Search Results | Clear Search | Previous (in doc) | Next (in doc) | Prev Doc | Next Doc
Qp Date
This Act has "Not in Force" sections. See the Table of Legislative Changes.

E-Health (Personal Health Information Access and Protection of Privacy) Act

[SBC 2008] CHAPTER 38

Contents
Part 1 — Definitions and Interpretation
1Definitions
2Interpretation
Part 2 — Administration of Health Information Banks
Division 1 — Establishment or Designation of Health Information Banks
3Establishment or designation of health information banks
4Collection and use of personal health information
5Disclosure of personal health information
6Requests for information by authorized persons
7Complaints respecting requests for information
Division 2 — Disclosure Directives
8Authorization of disclosure directives
9Making and revoking disclosure directives
10Effect of disclosure directives
Division 3 — Data Stewardship Committee
11Role of data stewardship committee
12Appointment of data stewardship committee
13Data stewardship committee
14Disclosure for health research purposes
15Repealed
16Reports by data stewardship committee
Division 4 — Other Matters Relating to Disclosure
17Not in Force
18Purposes for which disclosure always authorized
19Information-sharing agreements required for disclosure
20No market research
Part 3 — General Matters
21Protection of privacy
22Whistle-blower protection
23Provider registry
24Offences and penalties
25Offence Act does not apply
26Regulations
27-28 Amendments to this Act
29-46 Consequential Amendments
47Commencement

Part 1 — Definitions and Interpretation

Definitions

1  In this Act:

"administrator" means

(a) in the case of a health information bank in the custody or under the control of the ministry of the minister, or a ministry database, the chief data steward, and

(b) in the case of a health information bank in the custody or under the control of a health care body other than the ministry of the minister, a person authorized to administer the health information bank under section 3 [establishment or designation of health information banks];

"chief data steward" means a person employed in the ministry of the minister who is designated by the minister as the chief data steward for the purposes of this Act;

"commissioner" means the commissioner under the Freedom of Information and Protection of Privacy Act;

"data stewardship committee" means the data stewardship committee established under section 12 [appointment of data stewardship committee];

"designation order" means an order establishing or designating a health information bank under section 3;

"disclosure directive" means a written instruction under section 9 [making and revoking disclosure directives];

"employee", in relation to a health care body, includes a volunteer and a person retained under a contract to perform services;

"health care body" means

(a) the ministry of the minister,

(b) a health care body as defined in the Freedom of Information and Protection of Privacy Act,

(c) the Provincial Health Services Authority, and

(d) a society that reports to the Provincial Health Services Authority;

"health information bank" means a health information bank established or designated under section 3;

"health research purpose" means the purpose described in section 4 (h) [collection and use of personal health information];

"ministry database" means a database that is

(a) in the custody or control of the ministry of the minister, and

(b) prescribed for the purposes of this Act;

"person" includes a health care body;

"personal health information" means recorded information about an identifiable individual that is related to the individual's health or the provision of health services to the individual;

"protected information" means

(a) personal health information, or

(b) information related to a health service provider

that is contained in a health information bank or ministry database;

"regional health board" means a regional health board designated under section 4 of the Health Authorities Act;

"through", in relation to the collection or disclosure of personal health information through a health information bank, includes collection and disclosure of personal health information both into and from a health information bank.

Interpretation

2  (1) If a provision of this Act refers to a provision of the Freedom of Information and Protection of Privacy Act, a reference in that Act to

(a) a "public body" is to be read for the purposes of this Act as a reference to a health care body, and

(b) the "head of a public body" is to be read for the purposes of this Act as a reference to the head of a health care body.

(2) For the purposes of

(a) Division 2 [Disclosure Directives] of Part 2, and

(b) section 17 [one's own personal health information to be available], in relation to a person's own personal health information,

a reference to a person includes a person having authority under the common law or an enactment to make personal and health care decisions in respect of the person.

