Bill C-311
SCHEDULE
1. Constraints on Purposes and Limitation on Collection,
Use, Disclosure and Access
1.1 Provided that the principles contained in this Schedule are
complied with, and that the principles related to patient
consent are applied, health information may be collected,
used, disclosed or accessed for the following purposes:
(i) primary therapeutic purposes, that relate to
the initial reason for a patient seeking or receiving care
in the therapeutic context and other needs or problems
that are diagnosed in relation thereto, and which pertain
to the delivery of health care to a particular patient with
respect to the presenting health needs or problems and
encompasses consultation with and referral to other
providers on a need-to-know basis, or
(ii) primary longitudinal purposes, which
concerns developing composite health information
about a particular patient, such as a detailed medical
history, beyond a direct application to the presenting
health needs or problems, in order to enhance ongoing
general health care to that person;
(i) secondary legislated purposes, which is to
health information collection, use, disclosure or access
required or permitted by or pursuant to an Act of
Parliament or the legislature of a province, or
(ii) secondary non-legislated purposes, which
are any other purposes, such as education or research,
not regulated by or pursuant to an Act of Parliament or
the legislature of a province, that meet the provisions of
this Act and the requirements of this Schedule.
1.2 Health information collection, use, disclosure or access for
primary therapeutic and longitudinal purposes may be as
extensive as necessary to fulfil such purposes.
1.3 Health information collection, use, disclosure or access for
secondary purposes shall be as restricted as possible and as
necessary to protect the patient's right of privacy in the
therapeutic context.
1.4 Health information collection, use, disclosure or access
without patient consent shall only occur when
1.5 Every existing or proposed secondary purpose for health
information collection, use, disclosure or access, including
health information systems or networks, shall be subjected
to a patient privacy impact analysis initiated by the health
information custodian, and at their expense.
1.6 No existing or proposed secondary purpose shall continue
or commence after the day that is one year after the coming
into force of this Act unless the Commissioner has stated in
writing that it has been demonstrated to the satisfaction of
the Commissioner that a patient privacy impact analysis
has been conducted, the analysis covered the requirements
of section 1.7, the results have been provided to the
Commissioner and show that the use will conform with
section 1.7.
1.7 In respect of a secondary purpose,
1.8 Before a health information custodian uses health
information in its custody for secondary non-legislated
purposes, or before it releases or makes health information
accessible to an external third party for secondary
non-legislated purposes, it must demonstrate or require the
third party to demonstrate that the provisions of section 1.6
of this Schedule have been complied with.
1.9 Health information shall not be collected by means that are
unlawful, unfair or exploit the patient's vulnerability, nor
shall any of the patient's beliefs or potentially false
expectations about subsequent collection, use, disclosure
or access be exploited.
1.10 Health information shall be retained only as long as it is
necessary to fulfil authorized purposes and once the
authorized purposes are fulfilled it shall be securely
destroyed, unless some issue or decision related to the
patient and pertinent to the patient's health information is
pending.
2. Knowledge and Specification of Purpose, Collection,
Use, Disclosure and Access
2.1 Knowledge must be provided to patients to ensure that
before they confide health information or permit health
information to be collected, they actually understand what
can or will subsequently happen with the information,
particularly with respect to uses without any further
specific consent being requested.
2.2 Every health information custodian must establish and
maintain a system of documentation that lists all purposes
for which the custodian uses or discloses the health
information it collects, including to whom it permits
access, to what information is access given, in what format
it is provided, whether the patient's consent is required and
which provides adequate safeguards to ensure compliance
with this Act.
2.3 Every provider must recognize that, within a therapeutic
context, health information is confided or provided by
patients in the knowledge or with the belief that the
confiding or providing is necessary to achieve therapeutic
purposes and therefore patients must be explicitly informed
about any other purposes.
2.4 No person shall use health information for a purpose not
identified to the patient at or before the time it is confided
or collected, unless the patient's consent is subsequently
sought and obtained before it is used for any previously
unidentified purpose.
2.5 Every patient must either have or be provided by
reasonable means with knowledge about what can or will
happen with their health information. The degree of detail
or specificity of this knowledge is what a reasonable person
would presume to be germane to the decision of the patient
in the circumstances of the patient.
2.6 Unless a particular patient has given indication to the
contrary, the conveyance of generic information is a
reasonable means of providing knowledge. When the
preferences of a particular patient for being informed are
known or can be reasonably inferred given his or her
circumstances, the provision of knowledge should as much
as possible be adapted to these preferences.
