Section 5: Health Data Management and Privacy Legislation
Dr. Sinéad McElhone; Sherri Hannell; and Noah James
Section Overview
In this section, we will focus more on health data management and health privacy laws in Canada and how these combine to ensure our personal health information is protected and governed appropriately.
According to the Canadian Institute for Health Information (2020b):
In Canada’s health systems, governance of data and information is critical. Strong data and information governance ensures that data is timely, trusted, and fit-for-purpose on a sustained basis. (para. 1)
Furthermore, the Canadian Institute for Health Information (2020a) states the following:
Health systems across Canada are seeking greater value from their health data and information assets in an effort to achieve sustainable, effective, and impactful outcomes, resulting in better individual and population health and better health system planning and delivery. At the same time, it is essential to continue to keep personal health information protected in order to earn and retain public trust. (p. 6)
Section Objectives
By the end of this section, you will be able to:
- Describe two key privacy laws within Canada;
- Understand how personal health information is governed within Ontario;
- Describe the differences between personal information and personal health information;
- List key terms associated with managing health data from a privacy perspective; and
- Describe the implications of a privacy breach for the individual and the organization.
Test Your Knowledge
Complete the following activity to assess how much you already know about the content that will be covered in this section.
Introduction
There are numerous pieces of privacy legislation across Canada from a federal and provincial perspective, and these pieces of legislation differ across the various sectors – public sector, private sector, and health sector. It is possible that more than one privacy law could apply to an organization based on the data they collect and province they reside in.
Canada has two federal privacy laws that are enforced by the Office of the Privacy Commissioner of Canada. These are the Privacy Act and the Personal Information Protection and Electronic Documents Act (PIPEDA), which determines how businesses manage personal information. PIPEDA provides foundational privacy rules for how private sector companies should collect, use, and disclose personal information across Canada, while the Privacy Act is only related to Federal Government Institutions. PIPEDA does not apply to organizations that do not engage in commercial, for-profit activities. It is possible that more than one privacy law could apply to an organization. One part of an organization’s activities, such as collecting personal information within a province, may be subject to a provincial privacy law, while another part, such as disclosure across provincial borders, may be subject to PIPEDA.
What is Personal Information?
Personal information is data about an “identifiable individual” (Government of Canada Office of the Privacy Commissioner, 2018). It is information that on its own, or combined with other pieces of data, can identify you as an individual, such as demographic information (e.g., age, sex, financial information, race, ethnicity, social insurance number, etc.).
What is Personal Health Information?
Health information may be collected and used by many different organizations: federal, provincial, private, or public. Therefore, different regulations may be applied depending on the scenario. Health sector legislation, whether federal or provincial, focuses on the collection, use, and disclosure of information within the circle of care by a health information custodian.
Personal health information is identifiable health information collected on an individual by an organization on behalf of a health information custodian (either orally, documented on paper, or electronically). A custodian is prohibited from collecting, using, or disclosing personal health information unless consent has been obtained.
Deeper Dive
Check out other pertinent legislation related to granting access to information and protecting the privacy of individuals:
- MFIPPA – Municipal Freedom of Information and Privacy Act: https://www.ontario.ca/laws/statute/90m56
- FIPPA – Freedom of Information and Privacy Act: https://www.ontario.ca/laws/statute/90f31
- PHIPA – Personal Health Information Protection Act: https://www.ontario.ca/laws/statute/04p03)
Many provinces have their own legislation pertaining to the collection, use, and disclosure of health information. In Ontario, our legislation is called the Personal Health Information Protection Act (PHIPA).
PHIPA sets out rules for the collection, use, and disclosure of personal health information. These rules apply to all health information custodians operating within the province of Ontario and to individuals and organizations that receive personal health information from health information custodians. These rules recognize the unique character of personal health information, as one of the most sensitive types of personal information that is frequently shared for a variety of purposes, including care and treatment, health research, and managing our publicly funded health care system.
