A.  The Protection of Personal Health Information

Personal health information is the most private form of information due to its highly sensitive nature, and the circumstances of vulnerability and trust under which it is confided or collected.[23]  In Canada, the protection of personal health information is regulated by various federal and provincial privacy laws that establish standards for patient privacy rights.[24]  The freedom of information and protection of privacy statutes in most provinces protect personal health information in the custody or control of public or government bodies.[25]  Public bodies encompassed by such legislation include hospital and regional health authorities, as well as health agencies. In addition, the federally regulated public sector has privacy legislation in place to cover both personal information and personal health information in the custody and control of federal government bodies (i.e. the Privacy Act[26] and Access to Information Act[27]). The Personal Information Protection and Electronic Documents Act (PIPEDA)[28] governs the private sector, and applies to both federal and provincial private entities, unless the provincial privacy statutes have been deemed substantially similar.[29]  PIPEDA extends to information collected, used or disclosed in the course of commercial activities.  In the healthcare context, PIPEDA applies to entities such as private pharmacies, laboratories and healthcare providers operating private practices.

 

B. Health Information Specific Legislation

The sensitive nature of personal health information has prompted several provinces to enact health information specific legislation.  Manitoba, Saskatchewan, Alberta, Newfoundland and Ontario are the legislative pioneers in this regard.[30] The statutes apply broadly to the collection, use, disclosure and retention of personal health information by healthcare providers.

There is, however, significant variation in privacy laws and data access policies nation-wide.[31]  This is evident when comparing consent frameworks employed by provincial health information legislation. For instance, the Saskatchewan Health Information Protection Act (HIPA) follows a deemed consent model.[32]  Here, an individual’s consent is deemed to exist where personal health information is required to provide health services.[33]  Alternatively, Ontario’s Personal Health Information Protection Act (PHIPA) has adopted an implied consent model for the collection, use or disclosure of health information.[34]  Here consent is implied if health information is disclosed for purposes of providing healthcare or assisting in providing healthcare.[35]  

The consent provisions specifically relevant to electronic health records also show a lack of uniformity.  Manitoba regulations permit disclosure without consent for certain EHR purposes,[36] while Ontario’s legislation leaves the specific rules regarding EHRs to be established in regulations.[37]  Should these regulations conflict with more specific health information legislation in other provinces, challenges will emerge as EHR data moves from one jurisdiction to another.

Prompted by provider feedback, Alberta and Saskatchewan have already altered their health information legislation, as healthcare providers found the EHR-relevant provisions too cumbersome to apply.[38]  When first implemented, Saskatchewan’s HIPA gave individuals the right to direct that a trustee not store their specified information in the Saskatchewan Health Information Network (SHIN).[39]  Today, an opt-out method is employed, as individuals must indicate in writing if they do not wish to be included.  Alberta legislation underwent a similar change in 2003, as the provision that required consent from individuals before information could be disclosed electronically was removed.[40]

 
Questions:
  

“Differences in rules on how the scope of purpose is defined, the form of consent required, the conditions for substitute decision-making, the criteria for non-consensual access to personal health information, periods for retention of data, and requirements for destruction, to name but a few, must be seriously addressed in order to enable the development of EHR systems.”

   (Canada, Standing Senate Committee on Social Affairs, Science and Technology, 2002)

· Should provincial privacy legislation be aligned to facilitate a national electronic health record that enables the transfer of information across borders?

· If so, how can these inconsistencies be reconciled?

 
