What does it mean to have your private health information protected? Do you know where to find your personal health information? Who else has access to your information?
Every province and territory in Canada has its own set of laws that apply to provincial government agencies – such as regional health authorities, ministries of health, etc. – and their handling of personal health information.
For example, under some of these laws, but not all of them, you may have a right to be told about how your personal information is collected, used and disclosed, or to give or not give consent, and a right to get access to your personal information.
So, what are your rights when your personal information is collected and where is it stored? Who can you share this information with? If you are under guardianship or have a legal custodian, what are your rights for your own information? Can someone else
you know get access to your information?
This toolkit will provide answers to those questions and arm you with the resources and information you need to keep your health records protected.
The purpose of the Privacy Laws + Your Personal Health Information Toolkit is to give Canadians with disabilities tools, resources, and support to locate, access and understand your rights about your medical information.
Where available, the following information is included for each Canadian province and territory:
- Applicable legislation* (some provinces/territories have more than one piece of legislation)
- Legal definition of “personal health information”
- Who is responsible for this information?
- What is a custodian?
- Duties of custodians
- Restrictions of information collected
- Rules surrounding using information for health research
- Jurisdiction
*: Some provinces and territories rely on broader privacy and access to information legislation to govern personal health information and therefore do not have personal health information-related legislation.
DISCLAIMER: This information is provided as a resource only. It only makes limited references to some sections of health-related legalisation in Canada. This information is not meant to be a comprehensive analysis and does not constitute legal advice. For specific questions or concerns regarding this information, we recommend contacting legal counsel.
Personal Health Information
Canadian citizens and permanent residents have the right to look at their personal health information, including health information, name, birth date and other information.
*https://medipense.com/hipaa-vs-pipeda-mandatory-protection/
When you give your information to a healthcare provider, like your doctor, you have the right to know how your information will be used, shared, and stored. You also have the right to know who has access to your information. Most often health care providers will ask for a patient’s “informed consent” to share the information within their organization and, in some cases with other doctors or organizations. Health care providers are not allowed to share personal health information unless they first get the patient’s informed consent. Informed consent means that you understand what you are agreeing to in terms of sharing your personal health information. Though different health care providers may want to share information in different ways, they should always first get the patient’s permission.
* https://www.colleaga.org/article/healthcare-privacy-legislation-canada
Participating in Clinical Trials
Clinical trials are experiments that focus on a particular medication or treatment option with the intention of seeing how they work in a small group of people before testing a larger portion of the population. The gold standard for clinical trials are “double-blind” studies, which means that both the researcher and the participant are not aware of whether they are receiving the treatment/medication or if they are getting a placebo/control condition.
If you are part of a double-blind experiment and end up randomly placed in the control group (meaning no treatment), then you should be notified after the clinical trials are finished for every participant. If the treatment showed a significant benefit, then the researchers should offer you that treatment you did not receive during the clinical trial itself. However, if there is any concern about your health or potential reactions to the medication/treatment, they may need to discuss that with you and/or your primary care physician first.
Participating in Research Experiments
Any research studies that involve human subjects must adhere to certain guidelines, regardless of where you live. Each research project at a university or hospital must have ethics approval from their ethics review board. All consent forms must clearly lay out how your health information will be collected and stored. The general requirement is that information is stored so your name is not attached to the data to protect your privacy. It is also required that health information be stored in a secure facility that has a combination of locks and passwords to prevent any leaks of your health information.
If you choose to participate in a study, you ALWAYS have the right to stop your participation if you so choose. However, if you are being paid to be part of that study, if you stop participating early you may no longer be entitled to that compensation.
Questions you can ask researchers and/or clinicians before you agree to participate in an experiment (please note that many of these questions will be answered in the consent form itself, but you can always ask for clarification from the researcher/clinician if anything in unclear):
- What sort of information will you be collecting?
- How will this information be stored?
- Who has access to my information within your organization?
- Will any outside groups be able to access part or all of my information?
- If this experiment/clinical trial includes a genetic screening or brain scans, how will that information be used?
- How will I be notified that the experiment is over and that I can see the overall results?
- If this is a clinical trial, when do you expect it to be over? If the treatment is successful, what is your plan for bringing in control participants who want the treatment after the trials are completed?
- Will I be able to see my detailed results from this experiment/clinical trial?*
*Please note that most ethics review boards will not allow you to see your specific results but will allow you to find out the overall results of the experiment. This is because it can be interpreted as an unfair influence by the researcher/clinician on research participants.
Below is the specific legislation information for each province
British Columbia
Legislation
E-Health (Personal Health Information Access and Protection of Privacy) Act, SBC 2008, c 38
Definition of “personal health information”
1 "personal health information" means recorded information about an identifiable individual that is related to the individual's health or the provision of health services to the individual;
Who is responsible?
Administrator
What is a custodian?
1 In this Act:
"administrator" means
(a)in the case of a health information bank in the custody or under the control of the ministry of the minister, or a ministry database, the chief data steward, and
(b)in the
case of a health information bank in the custody or under the control of a health care body other than the ministry of the minister, a person authorized to administer the health information bank under section 3
Duties of custodians
Requests for information by authorized persons
6(1) A person authorized under a designation order to collect personal health information into a health information bank may request a health care body or a prescribed
person to provide information or records that contain personal health information and that are in the custody or under the control of the health care body or prescribed person if
(a) the information or records being requested have a reasonable
and direct connection to the purpose for which collection is authorized under the designation order, and
(b) the person making the request is acting in accordance with the terms of the designation order.
(2) Subject to any other
enactment that prohibits disclosure, a health care body or a prescribed person to whom a request is made under subsection (1) must comply with the request in the manner and at the times requested if the information or records are in the custody or
under the control of the health care body or prescribed person.
Restrictions of information collected
21 (1)Personal health information must not be collected into a health information bank or used in a health information bank for any purpose or in any manner other than in accordance with the designation order in respect of
the health information bank.
(2)Personal health information contained in a health information bank must not be disclosed for any purpose or in any manner other than
(a)in accordance with the designation order in respect of the
health information bank, or
(b)as permitted under this Act.
Health Research
This is controlled by the data stewardship committee (s.14) which is appointed by the Minister of Health (s. 12).
Jurisdiction
Disclosure of personal health information
5 A designation order may authorize the disclosure of personal health information only for one or more of the following purposes:
(a) if disclosure is inside
Canada, a purpose set out in section 4 (a) to (g) [collection and use of personal health information];
(b) [Repealed 2012-22-82.]
(c) if disclosure is inside or outside Canada, a purpose set out in section 4 (h) or (i).
