![]() |
|||
![]() ![]() |
![]() |
![]() |
Français | ![]() |
Contact Us | ![]() |
Help | ![]() |
Search | ![]() |
Canada Site |
![]() |
![]() |
![]() |
![]() |
![]() |
![]() |
![]() |
![]() |
![]() |
![]() |
![]() |
![]() |
![]() |
Home | ![]() |
Site Map | ![]() |
What's New | ![]() |
About Us | ![]() |
Registration |
![]() |
![]() ![]() ![]() ![]() |
|
![]() |
![]() |
![]() PIPEDA Awareness Raising Tools (PARTs) Initiative For The Health SectorQuestions & Answers - First SeriesNOTICE: This document has been prepared in consultation with health care provider associations within the context of their day-to-day activities in providing care and treatment to Canadians. The answers to the questions may not necessarily be appropriate for organizations not subject to PIPEDA.
Overview:
PIPEDA is federal legislation that protects personal information, including health information. It sets out ten principles that organizations, individuals, associations, partnerships and trade unions must follow when collecting, using and disclosing personal information in the course of a commercial activity. The Act will not apply to personal information in Provinces and Territories that have substantially similar privacy legislation in place covering commercial activities that are provincially/territorially regulated. PIPEDA does not apply within the province of Quebec because the province has received substantially similar status but the Act will continue to apply to the province of Quebec for personal information sent outside of the province and to organizations currently subject to the Act, such as banks, broadcasters, airlines, transportation companies and other federally regulated organizations. For more details on this subject please consult Industry Canada?s web site at: www.strategis.ic.gc.ca/privacy
PIPEDA aims to provide assurances to the public, patients, and providers that personal health information will continue to be managed and shared confidentially and securely. The Government of Canada believes that, in most cases, PIPEDA's principles may not significantly differ from those currently in place in the health sector. However, to make consent valid PIPEDA requires informing patients of their privacy rights and providing them with an opportunity to know what personal information is being collected, for what purpose, how it will be used, disclosed, and protected (see answer #19 for details).
Key Definitions:
In the health context, personal information means information about an identifiable patient which includes any factual or subjective information, recorded or not, about that individual, including health related information. An organization includes associations, partnerships, trade unions, agencies, and institutions. It also includes health care providers in private practice. A commercial activity involves the making and provision of a product or service that is commercial in nature. Under PIPEDA, commercial activities include, for example, the selling, bartering, or leasing of donor, membership or other fundraising lists for some consideration. The funding source (public health insurance, private payer, 3rd party payer, etc) is not relevant in determining the existence of a commercial activity. The expression includes the individuals and activities related to the care and treatment of a patient. Thus, it covers the health care providers who deliver care and services for the primary therapeutic benefit of the patient and it covers related activities such as laboratory work and professional or case consultation with other health care providers.
Scope of Application:
No, PIPEDA only applies to the information collected, used and disclosed in the course of commercial activities such as private pharmacies, laboratories and health care providers in private practices. Also, the Act will not apply to personal information in Provinces and Territories that have a substantially similar privacy legislation in place covering commercial activities that are provincially regulated, such as in the province of Quebec. For more details on this subject please consult Industry Canada's web site at: www.privacyforbusiness.ic.gc.ca No, privacy is a right underpinning health care in Canada. This right is addressed in legislation, codes of ethics, standards and procedures. The Government of Canada believes that, in most cases, PIPEDA's principles may not significantly differ from those currently in place in the health sector. However, to make consent valid PIPEDA requires informing patients of their privacy rights and providing them with an opportunity to know what personal information is being collected, for what purpose, how it will be used, disclosed, and protected (see answer #19 for details). Information about privacy rights must be made available to patients so that the patients can decide whether or not to consent to the collection, use and disclosure of their personal information. PIPEDA should not significantly alter the therapeutic provider/patient relationship. However, PIPEDA may require some changes. For example, in addition to informing individuals about the purpose of the collection, use and disclosure of their personal information to make their consent valid, health care organizations should review their practices and policies to ensure they meet the PIPEDA principles, in particular with respect to secondary uses of the personal health information, e.g. research, health surveillance and statistical analysis of data purposes. Yes, it applies to commercial activities within the circle of care.
