Newfoundland and Labrador: An overview of the Personal Health Information Act

The Personal Health Information Act, SNL 2008, c P-7.01 ('PHIA') was enacted in 2008 and proclaimed in 2011 with the purpose of establishing rules for the collection, use, and disclosure of personal health information ('PHI'); of providing individuals with rights, such as the right to access and to require correction or amendment of their PHI; of ensuring accountability of persons in custody of the PHI; and of establishing measures to ensure compliance with the PHIA in the Province of Newfoundland and Labrador. In this article, OneTrust DataGuidance gives an overview of the PHIA and its key provisions with respect to PHI.

Scope of PHIA

The PHIA applies to PHI collected, used, and disclosed by a 'custodian', which the PHIA defines as a 'person' who has custody or control over PHI in connection with the performance of their obligations as either an authority, a body established by the authority, a department created under the Executive Council Act of 1995, a healthcare provider or professional, the Provincial Health Laboratory, the Centre for Human Information and the Workplace Health, and the Safety and Compensation Commission, among others.

Thus, the PHIA defines PHI as information, oral or written, identifying an individual that relates to:

  • the physical or mental health of the individual;
  • the provision of healthcare to the individual;
  • the donation by an individual of a body part or bodily substance, including information derived from the testing or examination of a body part or bodily substance;
  • the individual's registration information;
  • payments made or an individual's eligibility for a healthcare program or service;
  • an individual's entitlement to benefits under or participation in a healthcare program or service;
  • information about the individual that is collected in the course of, and is incidental to, the provision of a healthcare program or service, or payment for a healthcare program or service;
  • a drug, healthcare aid, device, product, equipment, or other item provided to an individual under a prescription or other authorisation issued by a healthcare professional; or
  • the identity of a representative of an individual.

Duties and responsibilities of a custodian

Among the various requirements under the PHIA, a custodian is required to establish and implement information policies and procedures so as to ensure compliance with the PHIA with respect to the collection, copying, modification, use, storage, transfer, and destruction of PHI - whether within or outside the Province of Newfoundland and Labrador. Moreover, the policies and procedures implemented should protect confidentiality, restrict access, and ensure safe storage of the PHI.

Furthermore, a custodian is required to:

  • ensure that its employees, agents, contractors, and volunteers take an oath or affirmation of confidentiality with respect to the PHI;
  • take reasonable steps to ensure that PHI in its custody is protected from theft, loss, unauthorised access, disclosure, copying, and modification, and is disposed of in a secure manner;
  • notify a data subject in the event of a data breach;
  • inform the Commissioner of the Office of the Information and Privacy Commissioner for Newfoundland and Labrador ('the Commissioner') in the event of a data breach; and
  • ensure that PHI under its control is accurate.

Moreover, the PHIA stipulates that a custodian that is not a natural person should appoint one or more 'contact person(s)' whose obligations are, among others, to:

  • help ensure that the custodian is compliant with the PHIA;
  • ensure that the people working for the custodian are well informed of their duties under the PHIA;
  • respond to questions from members of the public; and
  • respond to individuals' requests concerning the access to, or the correction of, their PHI.

In the event that the custodian fails to designate a contact person, the PHIA states that the custodian will be considered to be the contact person.

Furthermore, a custodian is required to make public a written statement that describes the custodian's information policies and procedures, the contact details of the contact person if one has been appointed or, if not, the contact details of the custodian, how individuals can exercise their rights, and how individuals can make a complaint to the Commissioner.

Finally, among the abovementioned obligations, custodians also have obligations with respect to information to be provided to individuals whose PHI is collected directly or through the individual's representative. More specifically, the PHIA requires that a custodian notify the individual or their representative of the purposes for the collection, use, and disclosure of PHI, as well as the identity of a contact person, and any other information prescribed under the Personal Health Information Regulations.

Consent

Generally, the PHIA prohibits the collection of PHI unless the individual concerned has given consent to the collection, or the collection is permitted by the PHIA. As such, the exceptions to obtaining consent apply where the individual is unable to provide consent, and one of the following circumstances applies:

  • the individual has not appointed a representative who can provide consent on behalf of an individual;
  • the individual has been certified as an 'involuntary patient'; and
  • the collection is necessary for the provision of healthcare services to the individual.

Where consent is to be obtained, the PHIA contemplates two main forms of consent, namely express or implied, and provides that consent should inherently be the consent of the individual, knowledgeable, and not obtained through deception or coercion. Where a custodian seeks to disclose PHI of an individual to a person that is not a custodian, or to another custodian, but not for the purposes of providing healthcare services to the individual, the consent to be obtained must be express consent from the individual. In other instances, consent may be express or implied.

