Physiotherapists Privacy Requirements in Ontario


Briefing Note
2004 by Steinecke Maciura LeBlanc
Adapted by the College of Physiotherapists of Ontario

Contents

Overview
Purpose of this Briefing Note
Personal Information Protection and Electronic Documents Act (PIPEDA)
Personal Health Information Protection Act (PHIPA)
In Practice: Six Steps to Compliance
Introduction
Step One: Designating Your Organization's Information Officer
Step Two: Information and Activities Covered by the Privacy Plan
Step Three: Collecting Personal and Personal Health Information
Step Four: Safeguards, Retention and Destruction
Step Five: Access, Correction, Complaints and Openness
Step Six: Implementing Your Privacy Plan
Summary
Resources

Briefing Notes and Privacy Resources are available at:

This briefing note is not intended to provide legal advice. It offers practical suggestions to assist individuals and organizations with information handling practices and in the development of a Privacy Policy. The Personal Information Protection and Electronic Documents Act is unclear in a number of areas and is enforced by the federal Information and Privacy Commissioner. The Personal Health Information Protection Act came into effect on November 1, 2004, is detailed and complex, and is enforced by the provincial Information and Privacy Commissioner. Thus, the descriptions provided here are based on current information and may change as experience with the legislation and its enforcement develops. Some provisions in the Acts are simplified for the purpose of identifying issues for consideration. For legal advice related to your practice, please speak to your lawyer.

Adapted from the work of:
Richard Steinecke
Steinecke Maciura LeBlanc
Barristers & Solicitors

Original Work Copyright 2004 by Steinecke Maciura LeBlanc
Adapted by the College of Physiotherapists of Ontario 2007

Overview

Physiotherapists now practice their profession in a privacy-conscious world where people are becoming increasingly aware of the importance of protecting the privacy of personal information, including personal health information, from misuse and inadvertent or accidental disclosure. This trend has been fostered by factors such as:

- increasing awareness of individuals' rights respecting the protection of their own information
- the use of personal information as a commodity in marketing products and services (e.g., drug prescribing data, membership lists)
- the increasing use of technological means (e.g., the internet) to manage and transfer information
- high profile breaches of personal information that many assumed was secure

Factors such as these have led to legislation in a number of countries that governs the collection, use and disclosure of individuals' personal information. This legislation is typically principle-based and is usually intended to govern commercial transactions where personal information may be misused.

In Ontario, the privacy obligations of most physiotherapists that relate to personal health information are defined in the Personal Health Information Protection Act (PHIPA), which came into effect on November 1, 2004. Some physiotherapists, in particular those working in commercial enterprises, may also be subject to some aspects of the Federal legislation, the Personal Information Protection and Electronic Documents Act (PIPEDA), which came into force on January 1, 2004.

This briefing note is intended to provide Ontario's physiotherapists with information they need to meet the privacy obligations defined under these two relevant laws. In particular, the intent of this briefing note is to do the following:

- provide an overview of the relevant portions of the laws
- provide some guidance as to how to determine whether a registrant has obligations under PHIPA, PIPEDA, or both
- direct registrants to resources that may help them comply with the laws

While physiotherapists and other health professionals have been sensitive to both privacy concerns and issues relating to consent for many years, the privacy legislation that is now in effect and the privacy principles upon which it is based require formal information management practices to ensure compliance. It is true that the professional misconduct regulations of most regulated health professionals have specific provisions dealing with the confidentiality of patient information. However, the principles upon which both PHIPA and PIPEDA are based impose broader obligations on people who collect, use and disclose personal information than do either the professional misconduct rules intended to govern patient health information or the Health Care Consent Act.

Both PHIPA and PIPEDA are based in many respects on the Canadian Standards Association's Model Code for the Protection of Personal Information. In the interests of being sensitive to people's privacy concerns in a privacy conscious world, it may be worthwhile to incorporate and apply these privacy principles to all your professional activities, whether or not PHIPA or PIPEDA actually require it.

Purpose of this Briefing Note

Since there are some differences between the two statutes, the College has determined that it would be useful to registrants to offer this Briefing Note to help them identify and comply with any obligations they have under these statutes. The material in this Briefing Note was originally developed jointly with the colleges of a number of other regulated health professionals and then adapted for use by the College registrants.

After its proclamation, many practitioners or organizations that were subject to PIPEDA developed privacy policies and procedures to ensure their compliance. This led to the development of guidance and tools or templates, to assist registrants to comply with PIPEDA. When PHIPA came into effect, many of the practitioners or organizations who had used this information only had to make minor adjustments in order to also comply with PHIPA. To assist them in making these changes the College issued a guide that provided advice on how the templates developed for PIPEDA could also be used to ensure compliance with PHIPA.

Now that both laws have been in effect for some time, the College has determined that it would aid registrants' understanding of their privacy obligations if the relevant materials were compiled into one Briefing Note. As such, this Briefing Note, and the tools appended to it, was compiled to aid registrants in establishing the privacy policies and procedures required by PIPEDA and/or PHIPA.

A Note on the Application of PIPEDA and PHIPA

PHIPA is a provincial statute. PIPEDA is a federal statute. If you practice in circumstances where both PIPEDA and PHIPA apply to you and there are any conflicts between the two statutes (in the sense that it is impossible to comply with both of them at the same time), PIPEDA is the law that is paramount and must be complied with. Some questions to assist you to determine whether PIPEDA, PHIPA or both apply to your practice are contained later in this Briefing Note.

The Federal government has deemed PHIPA to be substantially similar to PIPEDA regarding the obligations it sets out for personal health information. This means that only PHIPA now applies to personal health information in Ontario. However, those who engage in commercial activities still have to comply with PIPEDA in respect of other types (i.e., non-health) of personal information. Organizations that do not engage in commercial activities and collect personal health information are only subject to PHIPA. Those organizations or individuals that are subject to both laws (i.e. they engage in commercial activities and collect personal health information) should comply with both laws, where this is possible.

Personal Information Protection and Electronic Documents Act (PIPEDA)

On January 1, 2004, the federal Personal Information Protection and Electronic Documents Act (PIPEDA) came into force. PIPEDA applies throughout Canada to organizations (including many individuals) when they collect, use or disclose personal information in the course of commercial activities. This includes commercial activities in the business, health and not-for-profit sectors. Some aspects of PIPEDA apply to the practices of many physiotherapists and other health professionals when they engage in commercial activities.

What kind of information does PIPEDA apply to?

PIPEDA applies to personal information. Personal information is any information about an identifiable individual that relates to their personal characteristics (e.g., gender, age, colour, ethnic background, education, family status), their health (e.g., health history, health conditions, health services received by them) or their activities and views (e.g., dealings with the physiotherapist, opinions expressed by an individual, religion, political involvement, a physiotherapist's view or evaluation of an individual). Personal information is different from business information (e.g., an individual's business address and telephone number), which is not protected by PIPEDA.

Who does PIPEDA apply to?

PIPEDA is intended to cover the entire private sector. With very few exceptions, it applies to anyone who carries on commercial activities. PIPEDA defines commercial activities as: "any particular transaction, act or conduct or any regular course of conduct that is of a commercial character, including the selling, bartering or leasing of donor, membership or other fundraising lists." Even with this definition, the meaning of commercial activities is still vague and it is not clear how far the definition goes. This means it is not always entirely clear whether an organization is covered by PIPEDA.

