Law & Governance
Coming Soon to a Health Sector Near You: An Advance Look at the New Ontario Personal Health Information Protection Act (PHIPA)
This is Part I of a two-part article that provides a broad overview of the new health sector privacy legislation in Ontario, and compares this legislation to personal health legislation in other provinces. In Part I, we discuss the objectives, structure and scope of, as well as the substantive rights and obligations created by, the Ontario Act. In Part II, which will appear in the Fall 2004 issue, we will discuss the administrative obligations under the Ontario Act, as well as the provisions relating to enforcement and remedies. We will also discuss the approach to the protection of personal health information taken by other provinces, including Alberta, Saskatchewan and Manitoba, which have already enacted legislation that is similar in many respects to the Ontario Act.
The past three years have seen the development of a significant new privacy law regime in Canada, with the enactment of the federal Personal Information Protection and Electronic Documents Act (PIPEDA) (which came into general application on Jan. 1, 2004), and provincially, the Personal Information Protection Acts in Alberta and British Columbia. Ontario, which has experienced numerous false starts,1 has been unsuccessful in developing its own substantially similar legislation. As a result, as of Jan. 1, 2004, PIPEDA began governing the collection, use and disclosure of personal information in the course of a "commercial activity" in Ontario.
Medical records are specifically identified by PIPEDA as "almost always" constituting sensitive personal information. As a result, under PIPEDA, medical records require special treatment in that organizations are generally required to obtain express consent for the collection, use and disclosure of such sensitive information, and are required to protect that information with a higher level of security. However, the "commercial activity" threshold in PIPEDA ironically prevented the application of this standard to a number of organizations operating in the sector most likely to handle personal health information - that is, the health sector. In addition, while personal information was protected to a certain extent by obligations to maintain the confidentiality of patient information that existed in both common law2 and various legislation and codes of conduct,3 Ontario was missing the uniform standard of personal health information protection that is provided in Manitoba (by the Personal Health Information Act4), in Saskatchewan (by the Health Information Protection Act5) and in Alberta (by the Health Information Act6).
The Personal Health Information Protection Act, 2004 (PHIPA), which, together with the Quality of Care Information Protection Act, 2004, forms Bill 31, the Health Information Protection Act, 2004, addresses this gap in Ontario. Bill 31 received royal assent on May 20, 2004, and will come into force on Nov. 1, 2004.
A. OBJECTIVES OF PHIPA
PHIPA creates a regime of information practices that must be followed in connection with the collection, use or disclosure of personal health information. As detailed below (see "B. Scope of Application," 3.), PHIPA is aimed primarily at "health information custodians" (HICs), and therefore has very limited application to non-HIC organizations.
The objectives of PHIPA are:
- to establish rules for the collection, use and disclosure of personal health information about individuals that protect the confidentiality of that information and the privacy of individuals with respect to that information, while facilitating the effective provision of healthcare;
- to provide individuals with a right of access to, and to require the correction or amendment of, personal health information about themselves, subject to limited and specific exceptions set out in PHIPA;
- to provide for independent review and resolution of complaints with respect to personal health information; and
- to provide effective remedies for contraventions of PHIPA.7
Note that a critical element of the first-stated objective is the need for a balance between the need to protect personal health information and the need to ensure the effective provision of healthcare. This is a balancing principle similar to that in PIPEDA, wherein the need to protect personal information is balanced against the need of organizations to collect, use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances.
1. Structure of PHIPA
PHIPA is broken down into eight parts: interpretation and application (Part I); administrative practices that HICs must adopt to protect personal health information (Part II); rules concerning consent (Parts III and IV); rules regarding access to personal health information (Part V); provisions regarding the administration and enforcement of PHIPA (Part VI); offences under PHIPA (Part VII); and complementary amendments to 21 pieces of existing health sector legislation (Part VIII).
In addition, the Ontario Minister of Health and Long-Term Care recently released for public consultation a proposed general regulation under PHIPA (the "Proposed Regulation"). The Proposed Regulation would serve to (a) clarify a number of defined terms; (b) provide specific content to provisions of seemingly general application; (c) prescribe individuals/entities or categories of information; (d) create specific requirements in relation to the supply of products and services to health information custodians; and (e) create specific rights for, and impose specific obligations on, the Canadian Blood Services.
