Using Personal Information
Government organizations under FIPPA and MFIPPA must tell individuals how they intend to use the personal information that they collect, and provide individuals with a contact in the organization who can answer their specific questions.
In general, government organizations are only permitted to use personal information if the individual consents to the use; for the purpose for which it was obtained or compiled or for a consistent purpose; or for a purpose for which the information may be disclosed to the government organization (see section on Disclosure). Government organizations must take reasonable steps to ensure that personal information is not used unless it is accurate and up to date.
Under PHIPA, the “use” of personal health information is defined as the handling or dealing with personal health information that is in the custody or control of a health information custodian. As a general rule, consent is required for any use of an individual’s personal health information unless PHIPA specifically allows the use without consent. Under PHIPA, consent may be express or implied.
PHIPA allows custodians to use personal health information without consent:
- for the purpose for which it was collected or created;
- for a purpose for which a person is permitted or required by law to disclose it to the custodian;
- for planning or delivering programs or services that the custodian provides or funds;
- for the purposes of risk management, error management or improving the quality of care;
- for educating agents who provide health care;
- for the purpose of disposing of the information or modifying the information to conceal the identity of the individual;
- for the purpose of seeking the individual’s consent, as long as the information consists of name and contact information only;
- for the purpose of a proceeding;
- for the purpose of obtaining payment for health care or related goods and services;
- for the purpose of research, subject to certain conditions; or
- if permitted or required by law.
When using personal health information, a custodian must exercise the highest level of care and must take reasonable steps to ensure that the individual’s personal health information is as accurate, complete and up-to-date as is necessary for the purpose for which the custodian uses the information.
For more information on the use of personal health information under PHIPA, please refer to our paper, A Guide to the Personal Health Information Protection Act.