In Fall 2022, the Office of the Privacy Commissioner of Canada (OPC) published a study it had funded on the privacy implications of direct-to-patient commercial virtual care platforms (VCPs) in Canada, technologies that allow healthcare practitioners to provide healthcare services to patients remotely.
While the study does not constitute binding law or guidance, it is nonetheless noteworthy for operators of VCPs because (1) it identifies practices by commercial operators that the study describes as problematic and (2) it makes recommendations for amending Canada’s core privacy law statutes to address these issues.
(1) Practices by Commercial Operators Described as Problematic in the Study
(a) not treating personal information collected during registration as personal health information
The study found that commercial operators of VCPs collect a large amount of personal information when patients register for use of the VCP, including their name, email address, IP address, telephone number, and other contact information. However, even where such information is collected from a patient or in a healthcare setting, some operators do not treat this information as personal health information, which may call for a higher degree of care under provincial health privacy laws than under private sector privacy laws.
(b) privacy policies are too vague or confusing for patients and practitioners to understand
While the study found operators of VCPs have privacy policies in place, it took issue with the fact that privacy policies tend to be vague in their descriptions of how personal information and personal health information will be used, transferred, disclosed or otherwise processed, and the fact that privacy policies tend to be too confusing or complicated for patients or practitioners to make informed decisions.
(c) VCPs use personal information to sell or promote a business partner’s products or services
The study found that some VCPs use a patient’s personal information to promote products or services of a business partner (e.g. medications or vaccinations from a pharmaceutical company if the personal information shows that the patient may not be vaccinated or is not taking a certain medicine). The study takes issue with using personal health information in this manner, especially if the use is not disclosed.
(d) where a VCP only provides one type of health service, any personal information connecting a patient to the VCP could reveal the patient’s health condition or request for services
The study found that some VCPs are only used to provide one type of health service (e.g. psychiatric services or HIV prevention services). Under those circumstances, any personal information that can connect an individual to the use of the VCP, such as their name or basic contact information, could, when combined with the fact that the VCP is only used for one type of health service, reveal a person’s health condition or their request for services relating to a particular medical issue, such as psychiatric health.
(e) requiring patients to use VCPs to access health services
The study found that some VCPs require patients to agree to commercial uses of their personal information prior to accessing health services. The study found that this practice raises jurisdictional issues around patients’ right to access medical services and flagged this practice as ethically questionable.
(2) Study’s Recommendations for Amending Canada’s Core Privacy Statutes
(a) handling of de-identified personal information should be regulated
The study found that VCPs may de-identify personal information; however, they proceed to share, analyze, publish and otherwise process the de-identified personal information. The study pointed to gaps under Canadian privacy laws, including under the Personal Information Protection and Electronic Documents Act (PIPEDA), with respect to the use and processing of de-identified personal information.
(b) personal information collected by commercial VCPs should be personal health information
The study recommends that provincial health privacy laws expressly recognize that all personal information collected by VCPs, including basic contact information, be considered personal health information and, as a consequence, be subject to health privacy law regimes under those statutes.
(c) VCPs should be prohibited from using their platforms to promote pharmaceutical products
The study argues that collecting personal health information via VCPs and, in turn, using that personal health information to sell or promote pharmaceutical products and services is ethically questionable, and it calls for regulation to prohibit these kinds of uses of personal health information.
(d) encouraging privacy regulators to regularly audit VCPs
Given the privacy-related risks the study identified for patients and practitioners, the study is calling for increased audits of VCPs by privacy regulators to ensure compliance with health privacy laws.
(e) requiring VCPs to share de-identified health data with public entities
The study found that VCPs handle large amounts of de-identified health data, but that such data is only being used to serve the commercial purposes of the VCP operator. The study calls for regulations that would require VCPs to share their de-identified health data with public entities for research purposes.
Key Take-Aways and Recommendations
- Canadian privacy regulators are studying privacy-related risks from commercial operators’ use of VCPs, and have flagged a number of risks and concerns that could underscore future guidance.
- In particular, one study found that uses and disclosures of personal health information collected using VCPs are not clear to data subjects or practitioners, and that privacy policies are too vague and are confusing for individuals without legal training and should be redrafted in plain language and in a manner that conveys the granular uses and disclosures of personal health information.
- Supplements to privacy policies, such as descriptions of how the VCP technology works, who the main parties involved are, and how personal information will be collected, used and disclosed, may be helpful for patients and healthcare practitioners in making informed decisions.
- Audits of VCPs by privacy regulators may be on the rise; thus, commercial operators of VCPs should have policies and record retention schedules in place in the event of any future audits.