Alberta
Legislation
Health Information Act, RSA 2000, c H-5
Definition of “personal health information”
1(k) “health information” means one or both of the following:
(i) diagnostic, treatment and care information;
(ii) registration information;
1(i) “diagnostic,
treatment and care information” means information about any of the following:
(i) the physical and mental health of an individual;
(ii) a health service provided to an individual, including
the following information respecting a health services provider who provides a health service to that individual:
(A) name;
(B) business title;
(C) business mailing address and business
electronic address;
(D) business telephone number and business facsimile number;
(E) type of health services provider;
(F) licence number or any other number assigned to the health
services provider by a health professional body to identify that health services provider;
(G) profession;
(H) job classification;
(I) employer;
(J) municipality
in which the health services provider’s practice is located;
(K) provincial service provider identification number that is assigned to the health services provider by the Minister to identify the health services provider;
(L) any other information specified in the regulations;
(iii) the donation by an individual of a body part or bodily substance, including information derived from the testing or examination of a body part
or bodily substance;
(iv) a drug as defined in the Pharmacy and Drug Act provided to an individual;
(v) a health care aid, device, product, equipment or other item provided to an individual pursuant to
a prescription or other authorization;
(vi) the amount of any benefit paid or payable under the Alberta Health Care Insurance Act or any other amount paid or payable in respect of a health service provided to an individual,
and includes any other information about an individual that is collected when a health service is provided to the individual, but does not include information that is not written, photographed, recorded or stored in some manner in a
record;
1(u) “registration information” means information relating to an individual that falls within the following general categories and is more specifically described in the regulations:
(i)
demographic information, including the individual’s personal health number;
(ii) location information;
(iii) telecommunications information;
(iv) residency information;
(v) health service eligibility information;
(vi) billing information,
but does not include information that is not written, photographed, recorded or stored in some manner in a record;
Who is responsible?
Custodian as defined under legislation
What is a custodian?
1(f) “custodian” means
(i) the board of an approved hospital as defined in the Hospitals Act other than an approved hospital that is
(A) owned and operated
by a regional health authority established under the Regional Health Authorities Act, or
(B) repealed 2008 cH4.3 s18;
(ii) the operator of a nursing home as defined in the Nursing Homes Act other than
a nursing home that is owned and operated by a regional health authority established under the Regional Health Authorities Act;
(ii.1) an ambulance operator as defined in the Emergency Health Services Act;
(iii)
a provincial health board established pursuant to regulations made under section 17(1)(a) of the Regional Health Authorities Act;
(iv) a regional health authority established under the Regional Health Authorities Act;
(v)
a community health council as defined in the Regional Health Authorities Act;
(vi) a subsidiary health corporation as defined in the Regional Health Authorities Act;
(vii) repealed 2008 cH5.3 s18;
(viii)
a board, council, committee, commission, panel or agency that is created by a custodian referred to in subclauses (i) to (vii), if all or a majority of its members are appointed by, or on behalf of, that custodian, but does not include a committee
that has as its primary purpose the carrying out of quality assurance activities within the meaning of section 9 of the Alberta Evidence Act;
(ix) a health services provider who is designated in the regulations as a custodian,
or who is within a class of health services providers that is designated in the regulations for the purpose of this subclause;
(ix.1) the Health Quality Council of Alberta;
(x) a licensed pharmacy as defined
in the Pharmacy and Drug Act;
(xi) repealed 2009 c25 s2;
(xii) the Department;
(xiii) the Minister;
(xiv) an individual or board, council, committee, commission,
panel, agency, corporation or other entity designated in the regulations as a custodian,
(xv) repealed 2008 cH4.3 s18,
(xvi) repealed 2013 cB7.5 s11;
Duties of custodians
See Part 6.
Additional definitions
Consider the definition of "affiliate" under s1(a):
“affiliate”, in relation to a custodian, means
(i) an individual employed by the custodian,
(ii) a person who performs
a service for the custodian as an appointee, volunteer or student or under a contract or agency relationship with the custodian,
(iii) a health services provider who is exercising the right to admit and treat patients at a hospital
as defined in the Hospitals Act,
(iv) an information manager as defined in section 66(1), and
(v) a person who is designated under the regulations to be an affiliate,
but does not include
(vi)
an agent as defined in the Health Insurance Premiums Act, or
(vii) a health information repository other than a health information repository that is designated in the regulations as an affiliate;
Consent
Disclosure of individually identifying health information
to be with consent
34 (1) Subject to sections 35 to 40, a custodian may disclose individually identifying health information
to a person other than the individual who is the subject of the information if the individual has consented to the disclosure.
(2) A consent referred to in subsection (1) must be provided in writing or electronically and must include
(a) an authorization for the custodian to disclose the health information specified in the consent,
(b) the purpose for which the health information may be disclosed,
(c) the
identity of the person to whom the health information may be disclosed,
(d) an acknowledgment that the individual providing the consent has been made aware of the reasons why the health information is needed and the risks and
benefits to the individual of consenting or refusing to consent,
(e) the date the consent is effective and the date, if any, on which the consent expires, and
(f) a statement that the consent may be revoked
at any time by the individual providing it.
(3) A disclosure of health information pursuant to this section must be carried out in accordance with
Restrictions of information collected
Collection of personal health number
21(1) Only the following have the right to require an individual to provide the individual’s personal health number:
(a) custodians;
(b) persons authorized by the regulations to do so.
Collection of health information by affiliate
24 An affiliate of a custodian must not collect health information in any manner that
is not in accordance with the affiliate’s duties to the custodian.
Health Research
See Division 3. Application to use health information in the custody of a custodian or health information repository requires a successful proposal to a research ethics board.
Jurisdiction
60(1) A custodian must take reasonable steps in accordance with the regulations to maintain administrative, technical and physical safeguards that will
(a) protect the confidentiality of health information
that is in its custody or under its control and the privacy of the individuals who are the subjects of that information,
(b) protect the confidentiality of health information that is to be stored or used in a jurisdiction
outside Alberta or that is to be disclosed by the custodian to a person in a jurisdiction outside Alberta and the privacy of the individuals who are the subjects of that information,
Alberta – continued
Legislation #2
Health Information Regulations, Alta Reg 70/2001
Definition of “personal health information”
3 The following information, where applicable, relating to an individual is registration information for the purposes of section 1(1)(u) of the Act:
(a) demographic information, including the following:
(i)
name, in any form;
(ii) signature;
(iii) photograph or electronic image of the individual’s face for identification purposes;
(iv) personal health number or any other unique
identification number that is used to identify the individual as eligible for, or a recipient of, a health service;
(v) gender;
(vi) date of birth;
(vii) birth information, including
(A) the birth facility, and
(B) birth order, in the case of a multiple birth;
(viii) marital status;
(ix) date of death;
(x) treaty status,
including band number;
(xi) whether the individual is a registrant or a dependant of a registrant under the Health Insurance Premiums Act;
(b) location, residency and telecommunications information, including
the following:
(i) home, business and mailing addresses, electronic address and telecommunications numbers;
(ii) health regions, as established under the Regional Health Authorities Act, in which the individual
resides and previously resided;
(iii) citizenship or immigration status, including the date on which the individual’s current immigration status expires if the individual is not a Canadian citizen or landed immigrant;
(iv) date of entry into Canada and into Alberta;
(v) province or country of birth or of last residence;
(vi) date on which the individual became or expects to become a permanent resident
of Canada;
(vii) in the event the individual is registered as a registrant or dependant under the Health Insurance Premiums Act and the individual intends to be temporarily or permanently absent from Alberta,
(A)
date of departure;
(B) destination and intended date of arrival at the destination;
(C) forwarding address;
(D) intended date of return, where the individual intends to be temporarily
absent;
(E) purpose of absence;
(c) health service eligibility information, including the following:
(i) whether the individual is registered as a registrant or dependant under the
Health Insurance Premiums Act;
(ii) whether the individual is eligible to receive health services that are directly or indirectly paid for by the Government of Alberta, in full or in part;
(iii) whether
the individual has elected to opt out of the Alberta Health Care Insurance Plan and the Hospitalization Benefits Plan;
(iv) whether the individual is exempt from the requirement to register under the Health Insurance Premiums
Act;
(v) whether the individual is exempt from the requirement to pay premiums under the Health Insurance Premiums Act;
(vi) whether the individual is eligible to receive a reduction or waiver of premiums
or charges payable in respect of health services and the level or amount, or both, of that reduction or waiver;
(vii) information about any program of a custodian that is related to the information described in subclauses (i)
to (vi), including the effective and termination dates of the program and, if applicable, the program name;
(d) billing information, including the following:
(i) information about amounts owed by the individual
to the custodian;
(ii) method of payment;
(iii) the individual’s account number;
(iv) if another person is liable for or will be billed for the amount owed by the individual,
that person’s name and account number.