The purposes of the PHIPA Act (2004) are:
-
- To establish rules for the collection, use, and disclosure of personal health information about individuals that protect the confidentiality of that information and the privacy of individuals with respect to that information, while facilitating the effective provision of health care;
- To provide individuals with a right of access to personal health information about themselves, subject to limited and specific exceptions set out in this Act;
- To provide individuals with a right to require the correction or amendment of personal health information about themselves, subject to limited and specific exceptions set out in this Act;
- To provide for independent review and resolution of complaints with respect to personal health information; and
- To provide effective remedies for contraventions of this Act.
Watch the video below about PHIPA:
The legislation balances individuals’ right to privacy with respect to their own personal health information with the legitimate needs of persons and organizations providing health care services to access and share this information. With limited exceptions, the legislation requires health information custodians to obtain consent before they collect, use, or disclose personal health information. In addition, individuals have the right to access and request correction of their own personal health information.
What is the Circle of Care?
The circle of care can be different depending on the organization. According to the Information and Privacy Commissioner of Ontario (2015a):
In the context of a hospital, the circle of care may include: the attending physician and the health care team, for example residents, nurses, clinical clerks, and employees assigned to the patient, who have the responsibility of providing care to the individual or assisting with that care. (p. 18)
What Happens if an Employee Outside of the Circle of Care Reviews Personal Health Information?
There can be serious repercussions for employees who ‘snoop’ in patients’/clients’ files if they are not part of the circle of care – e.g. fines or losing their jobs.
Deeper Dive
Check out these newspaper articles about employees who ‘snooped’ in patients’/clients’ files:
What is a Health Information Custodian?
According to the Information and Privacy Commissioner of Ontario (2015a):
A custodian is a person or organization listed in PHIPA that, as a result of his, her, or its power or duties or work set out in PHIPA, has custody or control of personal health information. Examples of custodians include: health care practitioners, hospitals, long-term care homes, pharmacies, laboratories, ambulance services, Canadian Blood Services, etc. (p. 7-8)
Collection, Use, and Disclosure
According to the Information and Privacy Commissioner of Ontario (2015a):
Collection refers to the gathering, acquiring, receiving, or obtaining of personal health information by any means from any source.
Use refers to handling or dealing with personal health information as described in previous sections in this chapter such as the data lifecycle or data management.
Disclosure refers to the fact that, as a general rule, consent is required to disclose an individual’s personal health information, unless PHIPA allows the disclosure without consent and it means to make the personal health information available or to release it to another custodian or person.
Privacy, Confidentiality, and Security
Privacy refers to the right of an individual to control the collection, use, disclosure, and retention of their personal information.
Confidentiality refers to the obligation of a health care provider (or other person) to protect the secrecy of personal information.
Security refers to the tools and techniques we use to protect the confidentiality, integrity, and availability of personal information.
What is a Privacy Breach?
PHIPA contains notification requirements for both agents and custodians. If personal health information handled by an agent on behalf of a custodian is stolen, lost, or accessed by unauthorized persons, the agent must notify the custodian of the breach at the first reasonable opportunity (Information and Privacy Commissioner of Ontario, n.d.-a). PHIPA also requires custodians to notify individuals at the first reasonable opportunity if personal health information is stolen, lost, or accessed by an unauthorized person.
According to the Information and Privacy Commissioner of Ontario (2018):
In Ontario, health information custodians have a duty under PHIPA to protect personal health information against privacy breaches. A privacy breach occurs when personal health information is collected, used, or disclosed without authorization. This can include theft, loss, or unauthorized copying, modification, or disposal. As a custodian, you should have a privacy breach protocol in place so that there is a process to follow in the event of a privacy breach. The protocol should be flexible enough to cover a wide range of possible breaches, such as:
-
- Cyberattacks;
- Loss or theft of portable devices;
- Misdirected faxes; and
- Collection of personal health information without authority by means of the electronic health record. (p. 1)
Deeper Dive
Check out these newspaper articles about privacy breaches:
Privacy Breach Fines
There are now very heavy fines for individuals and organizations who are guilty of committing an offence under PHIPA. An individual found guilty of committing an offence under PHIPA can be liable for a fine of up to $200,000 or up to one year in prison, or both. An organization or institution can be liable for a fine of up to $1,000,000.
