Canadian Privacy Laws and Practices—Health Sector Flashcards

1
Q

Which provincial health laws have been deemed “substantially similar” to PIPEDA?

A

Ontario (PHIPA), New Brunswick (PHIPAA), Newfoundland and Labrador (PHIA) and Nova Scotia (PHIA)

2
Q

What defines Personal Health Information?

A

Any information concerning an individual’s physical and mental health, which includes information collected about individuals when they register to receive health services or pay for health services

3
Q

What makes the collection, use and disclosure of PHI necessary?

A

Organizations are prohibited from collecting personal information beyond what is necessary to achieve the specified purpose.
The collection, use or disclosure is also limited to “purposes that a reasonable person would consider to be appropriate in the circumstances”

4
Q

When can an individual access and correct personal health information?

A

In most instances, when making a request. Each health law provides individuals with the right to access their own health information held by the entities covered by the law. In most instances, the right also includes a right to correct or amend inaccurate information.

5
Q

What do HINP do?

A

Health Information Network Providers enable custodians to share PHI by electronic means by providing them with IT services.

6
Q

What is identifying information?

A

In Ontario, identifying information means information that (1) identifies an individual or (2) could reasonably be used, either alone or with other information, to identify an individual.

7
Q

What does oversight mean in Health Privacy law?

A

Each law provides that an independent agency, such as the privacy commissioner, has
independent oversight of the entities covered by the law. The role of the oversight body
is, among other things, to review and resolve complaints from individuals who believe
their rights were violated.

8
Q

How does Health Privacy Law ensure proper use, retention, safeguarding and disposal of PHI, including by third parties?

A

Through accountability: the onus is on the covered entity to remain accountable for the proper use, retention, safeguarding and disposal of the health information under its custody or control. This accountability remains even with outsourced third parties or agents.

9
Q

How does one ensure meaningful consent to the collection, use, and disclosure of PHI?

A

(1) It must be the consent of the individual concerned, (2) it must be knowledgeable, (3) it must relate to the information at issue, and (4) it must not be obtained through deception or coercion.
“Knowledgeable” consent requires the individual to fully understand the purpose for which the information will be collected, used or disclosed, or all three.

10
Q

When is implicit/implied consent considered appropriate?

A

An individual will be deemed to have implicitly consented to the collection, use and disclosure of their information within their circle of care.

11
Q

What constitutes the circle of care for an individual and who may act as a custodian or trustee for that individual?

A

In Ontario, the law allows most healthcare providers and facilities that receive personal health information about an individual from (1) that individual, (2) the individual’s substitute decision-maker, or (3) another health information custodian to imply consent to collect, use or disclose the information for the purpose of providing healthcare or assisting in the provision of healthcare to the individual, except in circumstances where the recipient custodian is aware that the individual has expressly withheld or withdrawn the consent.

12
Q

How does a HIC ensure safeguarding?

A

Requires the organizations to adopt reasonable administrative (training/policies), technical (password, updates to software) and physical safeguards (safe or camera) that ensure confidentiality, security, accuracy and integrity of the information.

13
Q

Openness for Health Privacy Law?

A

The provincial laws do not strictly adhere to the same standards as federal privacy laws in terms of an organization’s obligation to develop comprehensive privacy policies and make them accessible; however, in practice, the commissioners overseeing these laws expect it. Ontario, Newfoundland and Labrador, and British Columbia have laws that more closely resemble the general privacy principle of openness. In these provinces, health information custodians are required to make available information that describes:
* The health information custodian’s information practices
* How to contact the appropriate health information custodian
* How to obtain access to or request correction of personal health information (except for British Columbia)
* How to file a complaint

14
Q

How does a HIC respond to a PHI data breach?

A

Provincial privacy legislation mandates that the custodian must notify the appropriate privacy commissioner in situations where a custodian reasonably believes there has been a material breach involving the unauthorized collection, use or disclosure of personal health information
* Includes any instance where health information is handled in a way that does not conform to the custodian’s published policy statement on its information-handling practices.
Examples - Missing USB Key

15
Q

How does an organization ensure Openness?

A

Develop comprehensive privacy policies and make them accessible according to
PIPEDA or provincial law as applicable

16
Q

When will consent not be considered implicit/implied for PHI?

A

Consent will not be implied if the disclosures will be made to noncustodians or to other custodians outside the circle of care.

17
Q

When is there an obligation to notify the privacy commissioner on a health privacy breach?

A

Any instance where health information is handled in a way that does not conform to the custodian’s published policy statement on its information-handling practices.

18
Q

What is the OPC’s Four Point Test for determining whether requesting access to genetic test results goes beyond what is necessary?

A

The OPC’s four-point test:
* Is the collection and use of the test results necessary to achieve a legitimate business purpose? (necessary)
* Are the test results likely to be effective in achieving that purpose? (effective)
* Are the collection and use proportionate to the benefits gained? (proportionate)
* Are there less privacy-invasive alternatives to the collection and use of genetic test results? (less privacy-invasive alternatives)

19
Q

What is the purpose of health information privacy laws?

A

An organization must specify a legitimate purpose for the collection, use or disclosure of personal information and cannot require an individual to consent to any uses beyond
that purpose

20
Q

What act bars any organization from requiring individuals to undergo a genetic test or disclose the results of a genetic test as a condition of providing goods or services or entering into a contract in Canada?

A

Genetic Non-Discrimination Act (GNDA) received Royal Assent on May 4, 2017

21
Q

List the private- and public-sector laws affecting Canadian health information privacy.

A

Federally, PIPEDA and the Privacy Act
Provincial / Territorial:
* Alberta
* British Columbia
* Manitoba
* New Brunswick
* Newfoundland and Labrador
* Nova Scotia
* NW Territories
* Ontario
* P.E.I.
* Saskatchewan
* Yukon