Saskatchewan
Legislation
Health Information Protection Act, SS 1999, c H-0.021
Definition of “personal health information”
1(m) “personal health information” means, with respect to an individual, whether living or deceased:
(i) information with respect to the physical or mental health of the individual;
(ii) information with respect
to any health service provided to the individual;
(iii) information with respect to the donation by the individual of any body part or any bodily substance of the individual or information derived from the testing or examination of a body part
or bodily substance of the individual;
(iv) information that is collected:
(A) in the course of providing health services to the individual; or
(B) incidentally to the provision of health services to the individual; or
(v)
registration information;
Who is responsible?
Trustee as defined under legislation.
What is a custodian?
1(t) “trustee” means any of the following that have custody or control of personal health information:
(i) a government institution;
(ii) the provincial health authority or a health care organization;
(iii)
Repealed. 2002, c.R-8.2, s.77.
(iv) a licensee as defined in The Personal Care Homes Act;
(v) a person who operates a facility as defined in The Mental Health Services Act; (vi) a licensee as defined in The Health Facilities Licensing
Act;
(vi.1) a licensee as defined in The Patient Choice Medical Imaging Act;
(vii) an operator as defined in The Ambulance Act;
(viii) a licensee as defined in The Medical Laboratory Licensing Act, 1994;
(ix) a proprietor as
defined in The Pharmacy and Pharmacy Disciplines Act; (x) a community clinic:
(A) as defined in section 263 of The Co-operatives Act, 1996;
(B) Repealed. 2014, c.17, s.7.
(C) incorporated or continued pursuant to The Non-profit
Corporations Act, 1995;
(xi) the Saskatchewan Cancer Foundation;
(xii) a person, other than an employee of a trustee, who is:
(A) a health professional licensed or registered pursuant to an Act for which the minister is responsible;
or
(B) a member of a class of persons designated as health professionals in the regulations;
(xiii) a health professional body that regulates members of a health profession pursuant to an Act;
(xiv) a person, other than an employee
of a trustee, who or body that provides a health service pursuant to an agreement with another trustee;
(xv) any other prescribed person, body or class of persons or bodies;
Duties of custodians
Duty to protect
16 Subject to the regulations, a trustee that has custody or control of personal health information must establish policies and procedures to maintain administrative, technical and physical safeguards
that will:
(a) protect the integrity, accuracy and confidentiality of the information;
(b) protect against any reasonably anticipated:
(i) threat or hazard to the security or integrity of the information;
(ii) loss of
the information; or
(iii) unauthorized access to or use, disclosure or modification of the information; and
(c) otherwise ensure compliance with this Act by its employees.
17(2) A trustee must ensure that:
(a) personal health information stored in any format is retrievable, readable and useable for the purpose for which it was collected for the full retention period of the information established in the policy mentioned in subsection (1);
and
(b) personal health information is destroyed in a manner that protects the privacy of the subject individual.
Additional definitions
1(u) “use” includes reference to or manipulation of personal health information by the trustee that has custody or control of the information, but does not include disclosure to another person or trustee.
Consent
Consent required for use or disclosure
5(1) Subject to subsection (2), an individual has the right to consent to the use or disclosure of personal health information about himself or herself.
(2) A trustee shall use or disclose personal health information about an individual only: (a) with the consent of the subject individual; or (b) in accordance with a provision of this Act that authorizes the use or disclosure.
Restrictions of information collected
Rights re production of health services number
11(1) An individual has the right to refuse to produce his or her health services number or any other prescribed identifying number to any person, other than a trustee
who is providing a health service, as a condition of receiving a service.
(2) Except as provided in subsection (3), no person shall require an individual to produce a health services number as a condition of receiving any product or service.
(3) A person may require the production of another person’s health services number:
(a) for purposes related to:
(i) the provision of publicly funded health services to the other person;
(ii) the provision of a
health service or program by a trustee; or
(b) where authorized to do so by an Act or regulation.
Health Research
Use and disclosure for research
29(1) A trustee or a designated archive may use or disclose personal health information for research purposes with the express consent of the subject individual if:
(a) in the opinion
of the trustee or designated archive, the research project is not contrary to the public interest;
(b) the research project has been approved by a research ethics committee approved by the minister; and
(c) the person who is to receive
the personal health information enters into an agreement with the trustee or designated archive that contains provisions:
(i) providing that the person who is to receive the information must not disclose the information;
(ii) providing
that the person who is to receive the information will ensure that the information will be used only for the purpose set out in the agreement;
(iii) providing that the person who is to receive the information will take reasonable steps to ensure
the security and confidentiality of the information; and
(iv) specifying when the person who is to receive the information must do all or any of the following:
(A) return to the trustee or designated archive any original records or copies
of records containing personal health information;
(B) destroy any copies of records containing personal health information received from the trustee or designated archive or any copies made by the researcher of records containing personal health
information received from the trustee or designated archive.
(2) Where it is not reasonably practicable for the consent of the subject individual to be obtained, a trustee or designated archive may use or disclose personal health information
for research purposes if:
(a) the research purposes cannot reasonably be accomplished using de-identified personal health information or other information;
(b) reasonable steps are taken to protect the privacy of the subject individual
by removing all personal health information that is not required for the purposes of the research;
Saskatchewan – continued
Legislation #2
Health Information Protection Regulations, RRS c H-0.021 Reg 1
Manitoba
Legislation
Personal Health Information Act, CCSM c P33.5
Definition of “personal health information”
"personal health information" means recorded information about an identifiable individual that relates to
(a) the individual's health, or health care history, including genetic information about the individual,
(b) the
provision of health care to the individual, or
(c) payment for health care provided to the individual,
and includes
(d) the PHIN and any other identifying number, symbol or particular assigned to an individual, and
(e)
any identifying information about the individual that is collected in the course of, and is incidental to, the provision of health care or payment for health care;
Who is responsible?
