Data protection, privacy and digitisation in healthcare

Digitisation

What are the legal developments regarding digitisation in the healthcare sector and industrial networks or sales channels?

There have been various developments on digitisation in the healthcare sector in Canada. Given that regulation of healthcare is largely provincial, these initiatives often vary from province to province, although there are some federal initiatives as well. One such federal initiative is to create the infrastructure necessary to enable e-prescribing.

At the provincial level, some of the initiatives involve making available certain health-related information (eg, prescription drug history and electronic medication administration records) to healthcare providers throughout the province in an effort to increase continuity of care or to promote safety.

There is also an increased interest in telemedicine, which has been accelerated by the covid-19 pandemic.

Provision of digital health services

Which law regulates the provision of digital health services, and to what extent can such services be provided?

Where a digital health service meets the definition of a medical device, it will be regulated under the Food and Drugs Act and the Medical Devices Regulations. A medical device is one that is manufactured, sold or represented for use in diagnosing, treating, mitigating or preventing a disease, disorder or abnormal physical state or restoring body structure. Any digital health service, including software, that meets this definition must also meet the requirements of that Act and Regulations, which, depending on how the device is classified, may require device licensing and pre-approval by Health Canada.

Federal and provincial privacy laws govern the collection, use and disclosure of personal health information, including in the context of digital health services. Provided these services are offered in compliance with these laws, they can be offered; however, privacy considerations are often a barrier to providing services as it is important to ensure that the platform itself is secure and that both the patient and provider are able to access the services in an environment that allows for privacy.

In addition, given that provincial legislation governs the provision of healthcare, it is necessary that any digital health services contemplate the requirements set out in the relevant provincial legislation as well as any by-laws, policies and other guidance provided by provincial healthcare professional regulatory authorities. Some regulators have expressed concerns about the ability to establish the necessary provider–patient relationship over digital platforms, and it is important that any services provided recognise any constraints and that patients are referred for in-person visits if needed. If the patient and provider are located in different provinces, the laws and other requirements of both jurisdictions must be considered.

Authorities

Which authorities are responsible for compliance with data protection and privacy, and what is the applicable legislation? Have the authorities issued specific guidance or rules for data protection and privacy in the healthcare sector?

Federal and provincial privacy commissioners are responsible for compliance with data protection and privacy. Additionally, healthcare professional regulatory authorities have jurisdiction over their members' compliance with laws (including data protection and privacy laws).

The specific rules for privacy and data protection in respect of personal health information are set out in federal, and in some cases provincial, privacy legislation. Privacy commissioners and regulatory authorities often set out further guidance to assist healthcare providers and professionals in complying with the rules.

Requirements

What basic requirements are placed on healthcare providers when it comes to data protection and privacy? Is there a regular need for qualified personnel?

The Personal Information Protection and Electronic Documents Act (PIPEDA) is the federal legislation that governs data protection and privacy by private-sector organisations that collect, use or disclose personal information (including health information) in the course of a commercial activity. This Act would apply to most healthcare institutions; however, in provinces with legislation in force that is deemed substantially similar to PIPEDA, that legislation would apply instead. Additionally, some provinces have legislation that applies in addition to PIPEDA, particularly in relation to personal health information.

There are variations in the requirements placed on healthcare providers depending on the legislation that applies; however, they are generally similar. As an example, PIPEDA sets out 10 fair information principles that provide the ground rules for the collection, use and disclosure of personal information (including personal health information). These are:

  • Accountability: an organisation is responsible for personal information under its control. It must appoint someone to be accountable for its compliance with these fair information principles.
  • Identifying purposes: the purposes for which the personal information is being collected must be identified by the organisation before or at the time of collection.
  • Consent: the knowledge and consent of the individual are required for the collection, use or disclosure of personal information, except where inappropriate.
  • Limiting collection: the collection of personal information must be limited to that which is needed for the purposes identified by the organisation. Information must be collected by fair and lawful means.
  • Limiting use, disclosure and retention: unless the individual consents otherwise or it is required by law, personal information can only be used or disclosed for the purposes for which it was collected. Personal information must only be kept as long as required to serve those purposes.
  • Accuracy: personal information must be as accurate, complete and up to date as possible to properly satisfy the purposes for which it is to be used.
  • Safeguards: personal information must be protected by appropriate security relative to the sensitivity of the information.
  • Openness: an organisation must make detailed information about its policies and practices relating to the management of personal information publicly and readily available.
  • Individual access: upon request, an individual must be informed of the existence, use and disclosure of their personal information and be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.
  • Challenging compliance: an individual shall be able to challenge an organisation’s compliance with the above principles.

Common infringements

What are the most common data protection and privacy infringements committed by healthcare providers?

A common data protection and privacy infringement is the unauthorised accessing and use of personal information by employees of healthcare institutions. Many institutions have taken a zero-tolerance approach to unauthorised access and provide that any such access is grounds for termination. Fines are also possible in some provinces.

Additionally, hospitals and healthcare providers are frequently the target of cybersecurity attacks in Canada as hackers seek to obtain the personal information of patients.