However, based on the views of various commentators, it appears that PIPEDA will apply to many physiotherapists. Even if the government pays for the goods or services (e.g., through OHIP or CCACs), PIPEDA may apply because the services provided are likely to be seen as commercial activities. Only physiotherapists who are directly employed by government bodies or non-profit agencies (e.g., a public hospital) that do not engage in any form of commercial activities will be exempt. It should be noted that even these government bodies or non-profit agencies do sometimes engage in commercial activities (e.g. gift shops, food outlets or the sale of crutches, splints, etc.). With these considerations in mind, physiotherapists need to consider not only the type of organizations in which they work, but also the kinds of activities that the organizations undertake, when assessing whether PIPEDA will govern their collection, use and disclosure of personal information.

Does PIPEDA apply to you or your organization?

To assist you in determining whether your collection, use and disclosure of personal information is governed by PIPEDA, you may wish to consider the following questions. If your answer to at least one of the questions is yes, then PIPEDA may apply to at least some of the activities that you or your organization carry out.

1. Do you work in a for-profit business or organization (e.g. in a private practice, or in an organization or business that charges a fee for products or services it provides)?

If you answer yes to this question, then it is likely the activities of your business or organization that involve personal information are subject to PIPEDA.

2. Do you work in a not-for-profit organization that engages in activities that are commercial in nature such as:

- charging a fee for products or services it provides (e.g. assessment fees, administrative fees)
- renting or sub-letting space
- holding seminars or conferences for which fees are charged unless the purpose of the organization is to educate others on a non-profit basis
- selling, bartering or leasing membership lists?

If you answered yes to this question, then it is likely the activities of your organization that involve personal information and are commercial in nature will be subject to PIPEDA.

Note: Given the uncertainties as to what constitutes commercial activities and thus the application of PIPEDA, you should obtain legal advice to confirm that PIPEDA does, or does not, apply to the activities of your organization that involve personal information.

What should I do if I believe PIPEDA applies to me or my organization?

If you believe that you or your organization are subject to PIPEDA, then you may wish to use the section of this Briefing Note called "In Practice: Six Steps to Compliance" and the Privacy Legislation Checklists in Appendix I to assist you in setting up the required information management practices.

This information package is not intended to provide legal advice on PIPEDA, which can only be obtained from your own lawyer. However, the information package may provide you and your organization with some practical suggestions for how some organizations can review their information handling practices. The information package contains tools, including a sample privacy policy and a sample consent form, that may assist you in developing your own privacy policy. By conducting such activities, organizations that are subject to PIPEDA may be better prepared to undertake the tasks that will assist them in being compliant with PIPEDA's requirements.

What should I do if I don't believe PIPEDA applies to me or my organization?

If you are confident that PIPEDA does not apply to any aspect of your organization's activities as they are not commercial in nature, then PIPEDA does not impose any statutory obligation upon you or your organization. However, even if you or your organization do not have any obligations under PIPEDA, if you or your organization collect, use or disclose personal health information, then it is likely that PHIPA will apply to you and your organization. Please see the section of this Briefing Note on PHIPA to obtain an overview of your obligations under PHIPA.

Personal Health Information Protection Act (PHIPA)

The Personal Health Information Protection Act (PHIPA) came into effect on November 1, 2004. It was passed to specifically deal with the collection, use and disclosure of health information in the health care sector. While PHIPA follows the same principles as PIPEDA, it does have some minor differences, and provides much more specific guidance about the way personal health information must be handled.

Overview

This section provides information on how PHIPA affects the privacy practices of health care practitioners and facilities. PHIPA provides more detailed rules than the federal Personal Information Protection and Electronic Documents Act (PIPEDA). PHIPA also provides some additional flexibility in privacy practices for the health sector.

In essence, PHIPA applies to any personal health information collected, used or disclosed by a health information custodian (HIC) (the law includes a broad definition for HICs that includes health practitioners who own practices or facilities that employ health practitioners) regardless of whether the HIC engages in commercial activities. Practitioners who work for a health facility or health agency will generally be able to fit under their information practices. Each HIC must appoint an information officer, called a contact person.

PHIPA provides more workable consent procedures for the collection, use and disclosure of personal health information. Generally, implied consent will be sufficient for the provision of health care although it is good practice to provide patients with information on how their information will be used, especially during an initial patient contact. Practitioners can usually assume that a signed consent form relating to personal health information is valid.
The rules for substituted consent for the handling of personal health information are very similar to those for substituted consent for treatment, within the model of the Health Care Consent Act.

PHIPA also provides for more options for using and disclosing personal health information without the patient's consent. These include using the information for health care planning and delivery, risk management and education. Disclosure of personal health information can generally be made without consent to others on the health care team, to provide basic status reports on those admitted to facilities, to support families and friends of a deceased patient, for audit and accreditation purposes, for the purpose of professional regulation, for serious safety issues and to successor HICs. However, patients should be made aware that these types of use and disclosure may be made.

PHIPA requires that reasonable safeguards be taken to protect personal health information. Patients have the right to be advised of privacy breaches. Information Technology (IT) suppliers to HICs must comply with certain standards. However, with patient consent, records can be reasonably stored at the patient's home or an off-site storage facility.

PHIPA also provides for a more health-specific system for patient access and correction of their records. For example, access requests can be refused in respect of quality assurance information, for raw data from psychological tests and where there is a risk of significant harm to either the patient or others. Correction requests can be declined for professional opinions and observations and, in many circumstances, where the record was provided by another HIC. In addition, HICs do not have to provide copies of corrected records (or statements of disagreements) to those the HIC has previously disclosed the personal health information to as often as they would under PIPEDA.

PHIPA is enforced by the Ontario Information and Privacy Commissioner. The Commissioner has broad powers of investigation and can order a HIC to comply with their PHIPA obligations. HICs are also subject to prosecution for breaches of PHIPA and to civil actions for damages, including a maximum of $10,000 for mental anguish.

Most practitioners who have developed privacy policies to comply with PIPEDA only have to make minor adjustments to comply with PHIPA if they fall within the definition of a HIC. Practitioners or facilities that were not subject to PIPEDA also have to determine whether they fall within the definition of a HIC and if so, establish the required privacy policies.

What kind of information does PHIPA apply to?

As noted above, PHIPA applies to any personal health information collected, used or disclosed by a health information custodian (HIC). The definition of personal health information is quite broad and generally includes all the following types of information when it identifies an individual and if the information:

a. relates to the physical or mental health of the individual, including information that consists of the health history of the individual's family
b. relates to the providing of health care to the individual, including the identification of a person as a provider of health care to the individual
c. is a plan of service within the meaning of the Long-Term Care Act, 1994 for the individual
d. relates to payments or eligibility for health care in respect of the individual
e. relates to the donation by the individual of any body part or bodily substance of the individual or is derived from the testing or examination of any such body part or bodily substance
f. is the individual's health number
g. identifies an individual's substitute decision-maker

Does PHIPA apply to you or your organization?

PHIPA applies to HICs and the law includes a broad definition for HICs that includes health practitioners who own practices or facilities that employ health practitioners, regardless of whether the HIC engages in commercial activities.