Furthermore, and with respect to implied consent, the PHIA also refers to 'continuing implied consent' where a custodian, having obtained consent from an individual, transmits PHI to another custodian for the purposes of providing healthcare services to an individual as part of a 'circle of care', unless the custodian is aware that the individual has withdrawn their consent. In this case, the PHIA defines a 'circle of care' as those persons participating in activities related to the provision of healthcare services to the individual.

Additionally, the PHIA also provides for 'limited consent' in circumstances where the custodian discloses, with the consent of the individual, the PHI to another custodian for the purposes of providing healthcare services, but the custodian does not have consent to disclose all PHI of the individual that it considers reasonably necessary. The disclosing custodian must disclose this fact to the receiving custodian.

Notably, an individual has a right to withdraw their consent at any time by giving notice to the custodian. However, the withdrawal does not have a retroactive effect.

Rights of individuals

Access

The PHIA does provide individuals with the right of access to their PHI, although it provides for certain limitations to such right, such as where:

  • another law, the law of Canada, or a court order prohibits such disclosure;
  • the disclosure would reveal the PHI of another individual; or
  • the PHI was compiled for the purposes of evidence.

In doing so, the PHIA also provides for certain procedural requirements in the exercise of individuals' rights. For example, requests may be made in writing unless the individual has a limited reading and writing ability, or they have a disability or condition that impairs their ability to submit a written request. However, nothing in the PHIA prevents a custodian from complying with an individual's informal oral request to access their PHI provided that access is authorised.

The request should be well detailed to enable the custodian to identify and retrieve the PHI record, and in the case that the request is not well detailed, the custodian should offer to assist the individual to re-formulate the request.

The custodian should respond without any delay and take no more than 60 days after obtaining the request. However, the custodian may extend this time by an additional 30 days where:

  • the 60-day period would interfere with the operations of the custodian;
  • the PHI consists of numerous records; or
  • locating the information would require more than 60 days.

In such a case, the custodian should inform the individual of their decision to extend the response period and their reasons for doing so. Additionally, if the custodian decides not to grant the request, they should inform the individual as soon as possible and not later than the time limit extended. Moreover, where the custodian has reasonable grounds to refuse the request, the individual has a right to appeal this decision to the Trial Division under the PHIA.

The custodian may charge reasonable fees for providing the record of the PHI, but the fees should not exceed the minimum set by the Minister.

Correction

Where the custodian has granted an individual access to the record of their PHI and the individual ascertains that the information is not accurate, they may request, orally or in writing, to correct their information.

The custodian is required to respond as soon as possible and not later than 30 days from receiving the request. However, similarly to access requests, this time period may be extended.

Additionally, in order to exercise this right effectively, the individual is under an obligation to show, to the satisfaction of the custodian, the record of their PHI that is inaccurate, and to provide the accurate information. However, the request to correct PHI records may be refused where:

  • the custodian did not originally create the record and does not have sufficient knowledge, expertise, and authority to correct the record;
  • the correction requested is with respect to information that is considered as professional opinion that has been made in good faith; or
  • the request is made in bad faith, or is frivolous or vexatious.

Once the custodian has made the correction, they are under a duty to notify the individual that they have corrected the record, as well as any third parties of the correction where PHI has been disclosed to them.

The Commissioner

The Commissioner is responsible for, among other things, enforcing provisions of the PHIA, such as where they relate to the rights of individuals. In this context, where a custodian fails to honour an individual's request for access to their PHI records, the individual has a right to file a complaint with the Commissioner within 60 days from the date that the individual received the custodian's notice of the refusal. The Commissioner should then proceed to provide a copy of the complaint to the custodian and may take steps to resolve the complaint informally; if this fails, however, the Commissioner should conduct a review of the subject matter of the complaint unless the Commissioner is satisfied that:

  • the custodian's response to the individual's request was satisfactory;
  • the complaint has been or could have been dealt with more appropriately by another procedure;
  • the complaint is time barred; or
  • the complaint is made in bad faith.

In addition to these powers, and among a few others, the Commissioner has investigative powers and, as such:

  • may require documentation relating to any subject matter;
  • without a warrant, enter premises to inspect them, demand documentation relating to the subject matter, and make inquiries of a person in the premises; and
  • inspect PHI records of an individual without the individual's consent.

Conclusion

The PHIA applies to both public and private bodies and, as such, organisations should check whether their conduct is covered under the definition of a 'custodian'. Doing so allows for timely understanding of the various requirements outlined within the PHIA, thereby ensuring that covered entities are in compliance with respect to their practices and the protection of individuals' PHI.

Wangari Thuo Privacy Analyst