HEALTH PRIVACY & MOBILE TECHNOLOGIES
Across Canada

2016-10-16

ABOUT ME

Judy Tian

3rd year Common Law (J.D.) student at the University of Ottawa

Interests:

  • Privacy Law
  • Policy Development

Across a range of sectors:

  • Immigration Law firm (Immigration Law)
  • Department of Justice (Privacy Law/EDRM)
  • Venture Capital Firm (Corporate Law)
  • Ontario Securities Commission (Securities Law)

OBJECTIVES

1. Health privacy law framework in Canada

  • Key legislation
  • Who must comply with federal and provincial privacy laws?

2. How laws apply to mobile health technology: understand how these laws apply to electronic records and mobile technologies

  • ImmunizeCA
  • Gaps in the legislative framework
  • Privacy Resources


PROJECT OVERVIEW

  • Dr. Kumanan Wilson
  • Prof. Colleen Flood

ImmunizeCA App Legal Framework

Four Key Points

  1) There is no single health privacy statute that applies uniformly across Canada
  2) The legal framework is composed of federal and provincial statutes
  3) Different laws apply to public sector entities and to private sector entities
  4) The laws that apply vary in each province

1. Health privacy law framework in Canada

  • Key legislation
  • Who must comply with provincial privacy laws?

WHAT IS HEALTH PRIVACY LAW?

There are a number of laws in Canada that relate to privacy rights. Some are general application laws; others are sector-specific. The key factors that determine which laws apply, and who oversees them, include:

  • The nature of the organization responsible for the personal information
  • The type of information: is it personal information, and if so, what type of personal information is it?

The best way to discuss these laws is to distinguish between the public and private sectors.


WHAT IS HEALTH PRIVACY LAW?

Health Privacy Law is a sector-specific branch of Privacy Law. It relates to the regulation of how designated individuals and organizations handle personal health information (PHI).

Consent based model: Generally, health privacy laws prevent individuals and organizations who handle personal health information (Health Information Custodians) from disclosing it, unless the individual consents.* The purpose of health privacy legislation is to balance the need to maintain confidentiality with the legitimate need to use and share that information.

*Statutes provide exceptions where consent can be implied, for instance information sharing between medical practitioners in a patient's circle of care.

PERSONAL HEALTH INFORMATION IS BROADLY DEFINED

Personal Health Information is identifying information about an individual, in oral or recorded form, that relates to their physical or mental health. This can include information that:

  • relates to the provision of health care to the individual
  • is a plan of service within the meaning of the Home Care and Community Services Act, 1994 for the individual
  • relates to payments or eligibility for health care, or eligibility for coverage for health care
  • relates to the donation by the individual of any body part or bodily substance of the individual, or is derived from the testing or examination of any such body part or bodily substance
  • is the individual's health number, or
  • identifies an individual's substitute decision-maker

Definition from Personal Health Information Protection Act, SO 2004 c 3, Sch A, s. 4

FEDERAL STATUTES

Public Sector: The Privacy Act

Regulates the personal information-handling practices of federal government departments and agencies. The Privacy Act only applies to federal government institutions listed in the Privacy Act Schedule of Institutions. The Public Health Agency of Canada and the Canadian Institutes of Health Research are examples of institutions listed in the Schedule.

Private Sector: The Personal Information Protection and Electronic Documents Act (PIPEDA)

PIPEDA regulates the personal information-handling practices of private-sector organizations in the course of commercial activities across Canada. PIPEDA does not apply to organizations that are not engaged in commercial activity, such as charity groups, associations or political parties. PIPEDA will also not apply to an organization that operates wholly within a province that has legislation deemed substantially similar to PIPEDA.


PROVINCIAL STATUTES

Public Sector

  • Every province and territory has its own public-sector legislation. The relevant provincial act, not the federal Privacy Act, will apply to provincial government agencies.
  • In every province, provincial statutes apply to personal health information handled by provincial public agencies.

Private Sector

  • Some provinces have privacy legislation that has been deemed "substantially similar" to PIPEDA, which means that it is applied instead of PIPEDA when information does not cross provincial or federal borders.
  • Provincial statutes will apply to private commercial entities in provinces with a statute that is substantially similar to PIPEDA.

PROVINCIAL HEALTH PRIVACY STATUTES

Provinces shown: Alberta, Ontario, Manitoba, New Brunswick, Newfoundland and Labrador, Nova Scotia, Saskatchewan, British Columbia, Prince Edward Island

Personal health information is governed by a health-sector-specific statute in most provinces. It is governed by a framework of general application statutes in others. Health privacy statutes mainly apply to Health Information Custodians and their agents.*

Health privacy legislation across the provinces has the same purpose: to establish rules for collecting, using and disclosing personal health information in order to protect the privacy of individuals, while enabling health information to be shared and accessed, where appropriate, to provide health services and to manage the health system.

