HEALTH INFORMATION PRIVACY – THE BRITISH COLUMBIA EXPERIENCE1
Canadian Institute Conference – Toronto
David Loukidelis, Information and Privacy Commissioner
Some might be tempted to say that achieving an acceptable balance
between privacy, and use or disclosure, of personal health information in
the healthcare sector presents special, perhaps insurmountable,
challenges. No one can seriously dispute that the sharing of some
individually-identifiable information is necessary for proper diagnosis
and treatment. The same can be said for many important medical research
activities. The challenge, of course, is to delineate the boundaries
between individual autonomy – as articulated through requirements for
consent to disclosure or use of personal information – and the public good
in effective medical research.
2.0 OUTLINE OF BRITISH COLUMBIA’S LEGISLATION
Again, unlike a number of other Canadian jurisdictions, British Columbia does not have specific legislation concerning health information privacy. Instead, the province relies on the Freedom of Information and Protection of Privacy Act (“BC Act”), which is similar to Ontario’s and Alberta’s legislation of the same name.
What Information Is Covered By the Act?
Part 3 of the BC Act contains familiar rules setting out fair information practices that must be adhered to by the over 2,200 public bodies that are subject to the BC Act. Those rules apply to the collection, use and disclosure of “personal information”. Schedule 1 defines “personal information” as “recorded information about an identifiable individual”, including
By contrast to statutes such as Alberta’s Health Information Act or Ontario’s now-withdrawn Bill 159, the BC Act does not prescribe what qualifies as identifiable information. In Alberta, information is “individually identifying” only if the identity of the data subject “can readily be ascertained from the information” in issue. Under Bill 159, by contrast, information would be non-identifiable only if the information in issue cannot be used, linked, matched or manipulated “by a reasonably foreseeable method” to identify the data subject’s identity. Although the issue has never arisen for me to consider, I expect the Legislature in British Columbia intended to impose a standard of identifiability closer to that found in Bill 159 than that in the Alberta law.
It should be noted, in passing, that a very strong argument can be made that, especially in a publicly funded health care system, certain information describing professional services provided by a health care provider does not necessarily merit the same (if any) protection as “personal information” within the meaning of the BC Act. Such a case has been made, with great persuasive force, by Murray Rankin, Q.C., Chris Jones and James Rowan, in an article forthcoming in the Canadian Journal of Administrative Law and Practice. Their views have strong appeal.
What Fair Information Practices Apply?
The Part 3 rules on collection, use and disclosure of personal information can be summarized as follows:
The BC Act also provides for use of individually identifiable data for research. Of course, if an individual consents to use or disclosure of her or his personal information for research, that use or disclosure is permitted. This approach is followed in clinical trials, e.g., those conducted by the BC Cancer Agency. Section 35 of the BC Act goes further, however, and provides what I consider to be a workable compromise between individual privacy interests and the public interest in medical research. That section reads as follows:
Disclosure for research or statistical purposes
Clearly, the most notable aspects of this provision are found in paragraphs (a) and (b). By using the words “cannot reasonably be accomplished”, the Legislature chose a threshold lower than that found in the Personal Information Protection and Electronic Documents Act as it relates to use of personal data for research. It also applied an objective standard for judging whether a research purpose can be accomplished using anonymized, or non-personal, information. Ultimately, the Information and Privacy Commissioner has the authority to investigate research uses of data, in response to complaints or on her or his own motion. This allows some check and balance against unnecessary use of personal – i.e., identifiable – data for medical research.
Whether the approach in other jurisdictions, of requiring expert committees to approve such uses, is an improvement is for others to judge. As far as I am aware, there have been no abuses of this approach. Some might argue this merely begs the question of whether ant problems have simply gone undetected. But the OIPC’s experience in dealing with the major research centres in British Columbia is that they are well aware of s. 35 and their obligations under it. It is also clear that these centres use existing research ethics committees to vet and approve research proposals, including in light of the s. 35 criteria.
What Institutions Are Covered By the Act?