According to PHIPA, "health information custodian" means a person or organization described in one of the following paragraphs who has custody or control of personal health information as a result of or in connection with performing the person's or organization's powers or duties or the work described in the paragraph, if any:

1. A health care practitioner or a person who operates a group practice of health care practitioners
2. A service provider within the meaning of the Long-Term Care Act, 1994 who provides a community service to which that Act applies
3. A community care access corporation within the meaning of the Community Care Access Corporations Act,
4. A person who operates one of the following facilities, programs or services:
   - A hospital within the meaning of the Public Hospitals Act, a private hospital within the meaning of the Private Hospitals Act, a psychiatric facility within the meaning of the Mental Health Act, an institution within the meaning of the Mental Hospitals Act or an independent health facility within the meaning of the Independent Health Facilities Act
   - An approved charitable home for the aged within the meaning of the Charitable Institutions Act, a placement co-ordinator described in subsection 9.6 (2) of that Act, a home or joint home within the meaning of the Homes for the Aged and Rest Homes Act, a placement co-ordinator described in subsection 18 (2) of that Act, a nursing home within the meaning of the Nursing Homes Act, a placement co-ordinator described in subsection 20.1 (2) of that Act or a care home within the meaning of the Tenant Protection Act, 1997
   - A pharmacy within the meaning of Part VI of the Drug and Pharmacies Regulation Act
   - A laboratory or a specimen collection centre as defined in section 5 of the Laboratory and Specimen Collection Centre Licensing Act
   - An ambulance service within the meaning of the Ambulance Act
   - A home for special care within the meaning of the Homes for Special Care Act
   - A centre, program or service for community health or mental health whose primary purpose is the provision of health care
5. An evaluator within the meaning of the Health Care Consent Act, 1996 or an assessor within the meaning of the Substitute Decisions Act, 1992
6. A medical officer of health or a board of health within the meaning of the Health Protection and Promotion Act.
7. The Minister, together with the Ministry of the Minister if the context so requires
8. Any other person prescribed as a health information custodian if the person has custody or control of personal health information as a result of or in connection with performing prescribed powers, duties or work or any prescribed class of such persons

What should I do if I believe that PHIPA applies to me or my organization?

If you believe that you or your organization are subject to PHIPA, then you may wish to use the section of this Briefing Note called "In Practice: Six Steps to Compliance" and the Privacy Legislation Checklists in Appendix I to assist you in setting up the required information management practices.

This information package is not intended to provide legal advice on PHIPA, which can only be obtained from your own lawyer. However, the information package may provide you and your organization with some practical suggestions for how some organizations can review their information handling practices. The information package contains tools including a sample privacy policy and a sample consent form that may assist you in developing your own privacy policy. By conducting such activities, organizations that are subject to PHIPA may be better prepared to undertake the tasks that will assist them in being compliant with PHIPA's requirements.

Those health practitioners who are not captured by the definition of a HIC will want to ensure that the agency (or HIC) they work for or are associated with has the required privacy policies in place, as they may be subject to these policies.
In Practice: Six Steps to Compliance

Introduction

This section of the Briefing Note is a simplified, abbreviated and practical description of the requirements of the Personal Information Protection and Electronic Documents Act (PIPEDA) and the Personal Health Information Protection Act (PHIPA). It is intended to be used with the accompanying Checklist document that is attached as Appendix I. The unique combination of features contained in these tools is that they provide:

- a brief, plain language description of the major requirements of the legislation (which does not attempt to be exhaustive)
- organization of the information in an order that helps the reader prepare the required Privacy Policy for the organization
- step-by-step checklists (see accompanying Appendix I: Checklist) of the requirements and suggestions needed to prepare the required Privacy Policy for the organization
- concrete examples (with emphasis on those appropriate for the health practitioners)
- sample forms.

The emphasis in these tools is to help small health offices or other organizations to bring themselves into compliance with PIPEDA and/or PHIPA. Large organizations may require and have the resources for a formal data flow analysis, extensive assistance by external consultants and a large team of people to balance the competing priorities of different departments. However, there are few practical tools available for small health offices or other organizations.

Completing the checklists will assist an organization to comply with the requirements of PIPEDA/PHIPA. Boxes are to be ticked off when appropriate and blanks are to be filled in where they apply to your organization.

There are six steps to compliance outlined in this section of the briefing note as well as in Appendix I: Checklist. They are as follows:

1. Designating Your Organization's Information Officer
2. Information and Activities Covered by the Privacy Plan
3. Collecting Personal Information
4. Safeguards, Retention and Destruction
5. Access, Corrections, Complaints and Openness
6. Implementing Your Privacy Plan

For each of these six compliance steps there are two subsections. The first subsection in each step relates to PIPEDA and how to use the checklists (Appendix I) to become compliant with its requirements. The second subsection in each step relates to PHIPA and how to use the checklists to become compliant with its requirements. For those individuals or organizations that are subject to both laws, it will be important to review both subsections. Those individuals that are subject only to PHIPA may wish to concentrate on the second subsection in each step.
However, there may be instances where reviewing both subsections may be required to fully understand the obligation.

In addition to the guidance incorporated into this section and Checklists in Appendix I, there are also three other forms attached to this Briefing Note in Appendix II. They are as follows:

Form 1: Health Consent Form
Form 2: Privacy Policy Generic Form
Form 3: Privacy Policy Health Practitioner Sample Form

When you use this material we recommend that you read the description in this section of the Briefing Note Guide and then complete the corresponding section in the Checklist document. The documents are numbered in an identical fashion to assist you in this process. Throughout this section references are made to section numbers in brackets such as: (ss. 3(1)). These are references to the provisions of the PHIPA unless otherwise indicated.

Step One: Designating Your Organization's Information Officer

Part One: Under PIPEDA

(a) Identifying Your Organization

Often it is obvious who or what your organization is. An organization can be:

- a single individual (e.g., in a sole proprietorship)
- a partnership
- a corporation
- an association of individuals, partnerships and/or corporations

Where a number of persons or entities work together, they may choose either to treat themselves as a single organization for the purposes of developing one Privacy Policy, or to require each one to develop their own Privacy Policies (e.g., a multidisciplinary office). Similarly, where consultants (e.g., lawyers, accountants, information technology advisors) or outsourced agencies (e.g., database management, marketing, office cleaners, office security, and file storage) are used, there may again be a choice as to whether or not to treat them as a part of a single organization.
The advantages of treating various persons or groups as one organization include the following:

- the simplicity of having a single set of rules for everyone
- avoiding the need to enter into contracts with everyone outside of the organization who has access to personal information on your behalf
- simplifying the consent required from those who provide personal information

The disadvantages of treating various persons or groups as one organization include the following:

- having to monitor the information handling practices of consultants and agencies
- reluctance of consultants and agencies who have multiple patients to be bound by multiple privacy plans

Go to Step 1 (a) in the Checklists document to identify your organization.

(b) Selecting Your Information Officer

In order to comply with the Personal Information Protection and Electronic Documents Act (PIPEDA), each organization must designate an individual (or individuals) who is accountable for the organization's compliance with the privacy obligations. Specific tasks that this Information Officer (sometimes called a "Privacy Officer") is responsible for include the following:

- reviewing the organization's collection, use and disclosure of personal information
- implementing procedures to protect personal information
- being the contact person for patient or public inquiries about information handling
- establishing and, in a small organization, operating a complaints procedure
- training and continually updating staff on information Privacy Policy
- monitoring compliance
- publishing the organization's information handling policies to the public

Characteristics of a good Information Officer include the following:

- a senior position in the organization
- familiarity with how information is collected, stored, used and disclosed in the organization
- experience with human resources or personnel management
- experience with customer relations
- a comfort level with legal matters

The Information Officer need not be an employee of the organization. It can be the organization's lawyer or an outside privacy consultant. However, for many small offices, it makes sense for the Information Officer to be the owner, senior partner or president.

Go to Step 1 (b) in the Checklists document to designate your Information Officer.