Trustee or agent
What is a custodian?
"trustee" means a health professional, health care facility, public body, or health services agency that collects or maintains personal health information. "health services agency" means an organization that
provides health care such as community or home-based health care pursuant to an agreement with another trustee;
"agent", in relation to a trustee, includes,
(a) if the trustee is a corporation, an officer
or
director of the corporation, and
(b) a student or volunteer;
Note: there is a lengthy list in Schedule A to the Regulations of designated health care facilities pursuant to the Act.
Duties of custodians
Contained throughout the legislation.
Additional definitions
"use", in relation to personal health information, includes processing, reproduction, transmission and transportation of information.
Consent
Elements of consent
19.1(1) When this Act requires an individual's consent for the use or disclosure of personal health information, the consent must
(a) relate to the purpose for
which the information is used or disclosed;
(b) be knowledgeable;
(c) be voluntary; and
(d) not be obtained through misrepresentation.
Knowledgeable consent
19.1(2) Consent
is knowledgeable if the individual who gives it has been provided with the information that a reasonable person in the same circumstances would need in order to make a decision about the use or disclosure of the information.
Express or implied consent
19.1(3) Consent may be express or implied.
Exception
19.1(4) Consent must be express, and not implied, if
(a) a trustee
makes a disclosure to a person that is not a trustee; or
(b) a trustee makes a disclosure to another trustee, but the disclosure is not for the purpose of providing health care or assisting in providing health care.
Express consent need not be written
19.1(5) An express consent need not be in writing.
Express consent can be relied on
19.1(6) A trustee (other than the trustee who
obtained the consent) may act in accordance with an express written consent or a record of an express consent having been given without verifying that the consent meets the requirements of subsection (1), unless he or she has reason to believe that
the requirements have not been met.
Consent with conditions
19.1(7) An individual may give consent subject to conditions. But a condition that has the effect of restricting
or prohibiting a trustee from recording personal health information is not effective if the recording is required by law or by established standards of professional or institutional practice.
S.M. 2008, c. 41, s. 10.
Consent may be withdrawn
19.2 An individual who has given consent, whether express or implied, to the use or disclosure of personal health information may withdraw it by notifying the trustee. A withdrawal does not have retroactive
effect.
Restrictions of information collected
Part 3, Div 1 - Restrictions on Collection and Retention of Information applies to trustees
Part 3, Div 2 - Security Safeguards applies to trustees
Part 3, Div 3 - Restrictions on
Use applies to trustees
Production and use of PHIN
26(1) No person other than a trustee may require the production of another person's PHIN or collect or use another
person's PHIN.
Exceptions
26(2) Despite subsection (1), a person may collect or use another person's PHIN
(a) for purposes related to the provision of
publicly funded health care to the other person;
(b) for purposes of a health research project approved under section 24; or
(c) in circumstances permitted by the regulations.
Health Research
Disclosure for health research
24(1) A trustee may disclose personal health information to a person conducting health research if the research has been approved under this section.
Who may give an approval
24(2) An approval may be given by
(a) the health information privacy committee established under section 59, if the personal health
information is maintained by the government or a government agency; and
(b) an institutional research review committee, if the personal health information is maintained by a trustee other than the government or a government agency.
Conditions for approval
24(3) An approval may be given under this section only if the health information privacy committee or the institutional research review committee, as the case may be, has determined that
(a) the research is of sufficient importance to outweigh the intrusion into privacy that would result from the disclosure of personal health information;
(b) the research purpose cannot reasonably be accomplished unless the personal health
information is provided in a form that identifies or may identify individuals;
(c) it is unreasonable or impractical for the person proposing the research to obtain consent from the individuals the personal health information is about; and
(d) the research proposal contains
(i) reasonable safeguards to protect the confidentiality and security of the personal health information, and
(ii) procedures to destroy or remove, at the earliest opportunity consistent with the purposes
of the research, any information that, either by itself or when combined with other information available to the holder, allows individuals to be readily identified.
Agreement required
24(4) An
approval under this section is conditional on the person proposing the research project entering into an agreement with the trustee, in accordance with the regulations, in which the person agrees
(a) not to publish the personal health information
requested in a form that could reasonably be expected to identify the individuals concerned;
(b) to use the personal health information requested solely for the purposes of the approved research project; and
(c) to ensure that the research
project complies with the safeguards and procedures described in clause (3)(d).
Limitation for projects requiring direct contact with individuals
24(5) If a research
project will require direct contact with individuals, a trustee shall not disclose personal health information about those individuals under this section without first obtaining their consent. However, the trustee need not obtain their consent
if the information consists only of the individuals' names and addresses.
Disclosure to health research organization
24.1(1) A trustee may disclose personal health information
to a health research organization for a purpose mentioned in subsection (2) only if the organization is prescribed in the regulations and meets the requirements of this section.
Jurisdiction
Section 66(1)(l) permits the Lieutenant Governor in Council to make regulations regarding the disclosure of personal health information outside MB
Manitoba – continued
Legislation #2
Personal Health Information Regulation, M.R. 245/97
Ontario
Legislation
Personal Health Information Protection Act 2004 SO 2004 c3 SchA
Definition of “personal health information”
Personal health information
4 (1) In this Act,
“personal health information”, subject to subsections (3) and (4), means identifying information about an individual in oral or recorded form,
if the information,
(a) relates to the physical or mental health of the individual, including information that consists of the health history of the individual’s family,
(b) relates to the providing of health
care to the individual, including the identification of a person as a provider of health care to the individual,
(c) is a plan of service within the meaning of the Home Care and Community Services Act, 1994 for the individual,
(d) relates to payments or eligibility for health care, or eligibility for coverage for health care, in respect of the individual,
(e) relates to the donation by the individual of any body part or bodily substance of
the individual or is derived from the testing or examination of any such body part or bodily substance,
(f) is the individual’s health number, or
(g) identifies an individual’s substitute decision-maker.
Who is responsible?
Health information custodian or his agent
What is a custodian?
Health information custodian
3 (1) In this Act,
“health information custodian”, subject to subsections (3) to (11), means a person or organization described in one of the following paragraphs
who has custody or control of personal health information as a result of or in connection with performing the person’s or organization’s powers or duties or the work described in the paragraph, if any:
1. A health care
practitioner or a person who operates a group practice of health care practitioners.
2. A service provider within the meaning of the Home Care and Community Services Act, 1994 who provides a community service to which that Act applies.
3. Repealed: 2016, c. 30, s. 43 (1).
4. A person who operates one of the following facilities, programs or services:
i. A hospital within the meaning of the Public Hospitals Act, a private hospital within
the meaning of the Private Hospitals Act, a psychiatric facility within the meaning of the Mental Health Act or an independent health facility within the meaning of the Independent Health Facilities Act.