The Act covers a wide variety of “public bodies”, of which there are over 2,200 across British Columbia. British Columbia’s hospitals, regional health care boards and boards of health are covered, as “health care bodies”. Schedule 1 to the Act defines the term “health care body” as follows:
“health care body” means
The provincial Ministry of Health is covered by the Act because it is a ministry of the Crown. The self-governing bodies for various health-related professions are also covered, as “local public bodies”. These bodies include the College of Physicians and Surgeons, the College of Dental Surgeons, the College of Pharmacists, Registered Nurses’ Association and the Health Professions Council. The Act does not, however, extend to the private practices of individual practitioners, including doctors. Nor does it apply to private medical labs, such as MDS or BC Bio-Medical Labs. As is discussed below, however, coverage of the self-governing professional bodies offers the opportunity to promote privacy protection through conduct guidelines and bylaws for members of those bodies.
The rest of this paper focuses on examples of how the British Columbia Act has worked in the health care sector generally, including in areas where sector-participants are not directly covered by the Act.
3.0 CHALLENGES IN IMPLEMENTATION
3.1 PharmaNet – PharmaNet is a province-wide electronic network that shares patient prescription information and histories among pharmacists, who are not directly subject to the Act. It was a joint initiative of the Ministry of Health and the College of Pharmacists. Four main justifications were advanced in putting it in place:
Other objectives for PharmaNet are articulated in s. 37 of the Pharmacists, Pharmacy Operations and Drug Scheduling Act, including facilitating the practice of pharmacy, facilitating patient care, facilitating scientific or drug utilization research conducted at a hospital or university and facilitating Ministry investigations of drug abuse or fraudulent prescriptions.
PharmaNet was broadly seen as reasonable and worthwhile from a health care point of view, but from a privacy rights perspective it was seen as problematic. The main privacy issue was the mandatory nature of the program. Another notable concern was the perceived widespread accessibility of sensitive patient information. This was of concern in part because PharmaNet was designed so that one’s entire prescription history for the preceding 18 months would be displayed upon each system access.
Communication between the OIPC, the Ministry of Health and the College of Pharmacists proved critical at the beginning of PharmaNet.. The OIPC’s involvement during project implementation led to a number of privacy safeguards, including the following:
In addition, s. 38.1 of the Pharmacists, Pharmacy Operations and Drug Scheduling Act was enacted to limit the classes of individuals who have access to PharmaNet data. Cabinet may make regulations expanding or retracting those classes of authorized users. That Act also effectively prohibits the sale of data for “market research” and limits disclosure of “patient record information” for research purposes to data stripped of “patient names and addresses”. (This does not, of course, mean patient data so disclosed are anonymous – their linkage to the provincial health number (“PHN”) alone would make such data identifiable and thus personal information.) In addition, Pharmacists, Pharmacy Operations and Drug Scheduling Act contemplates the making of bylaws by the College of Pharmacists to govern members’ behaviour in relation to PharmaNet.
Ongoing communications between the OIPC and PharmaNet – through the Pharmacare Advisory Committee, the PharmaNet Committee, the College of Pharmacists and the Ministry of Health – have been important in ensuring PharmaNet continues to adhere to generally-accepted privacy practices. Among other things, in 1997 the Ministry of Health had KPMG undertake a review of PharmaNet’s security and moved to implement the results of that work. The OIPC continues to monitor progress with security and to keep abreast of compliance with the KPMG recommendations.
Despite these positive aspects of the OIPC’s involvement, the OIPC was not able to accomplish everything it wished. For example, the OIPC wanted to change the mandatory nature of the program and allow opt-in, it sought the use of keypads for password entry and it sought limitations on the information found in the system. The OIPC also remains wary of the danger of function creep in PharmaNet and similar systems. One example of this would be any attempt to permit law enforcement officials to browse sensitive personal information without prior judicial authorization.
The extension of PharmaNet into hospitals and, as a test program, doctors’ offices presents new enforcement challenges. The OIPC continues to work with the Ministry of Health and the PharmaNet Committee to ensure that the access-limitation, auditing and other privacy aspects of the system are adequate for use in these new environments. As we move into this phase, it is clear that most, if not all, of the privacy challenges can continue to be met through dialogue and consultation. Because the BC Act prevails over any bylaws adopted under the Pharmacists, Pharmacy Operations and Drug Scheduling Act, the once-size-fits-all approach under the BC Act will continue to underpin whatever is done under PharmaNet.
