Questions and Answers

PIPEDA Awareness Raising Tools (PARTs) Initiative For The Health Sector

Notice: This document has been prepared in consultation with health care provider associations within the context of their day-to-day activities in providing care and treatment to Canadians. The answers to the questions may not necessarily be appropriate for organizations not subject to PIPEDA.


Overview
Key Definitions
Scope of Application
Knowledge and Consent
Disclosure
Use and Retention
Access
Safeguards

This document is an administrative tool to assist in understanding PIPEDA. It is not intended as legal advice.


Overview:

  1. What is the "Personal Information Protection and Electronic Documents Act" (PIPEDA)?

    PIPEDA is federal legislation that protects personal information, including health information. It sets out ten principles that organizations, individuals, associations, partnerships and trade unions must follow when collecting, using and disclosing personal information in the course of a commercial activity.

  2. Does PIPEDA apply throughout Canada?

The Act will not apply to personal information in Provinces and Territories that have substantially similar privacy legislation in place covering commercial activities that are provincially/territorially regulated. PIPEDA does not apply within the province of Quebec because the province has received substantially similar status; however, the Act will continue to apply in Quebec to personal information sent outside of the province and to organizations currently subject to the Act, such as banks, broadcasters, airlines, transportation companies and other federally regulated organizations. For more details on this subject please consult Industry Canada's web site.

  3. (a) What are the core features of PIPEDA?

The core features of PIPEDA include: obtaining consent and identifying the purpose for the collection of personal information, and procuring additional consent (express consent in some cases) for any secondary uses or disclosures of the information. To make the consent valid, the Act requires communicating to individuals what personal information is being collected, and how it will be used, disclosed, and protected (see answer #38).

    (b) What are PIPEDA's key principles?

    The 10 key principles of PIPEDA are listed below. The Q&As that follow will show how these elements apply in the health sector.

    1. Organizations are accountable for the protection of personal health information under their control.
    2. The purposes for which the personal information is being collected must be identified during or prior to the collection.
    3. Information must be collected with the knowledge and consent of the individual and for a reasonable purpose.
    4. The collection of personal information is to be limited to what is necessary for the identified purposes and will be collected by fair and lawful means.
    5. Information can only be used and disclosed for the purpose for which it was collected and will be retained only as long as it is necessary to fulfil the purpose.
    6. Information must be as accurate, complete and up-to-date as possible.
    7. Information must be protected by adequate safeguards.
    8. Information about an organization's privacy policies and practices is to be readily available.
    9. Information must be accessible for review and correction by the individual whose personal information it is, and
    10. Organizations are to provide the means to an individual to challenge an organization's compliance with the above principles.

    * Organizations include associations, partnerships, trade unions, agencies, and institutions. It also includes health care providers in private practice.

  4. Why is this law required?

    PIPEDA aims to provide assurances to the public, patients, and providers that personal health information will continue to be managed and shared confidentially and securely.

    The Government of Canada believes that, in most cases, PIPEDA's principles may not significantly differ from those currently in place in the health sector. However, to make consent valid PIPEDA requires informing patients of their privacy rights and providing them with an opportunity to know what personal information is being collected, for what purpose, how it will be used, disclosed, and protected (see answer #38).

  5. What additional responsibilities will be added to health professionals as a result of PIPEDA?

    PIPEDA should have minimal impact on regulated health professionals involved in commercial activities who already have good privacy and confidentiality practices in place. Most health professionals already work within a legislative framework or code of ethics that requires them to protect patient privacy, and PIPEDA supports most current best practices.

    Health professionals will have to ensure that they:

    • Let patients know about the collection, use or disclosure of their personal information (see question #38).
    • Obtain consent to disclose information to third parties when appropriate.
    • Provide an individual with access to his or her own personal information.
    • Provide secure storage of information and implement measures to limit access to patient records.
    • Ensure proper destruction of information that is no longer necessary.
    • Inform patients of the organization's information-handling practices through various means (e.g. the posting of notices, brochures and pamphlets, and/or through normal discussions between a patient and a health care provider).

  6. Under PIPEDA are privately insured or privately paid health services considered to be commercial activities?

    PIPEDA does not differentiate between activities based upon who is paying for them. It is based on the nature of the activity. For example, a hospital charging for a fibreglass cast would not bring the hospital within the scope of the Act because the transaction is part of the hospital's core activities, i.e. providing health care services. (see question 24)

    In the case of a privately owned medical equipment store or TV rental business, if the hospital leases the space to the operator, the latter is responsible for complying with the Act, not the hospital.

  7. How does PIPEDA impact the non-commercial aspect of the health care sector?

    Non-commercial areas of health care such as publicly funded hospitals are not subject to PIPEDA.

