The Canadian Privacy Law Blog: Developments in privacy law and writings of a Canadian privacy lawyer, containing information related to the Personal Information Protection and Electronic Documents Act (aka PIPEDA) and other Canadian and international laws.

Search this blog

Recent Posts

On Twitter

About this page and the author

The author of this blog, David T.S. Fraser, is a Canadian privacy lawyer who practices with the firm of McInnes Cooper. He is the author of the Physicians' Privacy Manual. He has a national and international practice advising corporations and individuals on matters related to Canadian privacy laws.

For full contact information and a brief bio, please see David's profile.

Please note that I am only able to provide legal advice to clients. I am not able to provide free legal advice. Any unsolicited information sent to David Fraser cannot be considered to be solicitor-client privileged.

David Fraser's Facebook profile

Privacy Calendar



Subscribe with Bloglines

RSS Atom Feed

RSS FEED for this site

Subscribe to this Blog as a Yahoo! Group/Mailing List
Powered by

Subscribe with Bloglines
Add to Technorati Favorites!

Blogs I Follow

Small Print

The views expressed herein are solely the author's and should not be attributed to his employer or clients. Any postings on legal issues are provided as a public service, and do not constitute solicitation or provision of legal advice. The author makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information contained herein or linked to. Nothing herein should be used as a substitute for the advice of competent counsel.

This web site is presented for informational purposes only. These materials do not constitute legal advice and do not create a solicitor-client relationship between you and David T.S. Fraser. If you are seeking specific advice related to Canadian privacy law or PIPEDA, contact the author, David T.S. Fraser.

Tuesday, November 14, 2006

Electronic health information and privacy 

I spent yesterday in Ottawa at the Electronic Health Information and Privacy Conference. The speakers were very good and the topics covered a very wide range of sub-topics, including privacy enhancing technology, data masking, and research use of personal health information.

IT Business has some coverage of the conference here. What I found to be one of the most telling observations was made by Dr. Geiger of the Ottawa Hospital:

As Dr. Glen Geiger, the Ottawa Hospital’s medical director of clinical information systems told the conference, even hospital employees don’t want their personal health information loaded onto the electronic patient record. They flag their records to have them registered in special outpatient accounts so the results do not populate the electronic record, Geiger said.

“Treating personal health information for staff differently from that of everyone else creates two classes of citizens,” Geiger said. “That’s wrong. If our staff don’t trust us to keep their information private, why should anyone else?”

I continue to be puzzled about the assumption that PIPEDA allows "implied consent" within a mythical "circle of care". This assumption is expressed in a number of areas, but the prime example is in the PIPEDA Awareness Raising Tools (PARTs) Initiative for the Health Sector.

This may appear eminently reasonable, but I don't think it's a foregone conclusion that a judge would agree. The relevant provision in PIPEDA says that the form of the consent has to be based on the sensitivity of the information. If health information is among the most sensitive (not much debate on this topic), it follows that it requires robust consent. Implied consent doesn't really cut it. I've written about this before if you want to read about it in greater depth (see Focus on Privacy: The Application of PIPEDA to Personal Health Information).

40. Can consent be implied for the use and disclosure of personal health information under PIPEDA?

Yes, once patients are made aware of their privacy rights (see answer #38), consent is implied if the patient continues to seek care and treatment. Thus current practice of implied consent for the primary use of personal information in the direct care and treatment of an individual patient, as defined in a circle of care, will continue under PIPEDA. For example, a lab may infer consent because the individual would reasonably expect that the results be sent to the provider who ordered the lab work.

41. Is consent implied for the disclosure of personal health information to private insurance companies or third party payers for the purposes of reimbursement of health services rendered?

In certain circumstances, yes. In circumstances where the current practice is to obtain written consent by making the patient sign a reimbursement form, the practice should continue. Where no form is signed, implied consent is acceptable provided patients understand that this is happening and have not behaved in a way that may indicate a refusal of consent (see answer #38).

42. When does PIPEDA require express consent?

In commercial activities, the patient's oral or written consent is generally required for all uses and disclosures that are not directly related to the care and treatment of a patient.

This position is also adopted in the Pan-Canadian Health Information Privacy and Confidentiality Framework. Implied consent within the circle of care may be the rule in Ontario's PHIPA, but assuming it is also the rule in PIPEDA is more than a little bit risky.

Labels: , ,

Links to this post:

Create a Link

This page is powered by Blogger. Isn't yours? Creative Commons License
The Canadian Privacy Law Blog is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 2.5 Canada License. lawyer blogs