Opinion: Insights on digital health and privacy legislation in British Columbia and Yukon
By Christina Franke, CHIM, Kait Greer, CHIM, and Dennis Lu
In early May, privacy expert Jean L. Eaton, BA Admin (Healthcare), CHIM, CC, presented the 2022 Updates on the Emerging Privacy Management Practices in Health Care series. Health care delivery has changed significantly over the past two years, and this session tied it all together, covering important legislative changes, privacy breaches, and digital health highlights. Three British Columbia and Yukon (BCYT) chapter committee members were in attendance and have collaborated on this article to share our learnings with CHIMA members.
Three privacy legislation trends were discussed: modernizing privacy legislation, access issues, and provincial initiatives. Jean summarized the recent and proposed changes to federal and provincial legislation that have implications for a patient’s information privacy and confidentiality, and recommended safeguards to protect this information. For example, the federal government proposed the Personal Information Protection and Electronic Documents Act (PIPEDA) reform to include the Digital Charter Implementation Act (2020), which includes more control for individuals over their privacy rights and heavier penalties for violating privacy or inadequately preventing privacy breaches.
In British Columbia, there remains no specific health privacy legislation that would apply to community health care providers; however, this could change. Jean indicated that BC could expect mandatory breach notifications and penalties as part of the Personal Information Privacy Act (PIPA). During COVID, there was a 30-day Freedom of Information and Protection of Privacy Act (FIPPA) time extension for the disruption to business continuity experienced by many businesses and hospitals. Similar limited extensions have been granted due to business disruption caused by forest fires and other disasters. As for Yukon, the Access to Information and Protection of Privacy (ATIPP) Act was proclaimed on April 1, 2021, and many privacy and security resources have been produced by the Office of the Yukon IPC and Yukon Ombudsman. However, privacy breaches remain a concern for the province and across Canada.
It has been said that “access delayed is access denied,” but with the increasing use of electronic documentation, the delay in access can be reduced. Electronic use has enabled quicker access; however, protection and access control are needed. Although provincial and local requirements need to be considered (for BC, this is PIPA), reviewing national (PIPEDA) and international (e.g., GDPR) requirements is also vital; electronic data is no longer limited by geography and can be transferred easily. Therefore, unauthorized use (such as snooping) can also happen much more quickly.
All parties involved in handling health information need to be prepared for potential breaches and failures. For example, an organization should ask if it is functional and feasible to fall back on paper if an electronic failure or security breach is identified. Breach management practices, including remedial actions, should be reviewed to ensure they meet the most current practices and established standards. Lastly, Jean highlighted that privacy impact assessments are a vital first step.
The 2022 Updates on the Emerging Privacy Management Practices in Health Care series was an excellent opportunity to stay updated on current trends, challenges, and changes in the Canadian privacy domain. The topics signify health information professionals’ role in privacy governance and their ability to provide feasible and functional standardization of the access and disclosure of patient records to prevent privacy breaches and access delays. The 2022 updates uphold the applicability of privacy knowledge to health information management (HIM) and the value of the Emerging Privacy Management Practices in Health Care series, which is now available to all CHIMA members.
Further reading
British Columbia Provincial Acts
Personal Information Protection Act
E-Health (Personal Health Information Access and Protection of Privacy) Act
Access to Information and Protection of Privacy (ATIPP) Act