  8. Some health care services are delivered in "open concept" offices. Under PIPEDA can care and treatment continue in the open concept?

    Special attention and discretion must be exercised in collecting, using and disclosing personal information where services are delivered in an open concept.


Key Definitions:

  1. What is personal information?

    In the health context, personal information means information about an identifiable patient which includes any factual or subjective information, recorded or not, about that individual, including health related information.

  2. What is an organization?

    An organization includes associations, partnerships, trade unions, agencies, and institutions. It also includes health care providers in private practice.

  3. What is a commercial activity within the context of the health care sector?

    A commercial activity involves the making and provision of a product or service that is commercial in nature. Under PIPEDA, commercial activities include, for example, the selling, bartering, or leasing of donor, membership or other fundraising lists for some consideration. The funding source (public health insurance, private payer, 3rd party payer, etc.) is not relevant in determining the existence of a commercial activity.

  4. What is a "circle of care"?

    The expression includes the individuals and activities related to the care and treatment of a patient. Thus, it covers the health care providers who deliver care and services for the primary therapeutic benefit of the patient and it covers related activities such as laboratory work and professional or case consultation with other health care providers.

  5. What does "access" mean under PIPEDA?

    Access is not defined in PIPEDA. However, the intention of the right of "access" is to enable individuals to be informed of the existence of, to view and/or obtain a copy of, the personal information, in a form that is generally understandable, that has been collected about them by an organization. The access right also includes the right of individuals to challenge the accuracy and completeness of the information and to have it amended, as appropriate. (see questions # 68 & 69)

  6. PIPEDA uses a "reasonable person" test. What does the term "reasonable person" mean?

    The concept of "reasonable person" is a test that is intended to ensure that personal information is only collected, used or disclosed for purposes that the average person would consider appropriate, logical and fair in the circumstances.

  7. What are an institution's "Core Activities"?

    An institution's "core activities" are those objectives/activities defined either in a provincial Act which regulates that particular industry or those objectives/activities in the legal entity's Letters Patent, including those activities which logically or legally flow from the latter. For example, the core activities of a hospital include providing accommodations, providing health care services, etc.


Scope of Application:

  1. Does PIPEDA apply to the entire health sector in Canada?

    No, PIPEDA only applies to the information collected, used and disclosed in the course of commercial activities such as private pharmacies, laboratories and health care providers in private practices. Also, the Act will not apply to personal information in Provinces and Territories that have substantially similar privacy legislation in place covering commercial activities that are provincially regulated, such as in the province of Quebec. For more details on this subject please consult Industry Canada's Privacy For Business web site.

  2. Are there significant differences between PIPEDA and current privacy practices in the health sector?

    No, privacy is a right underpinning health care in Canada. This right is addressed in legislation, codes of ethics, standards and procedures. The Government of Canada believes that, in most cases, PIPEDA's principles may not significantly differ from those currently in place in the health sector. However, to make consent valid PIPEDA requires informing patients of their privacy rights and providing them with an opportunity to know what personal information is being collected, for what purpose, how it will be used, disclosed, and protected (see answer #38).

  3. Why must information about the collection, use, and disclosure of personal information be made available to patients?

    Information about privacy rights must be made available to patients so that the patients can decide whether or not to consent to the collection, use and disclosure of their personal information.

  4. Will PIPEDA impact on health care professionals/providers and health care facilities/services/agencies?

    PIPEDA should not significantly alter the therapeutic provider/patient relationship. However, PIPEDA may require some changes. For example, in addition to informing individuals about the purpose of the collection, use and disclosure of their personal information to make their consent valid, health care organizations should review their practices and policies to ensure they meet the PIPEDA principles, in particular with respect to secondary uses of the personal health information, e.g. research, health surveillance and statistical analysis of data purposes.

  5. Does PIPEDA require that every health care provider in private practice develop a privacy policy?

    Yes. However, the effort and resources to develop a privacy policy will vary substantially according to the size and type of organization. For example, in a sole practitioner's office, this could be a short document, available on request that sets out the application of the 10 privacy principles under PIPEDA (See Question 3b).

  6. Does PIPEDA require that every health care provider in private practice appoint a privacy officer?

    Under PIPEDA, organizations are required to designate an individual or individuals who are accountable for the organization's compliance with PIPEDA. For a sole practitioner's office, the sole practitioner might be the designated accountable individual or administrative staff could take on this role.

  7. Does PIPEDA apply within a circle of care?

    Yes, it applies to commercial activities within the circle of care.