Part One: Under PHIPA

(a) Identifying Your Organization

Under PHIPA, the organization is the health information custodian or HIC. For example, an individual in private practice, a CCAC or a large hospital are all HICs. Unlike PIPEDA, however, what constitutes a HIC is specifically described in the Act (s. 3) and is not left to the choice of the parties. PHIPA provides a list of HICs, including the following:

- health care practitioners, including all those registered under the Regulated Health Professions Act, naturopaths, registered social workers and social service workers, unregistered health care practitioners and unregistered persons operating a group health care practice
- community service providers under the Long-Term Care Act
- community care access centres (CCACs)
- most health facilities including public hospitals, long term care facilities, laboratories, ambulance services and community health centres

However, where a potential HIC (e.g. a physiotherapist) is an individual practitioner who acts as an agent for an organizational HIC (i.e., a hospital), the organizational HIC and not the individual practitioner becomes the HIC. For example, a physiotherapist or other practitioner who works for or acts as an agent for a hospital, CCAC or long term care facility is not a HIC. In other words, it is typically the umbrella organization or facility that is defined as a HIC and the health practitioners and others who are associated with it become its agents and subject to the rules that apply to the HIC. The purpose of this rule is to prevent HICs from competing for control over the organization's privacy policies. However, the individual practitioner must then comply with the HIC's privacy practices when acting on the HIC's behalf unless otherwise permitted by law (s. 17).

Except for public hospitals and CCACs, a HIC can only have one physical site unless special permission is obtained from the Minister of Health and Long-Term Care.

(b) Selecting Your Information Officer/Contact Person

The information officer (called the "contact person" under PHIPA) need not be a practitioner (s. 15). Like PIPEDA, the information officer under PHIPA is responsible for ensuring that the HIC has a privacy policy (called "information practices").
However, PHIPA goes further and places an explicit duty on the HIC to follow its own information practices (s. 10). The contact person shall do the following:

- facilitate compliance with PHIPA by the HIC
- educate the agents of the HIC
- respond to public inquiries about the HIC's information practices
- oversee access and correction requests
- handle privacy complaints
- make available to the public the HIC's written information practices (ss. 15 and 16)

It is important that the HIC's information practices be in place because there are special obligations on the part of the HIC if personal health information is being used or disclosed in a manner not described in the information practices (ss. 16(2)). For example, if a physiotherapist (acting as a HIC) was asked by the College to provide access to a patient's record for regulatory purposes and this possible disclosure was not included in the information practices, the HIC would normally have to notify the patient of the use or disclosure of the record.

Step Two: Information and Activities Covered by the Privacy Plan

Part One: Under PIPEDA

The Personal Information Protection and Electronic Documents Act (PIPEDA) applies to any commercial activities of the organization that involve personal information. It is important to first identify what commercial activities your organization engages in and what personal information it collects, uses and discloses in the course of those activities. Only then can you go to the next step of assessing whether your current information practices require change.

(a) Commercial Activities

The term "commercial activities" is vague and it is unclear precisely how far it goes. Little help has been provided to assist those who might be covered by PIPEDA and commentators have taken widely divergent views. Likely, if the organization is non-profit in nature, PIPEDA only applies to activities of the organization that are commercial in nature (e.g., selling or bartering patient or membership information, fundraising ventures). However, if the organization is for profit in nature (e.g., a private practice), then almost everything done by the organization is a commercial activity. This is probably true even if the activity is publicly financed (e.g., paid by OHIP, legal aid, or some other government-funded program).
(Note: There remains debate on the issue and you may wish to speak with your lawyer on the matter.)

There are certain commercial activities that are not covered by PIPEDA. These activities are not subject to the personal information handling rules of the Act. Again, there is doubt about the interpretation of some of these exceptions. For example, it is fairly clear that personal information about employees in the provincial sphere (which includes most employees) is probably not covered by the legislation. However, it is not clear whether personal information about the consultants or contract staff used by the organization to provide its commercial activities is covered. To be prudent, organizations should read these exceptions fairly narrowly until some clear rulings have been made. To assess whether you engage in commercial activities go to Step 2(a) in the Checklists document.

(b) Inventory of Personal Information Collected

PIPEDA applies only to personal information. Personal information means information about an identifiable individual. Thus, anonymized information, which cannot be matched to an individual, is no longer personal information. Also, information about a partnership or corporation or other business entity is not normally about an individual. It is unclear whether "individual" includes a person who is dead at the time the information is collected, an issue that can be quite significant for some organizations (e.g., health facilities).

The information has to be personal in nature. This would obviously include information about health, personal characteristics and family circumstances. However, some information about the professional activities or capacity of an individual is not personal in nature. For example, the prescribing patterns of a physician have been held not to be personal, but rather to be about their professional capacity (this decision is still under judicial review). Other examples of work product information are letters written by employees in the course of their employment, legal opinions or reports prepared by employees for use by management. In addition, specific exemptions are made for the name, title, business contact information such as telephone numbers, office mailing addresses and, presumably, business addresses. However, other information, even though it has business overtones, can still be personal in nature, such as the work hours or income of an individual.

Information does not have to be recorded to be personal. Thus, information requested about an individual but not recorded is still personal information. So are live stream cameras (closed circuit TV) even though no tape or other record is made (and thus privacy principles would apply, e.g., people should know they are under surveillance).

The following are examples of personal information.
Personal Characteristics:

- Name
- Home contact information
- Identification number (e.g., credit card, social insurance, health, website cookies)
- Insurance benefit coverage
- Identifying features including fingerprints and blood type
- Gender
- Age
- Colour
- Language
- Ethnic or country of origin
- Education or training
- Marital status, sexual history or sexual orientation
- Income
- Social status

Health:

- Health history
- Health measurements, samples or examination results
- Health conditions, assessment results, diagnoses
- Health services provided to or received by the person
- Health information collected in the course of providing services
- Prognosis or other opinions formed during assessment and treatment
- Compliance with assessment and treatment
- Reasons for discharge and discharge condition and recommendations
- Bodily donations activities or plans for donations

Activities and Views:

- Transaction history with the organization
- Occupation/profession
- Opinions expressed by the person
- Community involvements
- Religion
- Political involvements
- Work hours
- Criminal history
- Disciplinary actions against the individual
- Credit or loan data
- Existence of a dispute with the organization
- Intentions (e.g., to buy goods or services, to change jobs)
- Involvement with organization (e.g., they are a patient)
- Letters written to the organization by the person
- Views, evaluations or opinions of the organization about the person

Many organizations collect personal information primarily about their patients. However, many organizations also collect personal information about third parties. A separate part of the Privacy Policy will apply to each category of individuals for whom personal information is collected. Thus, it is important to identify these categories of individuals. Examples of these categories of individuals include the following:

- Patients
- Prospective patients or other members of the general public
- Contract staff (non-employees, volunteers, students)

If your organization collects personal information in the course of its commercial activities, continue on with the Guide. If your organization does not collect personal information in the course of its commercial activities or does not undertake commercial activities, you are not covered by PIPEDA. (See Step 2 (b) of the Checklists document).

Part Two: PHIPA

(a) Commercial Activities vs. Personal Health Information

PIPEDA applies principally to any personal information about an individual collected, used or disclosed in the course of a commercial activity. The approach taken in PHIPA is quite different. In essence, PHIPA applies to any collection, use or disclosure of personal health information by a HIC (s. 7). The scope of PHIPA is both narrower and broader than PIPEDA.
It is narrower in the sense that it generally applies only to personal health information and not other sorts of personal information (e.g., financial information, conduct history, opinions and views, culture, race, etc.). However, the scope of PHIPA is also broader in that, for the most part, it does not matter whether the HIC is collecting, using or disclosing personal information for commercial purposes. Thus it is important to know whether one is dealing with personal health information.

