Questions and Answers

PIPEDA Awareness Raising Tools (PARTs) Initiative For The Health Sector

Notice: This document has been prepared in consultation with health care provider associations within the context of their day-to-day activities in providing care and treatment to Canadians. The answers to the questions may not necessarily be appropriate for organizations not subject to PIPEDA.


Knowledge and Consent:

38. Under PIPEDA, the patient's knowledge of the collection, use and disclosure of their personal health information is required. How can this be achieved?

A person can be considered to understand, i.e. be knowledgeable, if they are made aware of their privacy rights including:

  • What information is being collected about them
  • Purposes for which the information is being collected
  • How that information will be used by the provider/health facility/agency
  • To whom the provider/health facility/agency will disclose the information
  • How the patient can seek access to and corrections to their health record; and
  • How the patient can exercise their right to complain about the organization's personal information practices.

There are several ways of informing patients of these rights, for example, posting of notices, brochures and pamphlets, and/or discussions in the normal course of exchanges that take place between a patient and a health care provider.

Patients should have the opportunity to discuss this information with a health care provider if they wish to do so.

39. Are there provisions in PIPEDA for compensating health professionals for complying with the legislation?

No, PIPEDA contains no provision for this or for any of the industry sectors it covers.

40. Can consent be implied for the use and disclosure of personal health information under PIPEDA?

Yes, once patients are made aware of their privacy rights (see answer #38), consent is implied if the patient continues to seek care and treatment. Thus the current practice of implied consent for the primary use of personal information in the direct care and treatment of an individual patient, as defined in a circle of care, will continue under PIPEDA. For example, a lab may infer consent because the individual would reasonably expect that the results be sent to the provider who ordered the lab work.

41. Is consent implied for the disclosure of personal health information to private insurance companies or third party payers for the purposes of reimbursement of health services rendered?

In certain circumstances, yes. In circumstances where the current practice is to obtain written consent by making the patient sign a reimbursement form, the practice should continue. Where no form is signed, implied consent is acceptable provided patients understand that this is happening and have not behaved in a way that may indicate a refusal of consent (see answer #38).

42. When does PIPEDA require express consent?

In commercial activities, the patient's oral or written consent is generally required for all uses and disclosures that are not directly related to the care and treatment of a patient.

However, consent is not always required for research purposes. For example, consent is not required if all of the following conditions are met:

  • The information is used or disclosed for statistical, scholarly study or research, or purposes that cannot be achieved without using or disclosing the information.
  • It is impractical to obtain consent.
  • The organization informs the Office of the Privacy Commissioner before the information is used.

43. What happens when the patient has concerns about the collection, use and/or disclosure of their information with respect to PIPEDA?

The patient's concerns should be addressed by answering their questions, or providing them with information about privacy policies and practices. Specific complaints must be received, investigated and addressed, or, if matters are unresolved, individuals must be informed of their right to complain to the Office of the Privacy Commissioner of Canada.

44. What happens if the patient refuses to give consent?

The patient must be advised of the known consequences of not consenting. Should the patient continue to refuse to consent, the providers should be guided by their respective professional standards of practice in handling this issue. In some instances, this could result in the denial of health services.

45. What happens if the patient withdraws consent?

The patient must be advised of the known consequences of withdrawing consent. In some instances, it could result in the interruption or the non-provision of health services.

It is advisable that the patient's records not be destroyed for as long as they are necessary to maintain patient safety and meet audit, regulatory or other purposes. The organization should record the withdrawal and is responsible for notifying parties to whom it had disclosed the information. The patient's withdrawal of consent should not result in the destruction of the record.

46. In cases of emergency care, must consent to the collection, use and disclosure of personal information be obtained?

No. PIPEDA clearly provides exemptions in certain health care emergencies. Examples of such cases are when a patient is unconscious, too sick or not lucid, or when collection is clearly in the interests of the individual and consent cannot be obtained in a timely way.

47. How do you obtain knowledge and consent if the individual does not understand either English or French, or is visually impaired and you do not have any written material (in other languages or Braille) to give them?

Reasonable efforts should be made to communicate with the individual in order to obtain consent. Efforts can include communicating in their language, by sign language, or other means (including an interpreter or family member accompanying the patient).

48. How will PIPEDA affect research that requires access to personal information? Will researchers require patient consent to access their records?

Under PIPEDA health information collected in the course of a commercial activity can be used and disclosed for research purposes without consent if all the following conditions are met:

  • The information is used or disclosed for statistical, scholarly study or research purposes that cannot be achieved without using the information.
  • The information is used in a manner that will ensure its confidentiality.
  • It is impractical to obtain consent.
  • The organization informs the Office of the Privacy Commissioner of Canada before the information is used or disclosed.

