Last year’s post on April Fool’s Day – a comic touching on biomedical ethics and patient privacy protection – was so popular that I’ve decided to do the same type of thing this year! Enjoy the comic (1), and then scroll down for the more serious side of this post
What was your reaction to this comic? Did you laugh just a bit uncomfortably? Did you shake your head, or roll your eyes, because you know that this type of thing still happens? Because it happens more frequently than those of us working in healthcare fields would like to admit?
Here in Canada, the protection of patients’ medical information is somewhat complex – we have a patchwork approach to patient privacy protection, which can vary from one jurisdiction to the next.
First off, at the national level, we have the Personal Information Protection and Electronic Data Act (PIPEDA) for private-sector organizations. Then we have another national law, The Privacy Act, which governs privacy protection in the public sector; for departments and agencies of the federal government.
Still with me? Next up, each province or territory can have its own privacy law(s); these can be specific (e.g. health information) or broad in scope. And a province or territory’s privacy law(s) can be deemed to be ‘substantially similar’ to PIPEDA by the Governor in Council.
Once it obtains the ‘substantially similar’ designation for a privacy law, that jurisdiction is exempt from PIPEDA (for that class of information) as long as it maintains similar protections to PIPEDA.
Are you starting to see why I refer to privacy legislation in Canada as a ‘patchwork’? Finally (for this post, at any rate!) are the laws that are specific to medical and health records and information. As far back as 2009, several provinces already had “health-specific privacy legislation (British Columbia, Alberta, Saskatchewan, Manitoba, Ontario).”(2)
Since then, many other Canadian jurisdictions have enacted legislation specifically to protect health information.(3) This list now includes:
- Alberta: Health Information Act (HIA)
- British Columbia: Personal Health Information Access and Protection of Privacy Act (E-Health)
- Manitoba: Personal Health Information Act (PHIA)
- New Brunswick: Personal Health Information Privacy and Access Act (PHIPAA)
- Newfoundland and Labrador: Personal Health Information Act (PIA)
- Northwest Territories: Health Information Act (HIA)
- Nova Scotia: Personal Health Information Act (PHIA)
- Ontario: Personal Health Information Protection Act (PHIPA)
- Quebec: An Act to amend the Act respecting health services and social services, the Health Insurance Act and the Act respecting the Regie de l’assurance maladie du Quebec (The Act)
- Saskatchewan: Health Information Protection Act (HIPA)
- Yukon: Health Information Privacy and Management Act (HIPMA)
Whichever privacy law you’re subject to – any of those noted above if you’re in Canada, or the Health Insurance Portability and Accountability Act (HIPAA) if you’re in the United States – it’s important to remember that paper records also have to be protected.
We can’t focus solely on electronic health records (EHR) and electronic medical records (EMR) when we’re considering appropriate prevention of patient’s personal health information; we have to also protect any paper records!
Happy April Fool’s Day!
References:
(1) The Office of the Privacy Commissioner of Canada; Government of Canada. “Don’t worry, everything in your medical file is strictly confidential!” 2016. Accessed 01 Apr 2017. Web:
https://www.priv.gc.ca
(2) Power, Michael. Privacy and electronic health records in Canada. The Privacy Advisor. International Association of Privacy Professionals (IAPP). 01 Sep 2009. Web:
https://iapp.org/news/a/2009-09-privacy-and-electronic-health-records-in-canada
(3) Office of the Privacy Commissioner of Canada. Provincial and territorial privacy laws and oversight. Government of Canada. Accessed 28 Mar 2017. Web:
https://www.priv.gc.ca/en/about-the-opc/what-we-do/provincial-and-territorial-collaboration/provincial-and-territorial-privacy-laws-and-oversight