- Report a privacy breach
- Collection, use and disclosure of personal health information
- Responding to a privacy breach
- Unauthorized access
- Access and correction
- PHIPA complaint process
- Safeguarding personal health information
- PHIPA Code of Procedure
WHAT IS A COLLECTION OF PERSONAL HEALTH INFORMATION UNDER PHIPA?
PHIPA defines the term “collect” as the gathering, acquiring, receiving or obtaining of personal health information by any means from any source. This means that you, or your authorized agent–such as a nurse who is employed by a hospital–can collect personal health information in several ways. For example, when a doctor makes notes about a patient or when a pharmacist receives a prescription to be filled, they are collecting personal health information.
WHAT ARE THE RULES REGARDING THE COLLECTION OF PERSONAL HEALTH INFORMATION?
As a general rule, you need consent to collect an individual’s personal health information. There are some circumstances, under PHIPA, where you can collect it without consent.
For more information about the requirements for a valid consent to collect personal health information, please see our section on Consent and Your Personal Health Information and our guidance document, Frequently Asked Questions: Personal Health Information Protection Act.
With limited exceptions, you must collect personal health information directly from the individual about whom the information relates.
You can collect personal health information about an individual directly from that individual, even if he or she is incapable of consenting, if you need the information for the provision of health care and it is not possible to obtain consent in a timely manner.
You must also take steps that are reasonable in the circumstances to ensure that personal health information is not collected without authority.
WHEN CAN CUSTODIANS INDIRECTLY COLLECT PERSONAL HEALTH INFORMATION?
As noted above, you can generally only collect personal health information directly. However, in some circumstances, PHIPA permits you to collect personal health information indirectly.
For example, you may collect personal health information indirectly if:
- the individual consents.
- you need the information to provide health care to an individual and it isn’t possible to collect accurate and complete information directly from that individual.
- the information is necessary for providing health care to an individual and you cannot get it from that individual in a timely manner.
- you collect it for the purposes of research from a person who is not a custodian (provided that certain conditions are met).
- you are required or permitted by law to collect it indirectly.
This post is also available in: French