Office of the Privacy Commissioner of Canada
Personal Health Information Privacy Laws Across the Provinces:
What Works, What Doesn’t and What Can We Do About It?

Implementing the (Ontario) Personal Health Information Protection Act

May 8, 2006
Toronto, Ontario

Address by Patricia Kosseim
General Counsel, Office of the Privacy Commissioner of Canada


Introduction

Let me thank the organizers for kindly inviting me to be part of this conference program. I should forewarn you that although this Panel session is entitled Personal Health Information Privacy Laws Across the Provinces, I have been asked to speak to you about the Personal Information Protection and Electronic Documents Act (PIPEDA), which is neither a provincial law, nor a health privacy law, though it does apply to personal health information that goes across provinces. As you will see, PIPEDA jurisdiction over the health care sector is limited, and the type of complaints we see tend to revolve for the most part outside the circle of care, in respect of transactions between health care providers and third parties. Finally, we are, as many of you may already know, preparing for legislative review of PIPEDA this year. The experience we have had to date interpreting and applying PIPEDA, together with the different approaches we see being taken in the provinces, will help inform the changes we hope to see brought to the law.

Part I: PIPEDA Jurisdiction over Health

PIPEDA applies to organizations that collect, use and disclose personal information in the course of commercial activity. This includes, for example, pharmacies, laboratories, physicians, dentists and health care professionals working in private practice (whether they are paid directly by their patients or reimbursed by their provincial health plans or some other employment insurance plan).

PIPEDA also applies to inter-provincial transfers of personal health information; and to personal health information that relates to employees of federal works, undertakings and businesses.

For the most part, the activities of health care providers working in British Columbia, Alberta, Ontario or Quebec are now exempted from PIPEDA and instead, are subject to the applicable legislation in their respective provinces.

Providers working in Manitoba and Saskatchewan are currently subject to both PIPEDA and their respective provincial health law.

Elsewhere in Canada, where there is no private-sector or health sector legislation in place, the activities of health care providers operating in private practice are subject to PIPEDA exclusively.

Though, theoretically, there may be concurrent federal-provincial jurisdiction over the same transaction or over different parts thereof, in simple, practical terms, the legal requirements are generally consistent and compatible with one another. Should a health privacy complaint be brought to both the provincial and federal oversight offices in respect of the same transaction, the reality is that the Commissioners/Ombuds Offices will work collaboratively both formally and informally to coordinate their investigations and findings, to the extent possible.

Indeed, there is a lot of background collaboration that goes on between Privacy Commissioners’ Offices to coordinate the implementation of federal-provincial legislation. Our common goal is to work together in a dynamic and collegial manner to resolve situations that potentially trigger several laws at once, and come to some working agreement on how we set out to address them.

In some cases, we have developed formal protocols for handling investigations where there may be overlapping jurisdiction. In March 2004, the Federal Privacy Commissioner entered into a letter of understanding with the Information and Privacy Commissioners of Alberta and British Columbia, confirming their agreement on how complaints relating to organizations in those provinces would be handled both before and after a finding of "substantially similar" was made in respect of the provincial laws. The Federal and Ontario Commissioners have also set out a working agreement to handle complaints in respect of matters covered by Ontario's Personal Health Information Protection Act, 2004, prior to and following the substantially similar designation in November 2005.

In addition to these formal agreements, there are many informal efforts that are made behind the scenes to streamline the federal-provincial approach to jurisdictional issues. Issues of common interest and concern are discussed at bi-annual Federal-Provincial-Territorial meetings of Privacy Commissioners. Senior staff from the various Commissioners' offices have established a private sector privacy forum which seeks to coordinate and harmonize federal and provincial oversight of the private sector in Canada. They take part in monthly teleconferences and/or meetings to develop procedures for determining jurisdiction, transferring complaints and conducting joint or parallel investigations. Investigators' Conferences are held on an annual basis to bring together investigators from different offices to exchange information on jurisdictional issues and discuss how they have handled cases of common interest.

Part II: The Types of Complaints We Get Under PIPEDA

Recent private-sector or health-sector privacy laws have formalized what physicians have regarded for centuries as their primary duty of doctor-patient confidentiality. In that sense, this is really nothing new for physicians, and health care providers generally, who are already highly sensitized to their professional obligation of confidentiality which takes its modern form in applicable laws, regulations and/or codes of ethics.

If there are privacy complaints about the collection, use and disclosure of personal health information between health care professionals within the circle of care, we tend not to see them at the federal level. These tend to take place in public institutions, at least in part, and are generally covered by the implied consent regime of most provincial health statutes, where they exist.