  8. A number of health care providers work in settings that are not typically thought of as "health care facilities"—for example, schools, correctional facilities, halfway houses, and group homes. Will PIPEDA mean that different privacy rules can apply for different settings?

    Yes. A key consideration in determining which organization or individual should comply with PIPEDA is who has control of the personal information and whether they are engaged in commercial activity.

    PIPEDA does not apply to core activities of a municipality, public school, university, public hospital or correctional facility. Public sector legislation and provincial health information acts would apply in some cases and in some jurisdictions. For example, the Federal Privacy Act would apply in the case of a federal correctional institution.

    PIPEDA applies to personal information collected, used, and disclosed during the course of any commercial activity. Records in organizations engaged in commercial activity would be covered by PIPEDA, e.g. private group homes.

    In the case of an organization subject to PIPEDA that employs a health care professional on a contract basis or on salaried basis, the issue of accountability for compliance depends on who has control of the personal information—the organization, the professional or both.

  9. Is the application of PIPEDA based on the nature of the activity (transaction) or is it based on the nature (public, private, commercial, non-profit, etc) of the health organization, institution, or agency?

    It is based on the nature of the activity.

    A non-profit organization can be engaged in a commercial activity to which the Act would apply. For example, the sale of a fundraising list by a charity can trigger the application of the Act with respect to that particular transaction.

    The Act would not apply to a provincially funded hospital. Hospitals are beyond the constitutional scope of the Act as their core activities are not commercial in nature. Charging for a private room would not bring a hospital within the scope of the Act because the transaction is part of the hospital's core activities, i.e. providing accommodation.

    In the case of a privately owned medical equipment store or TV rental business, if the hospital leases the space to the operator, the latter is responsible for complying with the Act, not the hospital.

  10. What is the responsibility of health care providers employed by federal/provincial/territorial governments under PIPEDA?

    PIPEDA does not apply to federal/provincial/territorial government employees in the execution of their duties. Most federal government institutions, departments, agencies and their employees are subject to the Federal Privacy Act. Provincial/territorial governments are subject to their respective public sector privacy legislation and should be governed accordingly.

  11. Are health care services delivered by long-term care facilities and home health care agencies considered to be commercial activities, which will make them subject to PIPEDA?

    NOTE: The following answers are preliminary and very general in nature and may vary depending on the specific circumstances of the situation.

    1. Long-term care facilities

      1. Private for-profit

        Yes. The health care activities carried out by this type of organization would be considered commercial and therefore subject to PIPEDA.

      2. Private non-profit

        Organizations of this type vary greatly in their corporate objectives and their organizational structure. In order to determine if a specific private non-profit long-term care facility's health care services are commercial activities, which would make them subject to PIPEDA, it is advisable that the organization consult with their legal counsel.

      3. Provincial (public institution/facility/agency)

        PIPEDA does not apply to core activities of a municipality, public school, university, and public hospital. Public sector legislation and provincial health information acts would apply in some cases and in some jurisdictions. The Act would not apply to a provincial public long-term care facility.

      4. Federal (public institution/facility/agency)

        PIPEDA does not apply to federal government institutions to which the federal Privacy Act applies. Facilities that are unclear on this matter should consult their legal counsel to determine if they are subject to the federal Privacy Act.

      5. Municipal homes for the aged

        PIPEDA does not apply to core activities of a municipality, public school, university, and public hospital.

      6. Veterans' homes

        PIPEDA does not apply to federal government institutions to which the federal Privacy Act applies.

    2. Home care services

      1. Private for-profit

        Yes. The health care activities carried out by this type of organization would be considered commercial and thus subject to PIPEDA. However, it is advisable for organizations to consult with their legal counsel.

      2. Private non-profit

        Organizations of this type vary greatly in their corporate objectives and their organizational structure. In order to determine if a specific private non-profit home care agency's health care services are commercial activities, which would make them subject to PIPEDA, it is advisable that the organization consult with their legal counsel.

      3. Provincial (public institution/facility/agency)

        PIPEDA does not apply to core activities of a municipality, public school, university, and public hospital. Public sector legislation and provincial health information acts would apply in some cases and in some jurisdictions. PIPEDA would not apply to a provincial public home care agency. (See Question 14)

      4. Federal (public institution/facility/agency)

        PIPEDA does not apply to federal government institutions to which the federal Privacy Act applies. Agencies that are unclear on this matter should consult their legal counsel to determine if they are subject to the federal Privacy Act.

  12. How will PIPEDA have an impact on health professional regulations?

    Let's remember that PIPEDA applies only in the context of commercial activities. If the health professional regulatory provisions exceed those of PIPEDA, then there is no impact. However, if the regulatory provisions are weaker or do not address certain requirements, then PIPEDA would prevail.

