Recent media coverage of disclosure of patient files in some parts of Canada has prompted Information and Privacy Commissioner Frank Work to remind health service providers (custodians under the Health Information Act include doctors, pharmacists and regional health authorities) of their obligations surrounding the disclosure of personal health information.
As of April 2001, health information in Alberta became protected under the HIA. The rules under the HIA require:
- That health information is disclosed only with individual consent or statutory authority.
- That research ethics board approval is obtained for use or disclosure of health information for research.
- That privacy impact assessments (PIAs) be completed and submitted to the Commissioner.
- That the Commissioner be notified of any data matching initiative that involves non- custodians.
- That custodians take reasonable steps to provide administrative, technical and physical safeguards of health information including written policies and procedures.
- That custodians take appropriate measures to protect the security and confidentiality of electronic health records.
- That custodians enter into written agreements before disclosing information to researchers, information managers or to recipients outside of Alberta.
- That custodians disclose only aggregate information whenever possible.
- That custodians disclose only the least amount of information for the intended purpose.
- That custodians consider the expressed wishes of the individual before disclosing information.
- That custodians keep a notation of all disclosures and provide individuals with access to that information upon request.
Disclosure outside these rules contravenes privacy legislation. Remedies are available and can be initiated with a complaint to the Office of the Information and Privacy Commissioner.