 This health law primer is about Canadian law and personal health information. The privacy interests that patients have in such information and the obligations you as health care practitioners have to keep it confidential. Here's my info. Feel free to email me if you have follow-up questions. The objectives to this primer are three-fold. Understand the legal rationale behind the duty of confidentiality. Understand the scope of that duty and learn about how new laws in New Brunswick and Nova Scotia define personal health information and how it's to be used by health care providers. Some context to start. Outside health care systems we hear more and more that privacy is dead. With many of us using social media and putting vast amounts of data online, some say we care less and less about our privacy. Even if you buy that, it's hard to say that's happening within the health care context. Massive disclosures of health information like this one from BC are frequently reported in the news, sometimes resulting in lawsuits like this one from Newfoundland. Given the ease of information sharing nowadays, maintaining patient privacy has become an increasingly pressing challenge for health care providers and institutions alike. The importance of patient privacy goes back a long way in law. As early as 1928, the Supreme Court of Canada said in a case called Halls v. Mitchell that information or, quote, secrets imparted by patients to doctors are the secrets of patients, not the other way around. Patients can therefore legitimately expect doctors not to share information pertaining to their health, though there are exceptions when paramount reasons exist override patients' privacy. The rationale for this general rule is straightforward. It's about building trust. It's part of a physician's professional obligations. In other words, the law says MDs owe a duty of confidentiality to their patients. What in practical terms does that principle or duty entail? It can be broken down into several things, specifically access by patients and collection use and disclosure of personal health information by health care providers. Let's start with access, the importance of which has been emphasized by courts and more recently provincial legislatures. The key court case in Canada is called McInerney v. McDonald. Take a minute to read the background facts of this case. Eventually this case went all the way to the Supreme Court of Canada. Along the way, each court said that the patient had a right of access to her complete medical record. It did it for different reasons, but the key point for you to take away is that the Supreme Court of Canada said Ms. McDonald, the patient, had a right of access to her medical file in light of the nature of the relationship she enjoys with her doctor. Dr. McInerney is in a fiduciary position, having power over the patient, so the doctor owes the patient special duties. And as a result, the patient has a continuing right of access to her medical information. The doctor may own the physical copy of her file, but the patient ought to have control over the information contained in that file. In short, physicians are considered the custodians of patients' personal health information, and as custodians, they have a duty to keep that information confidential, while at the same time making it available to the patient upon request. In effect, this principle that McInerney created has been operationalized more recently through various provincial laws pertaining to personal health information. In Nova Scotia, this law is known as FIA, the Personal Health Information Act, whereas in New Brunswick, the law is referred to as FIPPA, the Personal Health Information Privacy and Access Act. Both provincial laws create a right of access for patients, like the court ruled in McInerney, and set out specific timelines and other details that physicians have to respond within to those requests, a procedure to follow, if you like. So if you receive such a request and you're not sure how it works, the statutes in Nova Scotia and New Brunswick gives you some important guidance. Let's move on to the other ways in which the duty of confidentiality that you owe patients works in practice. Apart from patient access, you have you as health care providers will collect, use, and disclose PHI Personal Health Information every day. The law has something to say about how that should happen. Here, we need to look at the two provincial laws I mentioned a moment ago, FIA and FIPPA. If you're practicing in Nova Scotia, it's FIA that applies and FIPPA is the law for New Brunswick. Most other provinces have a Personal Health Information law of their own. If they don't, there's a federal law that kicks in. So it's important to be up to speed on the law that applies wherever you're practicing. Covering every province's law is just beyond the scope of this primer, however. Okay, so I'm going to walk you through the Nova Scotia and New Brunswick laws a little. The questions that I'm going to highlight for you will be important ones to ask wherever you are, however. Provincial laws, that is to say statutes passed by legislatures, are a bit like puzzles. I find it useful to develop a bit of a flow chart based on the key questions that you can ask wherever you are. The first and most immediate question to ask is, does the statute even apply to the situation? In both New Brunswick and Nova Scotia, two conditions have to be met for the statute to apply. First, there has to be personal health information, or PHI, involved. And secondly, a custodian has to be involved. They seem like pretty straightforward conditions, but the law sets out in a fair bit of detail what these two things mean. Hit pause and look first at the definitions of PHI in Nova Scotia and New Brunswick. You'll see that they are pretty similar and both quite broad. PHI is identifying information about an individual, whether recorded or not, and it relates to the individual's condition or ability to access health care, such as the name of their substitute decision maker. Similarly, the term custodian captures a wide range of individuals, including regulated health professionals in Nova Scotia and health care providers in New Brunswick. Here's a good illustration of the puzzle-like nature of statutes. To really know whether you, as a resident, for example, are covered, you have to look up the definition of those two key phrases. Indeed, you are, but this is why you have to sort of search the definition within the definition to truly know. Okay, so setting aside those two sort of prior conditions, PHI and custodians have to be involved. What's not covered? What's outside the scope of these two laws? Well, a few different things. Statistical, aggregate, or de-identified health information, personal health information that's pertaining to an individual that's been deceased for a very long time, and a number of organizations that are more removed from the provision of health care are just exempted from these two provincial laws. Okay, putting aside those sort of exemptions, let's get back to that flow chart and assume that the statute applies. Personal health information and a custodian has been involved. The next question you should ask is how does it work? And within that question, there are at least four questions that I think are germane. One, do I need the personal health information? Secondly, you should ask