1
Focus on Privacy Law:
PIPEDA for Physicians

Medical Society of Nova Scotia
Annual General Meeting 2004
  • David T.S. Fraser
  • Chair, McInnes Cooper Privacy Law Practice Group
  • Counsel, National Privacy Services Inc.


  • david.fraser@mcinnescooper.com
  • 1-877-PRIVLAW // www.privlaw.com
2
Key Concepts: What is Privacy?
  • Often equated with confidentiality.
  • Has been characterised as the right to be left alone, to be secure in one’s home and free from unwanted interference.
  • In the context of the new laws, privacy means having control over one’s personal information
      • Choice of whether to disclose information at all
      • Control over with whom it is shared
      • Control over how it is used
      • Don’t lose control once you’ve released your information “into the wild”
3
Key Concepts: Personal Information
  • From PIPEDA:
    • Addresses “personal information” – information about an identifiable individual:
      • NOT name, title, business address or telephone number of an employee or organization
    • Would include name, address, income, health information, diagnosis, health number, demographics, preferences, birth date, SIN, tissue samples
    • Also includes analysis or opinions about an individual
  • Also includes information that may be traced back to an individual
  • Virtually any information in an individual’s medical file is their personal information
4
Background: History of Privacy Laws
  • Public sector laws date back 20+ years
    • Privacy Act – protection of personal information held by federal government
    • Freedom of Information and Protection of Privacy Act (NS) – protection of personal information held by the provincial governments
    • Hospitals Act (NS)
  • No private sector laws until recently
    • Only Quebec - Act Respecting the Protection of Personal Information in the Private Sector (1994)!
  • In private sector, only had self-regulation
    • Canadian Standards Association Model Code for the Protection of Personal Information
    • Canadian Bankers’ Association Privacy Code
    • Canadian Association of Internet Service Providers Privacy Code
    • CMA Health Information Privacy Code
5
Background: History of Privacy Laws
  • Some jurisdictions have specific health information legislation.
    • Health Insurance Portability and Accountability Act (USA)
    • Health Information Act (Alberta)
    • Personal Health Information Act (Manitoba)
    • Health Information Protection Act (Saskatchewan)
    • Personal Health Information Protection Act (Ontario – pending)
6
Background: History of Privacy Laws
  • According to surveys, one significant impediment to widespread adoption of electronic commerce has been consumer privacy
  • Part of the federal government’s e-commerce agenda, but not limited to online activities
  • Instead of re-inventing the wheel, the federal government turned to a widely-accepted (but not widely followed) privacy code – the Canadian Standards Association Model Code for the Protection of Personal Information
  • Cannot simply follow the CSA Code, as the statute changes it in some significant ways


7
PIPEDA
  • Personal Information Protection and Electronic Documents Act
    • Based on the CSA Model Code
    • Code was designed for commercial operations, not specific to health information
  • Strong view that PIPEDA is not appropriate for health information
  • Many of the view that current practices were sufficient to protect privacy
  • Medical Associations recommended that PIPEDA be amended to deal with health information or that it be “carved out” and supplemented by health specific legislation.
8
PIPEDA
  • Applies to the “collection, use and disclosure of personal information in the course of commercial activities”.
  • “Commercial activities” means
    • any particular transaction, act or conduct or any regular course of conduct that is of a commercial character, including the selling, bartering or leasing of donor, membership or other fundraising lists.
  • Physicians in private practice are engaged in “commercial activities” … PIPEDA applies
  • Physicians exclusively in hospitals or public institutions are usually not engaged in “commercial activities” … PIPEDA does not apply.
9
Implementation of PIPEDA
  • Phased in application
    • 1 January 2001 - Federal Private Sector, except health information
        • Telecommunications, railways, air travel, shipping, credit bureaus, banks
    • 1 January 2002 – Health information in the federal private sector
    • 1 January 2004 - Provincial Private Sector
        • The rest of the economy, including physicians in private practice

  • Exemption applies if provincial government steps in and passes legislation that is declared to be “substantially similar”.