3. Consent
3.1 Subject to section 1.4 of this Schedule, the patient's consent
is required for health information collection, use,
disclosure or access for any purpose.
3.2 For the purposes of this Act, consent for health information
collection, use, disclosure or access in emergency
situations is deemed to have been given to the extent
necessary to allay the emergency as consistent with legal
principles governing emergency medical care. The
protection accorded this information shall be consistent
with the provisions of this Act.
3.3 Consent to health information collection, use, disclosure
and access for the primary therapeutic purpose may be
inferred. Consent to subsequent collection, use, disclosure
and access on a need-to-know basis by or to other
physicians or providers for this purpose may be inferred, if
there is no evidence that the patient would not have given
express consent to share the information.
3.4 Consent to health information collection, use, disclosure
and access for longitudinal primary purposes must be
express unless the provider has good reason to imply
patient consent.
3.5 For the purposes of this Act, disclosure of health
information to the patient's relatives or significant others is
recognized as assisting in primary purposes. Consent to this
disclosure must be express unless the provider has good
reason to imply patient consent.
3.6 Consent can only be inferred in the case of primary
purposes; collection, use, disclosure or access thus
authorized must be limited either to the known
expectations of a particular patient or to what the
reasonable person in similar circumstances would likely
believe necessary to receive health care.
3.7 Implied consent does not deprive the patient of the right to
refuse consent or the right to challenge the provider's
finding of implied consent.
3.8 Patient consent for secondary non-legislated purposes shall
be express, voluntary and fully informed.
3.9 Where express consent is required, patients must be
informed of their right to refuse consent.
3.10 Patient care shall not be deliberately compromised as a
consequence of the patient's refusal to provide express
consent, nor shall any fear that the patient might have that
this could occur be exploited.
3.11 Consent must not be obtained by coercion, deception or
manipulation. Failure to inform the patient by reasonable
means of relevant information pertinent to the consent
invalidates the consent.
3.12 All health information is sensitive and should be treated as
such. The more sensitive the health information is likely to
be, in light of the circumstances or preferences of the
patient, the more important it is to ensure that consent is
voluntary and informed.
4. Individual Access
4.1 The patient is entitled to know about and, subject to 4.5 of
this Schedule, to have access to any information about
himself or herself under the custody of the health
information custodian.
4.2 Patients must be informed that they have the right to access
their health information, to read it and to have copies of it.
4.3 Patients who wish to access their health information must
be given the opportunity to do so and receive any
explanation they need from a health professional who is
knowledgeable about this information and capable of
interpreting it for the patient.
4.4 Patients must be able to receive copies of their health
information at a reasonable cost that does not exceed the
cost of providing the information.
4.5 A provider may withhold health information from a patient
if the provider has made a written record of a determination
that there is a significant likelihood of a substantial adverse
effect on the physical, mental or emotional health of that
particular patient or substantial harm to a third party, and
the onus is on the provider to justify the withholding.
4.6 Patients are entitled to know who has gained access to their
health information and for what purposes.
5. Accurate Recording of Information
5.1 Health information shall be recorded as accurately as
possible, and shall be as complete and current as necessary
for authorized purposes.
5.2 The recording of statements of fact, clinical judgements
and determinations or assessments shall reflect as nearly as
possible what has been confided by the patient and what
has been ascertained, hypothesized or determined to be true
using professional judgement.
5.3 Patients who have reviewed their health information and
believe it to be inaccurately recorded or false have the right
to suggest amendments and to have their amendments
appended to the health information.
5.4 Whenever possible, health information should be recorded
in a form that allows for authorized secondary purposes
consented to by the patient.
5.5 Standardization of recording requirements relevant to
subsequent secondary purposes shall not impede recording
of information for primary purposes.
6. Security
6.1 Health information, regardless of the information format,
shall be protected by security safeguards to ensure
compliance with the provisions of this Act.
6.2 The development of security safeguards with respect to
levels of access for various users shall recognize the
differences in the sensitivity of health information and
permit access accordingly.
6.3 Security safeguards shall impede as little as possible health
information collection, use, access and disclosure for
primary purposes.
6.4 A health information custodian shall ensure that only
authorized persons are able to collect, use, disclose or
access health information in its control. Persons thus
authorized must have a clear understanding of the
authority, parameters, purposes and responsibilities of their
access, and of the consequences of failing to fulfil their
responsibilities.