3.2 Model Bylaws for Professions – Under the Health Professions Act, colleges can be established to regulate health professions or disciplines, including regarding practice qualifications and the conduct of members. These bodies include the Colleges referred to earlier, as well as many other health-related professions. With Cabinet approval, a college can adopt regulatory bylaws for members. These bylaws can cover, among other things, access to health records and general conduct standards for members. The provincial Ministry of Health has published model bylaws for use by the various colleges. The OIPC participated in the drafting of these bylaws.
Through such regulatory bylaws, the fair information practices under Part 3 of the BC Act can be extended, as appropriate, to private practitioners who would not otherwise be covered by the legislation. The bylaws also deal with the practices of the colleges themselves, even though they are directly covered by the BC Act. These provisions include the following:
Part 6 of the model bylaws contains provisions for dealing with health records kept by college members. These relate to the creation, use, retention and disposal of personal information. Part 6 also provides detailed provisions concerning how patients can gain access to their records.
The incorporation of privacy protections in the model bylaws has, in effect, extended the BC Act to members of the various colleges. It is interesting to note that, although the bylaws relate only to recorded information, any inappropriate collection, use or disclosure of unrecorded information may constitute a breach of the standards of professional ethics endorsed by the college. In this respect, the bylaws echo the general ethical rule, familiar to physicians at least, that patient information must be kept in confidence. Overall, the model bylaws help to enshrine fundamental privacy tenets in the workings of various professional colleges and also extend them to health care practitioners’ private offices. I have recently directed staff to review the model bylaws, to identify any areas that require revision and to approach the Ministry of Health to initiate their update.
An obvious shortcoming in this approach is that it delegates enforcement to individual colleges. Some of them may not have the resources, or the will, to properly monitor and enforce compliance with these aspects of the bylaws. Because of the decentralized enforcement approach inherent in the bylaws, it is difficult to say whether this approach has been as or more effective than would be the case if health privacy laws applied directly to practitioners. As far as the OIPC is aware, however, there is no reason to believe that the delegated approach has created any serious difficulties.
3.3 Privacy Code for Private Physicians’ Offices – Along the lines of the Health Professions Act approach, the OIPC – in co-operation with the College of Physicians and Surgeons of British Columbia and the British Columbia Medical Association – drafted a Privacy Code for Private Physicians’ Offices. Although the BC Act does not cover private physicians’ offices, the principles of the BC Act are an important component of maintaining doctor-patient confidentiality. Our work on the privacy code enabled the OIPC to reach offices not covered by the BC Act. The privacy code includes a number of important privacy components, including the following:
As is the case with the health professions model bylaws, the efficacy of such privacy codes depends on their sound enforcement by the professional regulatory body. It is also necessary to ensure that such codes keep current, to which end I have asked staff to determine whether a revision of the code is in order.
3.4 Privacy Impact Assessments – Unlike the examples of cooperation in the form of the PharmaNet initiative and the model bylaws, use of a privacy impact assessment tool (“PIA”) is an initiative of the OIPC. Our PIA tool – which is under revision - has the broadest possible application. This self-administered assessment is designed for use by all public bodies, regardless of their mandate or size, to identify and avoid (or mitigate) the impact on privacy of any proposed laws, programs or policies. We have continually urged all public bodies to use the PIA tool at the earliest possible stages of design, to ensure that inappropriate proposals are identified and killed, or amended, before it becomes too costly to do so. (Our model PIA tool – which is found on our website – is in the course of being revised in light of recent developments generally in privacy practices.)
PIAs are an invaluable resource, especially, for policy-makers or planners who are new to the world of privacy protection. By laying out a number of significant issues – including nature, source, use, disclosure and security of information collected – as well as examining the individuals affected and the authorization of and notification for collection, PIAs help to avoid privacy violations. Perhaps one of the greatest dangers associated with them, however, is the tendency to regard a PIA as a merely a managerial tool – one that identifies and manages privacy impacts, rather than identifies them and avoids them altogether.