Duties of custodians
Responsibilities of health information custodian
17 (3) A health information custodian shall,
(a) take steps that are reasonable in the circumstances to ensure that no agent of the custodian collects,
uses, discloses, retains or disposes of personal health information unless it is in accordance with subsection (2); and
(b) remain responsible for any personal health information that is collected, used, disclosed, retained or disposed
of by the custodian’s agents, regardless of whether or not the collection, use, disclosure, retention or disposal was carried out in accordance with subsection
Agents and information
17 (1) A
health information custodian is responsible for personal health information in the custody or control of the health information custodian and may permit the custodian’s agents to collect, use, disclose, retain or dispose of personal health information
on the custodian’s behalf only if,
(a) the custodian is permitted or required to collect, use, disclose, retain or dispose of the information, as the case may be;
(b) the collection, use, disclosure, retention
or disposal of the information, as the case may be, is necessary in the course of the agent’s duties and is not contrary to this Act or another law; and
(c) the prescribed requirements, if any, are met.
Additional definitions
2 In this Act,
“agent”, in relation to a health information custodian, means a person that, with the authorization of the custodian, acts for or on behalf of the custodian in respect of personal health
information for the purposes of the custodian, and not the agent’s own purposes, whether or not the agent has the authority to bind the custodian, whether or not the agent is employed by the custodian and whether or not the agent is being remunerated;
Consent
Part III of the Act deals with consent.
Capacity to consent
21 (1) An individual is capable of consenting to the collection, use or disclosure of personal health information if the individual is able,
(a) to understand the information that is relevant to deciding whether to consent to the collection, use or disclosure, as the case may be; and
(b) to appreciate the reasonably foreseeable consequences of giving, not
giving, withholding or withdrawing the consent.
Presumption of capacity
(4) An individual is presumed to be capable of consenting to the collection, use or disclosure of personal health information.
Non-application
(5) A health information custodian may rely on the presumption described in subsection (4) unless the custodian has reasonable grounds to believe that the individual is incapable of
consenting to the collection, use or disclosure of personal health information.
Persons who may consent
23 (1) If this Act or any other Act refers to a consent required of an individual to a collection,
use or disclosure by a health information custodian of personal health information about the individual, a person described in one of the following paragraphs may give, withhold or withdraw the consent:
1. If the individual is capable
of consenting to the collection, use or disclosure of the information,
i. the individual, or
ii. if the individual is at least 16 years of age, any person who is capable of consenting, whom the individual has authorized
in writing to act on his or her behalf and who, if a natural person, is at least 16 years of age.
Also see Health Care Consent Act 1996 SO 1996 c2 Sch A
Health Research
Research approved outside Ontario
44(10) Subject to subsection (11), a health information custodian may disclose personal health information to a researcher or may use the information to conduct research if,
(a) the research involves the use of personal health information originating wholly or in part outside Ontario;
(b) the research has received the prescribed approval from a body outside Ontario that has the function of approving
research; and
(c) the prescribed requirements are met.
Jurisdiction
Disclosure outside Ontario
50 (1) A health information custodian may disclose personal health information about an individual collected in Ontario to a person outside Ontario only if,
(a) the individual
consents to the disclosure;
(b) this Act permits the disclosure;
(c) the person receiving the information performs functions comparable to the functions performed by a person to whom this Act would permit the custodian
to disclose the information in Ontario under subsection 40 (2) or clause 43 (1) (b), (c), (d) or (e);
(d) the following conditions are met:
(i) the custodian is a prescribed entity mentioned in subsection 45 (1) and
is prescribed for the purpose of this clause,
(ii) the disclosure is for the purpose of health planning or health administration,
(iii) the information relates to health care provided in Ontario to a person who is
resident of another province or territory of Canada, and
(iv) the disclosure is made to the government of that province or territory;
(e) the disclosure is reasonably necessary for the provision of health care to
the individual, but not if the individual has expressly instructed the custodian not to make the disclosure; or
(f) the disclosure is reasonably necessary for the administration of payments in connection with the provision of health
care to the individual or for contractual or legal requirements in that connection.
Québec
Legislation
n/a - see Act Respecting the Protection of Personal Information in the Private Sector
New Brunswick
Legislation
Personal Health Information Privacy and Access Act, SNB 2009, c P-7.05
Definition of “personal health information”
“personal health information” means identifying information about an individual in oral or recorded form if the information (renseignements personnels sur la santé)
(a) relates to the individual’s physical
or mental health, family history or health care history, including genetic information about the individual,
(b) is the individual’s registration information, including the Medicare number of the individual,
(c) relates to the provision
of health care to the individual,
(d) relates to information about payments or eligibility for health care in respect of the individual, or eligibility for coverage for health care in respect of the individual,
(e) relates to the donation
by the individual of any body part or bodily substance of the individual or is derived from the testing or examination of any body part or bodily substance,
(f) identifies the individual’s substitute decision-maker, or
(g) identifies
an individual’s health care provider.
Who is responsible?
Custodian - can be an individual or organization under this legislation.
What is a custodian?
“custodian” means an individual or organization that collects, maintains or uses personal health information for the purpose of providing or assisting in the provision of health care or treatment or the planning and management
of the health care system or delivering a government program or service and includes (dépositaire)
(a) public bodies,
(b) health care providers who are not agents or employees of a custodian,
(c) the Minister,
(d) the following
organizations or agencies:
(i) EM/ANB Inc.,
(ii) the New Brunswick Health Council,
(iii) Repealed: 2015, c.44, s.99
(iv) regional health authorities,
(v) the Workplace Health, Safety and Compensation Commission, and
(vi)
the Canadian Blood Services,
(e) Repealed: 2017, c.30, s.2
(e.1) research data centres,
(f) researchers conducting a research project approved in accordance with this Act,
(g) Repealed: 2017, c.30, s.2
(h) a laboratory or
a specimen collection centre,
(i) nursing homes and operators as those terms are defined in the Nursing Homes Act, and
(j) a person designated in the regulations as a custodian.
Duties of custodians
27(1) A custodian may collect personal health information relating to an individual if
(a) the custodian has the individual’s consent under this Act and the collection, to the best of the custodian’s knowledge,
is necessary for a lawful purpose, or
(b) the collection is permitted or required by this Act.
Consent
Express consent
19(1) Unless otherwise provided in this Act, express consent of an individual is required in relation to the collection, use or disclosure of his or her personal health information by a custodian,
including when the custodian discloses information to
(a) the media,
(b) a person for the purpose of fundraising activities,
(c) a visitor to a health care facility,
(d) a person outside New Brunswick, and
(e) a person
for the purpose of research.
19(2) The consent of an individual to the collection, use or disclosure of personal health information by a custodian is express if
(a) the custodian requests the individual to provide
the personal health information,
(b) the individual knows the purpose of the collection, use or disclosure of the information, as the case may be,
(c) the individual grants the custodian permission, the contents of which may be prescribed
by regulation, to collect, use or disclose the information, and
(d) if the permission referred to in paragraph (c) is in oral form, the custodian makes a record of the individual’s consent.
Capacity to consent
23(1) An individual is capable of consenting to the collection, use or disclosure of personal health information if the individual is able
(a) to understand the information that is relevant to deciding whether to consent
to the collection, use or disclosure, as the case may be, and
(b) to appreciate the reasonably foreseeable consequences of giving, not giving, withholding or withdrawing the consent.
