The previous
article in this series introduced the
Personal
Information Protection and Electronic Documents Act (PIPEDA)
and began a discussion of its impact. It's time to discuss what has
happened over the summer and introduce how PIPEDA, as it is
presently understood, might impact on your practice.
The Privacy
Commissioner for Canada is the interpreter of PIPEDA; complaints
would be directed in the first instance to him or her. The Privacy
Commissioner for Canada had been Mr. George Radwanski, who resigned
the post in June. An interim Privacy Commissioner has been put in
place, Mr. Robert Marleau, until January 1, 2004 when Mr.
Radwanski's permanent replacement will take over. The effect of this
is that during the six month run up to PIPEDA coming into force, the
office that should be giving physicians guidance as to how the Act
will be interpreted is occupied by a caretaker. The degree to which
this caretaker will be inclined to give direction and how this
direction will coincide with the opinions of any permanent Privacy
Commissioner are causes for concern.
In discussing the impact of PIPEDA, in the absence of statements
from the interim Privacy Commissioner, it is necessary to fall back
on the wording of the Act and the statements of Mr. Radwanski prior
to leaving office. As regards to whom the Act applies, the
applicable part of the Act states:
"4. (1) This Part applies to every organization in respect
of personal information that (a) the organization collects, uses
or discloses in the course of commercial Activities."
It had been hoped that physicians would escape PIPEDA based on the
fact that most physicians receive their income (at least in large
part) from public sources and do not engage in what would be
determined a "commercial activity." However, Mr. Radwanski,
in his Report
to Parliament 2000-2001, indicated that his determination was
that the Act would apply "to such directly health-related
commercial services as doctors' offices, private clinics,
laboratories and pharmacies." He did not go on to explain what
qualifies as a doctor's office, or qualify whether method of payment
(fee for service vs. salary) or mode of employment (independent
practitioner vs. health board employee) has any bearing on whether
or the degree to which this applies. It appears, however, that at
least some and possibly all physicians will fall under the Act.
As a consequence, physicians will be responsible for getting consent
for the collection, use and disclosure of health information.
Physicians, for the most part, imply consent for treatment (to a
point) by the fact that the person shows up requesting help. This
implied consent standard is one of the things that allows us to
provide care in an expeditious manner. The alternative would be
having to explain everything we do before we do it, obtain consent
for every act regardless of significance, and document the process.
The latter process is referred to as expressed consent.
The Act makes several statements with respect to the standard for
consent:
"The form of the consent sought by the organization may
vary, depending upon the circumstances and the type of
information. In determining the form of consent to use,
organizations shall take into account the sensitivity of the
information. Although some information (for example, medical
records and income records) is almost always considered to be
sensitive, any information can be sensitive
An organization
should generally seek express consent when the information is
likely to be considered sensitive."
It would not appear from this (and
statements made by Mr. Radwanski) that implied consent would be
permitted for the collection, use and disclosure of health
information. The methods of obtaining
consent are outlined in the Act, but no specifics are given as to
whether a handout with a consent form signed by the patient will
suffice or whether the physician will be expected to explain the
process in detail.
Obviously, this situation is still unfolding. The NLMA's Health ICT
Policy Committee is working on the matter and will be attempting to
clarify these matters further. For more information and to keep up
with latest developments, visit the Privacy
section of NLMA website.
Dr. Gerard Farrell is a member of the
NLMA Board of Directors and chairs the NLMA's Health ICT Policy
Committee. This article is the second in a series by Dr. Farrell
addressing the privacy and security of health information. The NLMA
is working with the Canadian Medical Association and other divisions
to implement a strategy to address concerns resulting from PIPEDA.
|
