Question 1

The health information legislation will apply to all personal health information in the records of a custodian in any setting. Does the definition of a custodian include everyone who has custody or control of a record? Should the definition be changed and how?

 Question 2

Does the definition of personal health information include all information that would be considered personal health information?

 Question 3

 
Collection of Personal Health Information

Most personal health information is collected directly from people when they go to a hospital or see a health professional. The information is collected to provide the person with health care, or for a program or activity offered by the custodian. Custodians may also collect personal health information because it is required or authorized by law, or it is needed to run the program or activity from which the person is getting services. However, sometimes information may be collected from another person or custodian and these will be identified in regulations.

When the personal health information is collected directly from the person the custodian will tell the person why it is being collected. The custodian must also provide information on who to contact to learn more about the reason for the collection, use and disclosure of the information. The custodian does not have to inform the person again of the purposes and the contact name if similar information is being collected for the same or a related purpose.



Accuracy of Personal Health Information

A custodian must ensure that the personal health information in their records is accurate and complete, for the reason for which it was collected. For example, a researcher may not need a person’s street address, but may need the postal code if the results are to be reported by geographic region.

Accuracy is very important and if a person feels that his or her personal health information is not exact, he or she may ask the custodian to correct it. The custodian will have to respond in a manner and time frame similar to those set up in ATIPPA (See Section 11 and 12 in Access to Information and Protection of Privacy Act). When the personal health information is corrected by the custodian, a record of the original information must be saved.

Using Personal Health Information

A custodian may use personal health information for the reason given when the information was first collected or for another consistent purpose. A consistent purpose has a reasonable, direct link to the reason the information was collected and is needed for the custodian’s legal duties or activity.

The custodian may use the personal health information for a use other than direct health care:

• if the person has agreed to another use
• to prevent or lessen a threat to a person’s mental or physical health or safety, or that of the public.
• to deliver, monitor or evaluate a program,
• to conduct a review of, or for planning by the custodian,
• by a researcher when the project has been approved by a research ethics board,
• for a use authorized by legislation, or
• to create statistical information and information that cannot by itself or when combined with other information, identify a person.

Question 4

The health information legislation will require that a custodian who collects personal health information that is not recorded, limit the use of that information to the reason for which it was collected.

Disclosing Personal Health Information

Custodians may disclose personal health information to the person that the information is about, or to another person or custodian, if the person agrees.

 
The health information legislation will note situations when the custodian is allowed to disclose personal health information without the person’s consent. These include:

• to another custodian, unless the person has instructed the custodian not to disclose the information,
• to a public body administering a regulated program or service,
• to prevent or lessen a threat to a person’s mental or physical health or safety, or that of the public.
• to contact a relative or friend when a person is injured, incapacitated, or ill,
• to identify a deceased person,
• for peer review and quality assurance,
• in the discipline of a health professional,
• to a health information network set up by the government or another custodian recognized in the regulations and for the purpose of delivering care, evaluating or monitoring a program, or review and planning,
• to the government of NL or the government of another jurisdiction, or a public body for payment of health care provided to the individual,
• for use in a civil or quasi-judicial proceeding to which the custodian is a party,
• to comply with a subpoena, warrant or order, or
• to a public body or law enforcement agency regarding the payment for the provision of health care, or investigation or prosecution of an offence related to such payment.

Question 5

Are these disclosures appropriate without the person’s consent? Are there other disclosures of personal health information that have not been identified?
 

When a person is a hospital patient or a resident in a long term care facility, the custodian may disclose personal health information to a relative or friend unless the person has stated that the information must not be disclosed.

Disclosure of Personal Health Information for Research

A custodian may disclose personal health information for research purposes after the project has been approved by a research ethics board. A research ethics board may approve a project when:

• the importance of the research outweighs any intrusion into privacy,
• the research cannot be properly accomplished without the personal health information,
• consent of any identifiable individuals will be obtained or it is unreasonable or impractical for the researcher to obtain consent from the individual, and
• the research project has reasonable safeguards to protect the personal health information, and procedures to destroy the information or remove all identifying information without compromising the research.

In assessing whether it is impractical to get consent, the research ethics board shall consider

• the number of individuals being studied,
• the number of those people who are likely to have moved or died since the personal health information was collected,
• the risk of introducing bias into the research,
• the possibility that the process of re-identifying anonymised information so as to get consent could further violate the confidentiality of the personal health information,
• the possibility that contacting the person to get consent could harm that person,
• the difficulty of contacting the individual, and
• other factors the research ethics boards feels are relevant.

The custodian and the researcher must agree that the researcher will not publish any information that would identify a person, the researcher will only use the personal health information for the approved research project, and the research ethics board may set rules to protect the confidentiality of the personal health information.

If the research requires direct contact with the person, the custodian must get a person’s consent before disclosing the personal health information.

Question 6

Do the factors regarding the research ethics board and the custodian strike the proper balance between protecting a person’s privacy and the need for quality research in the public interest using personal health information?

Access to an Individual’s Own Personal Health Information

The rights of a person to access his or her own personal health information under the proposed health information legislation is similar to that provided for by ATIPPA (See Section 7 in Access to Information and Protection of Privacy Act). However, the custodian may refuse permission for the person to examine or receive a copy of his or her record of personal health information if the information was gathered solely for:

• the purpose of peer review by health professionals,
• for review by a quality assurance committee set up to review health services; or,
• for the purposes of a body with legal responsibility for the discipline of health professionals or for the quality of professional services provided by a health professional.

Role of the Information and Privacy Commissioner and Privacy Officers

The role of the Commissioner under the proposed health information legislation is similar to the role and authority established in ATIPPA. The position of Privacy Officer is similar to that of the Access Coordinator set up under ATIPPA (See Section 51 in Access to Information and Protection of Privacy Act). 

Consent

All previous comments have been included in the current draft of the bill, An Act to Provide Individuals with Access to and Protection of Personal Health Information. The Minister of Health and Community Services is specifically asking for comments on the issues of consent for the collection, use and disclosure of personal health information as this issue has not been included in the current draft of the legislation. The elements of consent generally include that it must be the consent of the person, it must be knowledgeable, related to the information, and not obtained through deception or force.

Consent is considered knowledgeable if it is reasonable in the circumstances to believe that the person knows the purposes and the person may or may not give consent. It would be reasonable to believe that a person knows the reason for the collection, use and disclosure of the personal health information if the custodian makes easily available a notice describing the purposes, or if the custodian gives the person the needed information through discussions or in print.

There are two types of consent, implied and express. A custodian may assume the person has
implied consent unless the person tells the custodian to withhold or withdraw consent. The withdrawal of consent would not be retroactive. The custodian must take reasonable steps to comply with the person’s notice to withhold or withdraw consent and must inform the person of all consequences.

If a person who is a resident or inpatient provides the custodian with information about religious affiliation, the facility may assume implied consent to disclose that information to a representative of the religion where the custodian has offered the person the chance to withhold or withdraw consent.

Express consent would be required for a disclosure of personal health information if the disclosure is not to another custodian, or if the disclosure is to another custodian but not for the purposes of providing health care or assisting in providing health care. Express consent would also be needed for the collection, use and disclosure of personal health information for purposes outside the health care team, except as specifically otherwise provided by legislation.

Question 8

Does this approach to the use of implied and expressed consent provide the appropriate level of consent for the person without creating an administrative burden for custodians?