Section 34 of the HIA allows for the disclosure of individually identifying health information with consent. Within section 34, subsection 2, there is a list of specifying criteria that must be adhered to in order for consent to be considered valid. Subsection (2)(c) requires the consent to include the identity of the recipient to whom the health information may be disclosed.
Subsection 34(2)(c) says:
34(2) A consent referred to in subsection (1) must be provided in writing or electronically and must include…
(c) the identity of the person to whom the health information may be disclosed.
The use of the word “person” within section 34(2)(c) has raised the question of whether or not a custodian requires the specific name of a person to whom the health information may be disclosed or if the name of an organization is sufficient when considering adequacy of the consent.
The meaning of the word, “individual” and “person” has been considered in previous Orders issued under the Freedom of Information and the Protection of Privacy Act (FOIP). In Order 96-019, the previous Commissioner has said:
[67] The Act does not define “individual”. Therefore, I intend to give “individual” its ordinary meaning. For the purposes of the Act, I would define “individual” to mean a single human being.
[68] The Act also uses the word “person”, which is not defined in the Act. However, “persons” is defined in section 25(1)(p) of the Interpretation Act, R.S.A. 1980, c. I-7 [subsequently section 28(1)(nn) of the Interpretation Act, R.S.A. 2000, c. 1-8] to include a corporation. “Person” and “individual” are not synonymous. Although “person” can include an “individual”, “individual” cannot include a corporation or any entity other than a single human being.
Therefore, the word “person” can mean a natural person such as an individual, but can also mean an artificial person or entity, created by law, such as a corporation. Section 34(2)(c) of the HIA says that consent must include the “identity of the person” rather than just the “person” to whom the health information may be disclosed. This means that the “person”, whether an individual or a corporation, must be described with enough clarity to ascertain who is the intended recipient of the health information.
It is the custodian’s responsibility to determine whether a consent provided to them for the purpose of disclosure meets the HIA requirements; however, if the consent specifies the recipient of the health information as a particular corporate entity, the requirement to provide the “identity of the person”, to whom the health information may be disclosed, can be considered to have been met.