yourself how much do I need to collect, use, or disclose? Thirdly, do I need the patient's consent? And if so, fourthly, what form should that consent take? Turning to the first question, both statutes prohibit, not caution, but prohibit custodians from collecting, using, or disclosing PHI if other information, information that you might already have, for example, would suffice. In many cases, you will obviously need the information we're talking about, but it's important not to lose sight of the starting point. Okay, so assuming you need the information, how much do you need? That's the second practical question. And here, both statutes require you to limit the amount you collect, use, or disclose in light of the purpose you're trying to achieve. This rule of restraint, if you will, expresses the importance of patient's privacy interests. Don't share their information gratuitously. Thirdly, the New Brunswick and Nova Scotia Laws both say whether you need consent from the patient depends on what your purpose in using or disclosing the information in question is. For some uses, such as educating agents like students, or monitoring adverse events within the institution, and for some disclosures, like talking to a patient's substitute decision maker, consent from the patient is not required. If you hit pause and look at the instances where consent isn't required, as listed on this slide, I think you'll understand the basic underlying rationale for them all. For the most part, it's about facilitating individual patient care and enhancing the institution's ability to do so. But let me draw your attention to the last type of disclosure for which consent is not required. That is, disclosing to third parties to avoid harm. This is tied to something called the duty to warn, which is created by a U.S. court in a case known as Teresoff. Hit pause as you turn to the next slide and read the case's background. In the Teresoff case, the court held that the therapist failed in his duty to warn the student. And although it's an American case, a similar rule was created in 1999 in Canada in a case called Smith vs. Jones. Again, take a minute to read the facts of this case. The key for the purposes of this module is that the Supreme Court of Canada created a three-part test for when a duty to warn exists. The risk of harm has to be specific to an identifiable person or group. It has to be a very serious risk, and the risk has to be imminent. To violate your duty of confidentiality to patients, all three of those conditions have to be met. At least that's what was the case before Nova Scotia and New Brunswick passed FIA and FIPA, respectively. In Nova Scotia, a duty to warn now seems to exist as long as the risk is imminent and significant. That is, it doesn't have to be to a specific person or group. In New Brunswick, the duty to warn is even broader, it seems. The harm doesn't have to be imminent. I should stress that neither of these statutory provisions have been tested in court, and some may question whether they go too far, whether they allow for too much of a breach of confidentiality. But for the time being at least, it appears custodians may have a duty to warn a third party or third parties in these circumstances without a patient's consent. Again, so coming back to the practical questions, the flow chart, the fourth and final question about how these confidentiality rules work in practice is if consent is needed, what form should consent take? How is consent obtained? What I'm getting at here in the main is does the consent for collecting, using, or disclosing PHI have to be explicit or implicit? In general terms, as you'll see on this slide, the starting point in each province where explicit consent isn't necessary unless the law, for lack of a better word, explicitly requires explicit consent for a given collection, use, or disclosure of PHI. If it doesn't require explicit consent, then something called knowledgeable implied consent will suffice. I'll explain what that means in a minute, but here are some general circumstances where explicit consent is required under the two provincial laws. Notice that each are removed from the provision of health care. The purposes are different from patient care. Much as they might in the future help that patient care, for example, as a result of research being done that leads to new insights that can improve their care. So I think these being a bit removed from the provision of care to an immediately available patient or patient in need gives rise to a heuristic that you might hold on to for thinking about whether explicit or implicit consent will suffice. If the collection, use, or disclosure is for a non-health related purpose, at least insofar as the individual patient is concerned, then explicit consent is required by the law. If, however, it has a health care purpose, then knowledgeable implied consent is okay. So what does that look like, knowledgeable implied consent? The statute spelled this out in a fair bit of detail, in general, this is about whether it's reasonable to think the patient is knowledgeable. So the laws say, unless you think there are reasons to think they're not knowledgeable, for example, if there's a patient who has minimal English speaking ability, then apart from those kinds of situations, it's okay to assume the patient is knowledgeable and implicitly agrees to the sharing of information amongst health care providers, that is for health care purpose. And each law says that putting up notices that are likely to come to the attention of patients is a way to make it more reasonable to make this kind of assumption, and thus share PHI without explicit consent. Finally, the last thing I'll say about the form of consent is that whether it's explicit or knowledgeable implied consent that you're talking about, consent for the collection, use, and disclosure of PHI always, always, always has to satisfy four criteria. It has to be the information of a person with capacity to make health care decisions for his or herself. It can't be under any kind of threat or coercion. Rather, it has to be a voluntary sharing or consent that's given, rather. It has to pertain to the individual's own personal health information, not someone else's. And it has to be knowledgeable. If you're talking about implied consent, knowledgeable in the way I just talked about, not unreasonable to think it isn't, in other words. Or, if it's explicit consent, you need their fully informed consent. So in summary, the legal rationale for the duty of confidentiality is to protect patients' privacy and in turn promote trust in a medical profession. Under provincial laws like FIA and FIPA, in the two provinces I talked about, PHI is broadly defined to include all personally identifying information relating to an individual's health or health care status. To protect patient privacy, provincial laws contain a principle of restraint. Don't collect, use, disclose PHI unless you need to do so and do it only to the extent necessary. Exceptions exist to the duty of confidentiality, such as health-related uses by members of the care-providing team or in other defined circumstances, such as risk of harm to third parties. Thank you again for your attention. This is not intended to be legal advice, just for educational purposes. I'd like to thank the Health Law Institute for its generous support of the creation of this module.