Information & Ethics Committee on Dec. 13th, 2006

Agreed.

Thank you very much.

The Canadian Medical Association, CMA, is pleased to be here today to participate in your review of the Personal Information Protection and Electronic Documents Act, or PIPEDA. The CMA has had a long-standing interest in privacy-related matters, including enhancing measures to protect and promote the privacy of health information. We welcome the opportunity to share our policies and thoughts on these vital matters.

As a pediatric oncologist from Winnipeg and chair of the CMA's committee on ethics, I come here today with one bottom line. Physicians have always taken, and continue to take, their patients' privacy very seriously. This is the cornerstone of the special bond between patients and their doctor and has been thus since the time of Hippocrates. In recognition of the importance of privacy, the CMA has produced such documents as the CMA code of ethics and the CMA health information privacy code to guide our more than 64,000 members across the country. These documents existed before the federal government introduced PIPEDA. We speak to you today out of our concern for protecting and ensuring the privacy of medical information.

We would like to raise three specific issues. The first is recognition in law of the unique nature of health care, the second is physician information as work product, and the third is emerging privacy and health information issues.

To the first point, recognition in law of the unique nature of health care, I would like to highlight the importance of recognizing in law the special circumstances of protecting health information. In fact, when PIPEDA was first being debated, CMA posed questions about the scope of the act and was told the legislation, originally designed for commerce and the private sector, would not capture health information. We were also told that even if it did, PIPEDA wouldn't change how we practised medicine.

The passing of PIPEDA generated enough concern and uncertainty that government agreed to delay its application to health for three years. For example, PIPEDA failed to clarify the issue of implied consent for the sharing of patient information among health professionals providing care. For example, when the family physician says to a patient they're going to be sent to see an oncologist to run some tests and the patient agrees and follows that course of action, then clearly there is consent to the sharing of their health information with others. As an oncologist, I assume there is consent to send the test results to other specialists I may need to consult to advance the patient's care in a timely fashion. This, however, needed to be addressed before PIPEDA was applied to health care.

The delayed application allowed the federal government and the health care community to work together and develop a set of guidelines to apply PIPEDA. The resulting PIPEDA awareness-raising tools, known as PARTs, contain a series of questions and answers that make up guidelines for health care providers. They answered many of our concerns, provided necessary definitions, and allowed for the implied consent model to continue to be used within the circle of care. The CMA applauds the government for this collaborative effort. The results and guidelines have been used by health care providers ever since.

However, we remain concerned that the PARTs guidelines have no legal status. This limitation creates a degree of uncertainty that the CMA would like this legislative review to see addressed by ensuring the PARTs series of questions and answers are referenced in PIPEDA. In addition to participating in the PARTs initiative since PIPEDA's implementation, the CMA has designed practical tools for physicians and patients. We've adopted the CMA policy, “Principles Concerning Physician Information”, to address the importance of protecting the privacy of physician information. We've produced Privacy in Practice: A Handbook for Canadian Physicians to help physicians maintain best practices in the protection of patient health information. Finally, CMA PrivacyWizard™ was created to help physicians record their current privacy practices, communicate these to patients, and identify possible areas for enhancement.

The second issue I'd like to address is physician practice information as “work product”. I referred earlier to CMA's policy document on physician information. The CMA strongly believes physicians have legitimate privacy concerns about the use by third parties of information such as prescribing and other practice data for commercial purposes. Currently deemed “work product”, this information can be collected, used, and disclosed without consent.

We feel that PIPEDA inadequately protects this information. We recognize that it is information generated out of the patient-physician relationship. We disagreed with findings of the previous Privacy Commissioner that physician prescribing information is not subject to PIPEDA's privacy protection provisions for personal information. The CMA has consistently advocated that physician prescribing data and other practice information is personal information, and appeared as an intervenor in a Federal Court review of this issue that was ultimately settled by the main parties.

As well, insufficient regard for the privacy of prescribing and other physician data could have a negative impact on the sanctity of the physician-patient relationship. Patients confide highly sensitive information to physicians with the expectation that this information will be kept in the strictest confidence. This expectation exists because they know that physicians are under ethical and regulatory dictates to safeguard their information and that physicians take these responsibilities very seriously. The perceived and indeed actual loss of control by physicians over information created in the patient encounter, such as prescribing data, could undermine the confidence and faith of our patients that we are able to safeguard their health information.

This concern is not hypothetical. For physicians, so-called work product information also encompasses such practice patterns as discharge rates, referral rates, billing patterns, hospital lengths of stay, complaints, peer review results, mortality, and readmittance rates.

With the advent of electronic medical records and growth in pay-for-performance and outcome-based incentive programs for physicians, there is an enormous potential for the resulting physician performance data or work product to be mined by other parties and used to influence performance review—traditionally the purview of the medical licensing authorities—as well as decisions around treatment funding and system planning.