  13. In the event that federal privacy legislation is at odds with provincial/territorial laws, standards and codes of practice governing professional associations, which legislation takes precedence? For example, a patient requests a change in his/her file and the regulatory body requires that records not be altered while PIPEDA allows modifications.

    For a true conflict to exist between PIPEDA and provincial legislation, it must be impossible to comply with both requirements.

    In the example noted above, one would not alter the document but instead add a notation to the file indicating the patient's view of the matter. If the information in the file were indeed inaccurate, it would be important to note it in the file but also indicate when and how the error was detected.

  14. What impact will PIPEDA have on health facility accreditation, on quality assurance activities, on chart audits for safety, on reviews against performance measures, on programme/service evaluation?

    Where it has been determined that PIPEDA applies to the particular health facility and a review is undertaken to assess and evaluate the care provided to an individual patient, still receiving care in the facility, then this review can be considered to be part of the circle of care.

    In instances where a number of charts are reviewed as part of a broader quality assurance program, service evaluation, safety review, accreditation activity, or assessment of broader provider practices, de-identified patient information should be used or patient express consent should be obtained unless an existing provincial law permits these disclosures.

  15. Under PIPEDA, can regulatory bodies/colleges still continue to conduct their investigative practices? Does PIPEDA require any changes in the manner in which these investigative activities are conducted?

    The relationship between a regulatory body/college and its members is most often of a noncommercial nature, and therefore not captured by PIPEDA. These bodies are also generally empowered by law to obtain personal information as necessary to fulfill their various functions. Professionals subject to the authority of a regulatory body/college would in all likelihood have agreed to the use of their personal information by the body, as part of a condition of membership. PIPEDA recognizes such authority.

    Regulatory bodies/colleges may, in the course of their function, need to obtain personal information from other organizations that are subject to PIPEDA, such as financial institutions. Such organizations may only disclose personal information without consent to entities that have been designated as "investigative bodies" under PIPEDA, by regulation. As such, regulatory bodies/colleges may be required to obtain this designation if they wish to obtain personal information from these organizations without an individual's consent.

  16. Are regulatory bodies engaged in a "commercial activity" when they collect, use or disclose personal information in the course of carrying out their statutory responsibilities to regulate their members?

    No.

  17. Do health care professional Regulatory Bodies, operating under provincial legislation, have to obtain an investigative body status under PIPEDA in order to continue to conduct complaint investigations?

    Not necessarily. Professional regulatory bodies should first determine if they have adequate authority under existing provincial legislation. If not, they may need to have this authority recognized under PIPEDA.

  18. How can colleges, regulatory bodies and accreditation bodies apply for investigative body status under PIPEDA?

    They can apply for investigative body status under PIPEDA at Industry Canada. Requests should be directed to:

    Director General
    Electronic Commerce Branch
    Industry Canada
    300 Slater Street
    Room D2090
    Ottawa, Ontario
    K1A 0C8

  19. Are there differences in the application of PIPEDA for different insurance plans, whether public or private?

    Health insurance plans that fall within the scope of public sector privacy legislation, such as the Provincial Government Health Insurance Plans, are not subject to PIPEDA. However, organizations selling private health insurance plans must comply with PIPEDA unless they are subject to provincial/territorial legislation that has been deemed substantially similar to PIPEDA. If the information flows outside provincial/territorial borders, PIPEDA will apply.

    Health care providers should make their patients aware that they, the providers, send certain information to private health insurance plans. In many cases, patients are required to sign forms to obtain reimbursement for prescription drugs or dental visits, and these forms typically contain consent provisions.

  20. Do co-payments or user fees impact the application of PIPEDA?

    No. The application of PIPEDA depends on the nature and character of the activity that the organization engages in, not the nature of the organization. For example, the private practice of a health care provider is a commercial activity. Noncommercial activity is not subject to the Act. The method of payment does not determine whether or not an activity is of a commercial nature.

  21. How are telehealth services impacted by PIPEDA?

    Telehealth is a way of providing direct health services and, as such, the same rules apply.

    However, telehealth presents increased risk to the security of the information (such as unauthorized access and network breaches). As such, specific safeguard measures (e.g. encryption, access protocols) should be put in place to address these particular risks.

  22. Does PIPEDA apply to the transfer of personal information:

    • Between provinces and territories?

      The transfer of personal information between provinces and territories is subject to PIPEDA if it occurs in the course of a commercial activity.

    • Across international boundaries?

      The transfer of personal information outside of Canada to another country is subject to PIPEDA if it occurs in the course of a commercial activity. A provider's responsibilities under PIPEDA, such as ensuring that health information is protected, apply even when sending personal information across an international border.