Yes. A key consideration in determining which organization or individual should comply with PIPEDA is who has control of the personal information and whether they are engaged in commercial activity. PIPEDA does not apply to core activities of a municipality, public school, university, public hospital or correctional facility. Public sector legislation and provincial health information acts would apply in some cases and in some jurisdictions. For example, the Federal Privacy Act would apply in the case of a federal correctional institution. PIPEDA applies to personal information collected, used, and disclosed during the course of any commercial activity. Records in organizations engaged in commercial activity would be covered by PIPEDA, e.g. private group homes. In the case of an organization subject to PIPEDA that employs a health care professional on a contract basis or on salaried basis, the issue of accountability for compliance depends on who has control of the personal information - the organization, the professional or both. It is based on the nature of the activity. A non-profit organization can be engaged in a commercial activity to which the Act would apply. For example, the sale of a fundraising list by a charity can trigger the application of the Act with respect to that particular transaction. The Act would not apply to a provincially funded hospital. Hospitals are beyond the constitutional scope of the Act as their core activities are not commercial in nature. Charging for a private room would not bring a hospital within the scope of the Act because the transaction is part of the hospital's core activities, i.e. providing accommodation. In the case of a privately owned medical equipment store or TV rental business, if the hospital leases the space to the operator, the latter is responsible for complying with the Act, not the hospital. Let's remember that PIPEDA applies only in the context of commercial activities. If the health professional regulatory provisions exceed those of PIPEDA then there is no impact. However, if the regulatory provisions are weaker or do not address certain requirements, than PIPEDA would prevail. For a true conflict to exist between PIPEDA and provincial legislation, it must be impossible to comply with both requirements. In the example noted above, one would not alter the document but instead add a notation to the file indicating the patient's view of the matter. If the information in the file were indeed inaccurate, it would be important to note it in the file but also indicate when and how the error was detected. Where it has been determined that PIPEDA applies to the particular health facility and a review is undertaken to assess and evaluate the care provided to an individual patient, still receiving care in the facility, then this review can be considered to be part of the circle of care. In instances where a number of charts are reviewed as part of a broader quality assurance program, service evaluation, safety review, accreditation activity, or assessment of broader provider practices, de-identified patient information should be used or patient express consent should be obtained unless an existing provincial law permits these uses and disclosures.
Knowledge and Consent:
A person can be considered to understand, i.e. be knowledgeable, if they are made aware of their privacy rights including: Patients should have the opportunity to discuss this information with a health care provider if they wish to do so. No, PIPEDA contains no provision for this or for any of the industry sectors it covers. Yes, once patients are made aware of their privacy rights (see answer #19 above), consent is implied if the patient continues to seek care and treatment. Thus current practice of implied consent for the primary use of personal information in the direct care and treatment of an individual patient, as defined in a circle of care, will continue under PIPEDA. For example, a lab may infer consent because the individual would reasonably expect that the results be sent to the provider who ordered the lab work. In certain circumstances, yes. In circumstances where the current practice is to obtain written consent by making the patient sign a reimbursement form, the practice should continue. Where no form is signed, implied consent is acceptable provided patients understand that this is happening and have not behaved in a way that may indicate a refusal of consent (see answer #19 above). In commercial activities, the patient's oral or written consent is generally required for all uses and disclosures that are not directly related to the care and treatment of a patient. However, consent is not always required for research purposes. For example, consent is not required if all of the following conditions are met:
The patient's concerns should be addressed by answering their questions, or providing them with information about privacy policies and practices. Specific complaints must be received, investigated and addressed or, if matters are unresolved, individuals must be informed of their right to complain to the Office of the Privacy Commissioner of Canada. The patient must be advised of the known consequences of not consenting. Should the patient continue to refuse to consent, the providers should be guided by their respective professional standards of practice in handling this issue. In some instances, this could result in the denial of health services. The patient must be advised of the known consequences of withdrawing consent. In some instances, it could result in the interruption or the non-provision of health services. It is advisable that the patient's records not be destroyed for as long as they are necessary to maintain patient safety and meet audit, regulatory or other purposes. The organization should record the withdrawal and is responsible for notifying parties to whom it had disclosed the information. The patient's withdrawal of consent should not result in the destruction of the record. No. PIPEDA clearly provides exemptions in certain health care emergencies. Examples of such cases are when a patient is unconscious, too sick or not lucid, or when collection is clearly in the interests of the individual and consent cannot be obtained in a timely way. Reasonable efforts should be made to communicate with the individual in order to obtain consent. Efforts can include communicating in their language, by sign language, or other means (including an interpreter or family member accompanying the patient).
Disclosure:
Yes, PIPEDA does not preclude case consultation among health care providers. Yes. Yes, express consent, either in writing or verbally, is required from all individuals of majority age. In the case of a child, consent can be obtained from the minor's legal guardian. Note that this example can be extended to other situations and professions in which a provider is asked to produce a listing of services.
Access:
PIPEDA should not alter current best practices. The health care provider will consider the request and decide whether to make the change or not. Historical data should be maintained as long as necessary to maintain patient safety and meet audit, regulatory or other purposes. The patient's request and the health professional's decision should be noted in the file. No, they have a right to seek correction, which will be considered by the health care provider who will decide whether to make the change or not. The lack of change by the provider may then be the subject of a complaint to the Office of the Privacy Commissioner.
Safeguards:
Organizations should assess their current security practices. As necessary, security provisions include: Home care records are subject to PIPEDA if there is a commercial activity. However, where the records are in the patient's home and under the patient's control, these records are not the responsibility of the provider organization(s). Note: This document is an administrative tool to assist in understanding PIPEDA. It is not intended as legal advice. |
![]() |
![]() |
|||
Created: 2003-12-11 Updated: 2004-01-07 ![]() |
![]() Top of Page ![]() |
Important Notices![]() |