What Personal Health Information Can Businesses Collect?
Written by Carolee Changfoot

As COVID starts to plateau in Canada and restrictions lift, I reflect on the last two years and the role health innovation has played in our lives. We have had several medical innovations such as mRNA vaccinations, new COVID treatment medications, and the rise of telehealth.[1] Health and Fitness Apps saw a 47% increase in adoption as COVID spread globally in 2020.[2] Additionally, funding for digital health start-ups hit a record-breaking $57.2 billion last year, a 79% increase from 2020.[3]

COVID highlighted just how important our health is. Many businesses seem to recognize this as the global mobile health app market is expected to grow 11.8% from 2022 to 2030.[4] With more businesses expecting to work with health data, it is important for businesses to understand their expectations around collecting and protecting personal information. This blog post is not legal advice but describes some of the requirements private businesses face when collecting personal information.

National Requirements

The Personal Information Protection and Electronic Documents Act (PIPEDA) establishes national limits on the collection of personal information.[5] PIPEDA applies to every organization that collects, uses or discloses personal information in the course of commercial activities.[6] PIPEDA defines “personal information” as information about an identifiable individual.[7] Medical records are considered sensitive information.[8]

Organizations must identify the purpose for which the information is to be used at or before the time the information is collected.[9] The purpose must be specified at or before the time of collection to the individual whose information is being collected.[10] Organizations must make a reasonable effort to ensure that the individual understands the purpose for which their information is to be used.[11]

The knowledge and consent of the individual whose personal information is collected is required for the collection, use or disclosure of personal information.[12] Consent with regard to sensitive information, like medical information, must be expressly given.[13] If the business changes how it plans to use the personal information, that business must communicate the new purpose to the individuals whose personal information has been collected and must obtain their express consent before their information can be used for the new purpose.[14] Further, an individual may withdraw consent at any time, subject to legal or contractual restrictions and reasonable notice.[15] The organization shall inform the individual of the implications of such withdrawal.[16]

Provincial Requirements

In addition to PIPEDA, the provinces have established additional requirements through provincial legislation.

The collection, use, and disclosure of private information in Alberta is governed by Alberta’s Personal Information Protection Act (AB PIPA) and Alberta’s Health Information Act (HIA).[17] AB PIPA defines “personal information” as identifiable information.[18] The collection, use, and disclosure of personal information requires the consent of the individual whose information is being collected, used and disclosed.[19] Personal information can only be collected for purposes that are reasonable.[20] The purpose must be communicated to the individual whose information is collected at or before the time the information is collected.[21]

It is relevant to note that only organizations classified as “custodians” under the Health Information Act and the regulations made under it are authorized to collect an individual’s personal health number.[22] The definition of custodian does not include a private business or organization.[23]

Footnotes:

[1] COVID Drugs; COVID Vaccines; Rise of Telehealth
[2] Fitness App Growth Q2 2020
[3] 2020 Fitness Health Funding
[4] mHealth App Market Growth Expectations
[5] Privacy Commissioner of Canada, PIPEDA in Brief
[6] S. 4, Personal Information Protection and Electronic Documents Act
[7] S. 2, Personal Information Protection and Electronic Documents Act
[8] Schedule 1 - S. 4.2.3, Personal Information Protection and Electronic Documents Act
[9] Schedule 1 - S. 4.2, Personal Information Protection and Electronic Documents Act
[10] Schedule 1 - S. 4.2.3, Personal Information Protection and Electronic Documents Act
[11] Schedule 1 - S. 4.3.2, Personal Information Protection and Electronic Documents Act
[12] Schedule 1 - S. 4.3, Personal Information Protection and Electronic Documents Act
[13] Schedule 1 - S. 4.3.6, Personal Information Protection and Electronic Documents Act
[14] Schedule 1 - S. 4.2.4, Personal Information Protection and Electronic Documents Act
[15] Schedule 1 - S. 4.3.8, Personal Information Protection and Electronic Documents Act
[16] Schedule 1 - S. 4.3.8, Personal Information Protection and Electronic Documents Act
[17] S. 2, Health Information Act
[18] S. 1, Alberta Privacy Information Protection Act
[19] S. 7(1), Alberta Privacy Information Protection Act
[20] S. 11, Alberta Privacy Information Protection Act
[21] S. 13, Alberta Privacy Information Protection Act
[22] S. 21(1), Health Information Act
[23] S. 1(1)(f), Health Information Act

BVC Blogs: Blog posts are by students at the Business Venture Clinic. Student bios appear under each post.