Collection of Personal Health Information

AuthorHalyna N. Perun; Michael Orr; Fannie Dimitriadis
1) Generally
Among the purposes of the Personal Health Information Protection Act, 20041is
the establishment of rules for the collection of personal health information
about patients by health information custodians.2PHIPA defines the term
“collect” to mean, in relation to personal health information, to gather, acquire,
receive, or obtain the information by any means from any source.3The Act sets
out the circumstances in which a health information custodian can collect per-
sonal health information about a patient, whether directly from the patient, or
indirectly from another source of information.
As with the use and disclosure of personal health information, the gener-
al rule in PHIPA is that a health information custodian requires consent for
the collection of personal health information.4The Act goes on to specify the
1 S.O. 2004, c. 3, Sch. A [PHIPA].
2PHIPA, s. 1(a).
3Ibid., s. 2, definition of “collect.” See Chapter 2, Section E(2) for a more detailed dis-
cussion of the meaning of the term “collect.”
4PHIPA, s. 29(a). In the context of the requirement for consent, the word “patient” includes
the patient’s substitute decision-maker, where the substitute is authorized to act on
the patient’s behalf. For further details about substitute decision-making, see Chapter 6.
8Collection of Personal
Health Information
circumstances in which a custodian may collect personal health information
without the patient’s consent.5
2) Change of Approach
The requirement for a health information custodian to have statutory authori-
ty to collect personal health information marks a significant change in the law.6
Until the advent of PHIPA, legislation applicable in the health care sector in
Ontario typically did not require health care providers to seek a patient’s con-
sent to the collection of personal health information. Health-sector-specific
statutes that apply to health care providers are generally silent on rules con-
cerning the collection of personal health information. Such legislation, howev-
er, usually addresses the disclosure of personal health information, generally
requiring secrecy or confidentiality with respect to the information acquired by
a person under the legislation, while permitting specific disclosures, whether
with or without consent.7Likewise, institutions subject to the Freedom of Infor-
mation and Protection of Privacy Act8or the Municipal Freedom of Information
and Protection of Privacy Act9are not required to seek an individual’s consent
for collection of the individual’s personal information.10 Thus, health informa-
tion custodians will have to adjust their practices to ensure that they consider
their authority to collect personal health information.
5PHIPA, s. 29(b).
6 This approach is consistent with the federal Personal Information and Electronic Docu-
ments Act, S.C. 2000, c. 5, Part 1 [PIPEDA], which requires consent not only for use or
disclosure of personal information, but also for collection. See s. 7.
7 See, for example, the Long-Term Care Act, 1994, S.O. 1994, c. 26, s. 32 [LTCA], prior to
amendments of this section by PHIPA, s. 89(6); the Mental Health Act, R.S.O. 1990,
c. M.7, s. 35 [MHA], prior to amendment of this section by PHIPA, s. 90(6)–(11); and
s. 22 of Hospital Management, R.R.O. 1990, Reg. 965, made under the Public Hospitals
Act, R.S.O. 1990, c. P.40.
8 R.S.O. 1990, c. F.31 [FIPPA].
9 R.S.O. 1990, c. M.56 [MFIPPA].
10 FIPPA, above note 8, s. 38(2) provides: “No person shall collect personal information
on behalf of an institution unless the collection is expressly authorized by statute,
used for the purposes of law enforcement or necessary to the proper administration of
a lawfully authorized activity.” See also MFIPPA, ibid., s. 28(2). Instead of requiring
consent, FIPPA and MFIPPA require notice to the individual to whom the informa-
tion relates of the principal purpose or purposes for which the personal information
is intended to be used. See FIPPA, s. 39(2) and MFIPPA, s. 29(2). FIPPA/MFIPPA
custodians are no longer required to provide such a notice where the information is
personal health information. Instead, they are obliged to have information practices in
place as set out in PHIPA, s. 10(1). For further discussion of these practices, see
Chapter 4, Section D.

To continue reading

Request your trial

VLEX uses login cookies to provide you with a better browsing experience. If you click on 'Accept' or continue browsing this site we consider that you accept our cookie policy. ACCEPT