MEDICAL PRIVACY OR HEALTH PRIVACY: RESPONSIBILITIES OF HEALTHCARE PROVIDERS
Subsection 8(1) of the Privacy Act prohibits institutions from disclosing ‘personal information’ without consent. However, subsection 8(2) of the Privacy Act contains a number of exceptions to this prohibition. One such exception is contained in paragraph 8(2)(a) of the Privacy Act which stipulates that personal information may be disclosed for the purpose for which the information was obtained or for an use consistent with that purpose.”
CONCEPT OF ‘CONSISTENT USE’
The concept of “consistent use” is critical because it provides the key which allows an institution to use and disclose personal information for indiscriminate purposes without consent. In Bernard v. A.G. of Canada, 2012 FCA 92 , the Federal Court of Appeal cited the following definition of consistent use in the Treasury Board’s Policy of Privacy Protection:
Consistent use means that the contemplated new use has a reasonable and direct connection to the original purpose(s) for which the information was obtained or compiled in the first place. This means that the original purpose and the proposed purpose are so closely related that the individual would expect that the information would be used for the consistent purpose, even if the use is not spelled out. [Our emphasis]
In August 2016, the Canadian Forces Surgeon General confirmed to us in writing that:
“Current legislation and written policies provide us with the adequate authority and mechanism to transmit health information to the Directorate of Military Careers Administration [DMCA] including when consent is not provided. . . . CFHS staff members are working with DMCA to ensure clarity of understanding in how medical information is managed between the two organizations. This includes how DMCA requests information and how we provide it to them, the minimal information they require to ensure relevant career-decision-making, and ensuring that pertinent medical information is shared only with those who are authorized and have a need to know.”
This modus operandi was confirmed during the course of a recent administrative review procedure undertaken by DMCA. Included in the Synopsis prepared for disclosure to the member, the following passage confirmed that DMCA staff has access to the healthcare information of soldiers without their prior knowledge or consent.
Regarding Medical and personal Health Care information, where medical records and related documents are held by CAF Health Services, they will be disclosed to DMCA by CAF Health Services pursuant to Information Bank Number DND PPE 810, which provides that medical records held by the CAF may be disclosed, without the member’s consent, directly to DMCA under ‘consistent use’ where the medical information serves as a reference sources for career administration decision.
PRIVACY OF MEDICAL RECORDS REQUIRED TO ESTABLISH AND PRESERVE TRUST IN THE PHYSICIAN-PATIENT RELATIONSHIP
Patients give information to their physicians in a unique and privileged context where they have the most utmost faith that their physicians and the ‘circle of care’ will maintain their privacy and confidentiality. We find it disconcerting that the disclosure of healthcare information has been authorized to persons outside a CF member’s ‘circle of care’ without the ‘informed’ consent of members. This may very well be contrary to the purported intent of paragraph 8(2)(a) of the Privacy Act at be at odds with the various professional codes of practice as well with provincial legislation such as the Ontario’s Personal Health Information Protection Act [PHIPA].
See article 31 of the Code of Ethics of the Canadian Medical Association [CMA] which obliges physicians to protect the personal health information of their patients as well as CMA principles (see below)for the protection of patients’ personal health information at link:
ONE. Privacy, confidentiality and trust are cornerstones of the patient-doctor relationship. Health information is highly sensitive and is confided or collected under circumstances of vulnerability and trust. Trust plays a central role in the provision of health care and treatment; fulfilment of physicians’ fiduciary obligations enables open and honest communications and fosters patients’ willingness to share personal health information
TWO. Patients have a general right to control the use and further disclosure of their personal health information , and a right of reasonable access to the information contained in their medical record. the personal health information contained in the medical record belongs to the patient; patients retain an interest in what subsequently happens to it
SEVEN. The patient’s express consent is generally required to disclose any part of all of the patient’s personal health information in response to a third-party request that is not directly related to the patient’s health care or treatment. Patient consent is a fundamental concept in the provision of medical care.
EIGHT. The use or disclosure of patient information within the “circle of care” should be done solely on a need-to-know basis. This principle limits the sharing of health information with members of the health care team to only that information that is necessary for each team member, in accordance with their specific training, skills, responsibilities and terms of employment or other engagement, to provide the patient with direct health care and treatment.