49. How does PIPEDA's consent requirement affect the reporting requirements of provincial/territorial legislations?

Reporting requirements, such as reporting the abuse of persons, infectious diseases and danger to others, will not change. The Act allows disclosure without consent when required by law.

50. Current practice allows that a prescription can be brought, filled, and handed over to a person acting on behalf of another person. Will PIPEDA change this practice? If so, how?

PIPEDA supports most current best practices. If an individual walks into a pharmacy with a signed prescription from a doctor for another person, they should be asked how they represent that other person. If the answer is reasonable, implied consent can be assumed, since they possess a document that likely was entrusted to them by the individual.

51. Does PIPEDA change current practices for substitute decision makers who can exercise the right of the individual with respect to access to information and other rights related to collection, use and disclosure of the individual's health information?

PIPEDA does not change current practices in place for substitute decision makers.


Disclosure:

52. Can case consultation still be done?

Yes, PIPEDA does not preclude case consultation among health care providers.

53. Can personal information be shared without patient consent between providers in an emergency situation?

Yes.

54. Pharmacists often print lists of filled prescriptions for patients for income tax purposes. This might include a list of prescriptions used by all members of the family. Is a separate, written consent required from each family member? What about children under the age of majority?

Yes, express consent, either in writing or verbally, is required from all individuals of majority age. In the case of a child, consent can be obtained from the minor's legal guardian. Note that this example can be extended to other situations and professions in which a provider is asked to produce a listing of services.

55. Under PIPEDA, can prescriptions still be phoned or faxed in by the prescriber for delivery to the patient?

Yes. Prescriptions can still be phoned or faxed in by the prescriber for delivery to the patient, on the condition that appropriate security safeguards are in place to protect the information.

56. If a health professional receives a request from another health professional, can patient information for circle of care purposes be disclosed to the requesting party without the patient's express consent?

Yes, under PIPEDA, express consent of the patient is not required if the information is disclosed for the care and treatment of the patient within the circle of care.

57. A third party health benefits insurer may require that a policyholder be made aware of a claim by another person covered under the policyholder's insurance. What is the health care provider to do under these circumstances?

The onus to obtain the consent of the patient rests with the insurer. If this consent has not been obtained, the provider cannot be made to disclose information to a third party by a commercial contract.

58. Can drug manufacturers continue to report adverse drug reactions using identifiable patient information to Health Canada without the patient's knowledge and consent?

Yes. Manufacturers are required, under the Food and Drugs Act and its regulations, to report all adverse drug reactions. Since the disclosure is "required by law", it is permissible under PIPEDA.

59. Under PIPEDA, can a health care provider in private practice continue to send billing information that contains identifiable health information without the express consent of a patient for the purposes of reimbursement to:

A. The provincial/territorial government;

Yes. Health care providers should inform their patients that they, the providers, are required to send certain information to provincial/territorial government for reimbursement.

B. A 3rd party payer?

Yes. Health care providers should inform their patients that they, the providers, will be required to send certain information to private health insurance plans in order to be paid for the services rendered. In many cases, patients are required to sign forms to obtain reimbursement for prescription drugs or dental visits, and these forms typically contain consent provisions. (See questions #41 and #34.)

60. Under PIPEDA, can a health care facility or service operating under the federal/provincial/territorial government, e.g. a Health Authority, still send, without the express consent of the patient, health record abstracts that contain identifiable information to:

A. The provincial/territorial government;

Yes, as PIPEDA does not apply to federal/provincial/territorial governments' activities.

B. The Canadian Institute for Health Information (CIHI)?

Yes, as PIPEDA does not apply to federal/provincial/territorial governments' activities. For more information on CIHI, please see http://secure.cihi.ca/cihiweb/splash.html.

Use and Retention:

61. How does PIPEDA impact on the retention of temporary recordings of information?

Under PIPEDA all identifiable personal information, regardless of format, must be protected in the same way. Temporary records that are no longer required can be destroyed, or modified to ensure that the information is no longer identifiable.

If the provider uses a third party organization to transcribe personal information, the provider is obligated to use contractual agreements to ensure that the information is adequately protected by the third party organization in accordance with PIPEDA.

62. Patient sessions are sometimes videotaped or audiotaped for educational and clinical purposes. Training tapes are typically destroyed and do not form part of the patient's record. What impact will PIPEDA have on this practice?

PIPEDA supports most current best practices. Patient consent must be obtained before taping. The consent form should indicate the retention period for the tape.

Educational tapes that identify individuals must be considered to be their personal information. However, some note must be made of the existence of the tape to enable the individual to have access to the tape. If an individual asks to have access to the tape they would have to be given access to the portion containing footage of themselves only.