23(2) An individual may be capable
of consenting to the collection, use or disclosure of personal health information at one time, but incapable of consenting at another time.
23(3) An individual is presumed to be capable of consenting to the collection,
use or disclosure of personal health information.
23(4) A custodian may rely on the presumption under subsection (3), unless the custodian has reasonable grounds to believe that the individual is incapable of consenting
to the collection, use or disclosure of personal health information.
Determination of incapacity
24 A custodian that determines that an individual is incapable of consenting to the collection, use
or disclosure of personal health information under this Act shall do so in accordance with the requirements and restrictions, if any, prescribed by regulation.
Restrictions of information collected
Medicare number
48(1) No person may require the production of an individual’s Medicare number or collect or use an individual’s Medicare number except a person that requires its production, collection
or use for the following purposes:
(a) for the provision of health care;
(b) to verify the individual’s eligibility to participate in a health care program or receive a health care service;
(c) for the payment and management
of the health care system;
(d) to verify the individual’s eligibility to participate in the drug insurance plan under the Prescription and Catastrophic Drug Insurance Act;
(e) to obtain proof of immunization under subsection 42.1(1)
of the Public Health Act; and
(f) for the establishment or maintenance of the immunization registry or the notifiable disease registry under the Public Health Act.
Disclosure for research purposes
43(1)A custodian may disclose personal health information to a person conducting a research project only if the project has been approved under this section.
43(2)An
approval may be given by a research review body that meets the requirements prescribed by regulation.
Note: "research review body" is an undefined term under the legislation.
Jurisdiction
Under s79(1)(cc) the Lieutenant Governor in Council can make regulations regarding the storage of personal health information outside of Canada.
Nova Scotia
Legislation
Personal Health Information Act SNS 2010, c 41
Definition of “personal health information”
3(r) “personal health information” means identifying information about an individual, whether living or deceased, and in both recorded and unrecorded forms, if the information
(i) relates to the physical or mental
health of the individual, including information that consists of the health history of the individual’s family,
(ii) relates to the application, assessment, eligibility and provision of health care to the individual, including the identification
of a person as a provider of health care to the individual,
(iii) relates to payments or eligibility for health care in respect of the individual,
(iv) relates to the donation by the individual of any body part or bodily substance of the
individual or is derived from the testing or examination of any such body part or bodily substance,
(v) is the individual’s registration information, including the individual’s health-card number, or
(vi) identifies an individual’s
substitute decision-maker;
Who is responsible?
Agent or custodian
What is a custodian?
3(f) “custodian” means an individual or organization described below who has custody or control of personal health information as a result of or in connection with performing the person’s or organization’s powers
or duties:
(i) a regulated health professional or a person who operates a group practice of regulated health professionals,
(ii) the Minister,
(iii) repealed 2012, c. 31, s. 1.
(iv) a health authority as defined in the
Health Authorities Act,
(v) repealed 2014, c. 32, s. 151.
(vi) the Review Board under the Involuntary Psychiatric Treatment Act,
(vii) a pharmacy licensed under the Pharmacy Act,
(viii) a continuing-care facility licensed by
the Minister under the Homes for Special Care Act or a continuing-care facility approved by the Minister,
(ix) Canadian Blood Services,
(x) any other individual or organization or class of individual or class of organization as prescribed
by regulation as a custodian;
Additional definitions
3(a) “agent”, in relation to a custodian, means a person who, with the authorization of the custodian, acts for or on behalf of the custodian in respect of personal health information for the purposes of the custodian, and not the agent’s purposes, whether or not the agent has the authority to bind the custodian, is paid by the custodian or is being remunerated by the custodian, and includes, but is not limited to, an employee of a custodian or a volunteer who deals with personal health information, a custodian’s insurer, a lawyer retained by the custodian’s insurer or a liability protection provider;
Consent
11 A custodian shall not collect, use or disclose personal health information about an individual unless
(a) the custodian has the individual’s consent under this Act and the collection, use or disclosure is reasonably
necessary for a lawful purpose; or
(b) the collection, use or disclosure is permitted or required by this Act.
Health Research
See sections 53 to 60 of the Act.
Steps required prior to using information
55 A custodian may use personal health information for research if, before commencing the research, the custodian
(a) prepares a research plan that meets the requirements in Section 59;
(b) repealed 2012, c. 31, s. 6.
(c) receives the approval of a research ethics board; and
(d) meets any conditions imposed by the research ethics board.
Obligations of researcher
56 A custodian may disclose personal health information about an individual to a researcher if the researcher
(a) submits to the custodian
(i) an application
in writing,
(ii) a research plan that meets the requirements of Section 59, and
(iii) a copy of the submission to and decision of a research ethics board that approves the research plan; and
(b) enters into the agreement required
by Section 60.
Jurisdiction
Disclosure to person outside Province
44 (1) A custodian may disclose personal health information about an individual collected in the Province to a person outside the Province if
(a) the individual
who is the subject of the information consents to the disclosure;
(b) the disclosure is permitted by this Act or the regulations;
(c) the disclosure is to a regulated health professional and the disclosure is to meet the functions of another
jurisdiction’s prescription monitoring program;
(d) the following conditions are met:
(i) the disclosure is for the purpose of the planning and management of the health system or health administration,
(ii) the information
relates to health care provided in the Province to an individual who resides in another province of Canada, and
(iii) the disclosure is made to the government of that other province of Canada; or
(e) the disclosure is reasonably necessary
for the provision of health care to the individual and the individual has not expressly instructed the custodian not to make the disclosure.
(2) Where a custodian discloses personal health information about an individual under clause (1)(e)
and an express request of the individual who is the subject of the information prevents the custodian from disclosing all the personal health information that the custodian considers reasonably necessary to disclose for the provision of health care
to the individual, the custodian shall notify the person to whom it makes disclosure of that fact.
Prince Edward Island
Legislation
n/a - see FIPPA
Newfoundland and Labrador
Legislation
Personal Health Information Act, SNL 2008, c P-7.01
Definition of “personal health information”
5. (1) In this Act, "personal health information" means identifying information in oral or recorded form about an individual that relates to
(a) the physical or mental health of the individual, including information respecting
the individual's health care status and history and the health history of the individual's family;
(b) the provision of health care to the individual, including information respecting the person providing the health care;
(c)
the donation by an individual of a body part or bodily substance, including information derived from the testing or examination of a body part or bodily substance;
(d) registration information;
(e) payments or eligibility for
a health care program or service in respect of the individual, including eligibility for coverage under an insurance or payment arrangement with respect to health care;
(f) an individual's entitlement to benefits under or participation
in a health care program or service;
(g) information about the individual that is collected in the course of, and is incidental to, the provision of a health care program or service or payment for a health care program or service;
(h)
a drug as defined in the Pharmacy Act, 2012 , a health care aid, device, product, equipment or other item provided to an individual under a prescription or other authorization issued by a health care professional; or
(i) the identity of
a person referred to in section 7.
Who is responsible?
Custodian, or an agent acting for a custodian.
What is a custodian?
