The Government has introduced Bill 10, which would repeal section 59 of the Health Information Act (HIA).
In 1999, this Office asked that a provision similar to section 59 be included in the HIA. I am now prepared to see it repealed.
Section 59 of the HIA required that consent be obtained from individuals before their health information was disclosed by electronic means.
Section 59 is of little consequence since it is not about whether health information can be disclosed to a particular person, it is about how it can be disclosed, i.e. one particular method of disclosure. Who health information can be disclosed to remains the same. The rules under the HIA are:
- you (custodian) can only disclose without consent to the people listed in section 35;
- you must use the most anonymous health information possible to do the job: section 57;
- you must use the least amount of health information possible to do the job: section 58;
- you must protect the health information in your custody: section 60;
- you must adopt policies and procedures relating to confidentiality and security of health information: section 63;
- you must prepare privacy impact assessments respecting the information you hold: section 64. Summaries of the privacy impact assessments are available to the public.
Given the value of section 59 compared to the costs of implementing it (for example, having a physician sit down with an individual to deliver a 10 to 15 minute information package to obtain consent), the decision has been made to proceed without it.
In facilitating a province wide electronic health record (EHR), practical experience made it apparent that getting consent from Albertans was going to be difficult and costly. The experience with the Pharmaceutical Information Network (PIN) trials was that the majority of people asked readily consented to their information being put in a database and disclosed by electronic means.
Accordingly, I am not opposed to the repeal of section 59. In particular, I do not believe that it is possible to inform people in a meaningful way, of all the specific disclosures by electronic means, which might ever be made of their health information. Even without section 59, disclosure of health information is limited by the terms of the HIA.
For example, suppose Dr. Jones has your health information. Suppose Dr. Smith needs your health information. The effect of refusing to consent to disclosure under section 59 is that, instead of Dr. Smith being able to directly access your information in an electronic health record, she would have to contact Dr. Jones and get him to send it by FAX, email or courier. Dr. Jones’s ability to disclose your health information is still limited by the HIA rules mentioned above. Dr. Smith’s ability to collect your health information is still limited by those same rules.
Here is another example relating to PIN. In the future, your doctor may give you a prescription and enter it into PIN. Pharmacists could enter PIN and get your prescription and fill it and check for adverse drug interactions. What information your pharmacist accesses, what the pharmacist can do with that information, and what information your doctor discloses is still circumscribed by the HIA.
Section 58(2) requires custodians who hold health information to take into consideration the individuals’ wishes with respect to disclosure of the information along with any other factors the custodian considers relevant. For example, PIN enables specific pieces of information to be masked so that someone viewing the record knows that there is some information there, but does not know what it is.
Albertans will be relying upon health care professionals to collect, use and disclose their personal health information strictly in accordance with the rules in the HIA. Accordingly, the kinds of disclosure listed in the HIA should now be regarded as closed. That is, no future change should be made to the HIA to allow disclosures of health information to anyone not presently listed, particularly by allowing access to an electronic health record.
Furthermore, the Government of Alberta should inform Albertans about the electronic health record and how it will work. It should also inform them of the rules in the HIA and of their ability to have complaints investigated by the Office of the Information and Privacy Commissioner.
Albertans will also be relying on this Office to make sure the rules are followed and that there is an effective mechanism to have concerns and complaints addressed.
The Office of the Information and Privacy Commissioner will receive and investigate complaints that personal health information is not being dealt with according to the HIA.
It must be noted, that the amendment to section 60 adds an additional mechanism for ensuring that custodians implement appropriate protections for the entire lifecycle of the EHR. This amendment provides my office with an additional basis for imposing security and system access controls and auditing of the EHR.
Our Office will continue to receive and review privacy impact assessments that are required to be completed for a new health system or practice, or change to an existing health system or practice.
Frank Work, Q.C.
Commissioner