Protecting Patient Privacy - Are You Ready for 2004?

Lydia Wakulowsky
McMillan Binch LLP
Toronto, ON

Physicians have appreciated the highly sensitive nature of health information and the circumstances of vulnerability and trust under which it is collected since at least the 5th century BC, when the Hippocratic Oath was created. A patient's right of privacy, which is essential to the integrity of the physician-patient relationship, is neither a new, nor a particularly complicated principle. Recently, however, Parliament and provincial legislatures have turned that privacy principle into a complex and confusing maze of laws that may affect the practice of every physician in Canada.  

- Cancer Act
- Charitable Institutions Act
- Child and Family Services Act
- Coroners Act
- Evidence Act
- Freedom of Information and Protection of Privacy Act
- Health Cards and Numbers Control Act
- Health Care Consent Act
- Health Insurance Act
- Health Protection and Promotion Act
- Highway Traffic Act
- Homes for the Aged and Rest Homes Act
- Independent Health Facilities Act
- Long-Term Care Act
- Medicine Act
- Mental Health Act
- Municipal Freedom of Information and Protection of Privacy Act
- Nursing Homes Act
- Personal Information Protection and Electronic Documents Act
- Public Hospitals Act
- Regulated Health Professions Act
- Substitute Decisions Act
- Vital Statistics Act

Canadian legislatures have historically addressed the privacy principle in a piecemeal fashion - as the various statutes affecting health privacy in Ontario demonstrate.

The federal government has further complicated health privacy by enacting the Personal Information Protection and Electronic Documents Act ("PIPEDA"). PIPEDA is legislation that is meant to protect privacy, but it was drafted from a business perspective. It is not surprising that it fails to address the special nature of health information and the special circumstances of health care.

As of January 1, 2004, PIPEDA will apply to all personal health information collected, used or disclosed during the course of commercial activity. If a province chooses to enact its own privacy legislation and if the federal cabinet deems it to be substantially similar to PIPEDA, then PIPEDA will not apply to such information within the province; instead, the provincial law will apply.

Quebec has had private sector privacy legislation in place since 1994. Alberta and Manitoba have passed their own laws relating specifically to health privacy. British Columbia and Alberta have privacy initiatives pending, or so we think. Other provinces are sitting back and monitoring developments.

For over two years, policymakers in Ontario were crafting comprehensive privacy legislation to deal with the commercial, not-for-profit and health sectors. We've had discussion papers, consultations and exposure drafts. Ontario policymakers were on draft 33 of a Bill, when political factors (in light of a rumoured 2003 election) stalled its release. The government has not publicly stated whether it will let PIPEDA take its course, or whether it will enact its own law after the election. Our sources speculate that the Ontario government may simply address some of the Romanow Report's recommendations on electronic health records in general health legislation.

The enactment of PIPEDA and provincial approaches to regulating health privacy have led to a maze of potential pitfalls for physicians.

First, whether a province will be regulated by PIPEDA or by its own provincial legislation remains to be seen - the federal cabinet has not yet declared any provincial legislation to be substantially similar to the federal Act.

Second, whether the conduct of a physician's private practice will be considered a commercial activity, and subject to PIPEDA, remains an open question.

Third, PIPEDA's ten privacy principles do not always fit the special circumstances of health care (e.g., inferred consent for treatment, right to refuse access to patient records, records retention rules, etc.).

Fourth, recently enacted privacy laws are conceptually similar, but not identical to one another. Significant differences in a number of terms add to the confusion (e.g., the definition of personal health information, entities regulated by the legislation, rights of access, consent requirements, correction of patient records, etc.).

Fifth, it is extremely costly to implement new privacy safeguards. When privacy legislation was implemented in Quebec, the pharmaceutical sector spent close to $25 million in three months to gear up for compliance with the legislation. More money may be put into hospitals to keep them afloat, but this money might not be earmarked for technological upgrades for privacy. Physicians in private practice will likely have to swallow the costs of privacy upgrades themselves.

Finally, we are left with no real framework within which to appropriately address critical health-related privacy issues, such as:

  • use of electronic health records
  • sharing patient data as a result of restructured health systems
  • remote diagnosis
  • data linkage
  • teaching
  • health research
  • system planning


Inconsistent health privacy rules pose a barrier to initiatives such as the integrated delivery of health services and primary care reform.

It seems that technology is driving the privacy issue, and the law is trying to catch up with its rapid development. Where does this leave physicians in private practice? At the moment, the best advice we can give is to consider whether you are governed by PIPEDA or provincial legislation, to review the ten privacy principles to understand the issues and, if necessary, to make changes to your practice to ensure it meets these principles. For example:

  • ensure the patient understands that personal health information might need to be shared with other health care providers for the purpose of providing care
  • identify those other health care providers for the patient and obtain consent for this disclosure
  • obtain written consent for any secondary use of health records (i.e., health research, insurance claims)
  • track and document all authorized disclosures of health records
  • secure health records so that unauthorized personnel cannot access them
  • train your staff about the importance of health privacy


PIPEDA sets out the following ten privacy principles:

  1. Accountability. Be responsible for personal information under your control and designate an individual who is accountable for compliance with the privacy principles.

  2. Identifying Purposes. Identify the purposes for which personal information is collected at or before the time of collection.

  3. Consent. Obtain the informed consent of the individual to the collection, use or disclosure of personal information, except where inappropriate.

  4. Limiting Collection. Limit the collection of personal information to what is necessary for the identified purposes.

  5. Limiting Use, Disclosure and Retention. Do not use or disclose personal information for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Retain personal information only as long as necessary for the fulfillment of those purposes.

  6. Accuracy. Ensure that personal information is as accurate, complete and up-to-date as is necessary for the purposes for which it is to be used.

  7. Safeguards. Protect personal information with security safeguards appropriate to the sensitivity of the information.

  8. Openness. Make readily available to individuals specific information about your policies and practices relating to the management of personal information.

  9. Individual Access. Inform an individual of the existence, use and disclosure of his or her personal information and give access to that information upon request. An individual must be able to challenge the accuracy and completeness of the information and have it amended as appropriate.

  10. Challenging Compliance. Ensure that an individual may address a challenge concerning compliance with the above principles to the designated individual accountable for your compliance.

    This article provides only a summary of issues related to health privacy. Readers are cautioned against making any decisions on the basis of this material alone. Instead, a qualified lawyer should be consulted.

Lydia Wakulowsky is a member of McMillan Binch LLP's Health Law Group and Privacy Law Group. For further information on this or other health or privacy law matters, please contact her directly.


Last Updated on Tuesday, 05 September 2006 19:15