6.5 An authorized person's access to health information,
including persons or groups external to the health
information custodian, shall be limited to only the
information needed for the authorized purpose, and be in
the least intrusive format.
6.6 Security safeguards shall be used to prevent unauthorized
health information collection, use, disclosure and access
and must include both physical and human resource
safeguards including locked filing cabinets, restricted
access to certain offices or areas, and the use of passwords,
encryption and lock-boxes, personnel security clearances,
sanctions, training and contractual undertakings.
6.7 A health information custodian must protect health
information in its custody so as to ensure its integrity and
have assurance that the integrity of information received
from other health information custodians has been
similarly safeguarded.
6.8 Security safeguards must include, where appropriate,
corporate identification, authentification procedures,
information integrity and availability safeguards and
assurances that the procedures and undertakings are not
subject to repudiation.
7. Accountability
7.1 Health information custodians are responsible for the
security of health information they collect, use, disclose or
permit access to.
7.2 Health information custodians must ensure that persons,
including administrative and technical support staff,
receive authorization to access health information only as
necessary to fulfil authorized purposes.
7.3 A health information custodian must ensure that anyone
permitted to have access to health information has clearly
defined and understood responsibilities in connection with
health information, agrees to accept those responsibilities,
and is subject to appropriate sanctions for failing to fulfil
the accepted responsibilities.
7.4 Health information custodians must designate a qualified
person responsible and accountable for monitoring and
ensuring internal compliance with this Act. The designated
accountable person must have the autonomy, authority, and
resources necessary to ensure the health information
custodian's adherence to the Act. In the case of small
private practices the practitioner or one of them may be
designated.
7.5 Policies and procedures to ensure compliance with this Act
must consider the special, direct accountability of health
professionals to their patients and protect the high level of
trust vested in health professionals that is essential to secure
initial confiding of health information for therapeutic
purposes.
7.6 Health information custodians must ensure that third
parties privy to health information are bound by this Act or
are bound by equivalent and enforceable provisions.
Provided that this has been determined before health
information is disclosed or made accessible, health
information custodians are not accountable for the actions
of third parties or for what subsequently happens to the
information.
7.7 Although it is the responsibility of the health information
custodian to ensure that patients are appropriately
informed, secondary users whose information
requirements impose a burden upon the health information
custodian are responsible for covering their share of any
related costs or resource requirements, such as preparation
of brochures. Health information custodians may
reasonably require secondary users to cover their own costs
as a condition of making health information available to
them as authorized.
8. Transparency and Openness
8.1 Health information custodians must have transparent,
explicit and open policies, procedures and practices,
tailored to their practice setting, that seek to ensure that
patients are provided with information about what can or
must happen with their health information without their
consent.
8.2 Policies, procedures and practices must be as explicit as
necessary to ensure that patients are aware of any
considerations that could be relevant to deciding what
information they elect to freely confide or consent to be
collected, used, disclosed or accessed. Nothing must be left
implicit that, if made explicit, could reasonably be expected
to alter a patient's decision to freely confide information.
Information about non-consensual collection, use,
disclosure and access must be made explicit.
8.3 Patients must be able to discuss the health information
custodian's policies, procedures and practices concerning
health information with a knowledgeable person and have
specific questions about their own health information
answered in a timely fashion.
8.4 A health information custodian's policies, procedures and
practices must ensure that patients can understand what
may or must happen to their health information, that
consent is sought as required by this Act and that nothing
is left implicit or unknown to patients that if known or made
explicit could reasonably be expected to alter a patient's
decision to freely confide information.
8.5 Patients must be able to challenge the health information
custodian's compliance with the provisions of this Act by
addressing their concerns to an individual designated by
the custodian for the purpose.
8.6 Procedures must be in place to enable and require the health
information custodian to receive and respond to complaints
or inquiries about policies, procedures and practices
relating to health information collection, use, disclosure
and access. The complaint process must be easily
accessible and simple to use.
8.7 Patients who make inquiries or lodge complaints must be
informed of the relevant complaint procedure.
8.8 All complaints must be investigated by the health
information custodian to whom they are directed and if
found to be justified, the custodian must take appropriate
remedial measures such as amending policies, procedures
or practices.
9. Health Information Policies
9.1 Health information custodians must have in place and
implement policies, procedures and practices that give
effect to the principles of this Act.
9.2 Health information policies, procedures and practices must
be adapted to the health care function of the health
information custodian and address and provide for
9.3 The health information custodian's policies must be readily
available to patients and specify the custodian's practices
and procedures.