Ontario's health privacy law, the Personal Health Information Protection Act, 2004 (PHIPA), only engages the responsibility of "Health Information Custodians." The equivalent statutes in other provinces have similar applicability.

* In addition, the statutes apply to Electronic Service Providers and to recipients who obtain personal health information directly from a Health Information Custodian.


WHO IS A HEALTH INFORMATION CUSTODIAN?

The answer to this question is not as straightforward as it appears, and it will affect which privacy laws apply to an entity.

  • A Health Information Custodian is an organization or individual in the health system that receives and uses health information in connection with prescribed powers related to the provision of healthcare.
  • Health care is defined as any observation, examination, assessment, care, service or procedure that is done for a health-related purpose and is carried out or provided to diagnose, treat or maintain an individual's physical or mental condition; to prevent disease or injury or to promote health; or as part of palliative care.

WHO IS A HEALTH INFORMATION CUSTODIAN?

Remember: the definition of a health information custodian is grounded in a function, which is the provision of health care. This definition does not include everyone who may collect or use health information in the course of their work. Similarly, it does not by default include a healthcare practitioner if they are collecting information for purposes other than the provision of healthcare.

CUSTODIAN OR NOT?

The Children's Aid Society of Ottawa is a non-profit community organization with a mission to protect children and youth from abuse and neglect. They keep comprehensive records of children in their care, including personal health information such as vaccination records and health history.

Is the Children's Aid Society a Health Information Custodian?

No: Many social service agencies, e.g. Children's Aid Societies, would not fall under this definition, except if the main purpose of the organization is to provide health care to its clients.


CUSTODIAN OR NOT?

Jane is a foster parent who currently has three foster children in her care. The youngest, Laura, is diabetic and relies on Jane to administer her daily dose of insulin, as well as to attend to other needs that arise due to her condition. Jane keeps detailed records of Laura's health history and other personal health information. Jane is remunerated for providing medical care to Laura.

Is Jane a Health Information Custodian?

No: A foster parent is not a health information custodian, even if the parent is remunerated in part for providing health care to the foster child, since the primary purpose of the foster parent is to provide safe custody for the child.

CUSTODIAN OR NOT?

Michael is a nutritionist who has been hired by Wealthvest, a private financial planning company, to design a healthy lifestyle plan for its employees as part of their health awareness week. Employees who wish to participate must provide Michael with their personal health history (along with signed consent forms). Michael will then create a tailored plan for each individual, track their progress throughout a fixed period and recommend next steps.

Is Michael a Health Information Custodian?

Yes: A person who would otherwise be a health information custodian, and who is an agent/employee of an organization that is not a health information custodian, is still considered a health information custodian if they are providing healthcare.

2. How laws apply to mobile health technology: understand how these laws apply to electronic records and mobile technologies

  • ImmunizeCA case
  • Gaps in the legislative framework
  • Privacy Resources

  • ImmunizeCA is an app that is being developed in 3 phases
    – Phase I: Provides users with a platform to store their personal vaccination records
    – Phase II: Users can share their vaccination records between accounts
    – Phase III: Secondary data sharing with public health agencies to improve the administration of the healthcare system
  • This technology provides a wealth of opportunities to improve the administration of healthcare, such as allowing governments to track disease outbreaks and immunization trends among a population.

But which privacy statutes apply?

Question I: Is ImmunizeCA a Health Information Custodian?

Remember: A Health Information Custodian is an organization or individual in the health system that receives and uses health information in connection with prescribed powers related to the provision of healthcare. This definition does not include everyone who may collect or use health information in the course of their work.

In our case: ImmunizeCA is not a health information custodian.

  • ImmunizeCA, or any entity that performs a similar function, is not listed within s. 3(1) of PHIPA as a custodian.
  • The app does not provide a health care service, nor does it receive information directly from a custodian.
  • ImmunizeCA could therefore be analogous to an insurance company or an employer who receives PHI for administrative or record-keeping purposes.
  • I conducted a review of corresponding legislation in other jurisdictions and came to the same conclusion.

Question II: Is ImmunizeCA the agent of a Health Information Custodian?

Remember: PHIPA applies to agents who are authorized to act for or on behalf of a health information custodian. The Health Information Custodian is deemed to have custody and control of personal health information in the agent's custody. The Custodian would remain responsible for the.