    • No such legislation in Atlantic Canada – none anticipated
10
PIPEDA Ten Principles
  • Based on the principles of the Canadian Standards Association Model Code for the Protection of Personal Information:
  • Accountability
  • Identifying purposes
  • Consent
  • Limiting collection
  • Limiting use, disclosure and retention
  • Accuracy
  • Safeguards
  • Openness
  • Individual access
  • Challenging compliance


11
Principles
  • 1. Accountability - an organization is responsible for personal information under its control and shall designate an individual or individuals who are accountable for the organization’s compliance with the principles contained in the Canadian Standards Association model code for the protection of personal information.
    • You must have a privacy officer
    • You must implement the ten principles

12
Principles
  • 2. Identifying Purposes - the purposes for which personal information is collected shall be identified by the organization at or before the time the information is collected.


    • You must make reasonable efforts to tell your patients why information is being collected

13
Principles
  • 3. Consent - the knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate. Form of consent is dependent upon the sensitivity of the information.


    • You must obtain informed consent for the collection, use and disclosure of patient information
    • Medical/health information is among the most sensitive, so it carries a higher threshold of consent
    • Consent can be revoked

14
Aside: Consent Principle
  • Consent must be informed (“knowledge and consent” and principle 2)
  • Consent can take many forms:
    • Explicit consent – affirmative indication that the patient assents;
      • Can be written (consent form) or oral
    • Implied consent – consent is implied from the actions of the patient;
    • “Opt-out” consent – consent is assumed unless the patient indicates otherwise;

15
Implied Consent
  • Physicians have traditionally relied on implied consent.
  • Former Privacy Commissioner indicated that implied consent may be appropriate within the “circle of care”,
    • “assuming it is based on a general understanding of how personal information will be used and disclosed, for those uses or disclosures that a patient would reasonably expect.”
  • For physicians, implied consent presents risks that you should be aware of. “Circle of care” does not include non-treatment uses: peer review, chart reviews, CMPA consultations, etc.
  • Explicit consent provides clear documentation and evidence of the patient’s understanding and their consent.
16
Principles
  • 4. Limiting Collection - the collection of personal information shall be limited by that which is necessary for the purposes identified by the organization.  Information shall be collected by fair and lawful means.
    • Can only collect necessary information
    • Can only collect information for the purposes that have been communicated to the patient

17
Purposes
  • 5. Limiting Use, Disclosure, and Retention - Personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Personal information shall be retained only as long as necessary for the fulfilment of those purposes.


    • Must obtain consent for all purposes. Should get consent for foreseeable uses in advance.
    • Must consider records retention

18
Principles
  • 6. Accuracy - Personal information shall be as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used.


    • If information is going to be used to make a decision about an individual, the decision maker has the obligation to use current, accurate information

19
Principles
  • 7. Safeguards - Personal information shall be protected by security safeguards appropriate to the sensitivity of the information.


    • As custodian of very sensitive records, physicians must put in place physical, organizational and technological security measures to protect against the accidental disclosure, alteration, deletion, etc. of personal information
    • Obligations begin with collection and end with safe disposal. Obligations also follow the information when it is being processed by third parties.
20
Principles
  • 8. Openness - An organization shall make readily available to individuals specific information about its policies and practices relating to the management of personal information.
    • 4.8.2  The information made available shall include
      • (a) the name or title, and the address, of the person who is accountable for the organization's policies and practices and to whom complaints or inquiries can be forwarded;
      • (b) the means of gaining access to personal information held by the organization;
      • (c) a description of the type of personal information held by the organization, including a general account of its use;
      • (d) a copy of any brochures or other information that explain the organization's policies, standards, or codes; and
      • (e) what personal information is made available to related organizations (e.g., subsidiaries).

    • Must have a privacy policy that clearly communicates how the practice handles personal information.


21
Principles
  • 9. Individual Access - Upon request, an individual shall be informed of the existence, use, and disclosure of his or her personal information and shall be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.


    • Individuals have a right of access to their personal information, subject to narrow exceptions.
    • Access must be provided within 30 days, extendable by a further 30 days.
    • Documents must be understandable – handwriting transcribed, abbreviations and technical terms explained.
    • Patients with a visual disability have a right to information in Braille or read to them.
    • Can charge a “reasonable fee” but don’t expect to recover your costs of compliance
22
Principles
  • 10. Challenging Compliance - An individual shall be able to address a challenge concerning compliance with the above principles to the designated individual or individuals accountable for the organization's compliance.


