Abstract

The recently released July 2003 "Guidelines for Managing Privacy, Data Protection and Security for Ontario Hospitals," prepared by the Ontario Hospital eHealth Council Privacy and Security Working Group (the "Guidelines"), are useful in that they provide a comprehensive overview of the types of issues raised for hospitals by existing and pending privacy legislation, and a very high-level framework for addressing them. However, the Guidelines are, as stated, high-level guidelines only, leaving hospital management to grapple with the next big step towards privacy compliance: how to operationalize the Guidelines within their particular hospital. This article summarizes the basic principles of the Guidelines, and seeks to provide some initial guidance as to the role of legal counsel in addressing some of the practical, legal and operational issues hospitals will face in endeavouring to implement the Guidelines. We note that the Guidelines have been drafted specifically for the Ontario context, where no personal health information omnibus legislation has yet been enacted, in contrast to the Health Information Act¹ in Alberta and the Personal Health Information Act² in Manitoba. Nevertheless, the personal health information issues raised by the Guidelines are universal to hospitals in general; as a result, the Guidelines should also be of interest to hospital management in other provinces.