PIAs illustrate a challenge that faces regulatory bodies such as the OIPC – ensuring that regulated parties are reminded of, and knowledgeable about, their legal duties. In the case of the PIA tool, placing it on our website is one way of advocating its use, but it is not the only (or best) way to ensure it is used. As a result, neither I nor my colleagues miss an opportunity to urge public bodies to use PIAs, wherever possible, and to suggest that they provide us with a copy of PIAs for comment and feedback (though not formal approval of proposed actions). We do this through speeches, meetings, letters, our newsletter and word of mouth. This is a good example of how regulatory bodies such as ours must use education, advocacy and persuasion to ensure the spirit and letter of the law are well known and are acted on.
3.4 Site Visits – Site visits are another means of ensuring that public bodies keep abreast of privacy practices under Part 3 of the BC Act and best practices generally. By ‘site visits’, I refer to the practice of the OIPC – generally in the person of the commissioner and a portfolio officer – visiting a public body and assessing its privacy practices through observation of its operations and interviews with its staff. There are three main objectives of a site visit:
A site visit has never been conducted without notice to the public body, even though the commissioner has the power to do so. During the visit, any concerns with privacy practices are noted and later communicated in writing to the public body. The public body then responds with details of the steps it has taken to correct deficiencies noted by the OIPC.
Site visits enable the OIPC to communicate with health care bodies directly, thus ensuring they are kept abreast of the regulator’s current attitudes and allowing them to air concerns or problems with the OIPC. Site visits provide an opportunity for informal communication that allows for constructive problem-solving on the spot. This is a useful adjunct to the more formal approach, which is used where appropriate, of only responding to specific complaints (and then using a formal investigative process). In light of the ever-present limits on resources available to regulatory agencies, the value of informal, pro-active site visits is notable.
In addition to site visits of the kind just described, more formal audit-type approaches can be undertaken. The best example is the 1997 review of the BC Cancer Agency. The BC Cancer Agency was chosen for a number of reasons: it collects a great deal of personal information from its patients, the patient data is centrally stored for a number of facilities (including four comprehensive care centres, twenty-three consultative clinics (fourteen of them located in other facilities), twenty-two provincial chemotherapy clinics and seventy regional pharmacies); and the agency deals with a large volume of data. (In 1996 alone, there were approximately 17,00 new cancer cases in public body and the BC Cancer Agency treated about half of them.) Significantly, the agency must deal with the difficult job of balancing disclosure required to facilitate patient care and research with patients’ privacy.
The site visit, or audit, gave the OIPC the opportunity to assist the BC Cancer Agency with this difficult task. The site visit led to 29 recommendations by the then commissioner. A follow-up review was done by the OIPC two years later and the majority of the results were considered encouraging. The BC Cancer Agency improved its privacy practices in a number of key areas, including:
4.0 FUTURE CHALLENGES
The OIPC must continue to rely on the positive relationships it has developed with various health care bodies. New challenges are emerging and, with our emphasis on communication at the start-up phase of a project and as an on-going tool, privacy can be better protected only with ongoing dialogue.
Two new challenges have already identified themselves. Continuing regionalization indicates that even more layers of privacy safeguards will be needed, as more people will have access to data. In addition, administrative teams will need to ensure safeguards are in place and that staff are adequately trained.
Information technology can pose a great threat to personal privacy. The health sector in public body is quickly moving towards an Internet-based records management system that would allow for information-sharing among a variety of healthcare workers and agencies. The HealthNet/BC system is attempting to connect all healthcare workers in order to facilitate data transfers. The privacy implications are notable and, with the OIPC’s support, the Ministry of Health has already taken a number of steps to ensure some privacy protection. These measures include:
There is little doubt that more work is required in order to ensure health information privacy. Each project provides more knowledge about how to work together and achieve the mutually beneficial results of quality patient care and protection of patients’ fundamental rights. The interaction of privacy experts and health experts is an essential component of this. The continued development of strong relationships between the OIPC and health care bodies will help ensure that health privacy remains an important issue during both the implementation and on-going phase of various projects.
The largest issue of all, of course, is how ongoing federally-funded
harmonization initiatives will play out. Thus far, British Columbia has
decided that one Act is enough to protect health information, but
enactment of the Personal Information Protection and Electronic
Documents Act and initiatives under the Health Infoway (for example)
raise the question of where harmonization will take us. To the lowest
 Speech has been edited slightly for posting on the Web
June 19, 2001
Information and Privacy Commissioner of British Columbia