B. SCOPE OF APPLICATION
1. Generally
Section 7 states that PHIPA will apply to
- the collection of personal health information by an HIC on or after the day PHIPA comes into force;
- the use or disclosure of personal health information, on or after the day PHIPA comes into force, by (i) an HIC, even if the HIC collected the information before that day, or (ii) a person who is not an HIC and to whom an HIC disclosed the information, even if the person received the information before that day; and
- the collection, use or disclosure of a health number by any person on or after the day this section comes into force.8
2. Definition of Personal Health Information
"Personal health information" is broadly defined in PHIPA as identifying information about an individual in oral or recorded form, including information that relates to: the physical and/or mental health of the individual (including the health history of the individual's family); the provision of healthcare to the individual; payments or eligibility for healthcare in respect of the individual; the individual's health number; and any other identifying information about an individual that does not itself fall within the definition but is contained in the same record as such information.9
However, identifying information contained in a record that is in the custody or control of an HIC is not personal health information if it relates "primarily"10 to its employees and agents and is "primarily" maintained by the HIC for a purpose other than the provision of healthcare or assistance in providing healthcare to such employees and agents.
It is worth noting that the Proposed Regulation would clarify that the definition of "healthcare" includes (a) taking a donation of blood or blood products from an individual; and (b) assessing the health of an individual for the purposes of a proceeding or claim.11
3. Primary Application to HICs
As noted above, the primary focus of PHIPA is on the collection, use and disclosure of personal health information by HICs. A "health information custodian" is defined as one of a number of enumerated persons or organizations that have custody or control of personal health information in connection with performing their duties or work. These include: a healthcare practitioner or a person who operates a group practice of healthcare practitioners; a person who operates a public or private hospital; a long-term care, mental health or independent health facility; a pharmacy, laboratory or specimen collection centre; an ambulance service; a special-care home, community health or mental health centre or program; an evaluator under the Health Care Consent Act, 1996; or an assessor under the Substitute Decisions Act, 1992.
The Proposed Regulation would designate the Canadian Blood Services as a single HIC with respect to all of its functions.12 It would also clarify that a board of health and the medical officer associated with that board function as a single HIC,13 and that persons who provide fitness or weight-management services are excluded from the definition of "healthcare practitioner."14 In addition, it would permit certain prescribed registries and entities to act as HICs in relation to research purposes approved by a research ethics board in accordance with PHIPA.15
It is important to note that where a healthcare practitioner, a service provider within the meaning of the Long-Term Care Act, 1994, an evaluator or an assessor acts as an "agent" of an HIC, that person/entity is not considered to be an HIC in respect of those duties or that work. "Agent" is broadly defined to mean a person who, with the authorization of the HIC, acts for or on behalf of the HIC with respect to personal health information, for the purposes of the HIC and not the agent, whether or not the agent has the authority to bind the HIC or is employed or remunerated by the HIC. In the case of a hospital and physicians who are not employed by, but have admitting privileges at, the hospital, this appears to make the hospital responsible for PHIPA compliance in respect of the actions of such physicians performed on behalf of the hospital.
4. Limited Application to Non-HICs
PHIPA has very limited application to non-HICs, as follows:
- PHIPA permits an HIC to disclose to a non-HIC personal health information about its employees and agents that is primarily maintained by the HIC for non-healthcare purposes, as such information is not considered to be personal health information for the purposes of PHIPA in any case, and thus is outside the scope of PHIPA;
- where an HIC discloses to a non-HIC personal health information that is maintained by the HIC for healthcare purposes, and the non-HIC is not acting as an agent for the HIC, Section 47 of PHIPA restricts the non-HIC from using or disclosing (a) the information for any purpose other than the purpose for which the HIC was authorized to disclose the information under PHIPA (see C. "Consent Obligations," below), and (b) more of the information than is reasonably necessary to meet such purpose, unless the use or disclosure is required by law; and
- where an HIC exchanges with an agent personal health information that is maintained by the HIC for healthcare purposes, PHIPA (i) treats such exchange of personal health information as a "use" by both persons, and not a "disclosure" by the person providing the information or a "collection" by the person to whom the information is provided (such that Section 47 of PHIPA does not apply), and (ii) restricts such agent to the collection, use, disclosure, retention or disposition of the information, as the case may be, only in the course of the agent's duties as agent and not contrary to the limits imposed by the HIC, PHIPA or another law.