Part 2 — Administration of Health Information Banks

Division 1 — Establishment or Designation of Health Information Banks

Establishment or designation of health information banks

3  (1) Subject to the regulations, the minister may by order establish or designate a database containing personal health information as a health information bank, if

(a) the database is in the custody or under the control of a health care body, and

(b) the collection and use of personal health information through the database is for a purpose set out in section 4 [collection and use of personal health information].

(2) A designation order must do all of the following:

(a) identify the type or nature of personal health information to be contained in the health information bank, and the source of the personal health information;

(b) in the case of a health information bank in the custody or under the control of a health care body other than the ministry of the minister, authorize one individual who is an employee of the health care body to administer the health information bank;

(c) identify the purposes, as set out in section 4, for which personal health information may be collected and used through the health information bank;

(d) identify the purposes, if any, as set out in section 5 [disclosure of personal health information], for which personal health information may be disclosed from the health information bank;

(e) authorize one or more persons to collect, use or disclose personal health information through the health information bank;

(f) identify from whom personal health information may be collected into the health information bank, including identifying whether personal health information may be collected other than directly from the individual whom the personal health information is about;

(g) except in the case of disclosure for a health research purpose, identify to whom personal health information contained in the health information bank may be disclosed;

(h) identify the limits or conditions, if any, on the collection, storage, use or disclosure of personal health information contained in or disclosed from a health information bank.

(3) A designation order may describe a person by name, title, position or class.

(4) A designation order is not effective until notice of the designation order is published in the Gazette.

(5) If a health information bank is established or designated by a designation order, personal health information may be collected, used and, subject to sections 14 [disclosure for health research purposes] and 19 [information-sharing agreements required for disclosure], disclosed through the health information bank by a person who is authorized to do so by the designation order, according to the terms of the designation order.

Collection and use of personal health information

4  A designation order may authorize the collection and use of personal health information only for one or more of the following purposes:

(a) to identify an individual who needs or is receiving health services;

(b) to provide health services to, or facilitate the care of, an individual;

(c) to identify a person who is providing health services;

(d) to prevent or manage chronic conditions, at the individual or population level;

(e) to facilitate health insurance and health service billing, including for the purposes of

(i) a payment in respect of health services or prescribed drugs, devices or pharmaceutical services to be made to or by the government of British Columbia or a public body,

(ii) authorizing, administering, processing, verifying or cancelling such a payment,

(iii) resolving an issue regarding such a payment, or

(iv) audits by a federal or Provincial government payment agency that makes reimbursement for the cost of health services or prescribed drugs, devices or pharmaceutical services;

(f) to assess and address public health needs;

(g) to engage in health system planning, management, evaluation or improvement, including

(i) health service development, management, delivery, monitoring and evaluation,

(ii) the compilation of statistical information,

(iii) public health surveillance, and

(iv) the assessment of the safety and effectiveness of health services;

(h) to conduct or facilitate research into health issues;

(i) to assess and address threats to public health.

Disclosure of personal health information

5  A designation order may authorize the disclosure of personal health information only for one or more of the following purposes:

(a) if disclosure is inside Canada, a purpose set out in section 4 (a) to (g)[collection and use of personal health information];

(b) [Repealed 2012-22-82.]

(c) if disclosure is inside or outside Canada, a purpose set out in section 4 (h) or (i).

Requests for information by authorized persons

6  (1) A person authorized under a designation order to collect personal health information into a health information bank may request a health care body or a prescribed person to provide information or records that contain personal health information and that are in the custody or under the control of the health care body or prescribed person if

(a) the information or records being requested have a reasonable and direct connection to the purpose for which collection is authorized under the designation order, and

(b) the person making the request is acting in accordance with the terms of the designation order.

(2) Subject to any other enactment that prohibits disclosure, a health care body or a prescribed person to whom a request is made under subsection (1) must comply with the request in the manner and at the times requested if the information or records are in the custody or under the control of the health care body or prescribed person.