Personal health information is very broadly defined (s. 4) and includes the following components:

- it must relate to an identifiable individual, including information that can be combined with other data (e.g., a code or a key) to then identify the individual
- it can be in oral or recorded format (thus simply asking a question, even if the answer is not recorded, can constitute collecting personal health information)
- it relates to the individual's:
  i. physical or mental condition, including his/her family health history
  ii. health care (including maintenance, preventative or palliative measures)
  iii. provider of health care service
  iv. payment for the health service including health card number
  v. substituted decision maker
  vi. non-health care information (e.g., home contact information) mixed in with other personal health information.

PHIPA does not apply 120 years after collecting the information or 50 years after the death of the individual. PHIPA is usually paramount over any inconsistent provincial statute (ss. 7). However, PHIPA has a number of exceptions within it. For example, PHIPA does not apply to the regulatory activities of the College (cl. (9)(2)(e)).

(b) Inventory of Personal Information Collected

An inventory such as that described above in Step 2, Part One, (b), would still be valid except that it also contains personal non-health information (which would be covered by PIPEDA rather than PHIPA).

Step Three: Collecting Personal and Personal Health Information

Part One: Under PIPEDA (Personal Information)

(a) Principles of Identifying Purposes and Obtaining Consent

Now that you have an inventory of the types of personal information your organization handles and the categories of individuals for which you collect the information, you have to ensure that your information handling practices are consistent with privacy principles. Perhaps the most significant privacy principle is that your organization needs to be able to justify why it needs the information and have authority to collect it. Step 3 deals with this privacy duty.

For any type of personal information collected by your organization, you must identify the following:

- the purposes for which you collect the information
- whether you could limit its collection
- by what authority (e.g., consent of the individual, legal exception to the consent requirement) you collect it

In other words, you must identify the following:

The primary purpose for collecting this information. The primary use of personal information from patients is generally the provision of the good or service sought by them. The purpose must be documented by the organization (see Step 3 in the Checklists document). The purpose must be one which a reasonable person would consider to be appropriate in the circumstances. You have to balance the description of your purposes so that they are not so general as to be meaningless (e.g., "to enable our organization to operate") but not so specific as to be overly detailed or unworkable (e.g., "to enable my assistant to assign a file number when making photocopies of documents on your behalf"). The primary purpose for collecting personal information from non-patients (e.g., members of the public) is not always as obvious and will need to be stated.

Any related purposes for collecting the information. Related purposes support the primary purpose for which the information is gathered (e.g., billing the patient if not paid right away, accounting and tax records, follow-up services, etc.). Because some individuals will not immediately think of these purposes, they should be part of the consent process and your Privacy Policy.

Any other or secondary purposes for the information that are likely to arise. Most organizations have secondary uses for the information, such as quality control (a supervisor reviewing the information to ensure that the employee is performing their job well), marketing future special offers to the patient, and regulatory accountability (most professionals and organizations are regulated by a self-governing or government agency that has the right to inspect records and investigate complaints). These should be identified in any consent obtained or in the organization's Privacy Policy. Where possible (e.g., marketing future special offers) the patient should be given a choice to refuse the secondary use.

Whether there are steps you can reasonably take to limit the collection of personal information. Some information that you currently collect (e.g., social insurance number) may not be necessary to achieve your purposes. If so, you should stop collecting the information. In addition, there may be some information that you do not need to collect every time (e.g., home address and financial information where the patient pays at the time of purchase). If so, you should only collect the information if needed. In addition, personal information should only be collected through fair (e.g., without deception) and lawful means.

How you will obtain consent, or other legal authority, for collecting, using or disclosing the information. The intent of the legislation is that personal information will only be collected with the informed consent of the individual, with rare exceptions. To be informed, the individual has to know how the information will be used. Consent can be verbal, written or implied (e.g., where the individual comes to the organization for a particular good or service and the information is obviously necessary to provide the good or service and the individual voluntarily provides the information). The form of consent can vary although express consent, particularly in written form, may be preferred when considering the following:

- the sensitivity of the information (e.g., health information, financial information)
- the reasonable expectations of the individual
- the context (e.g., a written consent is difficult to obtain over the phone)

"Opt out" consent forms, requiring action by the individual in order to refuse consent, are frowned upon for sensitive information. Where a person is incapable of consenting (e.g., a child or an incapacitated person), an appropriate substitute can provide the consent (e.g., parent, guardian, spouse, child, power of attorney).

You cannot require a patient to consent to disclosure of unnecessary information in order to serve another purpose unless that other purpose is specified and legitimate. For example, you cannot require a patient to consent to your selling their name and address for marketing purposes if they want to obtain your services; that is "tied selling". However, you can require a patient to give you reasonable financial information if they are not paying for the good or service at the time because that is reasonably necessary for you to provide them with credit. Consent can always be withdrawn, in which case future use or disclosure of the information is not permitted if consent is required for it.
The exceptions to obtaining informed consent for collecting personal information include the following:

- where collection is clearly in the interests of the individual and consent cannot be obtained in a timely way (e.g., a medical emergency)
- to investigate a breach of a Canadian law or agreement (e.g., a contract) and knowledge or consent would reasonably compromise the investigation
- for solely journalistic, artistic or literary purposes
- publicly available information specified in regulation (e.g., telephone directories, professional directories, statutory registries, court or tribunal records and information provided by the individual to newspapers, magazines and books)

(b) Primary Purpose and Consent/Other Legal Authority Checklist

PIPEDA applies to the collecting of personal information about any individual, not just patients of the organization. All of these purposes need to be identified. For each category of individuals about whom the organization collects personal information, identify the primary purposes for collecting it on the Checklist document. This will require you to think about the real reason why you collect the information in the first place.

For example, for a health practitioner, the primary purpose for collecting personal information about a patient is to provide goods and services for the patient. A health practitioner might say: "Our primary purpose for collecting personal information about you is to provide you with health services." The description of that purpose might be: "We collect information about your health history, your physical condition and function, and your social situation in order to help us assess what your needs are, to advise you of your options and then to provide the health care you choose to have." A second primary purpose might be to obtain a baseline of health and social information so that in providing ongoing health services you can identify changes that are occurring.

For most organizations, it is easier to list the primary purposes by category of individuals for which it collects personal information. The purposes are often very different for each category. However, when it comes to related or secondary purposes, the purposes are generally the same for everyone. For that reason, the Checklists documents are divided into two categories. First, you must identify the primary purposes by category of person about whom you collect the information (e.g., patients, general public, contract staff, others). Second, you must identify the related and secondary purposes for all of the personal information you collect. Go to Step 3 (b) of the Checklists document to identify primary purposes and indicate how you will obtain consent.

(c) Related and Secondary Purposes Checklists

For each related or secondary purpose for which the organization collects personal information, complete a separate Checklist in the accompanying document. See section (a) above for a more detailed discussion of related and secondary purposes.
Since related and secondary purposes often apply to many or all categories of individuals about whom the organization collects personal information (e.g., quality control), they have not been separated into categories of individuals like the primary purpose section. However, where the related or secondary purpose applies only to some categories (e.g., only patients are invoiced), this is noted under the subheading: Limitations in Collection. Go to Step 3 (c) of the Checklists document to identify related and secondary purposes. Choose only those that apply.

