Prince Edward Island’s Health Information Act (“HIA”) received Royal Assent on May 14, 2014. Prior to this new legislation, personal health information was shared between the public and private sectors without any clear set of rules governing the management and control of this type of information. The HIA, which has not yet been proclaimed, attempts to balance two competing interests: protecting the privacy of personal health information, and the need of health care providers to collect, use and disclose that information to provide health care and manage the health care system.
For the purposes of the legislation, “personal health information” means:
identifying information about an individual in oral or recorded form that
- relates to the individual’s physical or mental health, family health history or health care history, including genetic information about the individual,
- relates to information about an individual that is collected for the purpose of registering the individual for the provision of health care, including a health number, medical record number and any other identifier assigned to an individual,
- relates to the provision of health care to the individual,
- relates to an individual’s entitlement to benefits under or participation in a health care program or service,
- is collected in the course of, and is incidental to, the provision of a health care program or service or payment for a health care program or service,
- relates to a drug, a health care aid, device, product, equipment or other item provided to an individual under a prescription or other authorization issued by a health care provider,
- relates to information about payments or eligibility for health care in respect of the individual, or eligibility for coverage for health care in respect of the individual,
- relates to the donation by the individual of any body part or bodily substance of the individual or is derived from the testing or examination of any body part or bodily substance,
- identifies the individual’s substitute decision maker, or
- identifies the individual’s health care provider;
The HIA addresses the following:
- The establishment of rules for custodians regarding the collection, use, disclosure, retention and secure destruction of personal health information;
- Enabling personal health information to be shared and accessed for the provision of health services and the planning and management of the health care system;
- Providing individuals with the right to examine and receive a copy of their personal health information;
- Providing individuals with the right to request corrections to their personal health information;
- Establishing mechanisms to ensure the accountability of persons having custody or control of personal health information and to safeguard the security and integrity of personal health information;
- Providing for an independent review of decisions made by custodians and the resolution of complaints; and
- Providing remedies for contraventions of this legislation.
The application of this legislation is broad in scope and will apply to all holders of personal health information who collect, use, and disclose such information for the purposes of providing health care services. Based on the definition given for “custodian”, it will not matter if the person or organization is in the public or private sector, acts independently or not, or is in the profit or not-for-profit sector.
The penalties for contravention are significant. An individual who violates a provision of the HIA will be liable on summary conviction to a fine of not more than $15,000 or a term of imprisonment of not more than six months, or to both. Similarly, a corporation will face a fine of up to $50,000.
This is only a brief overview of the legislation. If you would like further information on the HIA, please refer to the full text here.