WHAT ARE THE GENERAL LIMITATIONS ON THE COLLECTION, USE AND DISCLOSURE OF PERSONAL HEALTH INFORMATION?
Under the Personal Health Information Protection Act (PHIPA) a health information custodian (custodian) is prohibited from collecting, using or disclosing personal health information, unless:
- consent has been obtained and the collection, use or disclosure is, to the best of the custodian’s knowledge, necessary for a lawful purpose; or
- the collection, use or disclosure is permitted or required by PHIPA.
According to PHIPA, you cannot collect, use or disclose personal health information if other information will suffice. For example, you may be able to provide a researcher conducting a study with de-identified information, rather than disclosing personal health information. As a custodian, you also cannot collect, use or disclose more personal health information than is reasonably necessary to serve the purposes of the collection, use or disclosure. For example, if a patient requests a doctor’s note to give to his or her employer, the doctor should only include the minimum information necessary, rather than the patient’s entire health history. These limitations do not apply to personal health information that a custodian is required by law to collect, use or disclose.
Where you have collected personal health information in contravention of PHIPA, you cannot use or disclose it unless required by law.
For more information about the collection, use and disclosure of personal health information, please refer to the IPC’s Frequently Asked Questions: Personal Health Information Protection Act.