(d) Principles of Use and Disclosure

Personal information can only be used or disclosed for the purpose for which it was obtained unless:

- a further consent is obtained
- there is legal authority to use or disclose the information without consent

The new use and the consent or other legal authority to use or disclose it should be documented. Legal authority to use personal information without consent exists in the following circumstances:

- where its collection is clearly in the interests of the individual and consent cannot be obtained in a timely way (e.g., a medical emergency)


SASKATCHEWAN OFFICE OF THE INFORMATION AND PRIVACY COMMISSIONER INVESTIGATION REPORT F-2012 003. Saskatchewan Workers Compensation Board Date: August 29, 2012 File No.: 2008/101 SASKATCHEWAN OFFICE OF THE INFORMATION AND PRIVACY COMMISSIONER INVESTIGATION REPORT F-2012 003 Saskatchewan Workers Compensation Board Summary: The Commissioner

More information

ORDER MO-2114 Appeal MA-060192-1 York Regional Police Services Board

ORDER MO-2114 Appeal MA-060192-1 York Regional Police Services Board ORDER MO-2114 Appeal MA-060192-1 York Regional Police Services Board Tribunal Services Department Services de tribunal administratif 2 Bloor Street East 2, rue Bloor Est Suite 1400 Bureau 1400 Toronto,

More information

Report of the Information & Privacy Commissioner/Ontario. Review of the Canadian Institute for Health Information:

Report of the Information & Privacy Commissioner/Ontario. Review of the Canadian Institute for Health Information: Information and Privacy Commissioner of Ontario Report of the Information & Privacy Commissioner/Ontario Review of the Canadian Institute for Health Information: A Prescribed Entity under the Personal

More information

PHIPA Potpourri. Judith Goldstein, Legal Counsel Information and Privacy Commissioner/Ontario. IPC Mediators April 21, 2015

PHIPA Potpourri. Judith Goldstein, Legal Counsel Information and Privacy Commissioner/Ontario. IPC Mediators April 21, 2015 PHIPA Potpourri Judith Goldstein, Legal Counsel Information and Privacy Commissioner/Ontario IPC Mediators April 21, 2015 Powers of the Commissioner The Powers the Commissioner has to conduct a review

More information

PROTECTION OF PERSONAL INFORMATION

PROTECTION OF PERSONAL INFORMATION PROTECTION OF PERSONAL INFORMATION Definitions Privacy Officer - The person within the Goderich Community Credit Union Limited (GCCU) who is responsible for ensuring compliance with privacy obligations,

More information

California Mutual Insurance Company Code of Business Conduct and Ethics

California Mutual Insurance Company Code of Business Conduct and Ethics California Mutual Insurance Company Code of Business Conduct and Ethics This Code of Business Conduct and Ethics (the Code ) applies to all officers, employees, and directors of California Mutual Insurance

More information

Code of Professional Conduct and Ethics for Social Workers. Bord Clárchúcháin na noibrithe Sóisialta Social Workers Registration Board

Code of Professional Conduct and Ethics for Social Workers. Bord Clárchúcháin na noibrithe Sóisialta Social Workers Registration Board Code of Professional Conduct and Ethics for Social Workers Bord Clárchúcháin na noibrithe Sóisialta Social Workers Registration Board 1 Code of Professional Conduct and Ethics for Social Workers Contents

More information

STANDARDS OF PRACTICE (2013)

STANDARDS OF PRACTICE (2013) STANDARDS OF PRACTICE (2013) COLLEGE OF ALBERTA PSYCHOLOGISTS STANDARDS OF PRACTICE (2013) 1. INTRODUCTION The Health Professions Act (HPA) authorizes and requires the College of Alberta Psychologists

More information

Who can benefit from charities?

Who can benefit from charities? 1 of 8 A summary of how to avoid discrimination under the Equality Act 2010 when defining who can benefit from a charity A. About the Equality Act and the charities exemption A1. Introduction All charities

More information

Record Keeping. Guide to the Standard for Professional Practice. 2013 College of Physiotherapists of Ontario

Record Keeping. Guide to the Standard for Professional Practice. 2013 College of Physiotherapists of Ontario Record Keeping Guide to the Standard for Professional Practice 2013 College of Physiotherapists of Ontario March 7, 2013 Record Keeping Records tell a patient s story. The record should document for the

More information

ENDURING POWER OF ATTORNEY - My role as Attorney -

ENDURING POWER OF ATTORNEY - My role as Attorney - What is an Attorney ENDURING POWER OF ATTORNEY - My role as Attorney - When a person makes an Enduring Power of Attorney, he or she appoints another person to manage finances and other assets. The person

More information

South Dakota Parental Rights and Procedural Safeguards

South Dakota Parental Rights and Procedural Safeguards South Dakota Parental Rights and Procedural Safeguards Special Education Programs Revised July 2011 Prior Written Notice... 1 Definition of Parental Consent... 3 Definition of a Parent... 3 Parental Consent...

More information

What is involved if you are asked to provide a Police Background Check?

What is involved if you are asked to provide a Police Background Check? What is involved if you are asked to provide a Police Background Check? Read on What right do employers, volunteer recruiters, regulators, landlords and educational institutions ( organizations ) have

More information

SUBJECT ACCESS REQUEST PROCEDURE

SUBJECT ACCESS REQUEST PROCEDURE SUBJECT ACCESS REQUEST PROCEDURE Document History Document Reference: Document Purpose: IG31 This procedure sets out the responsibility for staff when receiving requests for information provided under

More information

PACIFIC EXPLORATION & PRODUCTION CORPORATION (the Corporation )

PACIFIC EXPLORATION & PRODUCTION CORPORATION (the Corporation ) PRIVACY POLICY (Initially adopted by the Board of Directors on November 16, 2007) PACIFIC EXPLORATION & PRODUCTION CORPORATION (the Corporation ) The Corporation is committed to controlling the collection,

More information

Privacy Policy on the Responsibilities of Third Party Service Providers

Privacy Policy on the Responsibilities of Third Party Service Providers Privacy Policy on the Responsibilities of Third Party Service Providers Privacy Office Document ID: 2489 Version: 3.1 Owner: Chief Privacy Officer Sensitivity Level: Low Copyright Notice Copyright 2014,

More information

GUIDELINE No. 117 THE PHYSICIAN MEDICAL RECORD*

GUIDELINE No. 117 THE PHYSICIAN MEDICAL RECORD* Purpose of Medical Records: GUIDELINE No. 117 THE PHYSICIAN MEDICAL RECORD* The physician s medical record is a reflection of the interaction between a physician and a patient. For each interaction the

More information

Personal Health Information Privacy Policy

Personal Health Information Privacy Policy Personal Health Information Privacy Policy Privacy Office Document ID: 2478 Version: 6.2 Owner: Chief Privacy Officer Sensitivity Level: Low Copyright Notice Copyright 2014, ehealth Ontario All rights

More information

NOTICE OF PRIVACY PRACTICES. The University of North Carolina at Chapel Hill. UNC-CH School of Nursing Faculty Practice Carolina Nursing Associates

NOTICE OF PRIVACY PRACTICES. The University of North Carolina at Chapel Hill. UNC-CH School of Nursing Faculty Practice Carolina Nursing Associates NOTICE OF PRIVACY PRACTICES The University of North Carolina at Chapel Hill UNC-CH School of Nursing Faculty Practice Carolina Nursing Associates THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU

