Written by Barbara Stratton, Q.C., Valerie Prather, Q.C. and Tayler Meagher
In the digital age, privacy is becoming a greater illusion. The COVID-19 outbreak is rapidly reinforcing that illusion of privacy. Although some rights to privacy and confidentiality regarding medical information have been relaxed in response to the COVID crisis, medical professionals must continue to take care to ensure these important rights are protected. This blog examines those obligations in light of the current pandemic.
Mandatory Reporting During Public Health Emergencies
Although Canada's privacy laws generally prohibit individuals from disclosing any health information without patient consent, protecting Albertans' health and safety during a pandemic outweighs any privacy considerations. Alberta's Freedom of Information and Protection of Privacy Act (FOIP Act) permits public bodies, which include provincial government ministries and municipalities, to collect and disclose any individually identifying health information in an emergency. Under the FOIP Act, health care workers must report individuals who have been tested and diagnosed with COVID-19 to the local public health authority.
Unauthorized Access to Health Records Remains Prohibited
During the COVID-19 pandemic, staff may be tempted to access patients' health records. While they may be well intentioned, any unauthorized disclosure of patients' health information is illegal. Accordingly, Alberta's Health Information Act (HIA) applies to health information in the control of health care custodians. These custodians include physicians, registered nurses, pharmacists, nursing homes, ambulance operators, Alberta Health, Alberta Health Services, Covenant Health, and certain other health care professionals.
The HIA authorizes custodians to collect and disclose health information with the patient's consent. However, even without a patient's consent, custodians can disclose individually identifying health information:
- to the federal or provincial government for the purpose of managing a health care system and developing health care policy;
- to a person responsible for continuing treatment and care for the individual;
- to any person if the custodian reasonably believes that the disclosure will avert or minimize an imminent danger to the health or safety of any person;
- to another custodian for the provision of health care services;
- to family members or another individual in a close relationship with the individual so they may be notified that the individual is ill or deceased, providing the disclosure is not contrary to the individual's expressed wishes; and
- to law enforcement officials where a custodian reasonably believes the health information relates to a possible offence, and disclosure will protect Albertans' health and safety.
Health care facilities should educate custodians on the importance of upholding patient privacy in the COVID-19 era, as well as provide up-to-date information about the virus. Individual staff members should not embark on information expeditions for their own self-initiated studies about COVID-19. As an extra precaution, facilities may consider flagging the records of any patients tested or diagnosed with COVID-19 for additional privacy auditing.
Telehealth's popularity has skyrocketed during the COVID-19 outbreak and rightfully so. Telehealth and video consultations can help promote social distancing and keep people out of the already strained health care facilities.
Accordingly, on March 23, 2020, Alberta's Minister of Health updated the province's billing codes and announced that Alberta doctors can now bill the province for a remote visit as if it were an in-person appointment, which will remain in effect until the chief medical officer of health orders otherwise. This release came shortly after the announcement that Alberta is collaborating with Telus to provide a virtual app for Albertans to consult with a group of contracted physicians.
However, these virtual technologies do not come without risks, and protecting individuals' privacy remains paramount. Custodians are encouraged to provide virtual health care services, but they should take the following precautions:
- Confirm with the Privacy Officer that your particular health care organization is authorized to use digital tools.
- Ensure only authorized individuals are present in the room. For example, if physicians are providing telehealth services from their homes, then their family members cannot be present.
- Implement as many privacy protections as reasonably possible, including any recommendations or policies of the technologies therein (e.g., encrypt and password-protect all devices, install and regularly update antivirus systems, etc.).
- Record all clinically relevant information in the traditional health records.
- Set out clear guidelines and boundaries for the technologies (e.g., not to be used in emergencies, types of consultations, varied response times, etc.).
If you have questions on privacy matters in the health care sector, please reach out to a member of the Bennett Jones Health Law group. In addition, please visit our COVID-19 Resource Centre for other COVID-19-related materials.