The lack of transparency in the sale and compilation of physicians' prescribing and other performance data means that physicians might find themselves to be the unwitting subjects and targets of marketing research. We believe practice decisions must be made in the best interests of patients, not the bottom-line interests of business and marketers.

CMA therefore recommends a legislative change to include physician information as personal information under PIPEDA. Legislation in Quebec provides an example that is consistent with CMA's approach, since it requires regulatory oversight and gives individuals the right to opt out of the collection, use, and disclosure of professional information.

Finally, I would like to address emerging privacy and health information issues. With budgetary and demographic pressures, our health care system is under strain. Physicians are striving to deliver timely quality care to patients, often with competing and multiple demands. Physicians are therefore seeking assurances from lawmakers that any amendments to PIPEDA will take into account the potential impact on them and their patients.

Therefore, we seek assurances that, one, health care is recognized as unique when it comes to the disclosure of personal information before the transfer of a business, such as one physician transferring his or her practice to another. This is already regulated at the provincial level through the appropriate licensing bodies. As a general rule, physicians must give notice to the public, whether via a newspaper ad or a notice in the office, about the change in practice.

Secondly, we would like the federal government to consider the impact of the transborder flow of personal information on telehealth and electronic health record activities. Communications between patients and physicians via electronic means are likely to increase and to move across geographic boundaries with increasing frequency.

Finally, we would like the federal government to study the issue of international cross-border data flows, particularly among Canadian researchers who receive funding from U.S. drug companies. These arrangements should be governed by Canadian law, PIPEDA, not American, such as HIPAA or the U.S. Patriot Act.

In closing, the privacy protection of personal health information is a responsibility that my colleagues and I do not take lightly. It is a key pillar of our relationship with Canadians. They not only expect it, they deserve it.

I look forward to taking questions from committee members.

Thank you.

Thank you very much, Mr. Chair.

Good afternoon, ladies and gentlemen.

Thank you for inviting the Canadian Dental Association to speak to you today during the statutory review of the Personal Information Protection and Electronic Documents Act, which we commonly refer to as PIPEDA.

I am the CDA's president, Dr. Wayne Halstrom. CDA represents over 18,000 dentists across Canada. It has as its mission to act as the national voice for dentistry, dedicated to the advancement and leadership of a unified profession and to the promotion of optimal oral health as an essential component of general health.

We welcome the opportunity to make our views known today because we have consistently engaged with the federal government on the issue of privacy of personal health information. We were active participants in the parliamentary debates that led to the passing of PIPEDA in the year 2000. We responded to the Canada Gazette consultations and appeared as witnesses before committees of both chambers of Parliament as PIPEDA made its way through the parliamentary process.

CDA has always been an advocate for legislation that protects our patients' personal health information from abuse and misuse in circumstances when it is released from the dentist-patient relationship. We do not support federal privacy legislation that creates an additional administrative burden for dentists. Dentists work within a provincial legislative framework that requires us to protect the privacy of patient information. CDA knows that dentists have an outstanding record when it comes to privacy protection and that there is no need to alter our current best practices.

Throughout the fall of 2003, there was a great amount of confusion and uncertainty about how PIPEDA would apply to dentistry and to our practices. We recognized that dentists were being inundated with multiple interpretations of what their obligations would be under PIPEDA. We called upon the Minister of Industry and his industry department to develop implementation guidelines for the application of PIPEDA, with consultative input from our association and others in the health sector. The federal government did not respond with guidelines entrenched in law for the health sector, but they did respond to the concerns of the CDA and others in the health care sector. They understood the need to create a process that would allow the health community to have its concerns addressed by the federal government and put an end to the uncertainty and misinformation.

We at the CDA appreciated the federal government's initiative to produce information that would help our members understand their obligations under PIPEDA versus simply obtaining another legal opinion on how PIPEDA would apply to dentists. CDA was an integral member of the working group that met regularly with officials from the Privacy Commissioner's office, Justice Canada, Health Canada, and Industry Canada to create the PIPEDA awareness-raising tools, as we've heard, the PARTs initiative for the health sector. This process created the final content for the federal government's interpretation of PIPEDA, a series of straightforward questions and answers that add clarity to the requirements around obtaining consent, disclosing personal health information to private insurance companies, office safeguards, and requests to change information on a dental record, to name but a few.

Perhaps the greatest accomplishment of the PARTs initiative during the fall of 2003 was to clarify the federal government position on knowledge and consent. The PARTs initiative concluded that under PIPEDA, the patient's knowledge of the collection, use, and disclosure of his or her personal health information is required. A patient must be made aware of his or her privacy rights through methods such as the posting of notices and discussions in the normal course of exchanges that take place between a patient and a dentist. CDA is pleased that through the question and answer initiative the federal government provided this interpretation of implied consent that does not place an increased administrative burden on dentists.