More information

The Importance of collecting Personal Information

The Importance of collecting Personal Information Ottawa Valley Veterinary Professional Corporation Personal Information Policy Introduction The Personal Information Protection and Electronics Documents Act ( PIPEDA ) is a federal legislation which came

More information

Guide to Identifying Personal Information Banks

Guide to Identifying Personal Information Banks Guide to Identifying Personal Information Banks Revised April 2004 ISBN 0-7785-2089-7 Produced by: Access and Privacy Service Alberta 3rd Floor, 10155-102 Street Edmonton, Alberta, Canada T5J 4L4 Office

More information

DATA PROTECTION AUDIT GUIDANCE

DATA PROTECTION AUDIT GUIDANCE DATA PROTECTION AUDIT GUIDANCE CONTENTS Section I: Section II: Audit of Processing of Personal Data Audit Procedure Appendices: A B C D E Audit Form List of Purposes List of data subjects List of data

More information

How To Ensure Health Information Is Protected

How To Ensure Health Information Is Protected pic pic CIHI Submission: 2011 Prescribed Entity Review October 2011 Who We Are Established in 1994, CIHI is an independent, not-for-profit corporation that provides essential information on Canada s health

More information

PLAIN-LANGUAGE GUIDE: An overview of the new Retirement Homes Act, 2010

PLAIN-LANGUAGE GUIDE: An overview of the new Retirement Homes Act, 2010 PLAIN-LANGUAGE GUIDE: An overview of the new Retirement Homes Act, 2010 Disclaimer This guide is solely for educational purposes. It is not legal or professional advice. Readers must not rely on it to

More information

PRIVACY POLICY. comply with the Australian Privacy Principles ("APPs"); ensure that we manage your personal information openly and transparently;

PRIVACY POLICY. comply with the Australian Privacy Principles (APPs); ensure that we manage your personal information openly and transparently; PRIVACY POLICY Our Privacy Commitment Glo Light Pty Ltd A.C.N. 099 730 177 trading as "Lighting Partners Australia of 16 Palmer Parade, Cremorne, Victoria 3121, ( LPA ) is committed to managing your personal

More information

Record keeping 3. Fees and services 4. Using, recommending, providing, or selling client-care products 4. Medication 5

Record keeping 3. Fees and services 4. Using, recommending, providing, or selling client-care products 4. Medication 5 Independent Practice Updated 2014 Table of Contents Introduction 3 Record keeping 3 Fees and services 4 Using, recommending, providing, or selling client-care products 4 Medication 5 Professional liability

More information

Comparison of Newly Adopted Rhode Island Rules of Professional Conduct with ABA Model Rules RHODE ISLAND

Comparison of Newly Adopted Rhode Island Rules of Professional Conduct with ABA Model Rules RHODE ISLAND Comparison of Newly Adopted Rhode Island Rules of Professional Conduct with ABA Model Rules RHODE ISLAND Preamble Scope Rule 1.0 Rule 1.1 Rule 1.2 Rule 1.3 Rule 1.4 Rule 1.5 Rule 1.6 Rule 1.7 Rule 1.8

More information

Code of Conduct for registered migration agents

Code of Conduct for registered migration agents Code of Conduct for registered migration agents Current from 1 JULY 2012 SCHEDULE 2: CODE OF CONDUCT (regulation 8) Migration Act 1958, subsection 314(1) THIS CODE OF CONDUCT SHOULD BE DISPLAYED PROMINENTLY

More information

How to Avoid Abandoned Records: Guidelines on the Treatment of Personal Health Information, in the Event of a Change in Practice

How to Avoid Abandoned Records: Guidelines on the Treatment of Personal Health Information, in the Event of a Change in Practice Information and Privacy Commissioner / Ontario How to Avoid Abandoned Records: Guidelines on the Treatment of Personal Health Information, in the Event of a Change in Practice Ann Cavoukian, Ph.D. Commissioner

More information

PIPA and the Hiring Process

PIPA and the Hiring Process PIPA and the Hiring Process April 10, 2006 INTRODUCTION Any private sector employer who collects, uses or discloses personal information about employees or job applicants has to comply with British Columbia

More information

MEDICAL ASSISTANCE IN DYING INTERIM GUIDELINES FOR THE NORTHWEST TERRITORIES. Effective June 17 th, 2016

MEDICAL ASSISTANCE IN DYING INTERIM GUIDELINES FOR THE NORTHWEST TERRITORIES. Effective June 17 th, 2016 MEDICAL ASSISTANCE IN DYING INTERIM GUIDELINES FOR THE NORTHWEST TERRITORIES Effective June 17 th, 2016 June 2016 www.hss.gov.nt.ca Contents Purpose.... 3 Guiding Principles... 3 Medical Assistance in

More information

Floyd Healthcare Management, Inc. Notice of Privacy Practices

Floyd Healthcare Management, Inc. Notice of Privacy Practices Floyd Healthcare Management, Inc. Notice of Privacy Practices THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW

More information

Subject Access Request Policy Number ID ID # 2011 075 Author: Nicola Bateman Author Job Title: Information Governance Manager Division: Corporate Department: Clinical Informatics Version Number: 2.1 Ratifying

More information

Guidelines for Self-Employed Dietitians and Nutritionists

Guidelines for Self-Employed Dietitians and Nutritionists Introduction More and more, dietitians 1 are choosing to work in a self-employed capacity. Today, dietitians can be found working in private practice settings, as part of medical or multidisciplinary clinics,

More information

Policy & Procedure. This policy applies to all records in the custody and control of SMGH.

Policy & Procedure. This policy applies to all records in the custody and control of SMGH. Policy & Procedure Subject: Management of Records 1) Purpose: The purpose of this policy is to establish a corporate record management plan, including the development of a directory of records and a personal

More information

Responsibilities of Custodians and Health Information Act Administration Checklist

Responsibilities of Custodians and Health Information Act Administration Checklist Responsibilities of Custodians and Administration Checklist APPENDIX 3 Responsibilities of Custodians in Administering the Each custodian under the Act must establish internal processes and procedures

More information

FIDELITY APPLICANT PRIVACY AND PROTECTION NOTICE

FIDELITY APPLICANT PRIVACY AND PROTECTION NOTICE FIDELITY APPLICANT PRIVACY AND PROTECTION NOTICE Last Updated: November 2012 FMR LLC and its affiliated entities ( Fidelity ) value your trust and are committed to the responsible management, use and protection

More information

A GUIDE TO THE SUBSTITUTE DECISIONS ACT

A GUIDE TO THE SUBSTITUTE DECISIONS ACT A GUIDE TO THE SUBSTITUTE DECISIONS ACT 0-7794-2147-7 Queen s Printer for Ontario, 2000 Introduction to the Guide 03 The Subsitute Decisions Act 06 Some Important Definitions 08 Decisions About Property

More information

BAILIWICK OF GUERNSEY DATA PROTECTION

BAILIWICK OF GUERNSEY DATA PROTECTION BAILIWICK OF GUERNSEY DATA PROTECTION CODE OF PRACTICE: CRIMINAL RECORDS CHECK PREFACE Section 56 of the Data Protection (Bailiwick of Guernsey) Law, 2001 ( the DP Law ), as amended by Ordinance in 2010

More information

Access and Privacy Manual

Access and Privacy Manual Access and Privacy Manual 2 nd Edition: March, 2006 Table of Contents 1. Introduction 1.1 Overview 1.2 Purposes of the Act 1.3 Definitions and abbreviations 2. Right of Access and Exemptions 2.1 General

