2016 ‐ 10 ‐ 16 H EA LT H P R I V A C Y & M O B I L E T EC H N O LO G I ES Across Canada ABOUT M E Judy Tian 3 rd year Common Law (J.D.) Student at the University of Ottawa Interests: • Privacy Law • Policy Development Across a range of sectors: • Immigration Law firm (Immigration Law) • Department of Justice (Privacy Law/EDRM) • Venture Capital Firm (Corporate Law) • Ontario Securities Commission (Securities Law) OBJECTI VES Health privacy law framework in Canada • Key legislation 1 • Who must comply with federal and provincial privacy laws? How laws apply to mobile health technology ImmunizeCA • 2 understand how these laws apply to electronic records and mobile technologies • Gaps in the legislative framework • Privacy Resources 1
2016 ‐ 10 ‐ 16 PROJECT OVERVI EW Dr. KumananWilson Prof. Colleen Flood ImmunizaCA Legal App Framework Health privacy law framework in Canada • Key legislation 1 • Who must comply with provincial privacy laws? Four Key Points 1) There is no single health privacy statute that applies uniformly across Canada 2) The legal framework is composed of federal and provincial statutes 3) Different Laws apply to public sector entities and to private sector entities 4) The laws that apply vary in each province W HAT I S HEALTH PRI VACY LAW ? There are a number of laws in Canada that relate to privacy rights. Some are general application laws; others are sector- specific. The key factors that determine what laws apply and who oversees them include: • The nature of the organization responsible for the personal information • The type of information—is it personal information, and if so, what type of personal information is it? Best way to discuss laws is to distinguish between public and private sectors 2
2016 ‐ 10 ‐ 16 W HAT I S HEALTH PRI VACY LAW ? Health Privacy Law is a sector-specific branch of Privacy Law It relates to the regulation of how designated individuals and organizations handle personal health information (PHI). The purpose of health privacy legislation is to balance the need to maintain confidentiality with the legitimate need to use and share that information. Consent based model: Generally, health privacy laws prevent individuals and organizations who handle personal health information (Health Information Custodians) from disclosing it, unless the individual consents.* *statutes provide exceptions where consent can be implied, for instance information sharing between medical practitioners in a patient’s circle of care. PERSONAL HEALTH I NFORM ATI ON I S BROADLY DEFI NED Personal Health Information is: Identifying information about an individual oral or recorded form that relates to their physical or mental health. This can include: • the provision of health care to the individual • is a plan of service within the meaning of the Home Care and Community Services Act, 1994 for the individual, • relates to payments or eligibility for health care, or eligibility for coverage for health care • relates to the donation by the individual of any body part or bodily substance of the individual or is derived from the testing or examination of any such body part or bodily substance, • the individual’s health number, or • identifies an individual’s substitute decision-maker Definition from Personal Health Information Protection Act, SO 2004 c 3, Sch A, s. 4 FEDERAL STATUTES Public Sector Private Sector The Privacy Act The Personal Information Protection and Electronic Documents Act Regulates the personal information-handling practices of federal government departments PIPEDA regulates the personal information- and agencies. handling practices of private-sector The Privacy Act only applies to federal organizations in the course of commercial government institutions listed in the Privacy Act activities across Canada. Schedule of Institutions. PIPEDA does not apply to organizations that The Public Health Agency of Canada and the are not engaged in commercial activity, such as Canadian Institute of Health Research are charity groups, associations or political parties,. examples of institutions listed in the Schedule. PIPEDA will not apply to an organization that operates wholly within a province that has legislation that has been deemed substantially similar to the PIPEDA. 3
2016 ‐ 10 ‐ 16 PROVI NCI AL STATUTES Private sector Public Sector • some provinces have privacy • Every province and territory has its legislation that has been deemed own public-sector legislation. The “substantially similar” to PIPEDA, relevant provincial act will apply to which means that it is applied provincial government agencies, not instead of PIPEDA when information the Privacy Act. does not cross provincial or federal borders. • In every provinces, provincial statutes apply to personal health information handled by provincial public agencies. • Provincial statutes will apply to private commercial entities in provinces with a statute that is substantially similar to PIPEDA PROVI NCI AL HEALTH PRI VACY STATUTES Personal health information is governed by a health It is governed by a framework of general application sector specific statute in most provinces statutes in others Alberta Ontario British Columbia Manitoba Prince Edward Island New Brunswick Newfoundland and Labrador Nova Scotia Saskatchewan Health privacy law framework in Canada • Key legislation 1 • Who must comply with provincial privacy laws? Health privacy statutes mainly apply to Health Information Custodians and their agents* Health privacy legislation across provinces have the same purpose: to establish rules for collecting, using and disclosing personal health information in order to protect the privacy of individuals, while enabling health information to be shared and accessed, where appropriate, to provide health services and to manage the health system. Ontario’s health privacy law, the Personal Health Information Protection Act, 2004 (PHIPA) only engages the responsibility of “Health Information Custodians.” The equivalent statutes in other provinces have similar applicability. * In addition, statutes apply to Electronic Service Providers and recipient who obtain personal health information directly from a Health Information Custodian. 4
2016 ‐ 10 ‐ 16 W HO I S A HEALTH I NFORM ATI ON CUSTODI AN? The answer to this question is not as straightforward as it appears—and will affect which privacy laws apply to an entity. • A Health Information Custodian is an organization or individual in the health system that receives and uses health information in connection with prescribed powers related to the provision of healthcare. • Health care is defined as any observation, examination, assessment, care, service or procedure that is done for a health-related purpose and is carried out or provided to diagnose, treat or maintain an individual’s physical or mental condition; to prevent disease or injury or to promote health; or as part of palliative care. W HO I S A HEALTH I NFORM ATI ON CUSTODI AN? Remember: the definition of a health information custodian is grounded in a function, which is the provision of health care. This definition does not included everyone who may collect or use health information in the course of their work. Similarly, it does not by default include a healthcare practitioner if they are collecting information for purposes other than the provision of healthcare. CUSTODI AN OR NOT? The Children's Aid Society of Ottawa is a non-profit community organization with a mission to protect children and youth from abuse and neglect. They keep comprehensive records of children in their care—including No: personal health information, such Many social service agencies, e.g. Children’s as vaccination records and health Aid Societies, would not fall under this history. definition, except if the main purpose of the organization is to provide health care to its Is the Children’s Aid Society a clients. Health Information Custodian? 5
Recommend
More recommend