2 (a) "agent", in relation to a custodian, means a person that, with the authorization of the custodian, acts for or on behalf of the custodian in respect of personal health information for the purposes of the custodian, and not
the agent's purposes, whether or not the agent has the authority to bind the custodian, is paid by the custodian or is being remunerated by the custodian;
4. (1) In this Act, "custodian" means a person described in one
of the following paragraphs who has custody or control of personal health information as a result of or in connection with the performance of the person's powers or duties or the work described in that paragraph:
(a) an authority;
(b) a board, council, committee, commission, corporation or agency established by an authority;
(c) a department created under the Executive Council Act , or a branch of the executive government of the province, when engaged in
a function related to the delivery or administration of health care in the province;
(d) the minister, where the context so requires;
(e) a health care professional, when providing health care to an individual or performing a
function necessarily related to the provision of health care to an individual;
(f) a health care provider;
(g) a person who operates
(i) a health care facility,
(ii) a licensed pharmacy as defined in the
Pharmacy Act, 2012 ,
(iii) an ambulance service, or
(iv) a centre, program or service for community health or mental health, the primary purpose of which is the provision of health care by a health care professional or health
care provider;
(h) the Provincial Public Health Laboratory;
(i) the Centre for Health Information;
(j) with respect to Memorial University of Newfoundland, the Faculty of Medicine, the School of Nursing, the School
of Pharmacy and the School of Human Kinetics and Recreation;
(k) the Centre for Nursing Studies;
(l) the Western Regional School of Nursing;
(m) a person who, as a result of the bankruptcy or insolvency of a custodian,
obtains complete custody or control of a record of personal health information, held by the custodian;
(n) a rights advisor under the Mental Health Care and Treatment Act ;
(o) the Workplace Health, Safety and Compensation Commission;
and
(p) a person designated as a custodian in the regulations.
(2) Except as otherwise provided in this Act or the regulations, a person described in one of the following classes shall not be considered to be a custodian
in respect of personal health information he or she may collect, use, disclose or dispose of while performing the powers or duties described:
(a) an employee of a custodian when acting in the course of his or her employment;
(b)
a body with statutory responsibility for the discipline of health professionals;
(c) the Trial Division,
the Court of Appeal or the Provincial Court ;
(d) a person who is authorized to act for or on behalf of a person that is not a custodian where the scope of the duties of the authorized person do not include the provision of health care;
(e) a person that collects or uses an MCP number for a purpose other than the provision of health care;
(f) an officer of the House of Assembly;
(g) a person who is neither a health care professional or a health care
provider and who provides fitness, weight-management, stress management, smoking-cessation or aesthetic services;
(h) an information manager;
(i) the Statistics Agency;
(j) a person referred to in section 7, when acting
in the capacity described in that section; and
(k) a person designated by the regulations as excluded from the meaning of "custodian".
Additional definitions
2 (b) "authority" means a regional health authority established under the Regional Health Authorities Act;
(j) "health care professional" means a person, including a corporation, that is licensed
or registered to provide health care by a body authorized to regulate a health care professional under one of the following enumerated Acts but does not include an employee of a health care professional when acting in the course of his or her employment:
(i) Chiropractors Act,
(ii) Dental Act,
(iii) Denturists Act, 2005 ,
(iv) Dieticians Act ,
(v) Dispensing Opticians Act, 2005 ,
(vi) Hearing Aid Practitioners Act ,
(vii)
Licensed Practical Nurses Act, 2005 ,
(viii) Massage Therapy Act, 2005 ,
(ix) Medical Act, 2005 ,
(x) Occupational Therapists Act, 2005 ,
(xi) Optometry Act, 2012 ,
(xii) Pharmacy Act, 2012 ,
(xiii) Physiotherapy Act, 2006 ,
(xiv) Psychologists Act, 2005 ,
(xv) Registered Nurses Act , and
(xvi) Social Workers Association Act ;
(k) "health care provider" means a person, other than
a health care professional, who is paid by MCP, another insurer or person, whether directly or indirectly or in whole or in part, to provide health care services to an individual;
(i) "health care facility" means a facility that provides
in-patient health care, including a hospital, a psychiatric unit under the Mental Health Care and Treatment Act , a personal care home, a community care home, a long-term care home or other facility designated in the regulations;
Consent
See Part III
Health Research
Disclosure for research purposes
44. A custodian may disclose personal health information without the consent of the individual who is the subject of the information for research purposes but only where the research
project has been approved by a research ethics board or research ethics body under the Health Research Ethics Authority Act.
Jurisdiction
Information practices, policies and procedures
13. (1) A custodian that has custody or control of personal health information shall establish and implement information policies and procedures to facilitate
the implementation of, and ensure compliance with, this Act and the regulations respecting the manner of collection, storage, transfer, copying, modification, use and disposition of personal information whether within or outside the province.
Disclosure outside the province
47. (1) A custodian may disclose personal health information about an individual collected in the province to a person outside the province but only where
(a)
the individual who is the subject of the information consents to the disclosure;
(b) the disclosure is permitted by this Act or the regulations;
(c) the person receiving the information performs functions similar to the functions
performed by a person to whom this Act would permit the custodian to disclose the information in the province under subsection 40(2);
(d) the following conditions are met:
(i) the disclosure is for the purpose of health planning
or health administration,
(ii) the information relates to health care provided in the province to a person who is a resident of another province or territory of Canada , and
(iii) the disclosure is made to the government of that
other province or territory of Canada ;
(e) the disclosure is reasonably necessary for the provision of health care to the individual and the individual has not expressly instructed the custodian not to make the disclosure in its entirety;
or
(f) the disclosure is reasonably necessary for the administration of payments in connection with the provision of health care to the individual or for contractual or legal requirements in that connection.
(2) Where a
custodian discloses personal health information about an individual under paragraph (1)(e) and an express request of the individual who is the subject of the information prevents the custodian from disclosing all the personal health information that
the custodian considers reasonably necessary to disclose for the provision of health care to the individual, the custodian shall notify the person to whom it makes disclosure of that fact.
Yukon
Legislation
Health Information Privacy and Management Act, SY 2013, c16
Definition of “personal health information”
“personal health information” of an individual means
(a) health information of the individual, and
(b) except as prescribed, prescribed registration information and prescribed provider registry information in respect
of the individual;
Who is responsible?
Custodian
What is a custodian?
2(1) In this Act
“custodian” means a person (other than a person who is prescribed not to be a custodian) who is
(a) the Department,
(b) the operator of a hospital or health facility,
(c) a health care provider,
(d) a prescribed branch, operation or program of a Yukon First Nation,
(e) the Minister,
(f) a person who, in another province
(i) performs functions substantially similar to the
functions performed by a health care provider, and
(ii) is, in the performance of those functions, subject to an enactment, of Canada or a province, that governs the collection, use and disclosure of personal information or personal health information,
or
(g) a prescribed person;
Duties of custodians
Custodian’s information practices generally 19(1) A custodian must protect personal health information by applying information practices that include administrative policies and technical and physical safeguards that ensure the confidentiality, security, and integrity of the personal health information in its custody or control.