5. Interaction with PIPEDA
Unfortunately, it appears that the line between the application of PIPEDA and PHIPA is not currently as clear as it could be.
In its "PIPEDA Awareness-Raising Tools (PARTs) Initiative for the Health Sector,"16 Industry Canada confirms that PIPEDA does apply to information collected, used and disclosed in the health sector in the course of commercial activities, such as are conducted by private pharmacies, laboratories and healthcare providers in private practices. As a result, the scope of PIPEDA clearly overlaps with those organizations within the scope of the definition of HIC found in PHIPA.
Sections 7(2) and (2.1) of PHIPA address such potential conflicts by noting that
(2) In the event of a conflict between a provision of this Act or its regulations and a provision of any other Act or its regulations, this Act and its regulations prevail unless this Act, its regulations or the other Act specifically provide otherwise.
(2.1) For the purpose of this section, there is no conflict unless it is not possible to comply with both this Act and its regulations and any other Act or its regulations.
An analysis of the extent to which the interaction of PIPEDA and PHIPA might create such an irreconcilable conflict is beyond the scope of this article. However, it is worth noting that the Proposed Regulation would clarify that where PHIPA or any of its attendant regulations provide that an action, including a collection, use or disclosure, may be taken, and another Act (e.g., PIPEDA) provides that such action may not be taken, there is a conflict.
C. CONSENT OBLIGATIONS
1. Consent Generally
PHIPA prohibits each HIC from collecting, using or disclosing personal health information unless (1) (a) the HIC has obtained the knowledgeable consent of each individual and (b) the collection, use or disclosure, to the best of the HIC's knowledge, is necessary for a lawful purpose;17 or (2) such collection, use or disclosure is otherwise permitted by PHIPA.18 Subject to specific provisions in PHIPA to the contrary (e.g., the requirement for express consent for non-"circle of care" disclosures of personal health information [see 5. below]), consent may be express or implied.19
There are limited instances where an HIC may use and disclose personal health information in its control for purposes beyond those to which the individual has consented. For example, an HIC may use personal health information without consent for the purposes of planning, delivering, evaluating or monitoring programs or services; managing risk and error; improving or maintaining the quality of care or services offered; obtaining, verifying or reimbursing claims for payment; and for research, subject to meeting applicable PHIPA provisions.20
The Proposed Regulation would clarify that a "disclosure" does not include providing personal health information back to the person who originally provided or disclosed that information, notwithstanding the fact that the information may have been manipulated or altered, as long as the information does not contain any additional identifying information.21
2. Implied Consent for Collection, Use and Disclosure Within the "Circle of Care"
Arguably the most significant provision in PHIPA is somewhat buried in Section 20(2), which states that where an HIC22 (subject to some very limited exclusions of certain categories of HICs) receives personal health information about an individual from that individual, a substitute decision-maker or another HIC, for the purposes of providing or assisting in the provision of healthcare to the individual, such HIC is entitled to assume that it has the individual's implied consent to collect, use and disclose the information for such purposes. However, not surprisingly, this assumption of implied consent is no longer available when the HIC receiving the information is aware that the individual has expressly withheld or withdrawn his or her consent.
3. The Lockbox Principle
The "lockbox" limiting principle is one of the more controversial principles in PHIPA. PHIPA contemplates that (a) an individual may withdraw his or her consent to the collection, use and disclosure of his or her personal health information, even if the consent is implied in connection with the provision of healthcare to that individual,23 and (b) if an HIC disclosing to another HIC in connection with the provision of healthcare does not have the consent of the individual to disclose all the personal health information about the individual that it considers reasonably necessary for that purpose, the disclosing HIC shall notify the HIC to whom it disclosed the information of that fact. In summary, as stated during the second reading debate for Bill 31:
There is a provision in the Bill called a lockbox, and it's a provision that perhaps doesn't enjoy universal support, but a lockbox provides that any Ontarian who so wishes to put a square, a box, a lock, a circle around any of their information to prevent its disclosure is entitled to do so.24
In brief, the principle is controversial in that it grants the patient the absolute right to permit the collection, use and disclosure of only some of his or her personal health information, potentially at the expense of reduced effectiveness of healthcare treatment as a result of inadequate disclosure to the applicable healthcare provider.
