Industry Canada, Government of Canada

PIPEDA Awareness Raising Tools (PARTs) Initiative For The Health Sector

Questions & Answers

NOTICE: This document has been prepared in consultation with health care provider associations within the context of their day-to-day activities in providing care and treatment to Canadians. The answers to the questions may not necessarily be appropriate for organizations not subject to PIPEDA.


This document is an administrative tool to assist in understanding PIPEDA. It is not intended as legal advice.


Overview

  1. What is the "Personal Information Protection and Electronic Documents Act" (PIPEDA)?

    PIPEDA is federal legislation that protects personal information, including health information. It sets out ten principles that organizations, individuals, associations, partnerships and trade unions must follow when collecting, using and disclosing personal information in the course of a commercial activity.

  2. Does PIPEDA apply throughout Canada?

    The Act will not apply to personal information in Provinces and Territories that have substantially similar privacy legislation in place covering commercial activities that are provincially/territorially regulated. PIPEDA does not apply within the province of Quebec because the province has received substantially similar status, but the Act will continue to apply in Quebec to personal information sent outside of the province and to organizations currently subject to the Act, such as banks, broadcasters, airlines, transportation companies and other federally regulated organizations. For more details on this subject please consult Industry Canada's web site.

  3. (a) What are the core features of PIPEDA?

    The core features of PIPEDA include: identifying the purpose for the collection of personal information and obtaining consent for it; and procuring additional consent (express consent in some cases) for any secondary uses or disclosures of the information. To make the consent valid, the Act requires communicating to individuals what personal information is being collected, and how it will be used, disclosed, and protected (see answer #38).

    (b) What are PIPEDA's key principles?

    The 10 key principles of PIPEDA are listed below. The Q&As that follow will show how these elements apply in the health sector.

    1. Organizations are accountable for the protection of personal health information under their control.
    2. The purposes for which the personal information is being collected must be identified during or prior to the collection.
    3. Information must be collected with the knowledge and consent of the individual and for a reasonable purpose.
    4. The collection of personal information is to be limited to what is necessary for the identified purposes and will be collected by fair and lawful means.
    5. Information can only be used and disclosed for the purpose for which it was collected and will be retained only as long as it is necessary to fulfil the purpose.
    6. Information must be as accurate, complete and up-to-date as possible.
    7. Information must be protected by adequate safeguards.
    8. Information about an organization's privacy policies and practices is to be readily available.
    9. Information must be accessible for review and correction by the individual whose personal information it is; and
    10. Organizations are to provide the means for an individual to challenge an organization's compliance with the above principles.

    * Organizations include associations, partnerships, trade unions, agencies, and institutions. It also includes health care providers in private practice.

  4. Why is this law required?

    PIPEDA aims to provide assurances to the public, patients, and providers that personal health information will continue to be managed and shared confidentially and securely.

    The Government of Canada believes that, in most cases, PIPEDA's principles may not significantly differ from those currently in place in the health sector. However, to make consent valid PIPEDA requires informing patients of their privacy rights and providing them with an opportunity to know what personal information is being collected, for what purpose, how it will be used, disclosed, and protected (see answer #38).

  5. What additional responsibilities will be added to health professionals as a result of PIPEDA?

    PIPEDA should have minimal impact on regulated health professionals involved in commercial activities who already have good privacy and confidentiality practices in place. Most health professionals already work within a legislative framework or code of ethics that requires them to protect patient privacy, and PIPEDA supports most current best practices.

    Health professionals will have to ensure that they:

    • Let patients know about the collection, use or disclosure of their personal information. (see question #38)
    • Obtain consent to disclose information to third parties when appropriate.
    • Provide an individual with access to his or her own personal information.
    • Provide secure storage of information and implement measures to limit access to patient records.
    • Ensure proper destruction of information that is no longer necessary.
    • Inform patients of the organization's information-handling practices through various means (e.g. the posting of notices, brochures and pamphlets, and/or normal discussions between a patient and a health care provider).

  6. Under PIPEDA are privately insured or privately paid health services considered to be commercial activities?

    PIPEDA does not differentiate between activities based upon who is paying for them. It is based on the nature of the activity. For example, a hospital charging for a fibreglass cast would not bring a hospital within the scope of the Act because the transaction is part of the hospital's core activities, i.e. providing health care services. (see question 24)

    In the case of a privately owned medical equipment store or TV rental business, if the hospital leases the space to the operator, the latter is responsible for complying with the Act, not the hospital.

  7. How does PIPEDA impact the non-commercial aspect of the health care sector?

    Non-commercial areas of health care such as publicly funded hospitals are not subject to PIPEDA.

  8. Some health care services are delivered in "open concept" offices. Under PIPEDA can care and treatment continue in the open concept?

    Special attention and discretion must be exercised in collecting, using and disclosing personal information where services are delivered in an open concept.


Key Definitions

  1. What is personal information?

    In the health context, personal information means information about an identifiable patient which includes any factual or subjective information, recorded or not, about that individual, including health related information.

  2. What is an organization?

    An organization includes associations, partnerships, trade unions, agencies, and institutions. It also includes health care providers in private practice.

  3. What is a commercial activity within the context of the health care sector?

    A commercial activity involves the making and provision of a product or service that is commercial in nature. Under PIPEDA, commercial activities include, for example, the selling, bartering, or leasing of donor, membership or other fundraising lists for some consideration. The funding source (public health insurance, private payer, third-party payer, etc.) is not relevant in determining the existence of a commercial activity.

  4. What is a "circle of care"?

    The expression includes the individuals and activities related to the care and treatment of a patient. Thus, it covers the health care providers who deliver care and services for the primary therapeutic benefit of the patient and it covers related activities such as laboratory work and professional or case consultation with other health care providers.

  5. What does "access" mean under PIPEDA?

    Access is not defined in PIPEDA. However, the intention of the right of "access" is to enable individuals to be informed of the existence of, to view and/or obtain a copy of, the personal information that has been collected about them by an organization, in a form that is generally understandable. The access right also includes the right of individuals to challenge the accuracy and completeness of the information and to have it amended, as appropriate. (see questions #68 & 69)

  6. PIPEDA uses a "reasonable person" test. What does the term "reasonable person" mean?

    The concept of "reasonable person" is a test that is intended to ensure that personal information is only collected, used or disclosed for purposes that the average person would consider appropriate, logical and fair in the circumstances.

  7. What are an institution's "Core Activities"?

    An institution's "core activities" are those objectives/activities defined either in a provincial Act which regulates that particular industry or in the legal entity's Letters Patent, including those activities which logically or legally flow from the latter. For example, the core activities of a hospital include providing accommodation, providing health care services, etc.


Scope of Application

  1. Does PIPEDA apply to the entire health sector in Canada?

    No, PIPEDA only applies to the information collected, used and disclosed in the course of commercial activities such as private pharmacies, laboratories and health care providers in private practices. Also, the Act will not apply to personal information in Provinces and Territories that have substantially similar privacy legislation in place covering commercial activities that are provincially regulated, such as in the province of Quebec. For more details on this subject please consult Industry Canada's Privacy For Business web site.

  2. Are there significant differences between PIPEDA and current privacy practices in the health sector?

    No, privacy is a right underpinning health care in Canada. This right is addressed in legislation, codes of ethics, standards and procedures. The Government of Canada believes that, in most cases, PIPEDA's principles may not significantly differ from those currently in place in the health sector. However, to make consent valid PIPEDA requires informing patients of their privacy rights and providing them with an opportunity to know what personal information is being collected, for what purpose, how it will be used, disclosed, and protected (see answer #38).

  3. Why must information about the collection, use, and disclosure of personal information be made available to patients?

    Information about privacy rights must be made available to patients so that the patients can decide whether or not to consent to the collection, use and disclosure of their personal information.

  4. Will PIPEDA impact on health care professionals/providers and health care facilities/services/agencies?

    PIPEDA should not significantly alter the therapeutic provider/patient relationship. However, PIPEDA may require some changes. For example, in addition to informing individuals about the purpose of the collection, use and disclosure of their personal information to make their consent valid, health care organizations should review their practices and policies to ensure they meet the PIPEDA principles, in particular with respect to secondary uses of the personal health information, e.g. research, health surveillance and statistical analysis of data purposes.

  5. Does PIPEDA require that every health care provider in private practice develop a privacy policy?

    Yes. However, the effort and resources to develop a privacy policy will vary substantially according to the size and type of organization. For example, in a sole practitioner's office, this could be a short document, available on request that sets out the application of the 10 privacy principles under PIPEDA (See Question 3b).

  6. Does PIPEDA require that every health care provider in private practice appoint a privacy officer?

    Under PIPEDA, organizations are required to designate an individual or individuals who are accountable for the organization's compliance with PIPEDA. For a sole practitioner's office, the sole practitioner might be the designated accountable individual or administrative staff could take on this role.

  7. Does PIPEDA apply within a circle of care?

    Yes, it applies to commercial activities within the circle of care.

  8. A number of health care providers work in settings that are not typically thought of as "health care facilities" - for example, schools, correctional facilities, halfway houses, and group homes. Will PIPEDA mean that different privacy rules can apply for different settings?

    Yes. A key consideration in determining which organization or individual should comply with PIPEDA is who has control of the personal information and whether they are engaged in commercial activity.

    PIPEDA does not apply to core activities of a municipality, public school, university, public hospital or correctional facility. Public sector legislation and provincial health information acts would apply in some cases and in some jurisdictions. For example, the Federal Privacy Act would apply in the case of a federal correctional institution.

    PIPEDA applies to personal information collected, used, and disclosed during the course of any commercial activity. Records in organizations engaged in commercial activity would be covered by PIPEDA, e.g. private group homes.

    In the case of an organization subject to PIPEDA that employs a health care professional on a contract basis or on salaried basis, the issue of accountability for compliance depends on who has control of the personal information - the organization, the professional or both.

  9. Is the application of PIPEDA based on the nature of the activity (transaction) or is it based on the nature (public, private, commercial, non-profit, etc) of the health organization, institution, or agency?

    It is based on the nature of the activity.

    A non-profit organization can be engaged in a commercial activity to which the Act would apply. For example, the sale of a fundraising list by a charity can trigger the application of the Act with respect to that particular transaction.

    The Act would not apply to a provincially funded hospital. Hospitals are beyond the constitutional scope of the Act as their core activities are not commercial in nature. Charging for a private room would not bring a hospital within the scope of the Act because the transaction is part of the hospital's core activities, i.e. providing accommodation.

    In the case of a privately owned medical equipment store or TV rental business, if the hospital leases the space to the operator, the latter is responsible for complying with the Act, not the hospital.

  10. What is the responsibility of health care providers employed by federal/provincial/territorial governments under PIPEDA?

    PIPEDA does not apply to federal/provincial/territorial government employees in the execution of their duties. Most federal government institutions, departments, agencies and their employees are subject to the Federal Privacy Act. Provincial/territorial governments are subject to their respective public sector privacy legislation and should be governed accordingly.

  11. Are health care services delivered by long-term care facilities and home health care agencies considered to be commercial activities, which will make them subject to PIPEDA?

    NOTE: The following answers are preliminary and very general in nature and may vary depending on the specific circumstances of the situation.

    a. Long-term care facilities

      i. Private for-profit

      Yes. The health care activities carried out by this type of organization would be considered commercial and therefore subject to PIPEDA.

      ii. Private non-profit

      Organizations of this type vary greatly in their corporate objectives and their organizational structure. In order to determine if a specific private non-profit long-term care facility's health care services are commercial activities, which would make them subject to PIPEDA, it is advisable that the organization consult with their legal counsel.

      iii. Provincial (public institution/facility/agency)

      PIPEDA does not apply to core activities of a municipality, public school, university, and public hospital. Public sector legislation and provincial health information acts would apply in some cases and in some jurisdictions. The Act would not apply to a provincial public long-term care facility.

      iv. Federal (public institution/facility/agency)

      PIPEDA does not apply to federal government institutions to which the federal Privacy Act applies. Facilities that are unclear on this matter should consult their legal counsel to determine if they are subject to the federal Privacy Act.

      v. Municipal homes for the aged

      PIPEDA does not apply to core activities of a municipality, public school, university, and public hospital.

      vi. Veterans' homes

      PIPEDA does not apply to federal government institutions to which the federal Privacy Act applies.

    b. Home care services

      i. Private for-profit

      Yes. The health care activities carried out by this type of organization would be considered commercial and thus subject to PIPEDA. However, it is advisable for organizations to consult with their legal counsel.

      ii. Private non-profit

      Organizations of this type vary greatly in their corporate objectives and their organizational structure. In order to determine if a specific private non-profit home care agency's health care services are commercial activities, which would make them subject to PIPEDA, it is advisable that the organization consult with their legal counsel.

      iii. Provincial (public institution/facility/agency)

      PIPEDA does not apply to core activities of a municipality, public school, university, and public hospital. Public sector legislation and provincial health information acts would apply in some cases and in some jurisdictions. PIPEDA would not apply to a provincial public home care agency. (See Question 14)

      iv. Federal (public institution/facility/agency)

      PIPEDA does not apply to federal government institutions to which the federal Privacy Act applies. Agencies that are unclear on this matter should consult their legal counsel to determine if they are subject to the federal Privacy Act.

  12. How will PIPEDA have an impact on health professional regulations?

    Let's remember that PIPEDA applies only in the context of commercial activities. If the health professional regulatory provisions exceed those of PIPEDA, then there is no impact. However, if the regulatory provisions are weaker or do not address certain requirements, then PIPEDA would prevail.

  13. In the event that federal privacy legislation is at odds with provincial/territorial laws, standards and codes of practice governing professional associations, which legislation takes precedence? For example, a patient requests a change in his/her file and the regulatory body requires that records not be altered while PIPEDA allows modifications.

    For a true conflict to exist between PIPEDA and provincial legislation, it must be impossible to comply with both requirements.

    In the example noted above, one would not alter the document but instead add a notation to the file indicating the patient's view of the matter. If the information in the file were indeed inaccurate, it would be important to note it in the file but also indicate when and how the error was detected.

  14. What impact will PIPEDA have on health facility accreditation, on quality assurance activities, on chart audits for safety, on reviews against performance measures, on programme/service evaluation?

    Where it has been determined that PIPEDA applies to the particular health facility and a review is undertaken to assess and evaluate the care provided to an individual patient, still receiving care in the facility, then this review can be considered to be part of the circle of care.

    In instances where a number of charts are reviewed as part of a broader quality assurance program, service evaluation, safety review, accreditation activity, or assessment of broader provider practices, de-identified patient information should be used or patient express consent should be obtained unless an existing provincial law permits these disclosures.

  15. Under PIPEDA, can regulatory bodies/colleges still continue to conduct their investigative practices? Does PIPEDA require any changes in the manner in which these investigative activities are conducted?

    The relationship between a regulatory body/college and its members is most often of a noncommercial nature, and therefore not captured by PIPEDA. These bodies are also generally empowered by law to obtain personal information as necessary to fulfill their various functions. Professionals subject to the authority of a regulatory body/college would in all likelihood have agreed to the use of their personal information by the body, as part of a condition of membership. PIPEDA recognizes such authority.

    Regulatory bodies/colleges may, in the course of their function, need to obtain personal information from other organizations that are subject to PIPEDA, such as financial institutions. Such organizations may only disclose personal information without consent to entities that have been designated as "investigative bodies" under PIPEDA, by regulation. As such, regulatory bodies/colleges may be required to obtain this designation if they wish to obtain personal information from these organizations without an individual's consent.

  16. Are regulatory bodies engaged in a "commercial activity" when they collect, use or disclose personal information in the course of carrying out their statutory responsibilities to regulate their members?

    No.

  17. Do health care professional Regulatory Bodies, operating under provincial legislation, have to obtain an investigative body status under PIPEDA in order to continue to conduct complaint investigations?

    Not necessarily. Professional regulatory bodies should first determine if they have adequate authority under existing provincial legislation. If not, they may need to have this authority recognized under PIPEDA.

  18. How can colleges, regulatory bodies and accreditation bodies apply for investigative body status under PIPEDA?

    They can apply for investigative body status under PIPEDA at Industry Canada. Requests should be directed to:

      Director General
      Electronic Commerce Branch
      Industry Canada
      300 Slater Street
      Room D2090
      Ottawa, Ontario
      K1A 0C8

  19. Are there differences in the application of PIPEDA for different insurance plans, whether public or private?

    Health insurance plans that fall within the scope of public sector privacy legislation, such as the Provincial Government Health Insurance Plans, are not subject to PIPEDA. However, organizations selling private health insurance plans must comply with PIPEDA unless they are subject to provincial/territorial legislation that has been deemed substantially similar to PIPEDA. If the information flows outside provincial/territorial borders, PIPEDA will apply.

    Health care providers should make their patients aware that they, the providers, send certain information to private health insurance plans. In many cases, patients are required to sign forms to obtain reimbursement for prescription drugs or dental visits, and these forms typically contain consent provisions.

  20. Do co-payments or user fees impact the application of PIPEDA?

    No. The application of PIPEDA depends on the nature and character of the activity that the organization engages in, not the nature of the organization. For example the private practice of a health care provider is a commercial activity. Noncommercial activity is not subject to the Act. The method of payment does not determine whether or not an activity is of a commercial nature.

  21. How are telehealth services impacted by PIPEDA?

    Telehealth is a way of providing direct health services and, as such, the same rules apply.

    However, telehealth presents increased risk to the security of the information (such as unauthorized access and network breaches). As such, specific safeguard measures (e.g. encryption, access protocols) should be put in place to address these particular risks.

  22. Does PIPEDA apply to the transfer of personal information:

    a) Between provinces and territories?

    The transfer of personal information between provinces and territories is subject to PIPEDA if it occurs in the course of a commercial activity.

    b) Across international boundaries?

    The transfer of personal information outside of Canada to another country is subject to PIPEDA if it occurs in the course of a commercial activity. A provider's responsibilities under PIPEDA, such as ensuring that health information is protected, apply even when sending personal information across an international border.


Knowledge and Consent

  1. Under PIPEDA, the patient's knowledge of the collection, use and disclosure of their personal health information is required. How can this be achieved?

    A person can be considered to understand, i.e. be knowledgeable, if they are made aware of their privacy rights including:

    • What information is being collected about them
    • Purposes for which the information is being collected
    • How that information will be used by the provider/health facility/agency
    • To whom the provider/health facility/agency will disclose the information
    • How the patient can seek access to and corrections to their health record; and
    • How the patient can exercise their right to complain about the organization's personal information practices.

    There are several ways of informing patients of these rights, for example, posting of notices, brochures and pamphlets, and/or discussions in the normal course of exchanges that take place between a patient and a health care provider.

    Patients should have the opportunity to discuss this information with a health care provider if they wish to do so.

  2. Are there provisions in PIPEDA for compensating health professionals for complying with the legislation?

    No, PIPEDA contains no provision for this or for any of the industry sectors it covers.

  3. Can consent be implied for the use and disclosure of personal health information under PIPEDA?

    Yes, once patients are made aware of their privacy rights (see answer #38), consent is implied if the patient continues to seek care and treatment. Thus current practice of implied consent for the primary use of personal information in the direct care and treatment of an individual patient, as defined in a circle of care, will continue under PIPEDA. For example, a lab may infer consent because the individual would reasonably expect that the results be sent to the provider who ordered the lab work.

  4. Is consent implied for the disclosure of personal health information to private insurance companies or third party payers for the purposes of reimbursement of health services rendered?

    In certain circumstances, yes. In circumstances where the current practice is to obtain written consent by making the patient sign a reimbursement form, the practice should continue. Where no form is signed, implied consent is acceptable provided patients understand that this is happening and have not behaved in a way that may indicate a refusal of consent (see answer #38).

  5. When does PIPEDA require express consent?

    In commercial activities, the patient's oral or written consent is generally required for all uses and disclosures that are not directly related to the care and treatment of a patient.

    However, consent is not always required for research purposes. For example, consent is not required if all of the following conditions are met:

    • The information is used or disclosed for statistical, scholarly study or research purposes that cannot be achieved without using or disclosing the information.
    • It is impractical to obtain consent.
    • The organization informs the Office of the Privacy Commissioner before the information is used.

  6. What happens when the patient has concerns about the collection, use and/or disclosure of their information with respect to PIPEDA?

    The patient's concerns should be addressed by answering their questions or providing them with information about privacy policies and practices. Specific complaints must be received, investigated and addressed, or, if matters are unresolved, individuals must be informed of their right to complain to the Office of the Privacy Commissioner of Canada.

  7. What happens if the patient refuses to give consent?

    The patient must be advised of the known consequences of not consenting. Should the patient continue to refuse to consent, the providers should be guided by their respective professional standards of practice in handling this issue. In some instances, this could result in the denial of health services.

  8. What happens if the patient withdraws consent?

    The patient must be advised of the known consequences of withdrawing consent. In some instances, it could result in the interruption or the non-provision of health services.

    It is advisable that the patient's records not be destroyed for as long as they are necessary to maintain patient safety and meet audit, regulatory or other purposes. The organization should record the withdrawal and is responsible for notifying parties to whom it had disclosed the information. The patient's withdrawal of consent should not result in the destruction of the record.

  9. In cases of emergency care, must consent to the collection, use and disclosure of personal information be obtained?

    No. PIPEDA clearly provides exemptions in certain health care emergencies. Examples of such cases are when a patient is unconscious, too sick or not lucid, or when collection is clearly in the interests of the individual and consent cannot be obtained in a timely way.

  10. How do you obtain knowledge and consent if the individual does not understand either English or French, or is visually impaired and you do not have any written material (in other languages or Braille) to give them?

    Reasonable efforts should be made to communicate with the individual in order to obtain consent. Efforts can include communicating in their language, by sign language, or other means (including an interpreter or family member accompanying the patient).

  11. How will PIPEDA affect research that requires access to personal information? Will researchers require patient consent to access their records?

    Under PIPEDA health information collected in the course of a commercial activity can be used and disclosed for research purposes without consent if all the following conditions are met:

    • The information is used or disclosed for statistical, scholarly study or research purposes that cannot be achieved without using the information.
    • The information is used in a manner that will ensure its confidentiality.
    • It is impracticable to obtain consent.
    • The organization informs the Office of the Privacy Commissioner of Canada before the information is used or disclosed.

  12. How does PIPEDA's consent requirement affect the reporting requirements of provincial/territorial legislations?

    Reporting requirements, such as reporting the abuse of persons, infectious diseases and danger to others, will not change. The Act allows disclosure without consent when the disclosure is required by law.

  13. Current practice allows that a prescription can be brought, filled, and handed over to a person acting on behalf of another person. Will PIPEDA change this practice? If so, how?

    PIPEDA supports most current best practices. If an individual walks into a pharmacy with a signed prescription from a doctor for another person, they should be asked how they represent that other person. If the answer is reasonable, implied consent can be assumed, since they possess a document that likely was entrusted to them by the individual.

  14. Does PIPEDA change current practices for substitute decision makers who can exercise the right of the individual with respect to access to information and other rights related to collection, use and disclosure of the individual's health information?

    PIPEDA does not change current practices in place for substitute decision makers.


Disclosure

  1. Can case consultation still be done?

    Yes, PIPEDA does not preclude case consultation among health care providers.

  2. Can personal information be shared without patient consent between providers in an emergency situation?

    Yes.

  3. Pharmacists often print lists of filled prescriptions for patients for income tax purposes. This might include a list of prescriptions used by all members of the family. Is a separate, written consent required from each family member? What about children under the age of majority?

    Yes, express consent, either in writing or verbally, is required from all individuals of majority age. In the case of a child, consent can be obtained from the minor's legal guardian. Note that this example can be extended to other situations and professions in which a provider is asked to produce a listing of services.

  4. Under PIPEDA, can prescriptions still be phoned or faxed in by the prescriber for delivery to the patient?

    Yes. Prescriptions can still be phoned or faxed in by the prescriber for delivery to the patient, on the condition that appropriate security safeguards are in place to protect the information.

  5. If a health professional receives a request from another health professional, can patient information for circle of care purposes be disclosed to the requesting party without the patient's express consent?

    Yes, under PIPEDA, express consent of the patient is not required if the information is disclosed for the care and treatment of the patient within the circle of care.

  6. A third party health benefits insurer may require that a policyholder be made aware of a claim by another person covered under the policyholder's insurance. What is the health care provider to do under these circumstances?

    The onus to obtain the consent of the patient rests with the insurer. If this consent has not been obtained, the provider cannot be made to disclose information to a third party by a commercial contract.

  7. Can drug manufacturers continue to report adverse drug reactions using identifiable patient information to Health Canada without the patient's knowledge and consent?

    Yes. Manufacturers are required, under the Food and Drugs Act and its regulations, to report all adverse drug reactions. Since the disclosure is "required by law", it is permissible under PIPEDA.

  8. Under PIPEDA, can a health care provider in private practice continue to send billing information that contains identifiable health information without the express consent of a patient for the purposes of reimbursement to:

    The provincial/territorial government;

    Yes. Health care providers should inform their patients that they, the providers, are required to send certain information to the provincial/territorial government for reimbursement.

    A 3rd party payer?

    Yes. Health care providers should inform their patients that they, the providers, will be required to send certain information to private health insurance plans in order to be paid for the services rendered. In many cases, patients are required to sign forms to obtain reimbursement for prescription drugs or dental visits, and these forms typically contain consent provisions. (See questions # 41 & 34)

  9. Under PIPEDA, can a health care facility or service operating under the federal/provincial/territorial government e.g. a Health Authority still send, without the express consent of the patient, health record abstracts that contain identifiable information to:

    A. The provincial/territorial government;

    Yes, as PIPEDA does not apply to federal/provincial/territorial governments' activities.

    B. The Canadian Institute for Health Information (CIHI)?

    Yes, as PIPEDA does not apply to federal/provincial/territorial governments' activities. For more information on CIHI, please see http://secure.cihi.ca/cihiweb/splash.html.


Use and Retention

  1. How does PIPEDA affect the retention of temporary recordings of information?

    Under PIPEDA all identifiable personal information, regardless of format, must be protected in the same way. Temporary records that are no longer required can be destroyed, or modified to ensure that the information is no longer identifiable.

    If the provider uses a third party organization to transcribe personal information, the provider is obligated to use contractual agreements to ensure that the information is adequately protected by the third party organization in accordance with PIPEDA.

  2. Patient sessions are sometimes videotaped or audio taped for educational and clinical purposes. Training tapes are typically destroyed and do not form part of the patient's record. What impact will PIPEDA have on this practice?

    PIPEDA supports most current best practices. Patient consent must be obtained before taping. The consent form should indicate the retention period for the tape.

    Educational tapes that identify individuals must be considered to be their personal information. Accordingly, some note must be made of the existence of the tape to enable the individual to have access to it. If an individual asks to have access to the tape, they would have to be given access only to the portion containing footage of themselves.

  3. How does PIPEDA affect the ability of health care facilities to send fundraising letters to patients?

    Fundraising, in this context, is not considered to be a commercial activity. Therefore there would be no impact from PIPEDA on this activity, unless the facility was selling, leasing or trading the fundraising lists for some consideration. (see question #11).

  4. Health professionals often have the financial value of their practice assessed through a review of patient health records. Under PIPEDA can this practice continue?

    Yes. This would be considered a transfer for processing purposes, for which consent is not required. The health professional must ensure that the personal information is protected while in the possession of the third party conducting the valuation.

  5. Under PIPEDA, can a provincial/territorial government use, without the express consent of the patient, identifiable health information collected as a result of reimbursement for care and treatment or from other sources (such as health record abstracts) for administration/management activities such as planning, resource allocation, reporting, policy development or evaluation?

    PIPEDA does not apply to federal/provincial/territorial governments' activities. The personal health information collected by the governments, regardless of the source or reason for the collection, should be used and disclosed according to privacy legislation applicable to the public sector.

  6. Under PIPEDA, can a 3rd party payer use, for other general administrative purposes, identifiable health information collected as a result of reimbursement for care and treatment, without the express consent of the patient?

    No. The use of identifiable health information is limited to the original purpose of the collection for which consent was given. If the information is to be utilized for new purposes, the patient's express consent must be obtained for each new purpose.

  7. A private health care provider/facility has collected identifiable information in the course of care and treatment. It has informed the patient that the information may be used for administrative/management activities such as planning, resource allocation, reporting, or evaluation. Can the private provider use the information for these stated purposes?

    The provider/facility/service should make reasonable efforts to anonymize the patient's identifiable information for purposes of administration/management activities (see question #38).

    When the patient has been informed that their identifiable information will be used for specifically identified administration/management activities by the private provider/facility/service agency and the patient continues with the consultation for care and treatment, the patient's consent can be inferred for this use of his/her identifiable information.
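    The answer above (and question 1 of this section, on modifying temporary records so that the information is no longer identifiable) calls for anonymization but does not say what that looks like in practice. The following is an added example, not part of the original document, showing one common approach: drop direct identifiers outright, generalize quasi-identifiers (date of birth to year, postal code to its first three characters), and replace the health card number with a keyed pseudonym so that a patient's visits can still be counted without the data set revealing who they are. The record layout, field names and sample values are constructed for the example, and the HMAC-based pseudonym is a standard pseudonymization technique, not something PIPEDA prescribes.

```python
"""De-identifying a patient record for planning/reporting use.

Added illustration; the record layout and values are constructed, not
taken from any real system or from the PIPEDA Q&A.
"""
import hashlib
import hmac
import re
import secrets

# Fields that directly identify the patient: removed outright.
DIRECT_IDENTIFIERS = {"name", "address", "phone", "email"}

# Constructed sample record (fictional patient).
SAMPLE_RECORD = {
    "health_card_number": "1234-567-890",
    "name": "Jane Example",
    "date_of_birth": "1971-04-15",
    "address": "12 Maple St, Ottawa",
    "phone": "613-555-0100",
    "email": "jane@example.invalid",
    "postal_code": "K1A 0B1",
    "visit_date": "2004-03-03",
    "service_code": "A007",
    "fee_billed": 35.20,
}

# Value-level patterns for identifiers that must not survive de-identification.
_IDENTIFIER_PATTERNS = [
    re.compile(r"\b\d{4}-\d{3}-\d{3}\b"),   # health card number shape used above
    re.compile(r"\b\d{3}-\d{3}-\d{4}\b"),   # North American phone number
    re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+"),  # e-mail address
]


def pseudonymize_id(health_card_number: str, key: bytes) -> str:
    """Replace a health card number with a keyed HMAC-SHA-256 pseudonym.

    The same patient always maps to the same pseudonym, so visits can still
    be counted per patient, but without the key the pseudonym cannot be
    reversed or recomputed by guessing numbers. The key belongs to the
    provider and is stored separately from the de-identified data set.
    """
    digest = hmac.new(key, health_card_number.encode("utf-8"), hashlib.sha256)
    return digest.hexdigest()[:16]


def deidentify(record: dict, key: bytes) -> dict:
    """Return a copy of `record` suitable for administration/management use."""
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            continue                                    # drop outright
        if field == "health_card_number":
            out["patient_pseudonym"] = pseudonymize_id(value, key)
        elif field == "date_of_birth":
            out["birth_year"] = value[:4]               # generalize to year
        elif field == "postal_code":
            out["postal_fsa"] = value[:3]               # forward sortation area only
        else:
            out[field] = value
    return out


def contains_direct_identifier(record: dict) -> bool:
    """Check, by field name and by value pattern, whether identifiers survived."""
    if DIRECT_IDENTIFIERS & set(record):
        return True
    if "health_card_number" in record or "date_of_birth" in record:
        return True
    return any(p.search(str(v)) for v in record.values() for p in _IDENTIFIER_PATTERNS)


if __name__ == "__main__":
    # A fresh random key; in practice it is generated once and kept under the
    # provider's control, never shipped with the de-identified extract.
    key = secrets.token_bytes(32)
    cleaned = deidentify(SAMPLE_RECORD, key)
    print(cleaned)
    print("identifiers present:", contains_direct_identifier(cleaned))
```

Pseudonymized records can still be re-identified by whoever holds the key, or by linking the remaining quasi-identifiers (birth year, postal area, visit date) with other data, so the output should be treated as personal information until the re-identification risk for the intended use has been assessed.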


Access

  1. What is required if the patient requests that his/her records be corrected?

    PIPEDA should not alter current best practices. The health care provider will consider the request and decide whether to make the change or not.

    Historical data should be maintained as long as necessary to maintain patient safety and meet audit, regulatory or other purposes. The patient's request and the health professional's decision should be noted in the file.

  2. Do patients have a right to demand to have their record changed?

    No, they have a right to seek correction, which will be considered by the health care provider who will decide whether to make the change or not. The lack of change by the provider may then be the subject of a complaint to the Office of the Privacy Commissioner.

  3. Under PIPEDA, can a health professional deny an individual access to his/her own record?

    Yes, access can be denied for several different reasons, including:

    • If doing so would likely reveal information about another individual, unless the other individual's information is severable or the other individual has consented.
    • If doing so could reasonably be expected to threaten the life or security of another individual, unless the third party information is severable.
    • If the information is protected by solicitor-client privilege.
    • If doing so would reveal confidential commercial information.


  4. Under PIPEDA, can a health professional deny an individual access to his/her own record if the health professional thinks it might harm the individual?

    No, PIPEDA does not allow denial of access for this purpose. If access is denied on this basis, the requester can complain to the Office of the Privacy Commissioner who will investigate.

  5. Under PIPEDA, will patients have access to the interpretation tools used in psychological testing?

    PIPEDA applies to personal information. If the interpretation tools are not, or do not contain, personal information about the patient, PIPEDA does not apply. However, if the interpretation tools are necessary for the personal information to be understandable, then they must also be released.

    For example, if the tool translates raw numbers into a meaningful result, the meaningful result has to be provided, not simply the raw data.


Safeguards

  1. What is required to comply with the security standards set out in PIPEDA?

    Organizations should assess their current security practices.

    As necessary, security provisions include:

    • Developing and implementing a security policy to protect personal health information. The effort and resources needed for this exercise will vary substantially according to the size and type of organization. For a sole practitioner's office, this could simply be a short document describing how the information is safeguarded, such as:
      • physical measures (locked filing cabinets, restricting access to offices, alarm systems)
      • technological tools (passwords, encryption, firewalls, anonymizing software)
      • organizational controls (security clearances, limiting access on a "need-to-know" basis, staff training, confidentiality agreements)
    • Making employees aware of the importance of maintaining the security and confidentiality of personal information by holding regular staff training on safeguards.
    • Reviewing and updating security measures regularly.


  2. Are home care records subject to PIPEDA?

    Home care records are subject to PIPEDA if there is a commercial activity. However, where the records are in the patient's home and under the patient's control, these records are not the responsibility of the provider organization(s).

  3. Vials and other medication containers showing the patient and drug name are thrown directly in the trash by some pharmacies. Will there now be an obligation under PIPEDA to erase or destroy this information in a secure manner before disposing of the vials/medication containers?

    Yes. Vials and other medication containers that show a patient and drug name are considered personal information, which should be erased or destroyed in a secure manner.


Created: 2004-03-03
Updated: 2004-04-07