The realities of implementing health information legislation: the Manitoba experience, 1997-2004.

• Author: Neufeld, Renata

In the late 1990s, an increasing global emphasis on data protection and the expansion of provincial health information systems provided the optimal context for developing health information access and privacy legislation. Manitoba's Personal Health Information Act (PHIA) was thus enacted on December 11, 1997. (1) PHIA was the first law of its kind in Canada and was developed with a view to interpreting internationally accepted fair information principles for application within the local health care system. PHIA requires health information trustees (public bodies and health care providers) to grant individuals access, upon request, to personal health information about themselves. (2) It also requires trustees to protect the personal health information they maintain from inappropriate collection, use, disclosure, retention and destruction. (3) Manitoba's experience with PHIA over the past six years has included some interesting (and a few unforeseen) implementation challenges and has raised several demanding policy questions. This experience has also offered some useful lessons regarding the administration of health information access and privacy legislation. Some of these challenges, policy questions, and lessons are explored below.

Implementation Challenges

An implementation challenge that emerged early on was the complexity of the legislation. Although PHIA was deliberately drafted in plain language, and although the basic requirements are easily understood, the exceptions to these requirements are sometimes not. Yet an understanding of these exceptions is essential to effective implementation. An employee charged with the responsibility of responding to an access request must understand when it is appropriate or even necessary to sever certain information. (4) Likewise, an employee given the responsibility of discussing treatment and care with a patient's family must understand the amount of information it is appropriate to release without the patient's express consent. (5) While understanding the exceptions can be as important as understanding the rules, these details can sometimes be lost in the myriad of other legal requirements and operational demands trustees must respond to on any given working day.

Demands on the time of health providers and health facility staff can also lead to another challenge in implementation: the time necessary to seek and obtain consent. Although PHIA does not currently define consent, common law holds that consent must be informed to be valid. (6) Obtaining informed consent may require a discussion with the patient, which in turn requires time and opportunity. Where these are scarce, there is a danger that the principle of "no disclosure without consent" may, in practice, simply mean "no disclosure."

Where consent to disclose is not sought and information is withheld, misunderstandings about the purpose of the legislation may ensue. This, in turn, may further impede appropriate communication. One such misunderstanding is that PHIA assures absolute privacy. Like all information protection legislation, PHIA provides for reasonable confidentiality with exceptions where the right of privacy conflicts with an overriding societal interest. The...