4. Other Criteria: "Knowledgeable" Consents
All consents must be "knowledgeable" - that is, it must be reasonable in the circumstances to believe that the individual knows the purposes of the collection, use or disclosure, and that the individual may give or withhold consent. PHIPA states that, unless it is not reasonable in the circumstances, it is reasonable to believe that this criterion has been met if the HIC posts or "makes readily available" a notice describing such purposes where it is likely to come to the individual's attention, or provides the individual with such a notice. However, this appears to be provided as only one example of a method of ensuring that the individual knows the purposes of the collection, use and disclosure. For example, when the consent in question is a "circle of care" implied consent, PHIPA appears to contemplate that this "knowledgeable" requirement has been met.
5. Non-"Circle of Care" Disclosures: "Express" Consent
When an HIC discloses personal health information outside of the circle of care - that is, discloses such information to a non-HIC, or to an HIC for purposes other than the purposes of providing healthcare or assisting in providing healthcare - express consent is required.
D. SPECIAL ISSUES
This article is a necessarily abbreviated review of the rather lengthy PHIPA. However, the following issues are of special note.
1. Fundraising
The first draft of PHIPA required that each HIC obtain the express consent of each individual for the collection, use or disclosure of his or her personal health information for fundraising purposes. As the result of intensive lobbying efforts by hospitals and their related foundations, PHIPA was amended to allow each HIC to rely on implied consent when the information consists of only the individual's name and the prescribed types of contact information, which the Proposed Regulation would limit to the individual's mailing address.25 However, when the information includes more than this contact information, express consent is required. Effectively, this may require each HIC to obtain express consent for certain targeted fundraising efforts - for example, efforts to raise funds for lung cancer research equipment from lung cancer patients.
The Proposed Regulation would further restrict an HIC's ability to collect, use and disclose personal health information for fundraising. Specifically, it would (a) require the fundraising to relate to a charitable or philanthropic purpose related to the HIC's functions; (b) permit the HIC to rely on implied consent only where, at the time the individual received the service, the HIC posted or made available to the individual a notice of (i) the HIC's intention to collect, use and disclose personal health information for a fundraising purpose and (ii) the individual's ability to opt out of such collection, use and disclosure; (c) prohibit an HIC from making any solicitation within the first 60 days after the individual's discharge or receipt of service; (d) require an HIC to include easy opt-out instructions in all solicitations with respect to future solicitations; and (e) prohibit an HIC from including in any solicitation any information about an individual's health or healthcare.26
2. Marketing
An HIC cannot collect, use or disclose personal health information for the purpose of marketing or market research unless the individual expressly consents.27 Notably, however, the Proposed Regulation would exclude from the scope of "marketing" (a) a communication by the Canadian Blood Services for the purpose of recruiting blood donors; and (b) a communication by a healthcare practitioner that offers an individual block fees for non-OHIP-covered charges.28
3. Research
There are detailed provisions in PHIPA regarding the collection, use and disclosure of personal health information in connection with research. These provisions would be supplemented by additional provisions in the Proposed Regulation.
4. Health Numbers
A non-HIC cannot collect or use an individual's health number except for certain specified purposes, and generally cannot disclose an individual's health number unless required by law to do so.29 The Proposed Regulation would stipulate, however, that this general prohibition does not apply to a non-HIC that acts as an agent for, or on behalf of, an HIC,30 or to the Workplace Safety and Insurance Board.31
E. PROPOSED REGULATION
In addition to the specific aspects of the Proposed Regulation referred to above, the following provisions are worthy of note.
1. Persons Who Provide Goods and Services to HICs
The Proposed Regulation would establish specific requirements in relation to persons who supply goods or services to an HIC for the purpose of enabling the HIC to use electronic means to collect, use, disclose, retain or dispose of personal health information. In addition to numerous other requirements, suppliers who do not act as agents for or on behalf of an HIC would be prohibited from disclosing any personal health information they access in the context of providing services to the HIC. Such suppliers would also be restricted to using such information only as necessary for the purpose of providing related systems repair or maintenance services to the HIC.32
2. Canadian Blood Services
The Proposed Regulation would prescribe special rules with respect to the collection, use and disclosure of personal health information by the Canadian Blood Services, which are primarily directed at safeguarding the blood supply.