We created a poster that assisted members in informing patients about their privacy rights. We have provided the committee with both our poster and the PARTs initiative series of questions and answers, but we remain concerned that the good work of the PARTs initiative has no legal status. Although the questions and answers clearly dealt with the concerns of the oral health sector, we know that multiple interpretations of PIPEDA remain, and an increasing paperwork and administrative burden is still required by some health care providers because the questions and answers have no formal legal status.

It is our recommendation to your committee that the PARTs initiative series of questions and answers be referenced in PIPEDA.

To conclude, Mr. Chairman, we know that PIPEDA aims to provide assurances to the public, our patients, that their personal health information will continue to be managed and shared confidentially and securely.

At the CDA, one of our key result areas is to make a recognizable contribution to improving the oral health of Canadians. In order for us to deliver optimum care and improve the oral health of Canadians, our patients must feel comfortable that their personal health information will not be misused in circumstances when it is released from the dentist-patient relationship.

Privacy is a right, underpinning health care in Canada. This right is addressed in legislation, codes of ethics, standards, and procedures. We are comfortable with the outcomes of the PARTs initiative and we now are asking your committee to formally entrench the work of the PARTs Initiative in PIPEDA.

I and my colleague, Mr. Andrew Jones, CDA's director of corporate and government relations, are happy to answer any questions you may have.

Thank you very much.

Thank you very much. We'll see how we do. Perhaps there should be a prize for the one who gets closest to ten minutes.

Good afternoon. The Canadian Pharmacists Association, or CPhA, welcomes this opportunity to present to you today during your review of PIPEDA. My name is Jeff Poston, and I'm the executive director of CPhA.

For those of you who are unfamiliar with our organization, the Canadian Pharmacists Association is the national voluntary organization of pharmacists, committed to providing leadership for the profession of pharmacy and improving the health of Canadians. Our members include pharmacists in all areas of practice: community pharmacies, hospitals, universities, governments, and industry.

We know that pharmaceuticals are a vital part of the Canadian health care system. Retail spending on drugs is forecast at just over $25 billion this year, or 17% of total health care spending. However, there's a recognized need to improve both the safety and outcomes of drug therapy. Pharmacists' scope of practice is changing so that they can better help their patients achieve optimal outcomes from drug therapy.

We would like to state the pharmacy profession's strong commitment to the protection of patient confidentiality and privacy. This is evidenced from our professional code of ethics, legal provincial standards of practice, and CPhA's own privacy code for pharmacists. Pharmacists have demonstrated their capacity to achieve this, using technology such as electronic patient files and the online transfer of prescriptions for payment to public and private drug plans for over 15 years.

Every day across Canada, pharmacists dispense over one million prescriptions. Many of these are for patients with mental illness, HIV/AIDS, infections, and serious illness—health information that is entrusted to us and kept confidential by us. Pharmacists strongly believe that Canadians' right to privacy protection of health information is fundamental.

At the time PIPEDA was drafted, we had three primary concerns. First, it did not make a distinction between the therapeutic purposes for which personal health information is used, even when it's paid for through private plans, and the commercial purposes for which personal information resulting from commercial transactions is normally used.

We were also concerned that it created two levels of privacy protection rights for Canadians, one for people covered by public drug plans paid for by provincial governments and one for those covered by private plans. Also, the impact on the health care system of the proposed changes was unanticipated. What the impact would be on patients' and providers' time, and the ensuing financial burden, was unknown.

We originally proposed amending the legislation so that it would not apply to the health care sector for a period of five years, to allow for the development of specific health privacy protection legislation by the provinces. After this five-year period, we proposed that the act would apply to the health care sector if provincial health privacy legislation were not in place.

Before PIPEDA came into effect, there were major concerns that PIPEDA could impede care. There was a lot of confusion about what it meant for everyday practice. Because of the pre-PIPEDA work done by the privacy working group of health provider and consumer associations, including all the groups before you today, the development by CPhA of the pharmacist's personal information privacy code, and the overriding provincial privacy legislation, PIPEDA has not had the negative effect on pharmacy practice that we first anticipated. However, there are three specific areas of concern that CPhA would like to raise during the review of the act.

First of all, the PIPEDA awareness-raising tools initiatives, or PARTs, was particularly important in interpreting the effect of PIPEDA on the health care sector and clarifying when the legislation was applicable. CPhA's development of the pharmacists' privacy code and other practice tools, such as guidelines, brochures, and posters, helped pharmacists prepare for PIPEDA.

