Commissioner Concerned by Amendments to the Health Information Act

December 4, 2008

Information and Privacy Commissioner Frank Work calls some proposed amendments to the Health Information Act (HIA) worrisome.

Work said, “Alberta Netcare is an important part of our health care system. However, these are significant changes that will limit the ability of Albertans to control their health information. If Albertans share these concerns, they should speak up either to the Committee or by writing their MLA.” The Commissioner has several concerns about the amendments, including:

  • A custodian, such as a doctor, pharmacist or other health service provider, will no longer be required to consider a patient’s wishes about the exchange of health information via Alberta Netcare.
  • The law will allow for the creation of “health information repositories” for research purposes. The Commissioner has concerns related to the use of health information in these repositories, how the repositories will be regulated and what oversight there will be.
  • The Minister can require custodians to make health information available via Alberta Netcare, and do so without submitting a privacy impact assessment to the Commissioner. It is an offence if the information is not made available.

Work welcomes some changes proposed to the Act, in particular an amendment to expand the scope of the HIA to cover all health information regardless of its funding source and to create provisions respecting the operation of Alberta Netcare.

The OIPC did not object to the original HIA in 1999, which removed the right to consent to the use of their health information. We believed this was needed to enable electronic health records. In 2003 when the HIA was amended to no longer require consent to disclose an individual’s health information in an electronic health record, we did not object because we believed it could facilitate the EHR. The present amendment will remove the last measure of control individuals have over their health information and no justification has been offered. We cannot support this.

Work said he was pleased to hear that the Bill would be referred to a Committee for review and welcomed the opportunity to make a submission to the Committee.

Backgrounder

The Health Information Amendment Act

Bill 52 (the Health Information Amendment Act or “HIAA”) was introduced on November 24, 2008 to amend the Health Information Act (HIA). The HIA regulates the collection, use and disclosure of health information in Alberta and gives individuals the right to access their own information and request corrections.

The Information and Privacy Commissioner has reviewed Bill 52 and noted several concerns. Some of these concerns may be addressed in future regulations. That being said, the Commissioner has not received a copy of any proposed regulations and can only comment on the amendments as tabled in the Legislature.

Concern # 1 – Amendments remove Albertans’ privacy rights

Bill 52 would make the exchange of health information through Alberta Netcare[1] a “use” of health information rather than a “disclosure” of health information. This choice of words is important, as some patient privacy rights in the HIA apply only to the disclosure of health information.

For example, section 58(2) of the HIA says a custodian must consider the express wishes of an individual when deciding how much health information to disclose. Section 41(3) says an individual may ask a custodian for a list of disclosures of their health information. Naming the exchange of health information in Netcare a “use” rather than a “disclosure” removes these privacy rights.

The effect of this amendment is that custodians would no longer need to consider their patients’ wishes when exchanging health information through Netcare. Albertans would no longer have the right under the HIA to obtain a listing of who has viewed their health information through Netcare.

Masking health information

To meet the express wish requirement noted above, Alberta Health and Wellness (AHW) has developed the ability to “mask,” or hide, a patient’s health information in Netcare. When a patient’s data is masked, it is still in the system, but it cannot be viewed unless it is medically necessary. This solution strikes a reasonable balance between the need to have complete medical records in Netcare and patients’ ability to have some control over who can see their data. Other systems in Alberta, such as physician electronic medical records, have been designed with masking built in. Masking is not the only way custodians could manage expressed wishes in Netcare, but it is the method chosen by AHW and accepted by our Office.

A recent Investigation Report[2] issued by the Commissioner noted deficiencies in AHW’s implementation of masking in Netcare. Bill 52 eliminates the obligation to consider patients’ expressed wishes and effectively removes the obligation to implement masking or another mechanism to limit the exchange of health information via Netcare.

Concern # 2 – Role of health information repositories unclear

The amendments introduce a new player to the HIA, the health information repository. Bill 52 contains extremely limited information about health information repositories and the purpose they will serve. The proposed amendments do not expressly address important considerations related to the operation of a repository. It is unclear whether or not repositories would fall fully under the scope of the HIA and, subsequently, under the oversight of the Commissioner. It is unclear whether these repositories could be used for research purposes without individuals’ consent and without due consideration from a research ethics review board.

Indirect collection of health information for research without patient consent

Another part of Bill 52 would authorize custodians, including AHW, to collect health information indirectly (i.e. not directly from patients, without their knowledge) for research without patient consent. Bill 52 also provides authority for a custodian to disclose health information to a health information repository. The combined effect of these amendments is that patients would have no control over the collection of their health information for research purposes, and minimal control over the subsequent disclosure of their health information to a health information repository.

Concern # 3 – Making it an offence to not provide health information to the Minister

Bill 52 gives the Minister of AHW the power to compel custodians, like a doctor or pharmacist, to make patient information accessible via Netcare and makes it an offence to not comply with the Minister’s request. Finally, Bill 52 removes the existing requirement in the HIA that AHW and the Minister submit a privacy impact assessment[3] (PIA) to the Commissioner for his review and comment before compelling a custodian to provide health information.

Conclusion

With the repeal of other parts of the HIA in 2003, patients were given no choice but to have their health information made accessible via Netcare. The Commissioner accepted the 2003 amendments because the HIA included other privacy protection measures. Bill 52 would see the removal of these remaining measures. Bill 52 removes patient privacy rights, paves the way for research without patient consent, creates new entities known as information repositories whose role is unclear, and makes it an offence for any health service provider to not make Albertans’ health information accessible via Netcare. The Information and Privacy Commissioner strongly encourages AHW to address his concerns with changes to the proposed amendments and as regulations are developed.


[1] Alberta Netcare (Netcare) is Alberta’s provincial electronic health record (EHR). Netcare was initiated and funded by Alberta Health and Wellness (AHW). AHW says Netcare is “a single, integrated, private and secure, province-wide electronic health record solution, linking community health care providers, hospitals, pharmacies and other points of care to patient information.” AHW states that there were 25 000 authorized Netcare users in spring 2008.

[2] Investigation Report H2008-IR-001

[3] A PIA is a risk assessment that considers the risk to privacy and security of health information in a new project or information system. The PIA process is described further on the OIPC website. PIAs must be submitted to the Commissioner for review and comment prior to the implementation of new administrative practices or information systems or, as is the case in section 46, before the Minister or Department compels a custodian to provide health information.