In our case: The Ottawa Hospital is a Health Information Custodian, and the app development team is employed by the Hospital. Would that make ImmunizeCA an agent?

  • ImmunizeCA is not an agent of the Ottawa Hospital with respect to PHI collected from the app.
  • The Ministry of Health guidelines give the following examples of agents:
    – employees of the health information custodian;
    – contracted third parties who have access to personal health information (e.g. a copying or shredding service);
    – volunteers or students who have any access to personal health information.
  • In the case of ImmunizeCA, the Ottawa Hospital would have no control over the PHI, since users themselves would input information directly into the app. Therefore, it would seem illogical to consider ImmunizeCA its agent and hold the Ottawa Hospital responsible for the PHI in ImmunizeCA's control.

Question III: If ImmunizeCA is not subject to PHIPA, then would PIPEDA apply?

Remember: PHIPA has been declared substantially similar to PIPEDA only with respect to the health sector. It exempts Health Information Custodians and their agents from the application of PIPEDA to the extent that they collect, use and disclose PHI within the province of Ontario. Therefore, Health Information Custodians must comply with PHIPA, and are not required to comply with PIPEDA, whether or not they are engaged in a commercial activity. This exception only applies to Health Information Custodians (and others specified by the Act). Where PIPEDA would normally apply, entities that are neither Health Information Custodians nor agents must comply with PIPEDA.

  • In our case: ImmunizeCA is not a Health Information Custodian, but it is not engaged in commercial activities either. PIPEDA applies to private entities engaged in commercial activity.
  • Commercial activity is not explicitly defined in PIPEDA. The Information and Privacy Commissioner explains that even if an app isn't generating revenue, it may be considered a commercial enterprise under PIPEDA if collecting, using and disclosing personal information to improve the user experience indirectly contributes to the commercial success of the app.
  • However, that example illustrates a situation where an app isn't presently generating revenue, but its ultimate goal is to achieve commercial success. Given that ImmunizeCA is funded through grants, and its purpose is to help Canadians track their own vaccination records, ImmunizeCA is not engaging in commercial activities. Its activities would be analogous to the fundraising activities of a charity.

Lessons learned in the case of ImmunizeCA:

1. Provincial health privacy legislation will not apply, because this app is not considered a Health Information Custodian or an agent under PHIPA and similar legislation, since it does not provide, or facilitate the provision of, healthcare.

2. PIPEDA does not apply if the app is not engaged in commercial activity. ImmunizeCA is not a profit-generating app, and fundraising is not considered a commercial activity under PIPEDA. ImmunizeCA's initial funding was made possible through government grants. Even if it were to generate revenue in the future, the sole purpose of that revenue would be maintaining and developing the app, not generating profit.

These two points illustrate how ImmunizeCA, and similar apps, fall within the regulatory gaps of the current health privacy framework. It is not governed by health-sector-specific legislation, since it is not a health information custodian; and it is not subject to PIPEDA, since it is not a commercial entity.

KEY TAKEAWAYS

Most mobile apps will be subject to PIPEDA, since they are commercial entities with the aim of generating a profit. The ImmunizeCA case is a unique example because it is neither a health information custodian nor a commercial entity. Through this research we have learned the following lessons:

  • A separate privacy regime has been created for the health sector: legislators have recognized that Personal Health Information is highly sensitive and should be treated differently than other forms of personal information. However, most health privacy laws were drafted with paper records in mind; the legislator did not contemplate the onset of mobile health technologies at the time the statutes were drafted.
  • Mobile health apps should be governed by health-sector-specific legislation such as PHIPA: since personal health information is recognized for its unique and sensitive nature, these apps should be governed by health-sector-specific legislation.
  • Health privacy laws, such as PHIPA, should be amended in order to address the changing reality of information handling: the onset of mobile technologies in the health sector demonstrates that the traditional definition of Health Information Custodian should be revisited to include mobile health apps within its regulatory purview.

Privacy Resources

  • The IPC's Privacy Impact Assessment Guidelines for the Ontario Personal Health Information Protection Act serve as a self-assessment tool to assist health information custodians in reviewing the impact that a proposed information system, technology or program may have on the privacy of an individual's personal health information under PHIPA. https://www.ipc.on.ca/wp-content/uploads/Resources/phipa_pia-e.pdf
  • The IPC's Guide: Good Privacy Practices for Developing Mobile Apps. This guidance has been prepared jointly by the Office of the Privacy Commissioner of Canada and the Offices of the Information and Privacy Commissioner of Alberta and British Columbia to draw your attention to key privacy considerations when designing and developing mobile apps. https://www.oipc.bc.ca/guidance-documents/1426


THANK YOU