More information

MAKING SUBSTITUTE HEALTH CARE DECISIONS

MAKING SUBSTITUTE HEALTH CARE DECISIONS OFFICE OF THE PUBLIC GUARDIAN AND TRUSTEE MAKING SUBSTITUTE HEALTH CARE DECISIONS The Role of the Public Guardian and Trustee The Office of the Public Guardian and Trustee Making Substitute Health Care

More information

Privacy Policy. Approved by: College Board, 01/12/2005 Principal from 14/02/2014

Privacy Policy. Approved by: College Board, 01/12/2005 Principal from 14/02/2014 Privacy Policy Approved by: College Board, 01/12/2005 Principal from 14/02/2014 Revised Date: 11/01/2008 26/08/2011 19/03/2013 14/02/2014 Review Date: 14/02/2016 PLEASE NOTE: Version control for this document

More information

River Valley Therapy & Sports Medicine, Inc. Notice of Privacy Practices

River Valley Therapy & Sports Medicine, Inc. Notice of Privacy Practices River Valley Therapy & Sports Medicine, Inc. Notice of Privacy Practices This notice describes how medical information about you may be used and disclosed and how you can get access to this information.

More information

Administrative Rules for Social Workers Windows Draft for Public Review and Comments September 21, 2015. Table of Contents

Administrative Rules for Social Workers Windows Draft for Public Review and Comments September 21, 2015. Table of Contents Administrative Rules for Social Workers Windows Draft for Public Review and Comments September 21, 2015 Page 1 Table of Contents Part 1 General Information 1.1 Administrative Rules 1.2 General Definitions

More information

Allergic Disease Associates, PC / The Asthma Center and Allergy & Asthma Research of New Jersey

Allergic Disease Associates, PC / The Asthma Center and Allergy & Asthma Research of New Jersey Allergic Disease Associates, PC / The Asthma Center and Allergy & Asthma Research of New Jersey NOTICE OF PRIVACY PRACTICES Effective date: September 23, 2013 THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION

More information

How To Get A Job In A Police Station

How To Get A Job In A Police Station Queensland Working with Children (Risk Management and Screening) Act 2000 Current as at 2 January 2015 Information about this reprint This reprint shows the legislation current as at the date on the cover

More information

NOTICE OF PRIVACY PRACTICES

NOTICE OF PRIVACY PRACTICES NOTICE OF PRIVACY PRACTICES THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY. BACKGROUND The

More information

Harris County - Texas HIPAA Notice of Privacy Practices

Harris County - Texas HIPAA Notice of Privacy Practices Harris County - Texas HIPAA Notice of Privacy Practices Effective Date: September 23, 2013. THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS

More information

A A E S C. Albuquerque Ambulatory Eye Surgery Center NOTICE OF PRIVACY PRACTICES

A A E S C. Albuquerque Ambulatory Eye Surgery Center NOTICE OF PRIVACY PRACTICES A A E S C Albuquerque Ambulatory Eye Surgery Center NOTICE OF PRIVACY PRACTICES THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION.

More information

SUPPORT AND ASSISTANCE FOR ABUSED AND NEGLECTED ADULTS - ONTARIO

SUPPORT AND ASSISTANCE FOR ABUSED AND NEGLECTED ADULTS - ONTARIO SUPPORT AND ASSISTANCE FOR ABUSED AND NEGLECTED ADULTS - ONTARIO Advocacy Centre for the Elderly February, 2001 In Ontario, support and assistance for abused and neglected adults is reflected in a variety

More information

Privacy and Management of Health Information: Standards for CARNA s Regulated Members

Privacy and Management of Health Information: Standards for CARNA s Regulated Members Privacy and Management of Health Information: Standards for CARNA s Regulated Members September 2011 Permission to reproduce this document is granted; please recognize CARNA. College and Association of

More information

Toronto School of Theology Guidelines for the Preparation and Ethics Review of Doctor of Ministry Thesis Projects Involving Human Subjects

Toronto School of Theology Guidelines for the Preparation and Ethics Review of Doctor of Ministry Thesis Projects Involving Human Subjects Toronto School of Theology Guidelines for the Preparation and Ethics Review of Doctor of Ministry Thesis Projects Involving Human Subjects The Doctor of Ministry Program at the Toronto School of Theology

More information

Ryanair Holdings PLC Code of Business Conduct & Ethics 2012

Ryanair Holdings PLC Code of Business Conduct & Ethics 2012 Ryanair Holdings PLC Code of Business Conduct & Ethics 2012 1 TABLE OF CONTENTS 1. INTRODUCTION 3 2. WORK ENVIRONMENT 3 2.1 Discrimination & Harassment 3 2.2 Privacy of Personal Information 3 2.3 Internet

More information

MULTICARE ASSOCIATES OF THE TWIN CITIES, P.A. NOTICE OF PRIVACY PRACTICES

MULTICARE ASSOCIATES OF THE TWIN CITIES, P.A. NOTICE OF PRIVACY PRACTICES MULTICARE ASSOCIATES OF THE TWIN CITIES, P.A. NOTICE OF PRIVACY PRACTICES THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION.

More information

PRIVACY POLICY. Privacy Statement

PRIVACY POLICY. Privacy Statement PRIVACY POLICY Privacy Statement Blue Care is one of Australia's leading providers of retirement living, community health, help at home services and aged care homes, caring for more than 12,500 people

More information

ShineWing Australia Wealth Privacy Policy

ShineWing Australia Wealth Privacy Policy ShineWing Australia Wealth Privacy Policy When you trust us with your personal information, you expect us to protect it and keep it safe. We take this responsibility seriously and we are bound by the Privacy

More information

GENERAL ELECTRIC COMPANY EMPLOYMENT DATA PROTECTION STANDARDS

GENERAL ELECTRIC COMPANY EMPLOYMENT DATA PROTECTION STANDARDS GENERAL ELECTRIC COMPANY EMPLOYMENT DATA PROTECTION STANDARDS December 2005 2 GENERAL ELECTRIC COMPANY EMPLOYMENT DATA PROTECTION STANDARDS I. OBJECTIVE... 1 II. SCOPE... 1 III. APPLICATION OF LOCAL LAWS...

More information

HEALTH INFORMATION ACT. Guidelines and Practices Manual

HEALTH INFORMATION ACT. Guidelines and Practices Manual HEALTH INFORMATION ACT Guidelines and Practices Manual March 2011 This publication is a practical reference tool for the application of Alberta s Health Information Act (HIA). It is designed to assist

More information

AN OVERVIEW OF CANADA S ANTI-SPAM LEGISLATION

AN OVERVIEW OF CANADA S ANTI-SPAM LEGISLATION AN OVERVIEW OF CANADA S ANTI-SPAM LEGISLATION These materials are provided for general information only and do not constitute legal advice. Readers are encouraged to seek legal advice for any particular

More information

Notice of Privacy Practices

Notice of Privacy Practices Notice of Privacy Practices This notice describes how medical information about you may be used and disclosed and how you can get access to this information. Please review it carefully. This Notice of

More information

NOTICE OF PRIVACY PRACTICES DILEY RIDGE MEDICAL CENTER

NOTICE OF PRIVACY PRACTICES DILEY RIDGE MEDICAL CENTER NOTICE OF PRIVACY PRACTICES DILEY RIDGE MEDICAL CENTER Effective Date: 3/1/2010 Version: 30110.1 THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS

More information