The questions and answers of the PARTs initiative have served as the primary guideline for how this legislation affects the provision of health care. CPhA, like our colleagues here today, is concerned that PARTs still does not have legal standing. These guidelines are fundamental to the application of PIPEDA in the health sector.

CPhA would like to see the PARTs guidelines specifically referenced in the act so that they have official legal status. In particular, the principle of implied consent in the direct care and treatment of a patient, as defined in a circle of care, needs to be recognized under PIPEDA. This is recognized as a core concept in the pan-Canadian health information privacy and confidentiality framework.

There are a number of privacy issues that arise when patient information is being used for research purposes. Health information for research is produced and created by all sorts of health care professionals, and we have to allow appropriate exchange and use of such information. This data is particularly useful in helping to assure the appropriate use of health care services to measure outcomes and develop health policy. We believe health information data should not identify individual patients and should not be used for purposes outside of appropriate statistical scholarly study or health care research.

We support the appropriate collection, exchange, and use of health information, including prescribing data, for health care research. Specifically with respect to pharmaceuticals, this data could be used to support optimal prescribing and utilization. This is for quality assurance purposes, and it needs to occur within a peer-reviewed process. However, we do have concerns that sometimes this information is used inappropriately.

We must look to a future with electronic prescribing and electronic health records. Having patients' health information directly at the point of care will enable the appropriate health care provider to make better, more informed decisions concerning patient care. These electronic information systems will enhance patient health outcomes and safety and will maximize the efficient use of health care resources. In an e-health environment, pharmacists will need to read and write to the EHR in order to communicate and work collaboratively with other providers and make better-informed patient care decisions.

We have collaborated with the Canadian Association of Chain Drug Stores and the Canadian Society of Hospital Pharmacists to develop principles and elements to guide the development and use of these electronic drug information systems. One of the key principles is that health information systems, including pharmacy information networks, must employ rigorous, stringent security measures and comply with privacy legislation to protect the confidentiality of patient information, while not constraining the ability of health care providers to access information and to practise in a patient-focused and efficient manner.

The PARTs guidelines play an important role in clarifying PIPEDA for the health care sector. This will be even more significant in the future with the evolution of electronic patient records. It is important that the current interpretation of the legislation as it applies to health care is also extended to the future electronic transmission of health information. The pan-Canadian health information privacy and confidentiality framework is an important step to supporting such developments.

In conclusion, the protection of personal health information has and always will continue to be of paramount importance to pharmacists. The relationship of trust between patients and pharmacists is fundamental to the delivery of care.

Thank you again for the opportunity to allow CPhA to participate in this review of PIPEDA. I'd be pleased to answer any questions you might have.

I don't think we've had much difficulty. About four pharmacy issues have gone before the federal Privacy Commissioner, which is a relatively small number when we see about a million prescriptions filled daily. I think at the beginning there was a lot of concern, but the PARTs guidelines, particularly the concept of implied consent within the circle of care, have helped with implementation.

Most pharmacies have a system of consent by notice. They either have a notice posted in the pharmacy about how information is used or they give the patient a brochure or leaflet. We've really seen no major problems.

In the context of dentistry, most of the challenges were in the time period of the fall of 2003, before the legislation came fully into effect in the health care sector, when there were multiple interpretations and a great amount of confusion in the system. As was mentioned, our members were being inundated with seminars on how to prepare for the implementation of the legislation. Some of our colleges went to great lengths to inform their members about how to best deal with the legislation.

Through this time period, we worked on the PARTs initiatives, especially to get the interpretation of implied consent into action, which calmed down the burden on the membership.

Beyond that, I would say that there has been some increased burden on individual offices, with respect to creating a privacy code, and an increased day-to-day burden on the practice of dentistry, when in fact the dentist-patient relationship was always enshrined in this protection of privacy.

So there certainly have been some consequences, but the PARTs initiative helped to ease things early in 2004.

My comments would be quite similar, in that as I said, physicians had already been protecting patient privacy as part of their ethical and professional obligations in the day-to-day interaction between physicians and patients. But there was the added impetus with PIPEDA to have written policies and notices to inform patients about their office privacy practices.

This is not a bad thing, but it is done in an already time-pressed environment. But where we found some assistance for this was in the PARTs guidelines for health care providers. These guidelines outlined in greater detail exactly what the obligations of health professionals were under PIPEDA, while also acknowledging the priority assistance and protection offered by the physicians' codes of ethics and regulatory obligations. This is part of our rationale and reasoning for wanting to have the PARTs guidelines also recognized in the legislation, because that eased the burden.

One of the great concerns we have is administrative burden in general, and you're absolutely correct that there are a number of laws that affect us—certainly the ethical and regulatory things that apply from province to province, sometimes not necessarily consistently.

So it is an ongoing burden that makes us very interested and anxious to make sure that as little administrative burden as imaginable comes with these kinds of proposals.