I spent yesterday in Ottawa at the Electronic Health Information and Privacy Conference. The speakers were very good and the topics covered a very wide range of sub-topics, including privacy enhancing technology, data masking, and research use of personal health information.
IT Business has some coverage of the conference here. What I found to be one of the most telling observations was made by Dr. Geiger of the Ottawa Hospital:
As Dr. Glen Geiger, the Ottawa Hospital’s medical director of clinical information systems told the conference, even hospital employees don’t want their personal health information loaded onto the electronic patient record. They flag their records to have them registered in special outpatient accounts so the results do not populate the electronic record, Geiger said.
“Treating personal health information for staff differently from that of everyone else creates two classes of citizens,” Geiger said. “That’s wrong. If our staff don’t trust us to keep their information private, why should anyone else?”
I continue to be puzzled about the assumption that PIPEDA allows "implied consent" within a mythical "circle of care". This assumption is expressed in a number of areas, but the prime example is in the PIPEDA Awareness Raising Tools (PARTs) Initiative for the Health Sector.
This may appear eminently reasonable, but I don't think it's a foregone conclusion that a judge would agree. The relevant provision in PIPEDA says that the form of the consent has to be based on the sensitivity of the information. If health information is among the most sensitive (not much debate on this topic), it follows that it requires robust consent. Implied consent doesn't really cut it. I've written about this before if you want to read about it in greater depth (see Focus on Privacy: The Application of PIPEDA to Personal Health Information).
40. Can consent be implied for the use and disclosure of personal health information under PIPEDA?
Yes, once patients are made aware of their privacy rights (see answer #38), consent is implied if the patient continues to seek care and treatment. Thus current practice of implied consent for the primary use of personal information in the direct care and treatment of an individual patient, as defined in a circle of care, will continue under PIPEDA. For example, a lab may infer consent because the individual would reasonably expect that the results be sent to the provider who ordered the lab work.
41. Is consent implied for the disclosure of personal health information to private insurance companies or third party payers for the purposes of reimbursement of health services rendered?
In certain circumstances, yes. In circumstances where the current practice is to obtain written consent by making the patient sign a reimbursement form, the practice should continue. Where no form is signed, implied consent is acceptable provided patients understand that this is happening and have not behaved in a way that may indicate a refusal of consent (see answer #38).
42. When does PIPEDA require express consent?
In commercial activities, the patient's oral or written consent is generally required for all uses and disclosures that are not directly related to the care and treatment of a patient.
This position is also adopted in the Pan-Canadian Health Information Privacy and Confidentiality Framework. Implied consent within the circle of care may be the rule in Ontario's PHIPA, but assuming it is also the rule in PIPEDA is more than a little bit risky.