
PRIVACY LEGISLATION - A CRITICAL REVIEW FOR FAMILY PHYSICIANS
Are You Ready for 2004 and the New Privacy Legislation (PIPEDA)?

In anticipation, the CFPC has prepared a reference document, Privacy Legislation – A Critical Review for Family Physicians, and a Checklist (below) that highlights information found in much more detail in the document available at the web site.

A Checklist for your practice should bring your attention to the following items:

  1. Processes are in place to ensure the privacy and confidentiality of Personal Health Information (PHI).
  2. Staff has been trained in PHI management and has signed confidentiality agreements.
  3. Staff understands what types of information may be provided and to whom.
  4. An individual may be designated to oversee the use of PHI in the office.
  5. All medical records are safe and secure.
  6. Patients consent to the collection of their PHI.
  7. Patients are kept informed through posters, brochures, etc. about the reasons for collecting their PHI.
  8. A process is in place to allow patients to access their own PHI.
  9. Mechanisms are in place for updating and correcting PHI in charts.
  10. Guidelines are being followed for the retention and destruction of PHI in records.
  11. A process is in place for dealing with complaints related to the collection and use of PHI.

 

The College of Family Physicians of Canada
PRIVACY LEGISLATION
A CRITICAL REVIEW FOR FAMILY PHYSICIANS

December 2003

This document represents the best advice currently available to the CFPC and should be considered in association with federal, provincial and territorial legislation, regulatory/licensing requirements and/or other medico-legal obligations.

A.  CURRENT LEGISLATION

Two pillars of privacy legislation are consent and confidentiality. Individuals have a right to be suitably informed when consenting to service and to expect that the confidentiality of their personal information will be maintained. Whether considering current or proposed privacy legislation, these two pillars remain applicable in healthcare.

Much has already been legislated and regulated about patient consent when providing healthcare services, either express (explicit written or oral) or implied. Likewise, requirements related to maintaining the confidentiality of patient information are not new. Physicians who practice in accordance with existing provincial/territorial legislation and regulatory college policies are already demonstrating good practices in safeguarding personal health information.

Legislative and regulatory guidelines in most provinces define exemptions to consent to collect, use or disclose personal health information. These include circumstances in which the information may be used to:

•  Provide immediate care during a medical emergency

•  Conduct legal proceedings

•  Prevent serious harm or injury to another person

•  Contact the relatives or next of kin of someone seriously ill

•  Obtain payment for healthcare services

B.  PROPOSED LEGISLATION

New federal privacy legislation, the Personal Information Protection and Electronic Documents Act (PIPEDA), is due to become law on January 1, 2004. This act was developed to respond to public concerns about the privacy of personal information, especially since the advent of electronic communications. A challenge in applying this law is that the law was created to deal with privacy associated with “commercial activities”. Some have argued that the act's definition of commercial activities could apply to most physicians providing patient care and due to the absence of a separate federal act dealing with the management of personal health information, PIPEDA has the potential to become the new standard in law for privacy associated with the collection and use of this information. Requests for an extension of time to enact this law in order to develop a more appropriate federal law related to personal health information, have so far failed to produce any desirable response.

In most circumstances health professionals already maintain acceptable standards required by privacy legislation. Provincial regulatory colleges play an important role in defining these standards.

Since privacy legislation is not uniform throughout Canada, it is highly recommended that physicians review the federal, provincial and/or territorial legislation and regulatory policies applicable to their medical practice location. Privacy legislation varies throughout Canada and agreement between all federal, provincial and territorial governments has not been achieved. As a result, this legislation is undergoing a period of intense review. On January 1, 2004, PIPEDA will only apply where provinces or territories have not implemented a substantially similar form of legislation. Alberta, Saskatchewan, Manitoba and Quebec have already passed legislation that could override PIPEDA – if they are successful in obtaining an Order-in-Council from the Federal Cabinet. To our knowledge, no province has yet been granted this status.

PIPEDA legislates that personal information is private and will not be collected, used or disclosed without consent. Consent is one of the most hotly debated healthcare topics related to PIPEDA. Consent for personal health information is based on the patient's knowledge of why the information is being collected and how it will be used and disclosed. The requirement for consent in the use of personal health information is not new and the federal government is expected to produce statements that essentially say implied consent for care and treatment is acceptable and that express consent is required for all other activities. Implied consent is therefore acceptable for disclosures from a family doctor to another family doctor, a medical specialist, a laboratory technician or a pharmacist in discussing a prescription. More explicit consent would be required for uses or disclosures that a patient would not reasonably expect, e.g. disclosures for research purposes.