    • Every practice must have procedures in place to receive and respond to complaints or inquiries about policies and practices relating to the handling of personal information.
    • The complaint procedures should be easily accessible and simple to use.
    • Important mechanism to prevent queries from becoming complaints.
23
Consequences
  • Complaint driven process
    • Commissioner can audit, but is unlikely to do so.
    • No “reporting” requirements
  • The Commissioner is akin to an “ombudsman”
    • Has a mandate to resolve complaints.
    • New Commissioner much more likely to be helpful.
  • Any individual (not just patient!) can make a written complaint to the Privacy Commissioner (s. 11).
    • Commissioner may initiate a complaint of her own accord or conduct an audit.
    • Commissioner investigates the complaint
    • Powers in s. 12(1): Compel evidence, administer oaths, accept any evidence whether ordinarily admissible (or not), enter any premises other than a dwelling, review documents, etc.
  • Commissioner’s Report
    • To contain findings and recommendations, whether there was a settlement
    • “Anonymous” version is made public
    • Commissioner can decline to issue a report if the complainant has other recourse available
24
Consequences
  • Court hearing
    • A complainant (not the organization), after receiving the Commissioner’s report, may apply to the Federal Court – Trial Division for a hearing.
    • Hearing is not an appeal of the Commissioner’s findings
  • Court’s remedies include:
    • Order the practice/physician to correct its practices in order to comply with ss. 5-10 of the Act;
    • Order the practice/physician to publish a notice of actions taken to correct its practices; and
    • Award damages, including damages for humiliation the complainant may have suffered.
25
Power of Publicity
  • Commissioner has the power to “make public any information relating to the personal information management practices of an organization if the Commissioner considers that it is in the public interest to do so.” s. 20(2).
  • Commissioner can publicize information handling practices, even before the Court has been given the opportunity to consider the matter.
  • Commissioner’s pronouncements are privileged for the purposes of any law related to libel or slander, so long as it is said in good faith.


26
Employers need to know
  • PIPEDA creates a number of offences about which employers must be aware. It is unlawful to
    • discipline or retaliate against an employee or independent contractor who
      • “Whistleblows” to the Commissioner about the employer’s privacy practices;
      • Refuses to do something contrary to Part I of the Act;
      • Acts to prevent a contravention of Part I of the Act;
    • interfere with an investigation of the Commissioner
    • destroy personal information before a complainant has exhausted his/her recourse against the organization
27
What it means to physicians
  • Worst-case scenarios
    • The CMA has estimated that the law will require 1900 additional physician-years to implement across Canada
  • Some have suggested that the uncertainty of the law means that physicians should “wait and see” to see how it is interpreted
    • Not a good idea – you don’t want to be the test-case
  • CMPA
    • “practitioners who are not implementing privacy law requirements in their province/territory might be at medico-legal risk.”
    • Whether the CMPA will respond to defend against complaints is also undetermined
  • Colleges
    • Whether non-compliance may be unprofessional conduct is unclear
    • Generally recognized that regulated professionals (physicians, lawyers, engineers, etc.) are ethically/professionally obliged to obey the law
28
What physicians need to do
  • Appoint a privacy officer (I, X)
      • Will need to be well trained / have good resources
  • Develop a communications plan (II)
      • You must tell your patients how you will use their information
  • Develop a consent strategy (III)
      • You need consent … how will you get it?
  • Develop a privacy policy (VIII)
      • Every organization that collects, uses and discloses personal information in the course of commercial activity must make this available.
  • Allow individual access (IX)
      • Put in place pre-release screening
  • Implement safeguards (VII)
      • Have your safeguards audited by a professional who is attuned to privacy issues
  • Train all staff (VIII, II, I)



29
Existing Resources
  • Medical Society of Nova Scotia (http://www.doctorsns.com)
    • Good resources and links to assistance
    • MSNS has been the most proactive provincial society
  • Office of the Privacy Commissioner (http://www.privcom.gc.ca)
    • Some very generic resources – not focused on the medical community
  • Industry Canada Privacy Awareness Tools (http://ecom.ic.gc.ca/epic/internet/inecic-ceac.nsf/en/h_gv00207e.html)
    • PIPEDA Q & As
  • Canadian Medical Association (http://www.cma.ca/privacy-shortcuts)
    • “Shortcuts” with general information for physicians – legislation agnostic
30
Focus on Privacy Law:
PIPEDA for Physicians

Medical Society of Nova Scotia
Annual General Meeting 2004
  • David T.S. Fraser
  • Chair, McInnes Cooper Privacy Law Practice Group
  • Counsel, National Privacy Services Inc.
  • david.fraser@mcinnescooper.com
  • (902) 424-1347