If a corporation commits an offence under PHIPA, every officer, member, employee, or agent of that corporation found to have authorized the offence, or who had the authority to prevent the offence from being committed but knowingly refrained from doing so, can also be held personally liable.
Individuals can also seek compensation for damages and there are no time limits (i.e., one could have a privacy breach from decades ago investigated).
Privacy Officers and Privacy Impact Assessments
Most large health organizations have a dedicated privacy officer who works with all the different business units to ensure that they understand the various privacy legislation and how it applied to them. Privacy officers may lead on or support a privacy impact assessment to assess compliance with the legislation. The privacy impact assessment guide can be found on the Information and Privacy Commissioner of Ontario website and is a self-explanatory document to support those in carrying out this assessment (Information and Privacy Commissioner of Ontario, 2015b).
A privacy impact assessment is a risk management tool used to identify the actual or potential effects that a proposed or existing information system, technology, program, process, or other activity may have on an individual’s privacy. By completing a privacy impact assessment, you will be able to guide your institution through a process that will identify the privacy impact and the means to address them. Privacy risks or impacts fall into two broad categories:
- Risks to individuals, including identity theft and other forms of fraud, adverse impact on employment or business opportunities, damage to reputation, embarrassment, distress or financial impacts; and
- Risks to institutions, including the financial, legal, and reputational impact of privacy breaches.
Carrying out a privacy impact assessment does not need to be complex or time-consuming, but thoroughness is necessary to ensure that potential privacy risks are identified and mitigated.
Summary
When managing health data, privacy is an enormous consideration to ensure that the data you gather and manage is collected, used, and disclosed in an appropriate manner. There are many different pieces of legislation protecting personal, and in particular, health information, and these differ according to federal and provincial legislation. Privacy is a key consideration from a data literacy perspective and needs to be considered at all times. Undertaking a privacy impact assessment before you set up a program, data sources, project, or service is crucial and privacy impact assessments can also be used as part of a regular auditing process for any health organization to avoid privacy breaches and massive fines.
Test Your Knowledge
Complete the following activity to assess how much you learned about the content that was covered in this section.
The business function of planning for, controlling, and delivering data (Fircan, 2021b).
Identifiable health information collected on an individual by an organization on behalf of a health information custodian (either orally, documented on paper, or electronically).
Data about an “identifiable individual” (Government of Canada Office of the Privacy Commissioner, 2018). It is information that on its own, or combined with other pieces of data, can identify you as an individual such as demographic information (e.g., age, sex, financial information, race, ethnicity, social insurance number, etc.).
The gathering, acquiring, receiving, or obtaining of personal health information by any means from any source (Information and Privacy Commissioner of Ontario, 2015a).
Handling or dealing with personal health information (Information and Privacy Commissioner of Ontario, 2015a).
The fact that, as a general rule, consent is required to disclose an individual’s personal health information, unless PHIPA allows the disclosure without consent and it means to make the personal health information available or to release it to another custodian or person (Information and Privacy Commissioner of Ontario, 2015a).
A person or organization listed in PHIPA that, as a result of his, her or its power or duties or work set out in PHIPA, has custody or control of personal health information (Information and Privacy Commissioner of Ontario, 2015a, p. 7).
The right of an individual to control the collection, use, disclosure, and retention of their personal information.
The obligation of a health care provider (or other person) to protect the secrecy of personal information.
The interrelated conditions in which something exists or occurs (Merriam-Webster, 2022).
The sequence of events that data goes through from its initial creation or capture to its eventual archiving or destruction at the end of its usefulness.
The tools and techniques we use to protect the confidentiality, integrity, and availability of personal information.
When personal health information is collected, used, or disclosed without authorization (Information and Privacy Commissioner of Ontario, 2018).
A risk management tool used to identify the actual or potential effects that a proposed or existing information system, technology, program, process, or other activity may have on an individual’s privacy.
The ability to understand and communicate data as information (Jackson & Carruthers, 2019).