Current and proposed privacy legislation and existing regulatory association policies based on previous Supreme Court decisions address the rights of individuals to access their own information contained in a personal record. Consequently, a physician cannot deny a patient's access to his or her own personal health information unless it could present a serious risk of harm to the patient or reveal personal information about a third party. Under PIPEDA, reasons to deny access must be in writing and an individual so denied may appeal to the Federal Privacy Commissioner. Individuals can also challenge the accuracy of the information in their record and request corrections.

Policies that address the security, retention and destruction of personal information must be considered under the new legislation. Consequently, patient information must be secure, whether in handwritten or electronic format.

C.  IMPLICATIONS FOR FAMILY PHYSICIANS

It is uncertain which aspects of the new privacy act will eventually apply to patient care, medical practice and family practice research. The final answer to this question will probably not be available until long after January 1, 2004. Nevertheless, the enactment of this law may affect the expectations of patients and other interest groups about the way their personal health information is managed. And it may be that the full intent of the law may only be decided in court.

For the purpose of providing a summary of how PIPEDA might apply to family practice, the following ten principles identified in the legislation and used widely as a framework for understanding the new law should be considered. These principles relate well to best practices already expected in the management of personal health information and more particularly, may guide family doctors and their staff in their use of confidential patient information. It is important to emphasize that while the suggestions under each principle may be the most relevant at this time, new interpretations of PIPEDA or other proposed legislation could change these suggestions at a later time. Please also note that wherever reference is made to a family doctor's responsibilities, staff working in the family doctor's practice could also be implicated, depending on the family physician's decision to delegate authority for managing personal health information.

General Principles Applicable to Personal Health Information

1.  Accountability

a. It might be appropriate for family doctors to designate an individual in the practice to be responsible for overseeing the use of personal health information in the office. However, ultimate accountability continues to rest with the family doctor and to date, this seems to have been accepted by legislators.

b. It is uncertain whether there is an expectation for all medical practices to develop written policies related to the use of personal health information. Nevertheless, this is an appropriate time to review all internal processes for managing this information in family practice and to ensure that the privacy and confidentiality of patient information are maintained. Note that privacy policies already exist with licensing authorities (for resources, see Section E – Provincial Regulatory Authorities).

c. All staff in the medical practice should be reminded of good personal health information management. It may be appropriate for all family practice staff to sign confidentiality agreements related to their use of personal health information.

2. Identifying Purpose

Physicians should ensure that they and their staff are able to identify why they are collecting personal health information and that patients understand the reasons for collecting this information at the time or before the information is collected. This could be accomplished through the use of wall posters, written notices or patient brochures.

3. Consent

a. When personal health information is collected, physicians and their staff should ensure that patients are aware of the reasons for collecting their personal information.

b. In continuing to provide care and treatment, implied consent appears to be acceptable in most circumstances for the ongoing use of personal health information.

c. Patients can withdraw their consent at any time and should be clear about the consequences of denying or withdrawing consent.

4. Limiting Collection

Physicians and their staff should collect only the personal health information required to provide care for their patients.

5. Limiting Use, Disclosure and Retention

a. Except where disclosure is mandated by law, express patient consent (explicit written or oral) is required for all new uses of personal health information outside of care and treatment.

b. Family doctors should only disclose personal health information consistent with the use for which it was collected.

c. Guidelines should be in place for the retention and destruction of personal health information contained in records. Professional regulatory colleges are often a resource in determining these guidelines.

6. Accuracy

a. Family doctors should collect and maintain accurate personal health information in their patients' records. This might require the updating of information from time to time.

b. In most situations, patients may be allowed to correct the information in their health record. When this occurs, an appropriate process for correcting information should be followed, e.g. an explanation added to the current record, signed and dated.

7. Safeguards

a. The safety and security of all medical records, in hard copy or electronically, should be assured at all times.

b. Access to relevant information related to the provision of patient care should only be available to authorized persons.

8. Openness

Posters or other forms of written information might be used to reassure patients that the confidentiality of their personal health information is important in the medical practice. Copies of personal health information policies used by staff could be made available to patients of the practice.