What we do see giving rise to privacy complaints under PIPEDA are transactions involving collection, use and disclosure of personal health information between private health care providers and third parties. It is at the intersections between private practice and multiple other contexts unrelated to direct patient care where PIPEDA is most often triggered. Here are some examples:

  1. Health care providers and insurance companies

Certainly an area of concern for many complainants is the broad scope of the consent clauses used by life and health insurance companies to collect full particulars of clients’ medical history from any third party, including from health care practitioners, in order to administer claims. While we can certainly appreciate the practical difficulty of obtaining multiple consents each time personal health information is collected, used or disclosed, during the lifespan of an insurance policy, a wide-open, blanket consent provided only once, up front, for all time is likewise problematic.

It is vitally important that the consent(s) requested by insurance companies be given on a truly free and informed basis, in order to permit limited collection, use and disclosure of personal health information only to the extent necessary for appropriate and reasonable purposes directly related to the claim. Much more than a one-time signature on a consent form, informed consent is a dynamic process which involves keeping individuals actively aware, on an ongoing basis, of what you intend to do with their personal health information and for what purpose, and allowing them the opportunity to ask questions or challenge assumptions – particularly in relationships of unequal bargaining power like insurance contracts.

For this reason, we were heartened when we met recently with the Canadian Medical Association, to learn that they encourage their members to obtain express consent of their patients before releasing personal health information to insurance companies. Rather than merely rely on the faxed authorization form containing clients’ one-time signature that insurance companies use to obtain personal health information from any third party, the best practice calls on physicians to independently contact their patients to obtain their express consent directly.

Another area of concern which gives rise to complaints under PIPEDA is the relationship between individuals and independent medical examiners working on behalf of insurance companies. While the right to access medical records is clearly established at common law as a function of the fiduciary duty a physician owes his or her patient in a relationship of care, the independent medical examiner (IME) is in a different situation vis-à-vis an individual being assessed for insurance purposes. As a result, an individual used the complaint mechanism under PIPEDA to gain access to the IME’s notes taken during the assessment. Although the IME provided the individual with a copy of the formal report he provided to the insurance company, he refused to provide him with a copy of his background notes, on the grounds that these were not part of the individual’s medical record.

In a finding issued last year (case summary # 306), Assistant Commissioner Heather Black concluded that the information in question was the individual’s personal information within the meaning of PIPEDA, and that he therefore had a right to access it. The notes were not exempted from access under the solicitor-client privilege since the independent medical examiner had not been retained as an expert for litigation purposes, nor was the assessment part of a formal dispute resolution. Rather, the IME was done to assist the insurance company in determining its obligations under the insurance policy. Accordingly, the Assistant Commissioner recommended that the physician make his notes available to the individual. This case is now proceeding before the Federal Court.

  2. Health care providers and employers

Another situation fraught with issues is when inquisitive employers approach health-care providers to enquire into the health status of their employees. Health practitioners should exercise care when answering such enquiries.

First, any release of information by a health-care provider to the employer of one of his or her patients requires the valid consent of the patient. For example, in one case (case summary #287), an employee had returned to work in a “safety sensitive” position after recuperating from a serious illness. The employer requested the employee to ask his physician to fill out requisite forms in order to provide an update on his medical condition and whether he was fit for duty. The employee had signed a consent form, valid for 90 days, giving his physician permission to release the information to his employer. However, subsequent to this and long after the validity of the employee’s consent form had expired, the company doctor contacted the physician directly looking for supplementary information. The Assistant Commissioner concluded that the company should not have contacted the specialist directly unless it had a valid consent from the employee.

Providers who answer employer questions about appointments, scheduling and other seemingly innocuous information may effectively disclose personal information of an individual without her consent. For example, case summary #235 involved an employee who had requested leave to undergo medical tests. The employer called the hospital to determine the length of time needed for these tests, and then turned down the employee’s leave on the basis that the amount of time being requested exceeded the time “needed” for the tests. The Assistant Commissioner concluded that the employer had contravened PIPEDA by contacting the hospital to obtain information about the employee’s medical examination without the latter’s consent.

Moreover, even when valid consent has been given by patients, providers should be mindful of when an employer is asking for more information than is necessary for the purpose consented to. In findings #233 and #257, the Assistant Commissioner agreed that it was acceptable for an employer to require a medical certificate to justify an employee’s absence which exceeded the allowable number of absences without a certificate. However, a physician’s attestation of the absence from work for illness was sufficient for this purpose. The employer was not entitled to ask for a description of the employee’s diagnosis or other details about his or her medical condition.

  3. Health-care providers and record storage companies

Health care providers are required by professional regulations in most cases to store patient records for a certain number of years. Though providers are well aware of their obligations in this regard, problems may arise in situations where their practice comes to an abrupt end due to death, retirement or a decision to move out of province. In such situations, providers may not have had the chance to notify their patients of their exit plan. Instead, arrangements are made to transfer all patient records to a record storage company. For example, we have seen contractual arrangements between the provider and the storage company that allow the company to contact patients directly to notify them of the whereabouts of their file following their provider’s departure and the costs for obtaining a copy should they want one. Several issues arise.

