Unless the provincial government acts
quickly, on January 1, 2004, a piece of federal legislation will
come into effect in this province that will fundamentally change the
way physicians practice medicine. It is the Personal
Information Protection and Electronic Documents Act (PIPEDA).
While it was not designed to be a piece of health privacy
legislation, it will apply at least in part to health care. In
addition to changing practice patterns, it may take away physicians'
personal rights to privacy. The only way to avoid this would be for
the province to pass superceding health information privacy
legislation.
PIPEDA is one of the remnants of the dot
com boom at the turn of the millennium. PIPEDA was designed to
protect personal privacy in a digital world. When the dot com bubble
burst, a great many of these new companies went spectacularly
bankrupt. Creditors lined up to recoup their losses and found out
that, for all the bills the dot coms ran up, they had precious
little in the way of tangible assets. One exception was the
information they had collected, on customers, clients, and even
surfers passing digitally by. Some of this information was
incredibly detailed and surprisingly personal; the thought that
information would be sold as a commodity to pay off debts had not
occurred to the early adopters of the New Economy. The general
public found that there were no regulations to stop these insolvent
companies from selling any or all of the information the companies
had collected to whomever they wished.
The public was outraged and that outrage
was channeled by the federal government into PIPEDA. The act was
intended to regulate how the private sector handled personal
information, to prevent information being collected and sold against
the person's wishes. In a speech given by the Privacy Commissioner
of Canada on May 7, 2003, Mr. George Radwanski summed up PIPEDA's
regulations as follows:
- "Apart from a few
limited exceptions, no organization can collect, use, or
disclose personal information about an individual without that
individual's consent.
- The only purpose to
which such information can be put is the purpose for which the
consent was given.
- Even with consent, an
organization may collect, use or disclose personal information
only for purposes that a reasonable person would consider are
appropriate in the circumstances.
- Everyone has the right
to see what personal information an organization has about them,
and to correct any inaccuracies.
- There is independent
oversight — that's me and my office — to ensure that the law
is respected.
- And there is redress if
people's rights are violated."
There was one elemental flaw that PIPEDA
inherited from the documents on which it was based; it did not
differentiate large institutions from small organizations, or even
single-person business situations. As a physician, especially if you
are a fee-for-service physician, you will probably find that PIPEDA
applies to you (the position of salaried physicians is less sure).
The impact of PIPEDA is still largely to be
determined. Until the privacy commissioner rules on how the act
applies to physicians, much of the opinion on how PIPEDA applies is
speculation. In one area, though, the privacy commissioner has
already made his views clear — physicians covered by this act are
commercial organizations and do not inherently have the same right
to privacy that a person does. Therefore, information regarding you
as a physician can be collected, bought, and sold without your
knowledge or consent. A company called IMS
Health Canada is already in the business of doing just that.
In future articles we will examine how the
regulations of PIPEDA will change the way physicians in this
province practice medicine, look at the IMS Health Canada case in
more detail, and discuss how a properly worded health information
privacy act could avoid many of the problems PIPEDA poses.
Dr. Gerard Farrell is a member of the
NLMA Board of Directors and chairs the NLMA's Health ICT Policy
Committee. This article is the first in a series by Dr. Farrell
addressing the privacy and security of health information. The NLMA
is finalizing a policy on health information and is implementing a
strategy to address concerns resulting from PIPEDA.
|