Additional definitions
2(1) In this Act
“agent” of a custodian means a person (other than a person who is prescribed not to be an agent of the custodian) who acts for or on behalf of the custodian in respect of personal health
information, including for greater certainty such a person who is
(a) an employee of the custodian,
(b) a person who performs a service for the custodian under a contract or agency relationship with the custodian,
(c)
an appointee, volunteer or student,
(d) an insurer or liability protection provider,
(e) an information manager,
(f) if the custodian is a corporation, an officer or director of the corporation, or
(g) a prescribed
person;
Consent
See Part 4 of the Act.
General rule for consent
33 Unless this Act requires express consent to the collection, use or disclosure of personal health information, implied consent is sufficient.
Capacity to consent
45(1) An individual is capable of consenting to the collection, use or disclosure of personal health information if the individual is able
(a) to understand the information that
is relevant to deciding whether to consent to the collection, use or disclosure, as the case may be; and
(b) to appreciate the reasonably foreseeable consequences of giving, refusing, withholding or withdrawing the consent.
(2) An
individual may have the capacity at one time to consent to the collection, use or disclosure of their personal health information but be incapable of consenting at another time.
(3) An individual may have the capacity to consent
to the collection, use or disclosure of some portions of their personal health information but be incapable of consenting with respect to other portions of it.
Restrictions of information collected
Restrictions
18(1) Subject to subsection (2), no person may collect, use or disclose an individual’s Yukon public health insurance plan number.
Health Research
Division 5 provides for collection, use and disclosure for research
Collection for research
66(1) Subject to subsection (2), a custodian may, for the purpose of research, collect an individual’s
personal health information from the individual or any other person.
(2) If a custodian intends to collect an individual’s personal health information for the purpose of research (other than research that is incidental to a purpose
for which this Act otherwise allows the custodian to collect the personal health information), the custodian must
(a) where the custodian is a public body, a branch, operation or program of a Yukon First Nation or a prescribed person, meet
the prescribed requirements, if any; or
(b) where the custodian is not a person described in paragraph (a), obtain prior approval of the collection by an institutional research review committee.
Use for research
67 A custodian may, without the individual’s consent, use for the purpose of research an individual’s personal health information that is in its custody or control.
Jurisdiction
Notice and knowledgeable consent
41(1) (d) advises that if the personal health information is disclosed outside Yukon, the law of the jurisdiction to which it is disclosed will govern its use, collection and disclosure
in that jurisdiction.
Northwest Territories
Legislation
Health Information Act, SNWT 2014, c 2
Definition of “personal health information”
"personal health information" means the following information in any form that identifies an individual, or in respect of which it is reasonably foreseeable in the circumstances that the information could be used, either alone or with
other information, to identify an individual:
(a) information about the health and health care history of an individual,
(b) information respecting health services provided to an individual,
(c) information about eligibility or registration
of an individual for a health service or related product or benefit,
(d) information about the payment for a health service for an individual,
(e) information collected in the course of providing a health service to an individual or information
that is collected incidentally to the provision of a health service to an individual, including the individual’s name and contact information,
(f) a personal health number, other identifying number, symbol, or other particular assigned
to an individual in respect of health services or health information,
(g) prescribed information about a health service provider that provides a health service to an individual,
(h) information respecting the donation by an individual
of a body part or bodily substance,
(i) information prescribed as personal health information;
Who is responsible?
Agent or health information custodian
What is a custodian?
1(1) "agent", except in paragraphs 25(1)(g) and 115(b) and (c), subsection 151(6) and section 193, means a person or organization listed in subsection 9(2) that is authorized by subsection 9(1) to act as an agent;
"health information custodian" means
(a) the Department,
(b) a medical practitioner, other than a medical practitioner acting as an agent of a health information custodian,
(c) a pharmacist as defined in subsection 1(1) of the Pharmacy Act, other than a pharmacist acting
as an agent of a health information custodian,
(d) a prescribed organization responsible under the Hospital Insurance and Health and Social Services Administration Act for the management, control and operation of one or more facilities from
which health services are provided, or
(e) a prescribed person or class of persons, or a prescribed organization other than an organization prescribed as a health information custodian under paragraph (d);
Duties of custodians
24(3) If an individual places a condition on his or her consent to the collection, use or disclosure of personal health information about the individual, a health information custodian that collects the information shall
(a)
inform the individual of the implications of the condition;
(b) take reasonable steps to comply with the condition;
(c) attach the condition to or record the condition on the applicable record; and
(d) take reasonable steps to give
notice of the condition to other persons and organizations to which the custodian discloses the information.
Additional definitions
1. (1) For the purposes of paragraph (d) of the definition "health information custodian" in subsection 1(1) of the Act, the following organizations, responsible under the Hospital Insurance and Health and Social Services Administration
Act for the management, control and operation of one or more facilities from which health services are provided, are prescribed as health information custodians:
(a) Hay River Health and Social Services Authority;
(b) Northwest Territories
Health and Social Services Authority;
(c) Tåîchô Community Services Agency.
9 (2) Each of the following persons and organizations may act as an agent for or on behalf of a health information custodian
if authorized by subsection (1) to do so:
(a) an employee of the custodian;
(b) a person who performs a service for the custodian as an appointee, volunteer, student or under a contract or agency relationship;
(c) an information
manager for the custodian;
(d) a prescribed person, class of persons or organization.
Consent
See Part 3.
18. (1) Subject to subsections (3) and (4), a health information custodian that collects personal health information from the individual the information is about for the purpose of providing or
assisting in the provision of a health service to the individual, may assume that the individual has provided implied consent to the custodian’s (a) collection or use of that information for the purposes of providing or assisting in the provision
of a health service to the individual; and (b) disclosure of that information to a health service provider for the purposes of providing or assisting in the provision of a health service to the individual.
Health Research
See sections 69 - 83.
71. A researcher shall not
(a) collect personal health information for the purpose of conducting research from a source other than the individual the information is about unless
(i) a research ethics
committee has, under paragraph 69(b), determined that the researcher may do so, or
(ii) an extra-territorial research ethics committee has determined that the researcher may do so and paragraph 78(a) applies; or
(b) collect personal health
information for the purpose of conducting research or conduct research using personal health information without the express consent of the individuals the information is about, if
(i) a research ethics committee has determined under paragraph
69(c) that express consent must be obtained, or
(ii) an extra-territorial research ethics committee has determined that express consent must be obtained.
Jurisdiction
85. (1) A health information custodian shall take reasonable measures to maintain administrative, technical and physical safeguards for the protection of personal health information, including for protection
(b) of the confidentiality of personal
health information that is to be stored or used outside the Northwest Territories, or that is to be disclosed by the custodian to a person or organization outside the Territories;
176. Notwithstanding subsections 178(1) and (2), the Information
and Privacy Commissioner may, for the purpose of coordinating activities and handling complaints involving two or more jurisdictions, enter into information sharing and other agreements with, and disclose personal health information to, a person who,
under the legislation of Canada, a province or another territory, has powers, duties and functions similar to those of the IPC.
Nunavut
Legislation
n/a - see Access to Information and Protection of Privacy Act
Photo by National Cancer Institute on Unsplash