Complaints respecting requests for information

7  (1) In this section, "request for information" means a request for information or records made under section 6 [requests for information by authorized persons].

(2) A person who receives a request for information may make a complaint to the commissioner, and the commissioner may investigate and attempt to resolve the complaint.

(3) Section 6 (2) is suspended, in respect of the request for information that is the subject of the complaint, during the period of the commissioner's investigation, if any.

(4) Sections 44 to 48 and 49 (1) and (2) of the Freedom of Information and Protection of Privacy Act apply to an investigation under subsection (2) of this section, and, for these purposes, a reference in those sections to an investigation, inquiry or audit under that Act is to be read as a reference to an investigation under this section.

(5) If an investigation is made under this section, the commissioner must, after the investigation, do one of the following by order:

(a) if the commissioner determines that the person making the request for information is acting within that person's authority under a designation order, either

(i) require the person making the complaint to provide the information or records in accordance with the request for information, or

(ii) require the person making the request for information to reconsider the request;

(b) if the commissioner determines that the person making the request for information is not acting within that person's authority under a designation order, require the person to withdraw the request and, if applicable, destroy personal health information collected outside the person's authority.

(6) If an order is made under subsection (5),

(a) the commissioner may specify terms or conditions in the order, and

(b) the persons affected by the order must comply within 30 days of its issuance.

(7) If an investigation is not made under this section, section 6 (2) applies.

Division 2 — Disclosure Directives

Authorization of disclosure directives

8  (1) Subject to subsection (3), the minister must in a designation order authorize a person whose personal health information is contained in the health information bank that is the subject of the designation order to make a disclosure directive.

(2) An authorization under subsection (1) may limit the making of disclosure directives to

(a) one or more types of personal health information, as identified in the designation order under section 3 (2) (a) [establishment or designation of health information banks], contained in the health information bank,

(b) one or more purposes, as identified in the designation order under section 3 (2) (d), for which personal health information may be disclosed from the health information bank, and

(c) one or more persons or classes of persons, as identified in the designation order under section 3 (2) (g).

(3) Subsection (1) does not apply in respect of a health information bank if the data stewardship committee recommends to the minister that disclosure directives should not be made in respect of the health information bank.

Making and revoking disclosure directives

9  (1) If in a designation order the minister authorizes the making of disclosure directives, a person may, subject to the regulations,

(a) make a disclosure directive as authorized by the designation order, and

(b) revoke a disclosure directive the person has made.

(2) A person who makes or revokes a disclosure directive must

(a) make the disclosure directive or revocation in writing,

(b) comply with any prescribed conditions respecting the making or revoking of disclosure directives, and

(c) forward to a prescribed person the disclosure directive or revocation and, if applicable, the prescribed records.

(3) Until the contrary is demonstrated, every person is presumed to be capable of understanding the nature of a disclosure directive and the consequences of making or revoking a disclosure directive.

(4) A disclosure directive takes effect when activated in the health information bank to which it relates.

Effect of disclosure directives

10  (1) A person who is otherwise permitted to collect, use or disclose personal health information from a health information bank must not do so in any manner that is inconsistent with a disclosure directive except as follows:

(a) to notify a person that a disclosure directive applies to personal health information that would otherwise be available to the person;

(b) for a purpose described in section 33.1 (1) (c) of the Freedom of Information and Protection of Privacy Act;

(c) with the express consent of the person who made the disclosure directive;

(d) if section 12 [exception — urgent or emergency health care] of the Health Care (Consent) and Care Facility (Admission) Act applies and a health care provider acting under that section reasonably believes that the personal health information may be required to provide health care in accordance with that section.

(2) For the purposes of subsection (1) (d), a reference in section 12 of the Health Care (Consent) and Care Facility (Admission) Act to an "adult" is to be read for the purposes of this section as a reference to a person having a disclosure directive.