9. Individual Access

Patients should be able to access their own personal health information in an appropriate way and should be allowed to correct this information using a process that tracks any amendments.

10. Challenging Compliance

Physicians should agree to a process for responding to complaints related to the collection and use of personal health information in their medical practices. Appropriate measures should be taken to correct any perceptions of inappropriate management of personal health information.

D. FURTHER COMMENTS & RECOMMENDATIONS FOR FAMILY PHYSICIANS

Most family doctors maintain good practices in their management of personal health information. Over the years, these have been encouraged through the

  • Ongoing review and application of professional guidelines from a variety of reliable sources in the use of personal health information
  • Awareness and application of provincial or territorial regulatory privacy policies and guidelines
  • Awareness and application of provincial or territorial privacy legislation relevant to personal health information

While the most appropriate ways to eventually apply the federal government's privacy legislation (PIPEDA) may be uncertain, good practices for the management of personal health information should continue to support the principles in the new legislation.

Principles and guidelines applicable to family practice and related to the direction of the new federal privacy act are provided. These should be considered complementary to good personal health information practices already being followed by most family doctors and should align with privacy legislation in place in some provinces.

At the least, new federal privacy legislation should encourage family doctors to review how they manage the collection and use of personal health information in their practices. At most, it might lead to some changes in the way personal health information is managed in family practice, to align with current legislation and its expectations and perhaps, better information practices.

Due to the regional variation in requirements and expectations, decisions to replicate the principles contained in this document for family doctors, their staff and patients, should be made by individual family practices as considered appropriate to the practice location and its applicable privacy legislation and regulations.

E. RESOURCES FOR FURTHER INFORMATION

The following resources are provided for the use of Canadian family doctors who are looking for more specific information related to this subject. It is anticipated that family doctors will also receive information regarding the management of personal health information from other organizations to which they belong.

a. Provincial Regulatory Colleges:

  1. College of Physicians and Surgeons of British Columbia - www.cpsbc.ca
  2. College of Physicians and Surgeons of Alberta - www.cpsa.ab.ca
  3. College of Physicians and Surgeons of Saskatchewan - www.quadrant.net/cpss
  4. College of Physicians and Surgeons of Manitoba - www.cpsm.mb.ca
  5. College of Physicians and Surgeons of Ontario - www.cpso.on.ca
  6. Collège des médecins du Québec - www.cmq.org
  7. College of Physicians and Surgeons of New Brunswick - www.cpsnb.org
  8. College of Physicians and Surgeons of Nova Scotia - www.cpsns.ns.ca
  9. College of Physicians and Surgeons of Prince Edward Island - mmacdonald@collegeofphysicians.pe.ca
  10. Newfoundland & Labrador Medical Board - nmb@thezone.net  

b. Provincial Medical Associations:

  1. British Columbia Medical Association: www.bcma.org
  2. Alberta Medical Association: www.albertadoctors.org
  3. Saskatchewan Medical Association: www.sma.sk.ca
  4. Manitoba Medical Association: general@mma.mb.ca
  5. Ontario Medical Association: www.oma.org
  6. Quebec Medical Association: www.amq.ca
  7. New Brunswick Medical Society: www.nbms.nb.ca
  8. Medical Society of Nova Scotia: www.doctorsNS.com
  9. Medical Society of Prince Edward Island: www.mspei.pe.ca
  10. Newfoundland and Labrador Medical Association: www.nlma.nf.ca

c. National Medical Organizations:

  1. Canadian Medical Protective Association, P.O. Box 8225, Station T, Ottawa, ON K1G 3H7, (800) 267-6522, www.cmpa.org
  2. The College of Family Physicians of Canada, 2630 Skymark Avenue, Mississauga, ON L4W 5A4, (800-387-6197), www.cfpc.ca
  3. Canadian Medical Association, 1867 Alta Vista Drive, Ottawa, ON K1G 3Y6, (800) 267-9703, www.cma.ca

d. Federal, Provincial and Territorial Sources of Privacy Information

1. Government of Canada

2. British Columbia (BC)

3. Saskatchewan (SK)

4. Alberta (AB)

5. Manitoba (MB)

6. Ontario (ON)

7. Quebec (PQ)

8. New Brunswick (NB)

9. Nova Scotia (NS)

10. Prince Edward Island (PEI)

11. Newfoundland & Labrador (NL)






Last updated: 04/07/2004