63. How does PIPEDA impact on the ability of health care facilities to send fundraising letters to patients?

Fundraising, in this context, is not considered to be a commercial activity. Therefore there would be no impact from PIPEDA on this activity, unless the facility was selling, leasing or trading the fundraising lists for some consideration (see question #11).

64. Health professionals often have the financial value of their practice assessed through a review of patient health records. Under PIPEDA can this practice continue?

Yes. This would be considered a transfer for processing purposes, for which consent is not required. The health professional must ensure that the personal information is protected while in the possession of the third party conducting the valuation.

65. Under PIPEDA, can a provincial/territorial government use, without the express consent of the patient, identifiable health information that has been collected as a result of reimbursement for care and treatment, or from other sources such as health record abstracts, for administration/management activities such as planning, resource allocation, reporting, policy development or evaluation?

PIPEDA does not apply to federal/provincial/territorial governments' activities. The personal health information collected by the governments, regardless of the source or reason for the collection, should be used and disclosed according to privacy legislation applicable to the public sector.

66. Under PIPEDA, can a 3rd party payer utilize, for other general administrative purposes, the identifiable health information, which has been collected as a result of reimbursement for care and treatment, without the express consent of the patient?

No. The use of identifiable health information is limited to the original purpose of the collection for which consent was given. If the information is to be utilized for new purposes, the patient's express consent must be obtained for each new purpose.

67. A private health care provider/facility has collected identifiable information in the course of care and treatment. It has informed the patient that the information may be used for administrative/management activities such as planning resource allocation, reporting, or evaluation. Can the private provider use the information for these stated purposes?

The provider/facility/service should make reasonable efforts to anonymize the patient's identifiable information for purposes of administration/management activities (see question #38).

When the patient has been informed that their identifiable information will be used for specifically identified administration/management activities by the private provider/facility/service agency and the patient continues with the consultation for care and treatment, the patient's consent can be inferred for this use of his/her identifiable information.


Access:

68. What is required if the patient requests that his/her records be corrected?

PIPEDA should not alter current best practices. The health care provider will consider the request and decide whether to make the change or not.

Historical data should be maintained as long as necessary to maintain patient safety and meet audit, regulatory or other purposes. The patient's request and the health professional's decision should be noted in the file.

69. Do patients have a right to demand to have their record changed?

No, they have a right to seek correction, which will be considered by the health care provider who will decide whether to make the change or not. The lack of change by the provider may then be the subject of a complaint to the Office of the Privacy Commissioner.

70. Under PIPEDA, can a health professional deny an individual access to his/her own record?

Yes, access can be denied for several different reasons, including:

  • If doing so would likely reveal information about another individual, unless the other individual's information is severable or the other individual (the third party) has consented.
  • If doing so could reasonably be expected to threaten the life or security of another individual, unless the third party information is severable.
  • If the information is protected by solicitor-client privilege.
  • If doing so would reveal confidential commercial information.

71. Under PIPEDA, can a health professional deny an individual access to his/her own record if the health professional thinks it might harm the individual?

No, PIPEDA does not allow denial of access for this purpose. If access is denied on this basis, the requester can complain to the Office of the Privacy Commissioner, who will investigate.

72. Under PIPEDA, will patients have access to the interpretation tools used in psychological testing?

PIPEDA applies to personal information. If the interpretation tools are not or do not contain personal information about the patient, PIPEDA does not apply. However, if the interpretation tools are necessary for the personal information to be understandable then they must also be released.

For example, if the tool translates raw numbers into a meaningful result, the meaningful result has to be provided, not simply the raw data.


Safeguards:

73. What is required to comply with the security standards set out in PIPEDA?

Organizations should assess their current security practices.

As necessary, security provisions include:

  • Developing and implementing a security policy to protect personal health information. The effort and resources to accomplish this exercise will vary substantially according to the size and type of organization. For a sole practitioner's office, this could simply be a short documentation of how the information is safeguarded, such as:
    • physical measures (locked filing cabinets, restricting access to offices, alarm systems)
    • technological tools (passwords, encryption, firewalls, anonymizing software)
    • organizational controls (security clearances, limiting access on a "need-to-know" basis, staff training, confidentiality agreements)
  • Making employees aware of the importance of maintaining the security and confidentiality of personal information by holding regular staff training on safeguards.
  • Reviewing and updating security measures regularly.

74. Are home care records subject to PIPEDA?

Home care records are subject to PIPEDA if there is a commercial activity. However, where the records are in the patient's home and under the patient's control, these records are not the responsibility of the provider organization(s).

75. Vials and other medication containers with patient and drug name are thrown directly in the trash by some pharmacies. Will there now be an obligation under PIPEDA to erase or destroy in a secure manner this information prior to disposing of the vials/medication containers?

Yes. Vials and other medication containers that show a patient and drug name are considered personal information, which should be erased or destroyed in a secure manner.