The Northwest Territories have enacted the Health Information Act, SNWT 2014, c 2 (HIA) which took effect on October 1, 2015. The HIA sets out rules for the collection, use and disclosure of personal health information; the Act is designed to protect health information and facilitate the provision of health services.
Much like the health privacy statutes of other provinces, the HIA recognizes the sensitive nature of personal health information, which is frequently shared in the provision of health care and the management of our publicly funded health care system. Other Canadian provinces and territories have similar legislation, including Alberta, Saskatchewan, Manitoba, Ontario, Newfoundland and Labrador, New Brunswick, Nova Scotia, British Columbia and Quebec. Similar laws have also been passed in Prince Edward Island (Bill 42 – Health Information Act) and Yukon (Bill 61 – Health Information Privacy and Management Act), but have yet to be enacted into force.
Application and Scope of the Act
The HIA applies when (1) there is personal health information, (2) in the custody of a health information custodian, that was (3) originally collected to deliver a health service. Each of these terms are defined in the Act.
“Personal health information”
Personal health information is defined as information that either identifies an individual or can be reasonably used to identify individuals. Examples of personally identifying health information include identifiers in registration information (e.g. name, date of birth, sex, address, etc.), information about treatment history (e.g. lab orders and results, prescriptions, diagnostic imaging reports, progress notes, etc.), and scheduling or billing information (appointment dates, medical travel approval, hospital admission date, etc).
There are certain forms of personal health information that are exempt from the Act. For instance, personal health information in child and family services records, adoption records, human resource personnel records and professional licensing files are not covered by the HIA.
“Health information custodian”
The HIA applies to information held by a variety of organizations and individuals within the health care sector called health information custodians. Health information custodians include the:
- Department of Health and Social Services (DHSS)
- Health and Social Services Authorities (HSSAs)
- Physicians who are not employed by the DHSS or HSSAs (“private physicians”)
- Pharmacists who are not employed by the DHSS or HSSAs (“private pharmacists”)
The HIA also applies to agents, which include organizations or individuals who are authorized to act for or on behalf of a health information custodian. Agents include salaried employees, contractors, appointees, information managers, volunteers, summer students, and anyone else working for a custodian. It is the responsibility of the health information custodian to take ‘reasonable measures’ to ensure that its agents comply with standards, policies and procedures established to comply with the HIA.
The HIA applies to personal health information in the custody or under the control of custodians as it relates to physical and mental health services. The term “health service” includes both insured and non-insured services and both physical and mental health services. The HIA further outlines services provided for health related purposes that are within the scope of the Act – they include ambulance and pharmacy services (See HIA s.1, Definition of ‘health service’ (a)(ii)).
Rights and Obligations under the Act
To comply with the HIA, health information custodians are required to adopt standards, policies and procedures to implement the requirements of the Act (See HIA s. 8, Standards, policies, and procedures required). Custodians are also required to implement safeguards to protect personal health information, including administrative, technical, and physical safeguards to protect against privacy breaches (See HIA s. 85, Measures for protection of information). In the event of a privacy breach, health information custodians have a duty to notify the individuals affected (See HIA s. 87, Duty to give notice).
For the purposes of interacting with the public, custodians must name at least one agent as the HIA designated contact person. This person will act on behalf of the appointing custodian and respond to questions and complaints from the public about the collection of information and information practices (See HIA s. 12, Designated contact person).
The HIA also provides individuals with the right to access their own personal health information and the right to request a correction of this information. Health information custodians have a “duty to assist” patients to access their personal health information (See HIA s. 97, Duty to assist applicant).
The HIA further outlines the requirement to obtain consent for the purpose of collection, use or disclosure of personal health information (See HIA s.15(1), Elements of consent). A patient must give express consent before personal health information can be shared in ways that are not specifically allowed by the HIA or other legislation. Patients also have the right to set consent conditions and express instructions that limit the use and disclosure of their personal health information (See HIA s. 22, Conditions); consent can also be withdrawn at a later date (See HIA s. 24, Withdrawal of consent).
Privacy impact assessments (PIA) have also become mandatory whenever a new or updated information system or communication technology is being considered for the collection, use, or disclosure of personal health information. The PIA must be shared with the Information and Privacy Commissioner (See HIA s.89(3), Privacy impact assessment to IPC).
The monetary penalties for contravention of the HIA or its regulations are set at $50,000 in the case of an individual and $500,000 in the case of a corporation. There is a three year limitation period (from the date of discovery of the alleged offence) on the prosecution of offences under the HIA and its regulations (See HIA s. 192, Offence and punishment). However, custodians, agents, the IPC and providers of information have immunity from liability as long as their (in)actions were taken in good faith (See HIA s. 180, Immunity from liability).
The Federal Personal Information Protection and Electronic Documents Act (PIPEDA) regulates the collection, use, and disclosure of personal information by private individuals and organizations across Canada, except in those jurisdictions in which privacy legislation has been enacted that has been deemed to be ‘substantially similar’. The Federal Government has not yet granted HIA substantial similarity status, and as a result, private pharmacists and physicians must follow both PIPEDA and the HIA, until such status is granted.