CONCLUSION
As Bill 31 proceeded through the legislative process, it began to be informally suggested by some HICs that the implied consent inherent in the PHIPA "circle of care" concept effectively meant that such HICs need make little or no effort to comply with the requirements of PHIPA. Such an approach would reflect a misunderstanding of the PHIPA requirements in a number of respects. First, in order for an HIC to confirm that personal health information is being used and disclosed only within the "circle of care," the HIC must complete a privacy self-audit. Second, the circle of care concept addresses consent obligations only; there remain a number of information practices that will need to be developed and/or refined by each HIC in order to meet the administrative obligations of PHIPA, which we shall address in Part II of this article. Third, many HICs are engaged in more than just the provision of care, and thus may be involved in fundraising, research, joint ventures, etc. that raise other issues that must be addressed. Indeed, rather than a challenge, PHIPA compliance is an opportunity for HICs to finally implement relatively uniform standards with respect to the handling of personal health information in their custody and control.
About the Author(s)
John P. Beardwood is a partner and the Vice-Director of the Information Technology group of Fasken Martineau DuMoulin LLP.
Alexis Kerr is an associate at the Vancouver office of Fasken Martineau, whose practice focuses on litigation and access to information and privacy law.
Acknowledgment
Please address correspondence to: John Beardwood, Fasken Martineau, Toronto Dominion Bank Tower, P.O. Box 20, Suite 4200, 66 Wellington Street West, Toronto-Dominion Centre, Toronto, Ontario M5K 1N6, toll-free number: 1 800 268 8424, e-mail email@example.com
1. For example, Bill 159, the Personal Health Information Privacy Act, 2000, and the draft Privacy of Personal Information Act, 2002.
2. McInerney v. MacDonald, [1992] 2 S.C.R. 138, on appeal from the Court of Appeal of New Brunswick.
3. For example: in mental health legislation with respect to mental health patients; in professional codes of conduct; and in the Canadian Health Records Association (CHRA) code of conduct.
4. S.M. 1997, c. 51 (C.C.S.M., c. P33.5).
5. S.S. 1999, c. H-0.021, proclaimed in force September 1, 2003 (except subsections 17(1), 18(2) and (4) and section 69) as amended by the Statutes of Saskatchewan, 2002, c. R-8.2; and 2003, c. 25.
6. R.S.A. 2000, c. H-5, proclaimed in force April 25, 2001.
7. S.1, PHIPA.
8. S.7, PHIPA.
9. S.4, PHIPA.
10. Better phraseology would have been "to the extent" maintained by the HIC for a purpose other than the provision of healthcare or assistance in providing healthcare to such employees and agents, as to the extent that such information is used for such healthcare, such information should presumably be as equally protected as that of a non-employee patient.
11. S.1(1), Proposed Regulation.
12. S.3(1), Proposed Regulation.
13. S.3(3), Proposed Regulation.
14. S.2, Proposed Regulation.
15. S.3(2), Proposed Regulation.
16. See http://e-com.ic.gc.ca/epic/internet/inecic-ceac.nsf/en/h_gv00207e.html.
17. S.1(4), Proposed Regulation.
18. S.28, PHIPA.
19. S.18(2), PHIPA.
20. S.36, PHIPA.
21. S.1(3), Proposed Regulation.
22. Subject to the very limited exclusion of the following HICs: an evaluator under the Health Care Consent Act, 1996, an assessor under the Substitute Decisions Act, 1992; a medical officer of health or a board of health within the meaning of the Health Protection and Promotion Act; the Minister of Health and Long Term Care; and any other prescribed category of HIC.
23. S.19(1), PHIPA.
24. March 30, 2004, Minister of Health and Long-Term Care, cited in: http://www.ontla.on.ca/hansard/house_debates/38_parl/Session1/L023B.htm#PARA29.
25. S.9(1), Proposed Regulation.
26. S.9(2), Proposed Regulation.
27. S.32, PHIPA.
28. S.1(2), Proposed Regulation.
29. S.34(2),(3) and (4), PHIPA.
30. S.1(5), Proposed Regulation.
31. S.10, Proposed Regulation.
32. S.6(1), Proposed Regulation.
33. S.21, Proposed Regulation.