the latter is responsible for complying with the Act, not the hospital.
16. How will PIPEDA have an impact on health professional regulations?
Remember that PIPEDA applies only in the context of commercial activities. If the health professional regulatory provisions exceed those of PIPEDA, then there is no impact. However, if the regulatory provisions are weaker or do not address certain requirements, then PIPEDA would prevail.
17. In the event that federal privacy legislation is at odds with provincial/territorial laws, standards and codes of practice governing professional associations, which legislation takes precedence? For example, a patient requests a change in his/her file and the regulatory body requires that records not be altered while PIPEDA allows modifications.
For a true conflict to exist between PIPEDA and provincial legislation, it must be impossible to comply with both requirements.
In the example noted above, one would not alter the document but instead add a notation to the file indicating the patient's view of the matter. If the information in the file were indeed inaccurate, it would be important to note it in the file but also indicate when and how the error was detected.
18. What impact will PIPEDA have on health facility accreditation, on quality assurance activities, on chart audits for safety, on reviews against performance measures, on programme/service evaluation?
Where it has been determined that PIPEDA applies to the particular health facility and a review is undertaken to assess and evaluate the care provided to an individual patient, still receiving care in the facility, then this review can be considered to be part of the circle of care.
In instances where a number of charts are reviewed as part of a broader quality assurance program, service evaluation, safety review, accreditation activity, or assessment of broader provider practices, de-identified patient information should be used or patient express consent should be obtained unless an existing provincial law permits these uses and disclosures.
Knowledge and Consent:
19. Under PIPEDA, the patient's knowledge of the collection, use and disclosure of their personal health information is required. How can this be achieved?
A person can be considered to understand, i.e. be knowledgeable, if they are made aware of their privacy rights including:
- What information is being collected about them
- Purposes for which the information is being collected
- How that information will be used by the provider/health facility/agency
- To whom the provider/health facility/agency will disclose the information
- How the patient can seek access to and corrections to their health record, and
- How the patient can exercise their right to complain about the organization's personal information practices.
There are several ways of informing patients of these rights, for example, posting of notices, brochures and pamphlets, and/or discussions in the normal course of exchanges that take place between a patient and a health care provider.
Patients should have the opportunity to discuss this information with a health care provider if they wish to do so.
20. Are there provisions in PIPEDA for compensating health professionals for complying with the legislation?
No, PIPEDA contains no provision for this or for any of the industry sectors it covers.
21. Can consent be implied for the use and disclosure of personal health information under PIPEDA?
Yes, once patients are made aware of their privacy rights (see answer #19 above), consent is implied if the patient continues to seek care and treatment. Thus current practice of implied consent for the primary use of personal information in the direct care and treatment of an individual patient, as defined in a circle of care, will continue under PIPEDA. For example, a lab may infer consent because the individual would reasonably expect that the results be sent to the provider who ordered the lab work.
22. Is consent implied for the disclosure of personal health information to private insurance companies or third party payers for the purposes of reimbursement of health services rendered?
In certain circumstances, yes. In circumstances where the current practice is to obtain written consent by making the patient sign a reimbursement form, the practice should continue. Where no form is signed, implied consent is acceptable provided patients understand that this is happening and have not behaved in a way that may indicate a refusal of consent (see answer #19 above).
23. When does PIPEDA require express consent?
In commercial activities, the patient's oral or written consent is generally required for all uses and disclosures that are not directly related to the care and treatment of a patient.
However, consent is not always required for research purposes. For example, consent is not required if all of the following conditions are met:
- The information is used or disclosed for statistical, scholarly study or research, or purposes that cannot be achieved without using or disclosing the information.
- It is impractical to obtain consent.
- The organization informs the Office of the Privacy Commissioner before the information is used.
24. What happens when the patient has concerns about the collection, use and/or disclosure of their information with respect to PIPEDA?
The patient's concerns should be addressed by answering their questions, or providing them with information about privacy policies and practices. Specific complaints must be received, investigated and addressed or, if matters are unresolved, individuals must be informed of their right to complain to the Office of the Privacy Commissioner of Canada.
25. What happens if the patient refuses to give consent?
The patient must be advised of the known consequences of not consenting. Should the patient continue to refuse to consent, the providers should be guided by their respective professional standards of practice in handling this issue. In some instances, this could result in the denial of health services.
26. What happens if the patient withdraws consent?
The patient must be advised of the known consequences of withdrawing consent. In some instances, it could result in the interruption or the non-provision of health services.
It is advisable that the patient's records not be destroyed for as long as they are necessary to maintain patient safety and meet audit, regulatory or other purposes. The organization should record the withdrawal and is responsible for notifying parties to whom it had disclosed the information. The patient's withdrawal of consent should not result in the destruction of the record.
27. In cases of emergency care, must consent to the collection, use and disclosure of personal information be obtained?
No. PIPEDA clearly provides exemptions in certain health care emergencies. Examples of such cases are when a patient is unconscious, too sick or not lucid, or when collection is clearly in the interests of the individual and consent cannot be obtained in a timely way.
28. How do you obtain knowledge and consent if the individual does not understand either English or French, or is visually impaired and you do not have any written material (in other languages or Braille) to give them?
Reasonable efforts should be made to communicate with the individual in order to obtain consent. Efforts can include communicating in their language, by sign language, or other means (including an interpreter or family member accompanying the patient).
Disclosure:
29. Can case consultation still be done?
Yes, PIPEDA does not preclude case consultation among health care providers.
30. Can personal information be shared without patient consent between providers in an emergency situation?
Yes.
31. Pharmacists often print lists of filled prescriptions for patients for income tax purposes. This might include a list of prescriptions used by all members of the family. Is a separate, written consent required from each family member? What about children under the age of majority?
Yes, express consent, either in writing or verbally, is required from all individuals of majority age. In the case of a child, consent can be obtained from the minor's legal guardian. Note that this example can be extended to other situations and professions in which a provider is asked to produce a listing of services.
Access:
32. What is required if the patient requests that his/her records be corrected?
PIPEDA should not alter current best practices. The health care provider will consider the request and decide whether to make the change or not.
Historical data should be maintained as long as necessary to maintain patient safety and meet audit, regulatory or other purposes. The patient's request and the health professional's decision should be noted in the file.
33. Do patients have a right to demand to have their record changed?
No, they have a right to seek correction, which will be considered by the health care provider who will decide whether to make the change or not. The lack of change by the provider may then be the subject of a complaint to the Office of the Privacy Commissioner.
Safeguards:
34. What is required to comply with the security standards set out in PIPEDA?
Organizations should assess their current security practices.
As necessary, security provisions include:
- Developing and implementing a security policy to protect personal health information. The effort and resources to accomplish this exercise will vary substantially according to the size and type of organization. For a sole practitioner's office, this could simply be a short documentation of how the information is safeguarded, such as:
  - physical measures (locked filing cabinets, restricting access to offices, alarm systems)
  - technological tools (passwords, encryption, firewalls, anonymizing software)
  - organizational controls (security clearances, limiting access on a "need-to-know" basis, staff training, confidentiality agreements)
- Making employees aware of the importance of maintaining the security and confidentiality of personal information by holding regular staff training on safeguards.
- Reviewing and updating security measures regularly.
35. Are home care records subject to PIPEDA?
Home care records are subject to PIPEDA if there is a commercial activity. However, where the records are in the patient's home and under the patient's control, these records are not the responsibility of the provider organization(s).
Note: This document is an administrative tool to assist in understanding PIPEDA. It is not intended as legal advice.