Doesn’t the openness principle require providers to be transparent about their record-keeping practices, including their intention to transfer patient records for off-site storage at one point or another? Can providers simply authorize third party record storage companies to contact their patients directly (through cold calls) without having to notify patients of this intended transfer and storage first? How meaningful is the right of access when the storage company calls patients to inform them that they may obtain copies of their files for $X, without informing them that they have an equal opportunity to view their files on site at no or minimal cost? Is it always appropriate for third party storage companies to provide indiscriminate access to patient records even in cases where there may be a legitimate need for mediated access or interpretation by a treating physician?

  4. Health-care providers and third parties

Unfortunately, we also receive occasional privacy complaints arising from inadvertent disclosures of personal health information from health care providers to third parties, due to insufficient safeguards in their organizational design or due to sheer carelessness or indiscretion of staff. The design of office space, such as reception areas versus special areas dedicated to patient consultations, the visibility of patient files or computer screens, the audibility of telephone conversations, the degree of discretion used by providers when discussing patient files in public places such as elevators, cafeterias, etc. are all factors that must be carefully considered in the day to day operation of private health care practice.

About a year and a half ago, the Edmonton Journal reported that a couple who managed an apartment building had received fax transmissions in error from several organizations. The two organizations that came within our jurisdiction were Dynacare, a medical laboratory, and Viewpoint, a medical diagnosis consultation service. Staff from these two organizations had misdirected faxes containing sensitive personal health information by error when manually keying in the fax destination numbers. The organizations have since undertaken a number of practical safeguard measures to avoid the risk of error repeating itself in the future, have reviewed their employee confidentiality agreements, have identified precise steps to be taken when mistakes are made, and have considered whether, when and how notification to patients should occur.

  5. Health-care providers and researchers

Under s. 7(3)(f) of PIPEDA, personal information may be disclosed without consent for statistical or scholarly study or research purposes where the purposes cannot be achieved without disclosing the information, it is impracticable to obtain consent, and the organization (such as the health care provider) informs the Commissioner of the intended disclosure beforehand. To date, our Office has received only one such notification.

The fact that we are not receiving notifications under this section might be explained in a number of possible ways. It could be that health care providers covered by PIPEDA are not disclosing any personal information for academic research purposes. This seems rather unlikely. Alternatively, it might be that providers are invariably obtaining consent from each individual patient before releasing personal information about them to researchers, both academic and commercial. It could be that providers are taking the position that the information being disclosed is sufficiently de-identified in their view so as not to fall within the meaning of personal information under PIPEDA. Or, it could be that providers are simply not aware of, and/or do not understand, their obligations under PIPEDA. Whatever the reason behind it, this phenomenon requires further examination.

Conclusion

A review of the types of complaints we get about collection, use or disclosure of personal health information by organizations covered by PIPEDA begs the question: is PIPEDA well-suited to deal with them?

Indeed, this is the ultimate question to ask, particularly now as we prepare for the upcoming five-year review of PIPEDA. The OPC is presently drafting a consultation paper on the PIPEDA 2006 review, which we will open up for public comment to help inform our position on necessary changes to PIPEDA. We certainly hope to receive input from various sectors affected by PIPEDA, including parts of the health sector covered by the law.

In the meantime, we are looking with great interest at the experience provincial jurisdictions are having developing, interpreting and applying their respective laws. We stand to learn a lot from those experiences as we begin to reflect on the future evolution of our own law.

For instance, what can we learn from Ontario PHIPA’s section 12 on notification of breach and how it is actually working in practice? Are there situations where the notification requirement needs to be qualified in some fashion to avoid trivializing it over time, or needs to be carried out in a certain way to avoid causing more harm to patients than good?

How is the Information and Privacy Commission of Alberta handling its statutory mandate under sections 70-72 of HIA to review and comment on privacy impact assessments that health information custodians are required to submit before performing data matching? Are the resource requirements realistic? Is there sufficient technical capacity available to conduct this review and comment in a timely and meaningful way?

And what about the various legal tests for identifiability that have been incorporated in some provincial laws? Do legal tests such as “reasonably ascertainable” in Alberta, “reasonably foreseeable” in Ontario or “reasonable expectation” in Saskatchewan, help provide greater certainty in law? Do they assist stakeholders in predicting when information should be considered identifiable, or when information can potentially be re-identified, so as to become personal information?

I look forward to hearing from various participants today and tomorrow, when certainly we will have the chance to discuss these and many other questions. I would very much like to learn more about the experiences of different jurisdictions in terms of what is working and what is not, so that I may bring some of this knowledge back home with me to share with colleagues and reflect further upon as we prepare for the PIPEDA 2006 review. Thank you.