Division 3 — Data Stewardship Committee

Role of data stewardship committee

11  (1) The role of the data stewardship committee is to consider requests for the disclosure, for a health research purpose, of protected information.

(2) In addition to the data stewardship committee's role under subsection (1), the data stewardship committee may make recommendations to the minister for the purposes of section 8 (3).

Appointment of data stewardship committee

12  (1) The minister must appoint a data stewardship committee consisting of not more than 12 persons.

(2) The committee appointed under subsection (1) must include at least

(a) one person from within the ministry of the minister,

(b) one person chosen as representative of either regional health boards or the Provincial Health Services Authority,

(c) one person nominated by the council of the College of Physicians and Surgeons of British Columbia,

(d) one person nominated by the council of the College of Pharmacists of British Columbia,

(e) one person nominated by the board of the college established under section 15 (1) of the Health Professions Act for the health profession of the practice of nursing,

(f) one person engaged in health research generally,

(f.1) one person engaged in pharmaceutical research, and

(g) up to 3 persons chosen as representative of the general public.

(2.1) The chief data steward is a non-voting member of the committee appointed under subsection (1).

(3) The minister may designate a chair and one or more vice chairs of the data stewardship committee from among the persons appointed to that committee.

(4) Members of the data stewardship committee may be paid

(a) remuneration set by the minister, and

(b) reasonable and necessary travel and out of pocket expenses incurred in carrying out the work of the data stewardship committee.

Data stewardship committee

13  (1) Subject to this Act, the data stewardship committee may make rules governing the following:

(a) the calling and conduct of its meetings;

(b) the establishment of panels of the data stewardship committee to conduct business of that committee;

(c) the practices and procedures of the panels established under paragraph (b);

(d) the quorum of the data stewardship committee or of the panels established under paragraph (b);

(e) other matters respecting the conduct of the work of the data stewardship committee or of the panels established under paragraph (b), including the fees that may be charged by a health care body for information to defray the cost to the health care body to provide the information.

(2) The data stewardship committee must establish policies and procedures respecting the disclosure of information under this Division.

(3) A member of the data stewardship committee must take reasonable steps, in accordance with the regulations, to avoid or manage a conflict of interest.

Disclosure for health research purposes

14  (1) A person may request protected information for a health research purpose only by submitting to the data stewardship committee

(a) a request in the form and in the manner required by the data stewardship committee, and

(b) information required by the data stewardship committee for the purposes of evaluating the request.

(2) The data stewardship committee may approve the request if both of the following apply:

(a) in the case of a request to disclose personal health information, all of the requirements set out in subsection (2.1) are met;

(b) in the case of a request to disclose protected information outside Canada, there is express consent, in writing, to the disclosure from each person who is the subject of the protected information.

(2.1) The requirements for the purposes of subsection (2) (a) are as follows:

(a) the request is for a health research purpose that cannot reasonably be accomplished unless personal health information is disclosed;

(b) if the protected information is contained in a health information bank, the disclosure is authorized under the terms of the applicable designation order;

(c) the disclosure is on condition that it not be used for the purpose of contacting a person to participate in the health research, unless the commissioner approves

(i) the health research purpose,

(ii) the use of disclosed personal health information for the purpose of contacting a person to participate in the health research, and

(iii) the manner in which contact is to be made, including the information to be made available to persons contacted;

(d) any data linkage is not harmful to the individuals who are the subjects of the personal health information, and the benefits to be derived from the record linkage are clearly in the public interest;

(e) the data stewardship committee has imposed conditions relating to

(i) security and confidentiality,

(ii) the removal or destruction of individual identifiers at the earliest reasonable time, and

(iii) the prohibition of any subsequent use or disclosure of personal health information without the express authorization of the data stewardship committee.

(3) If the data stewardship committee approves the request, the administrator may, subject to any conditions set by the data stewardship committee on approving the request, disclose the information to the person who made the request.

(4) An administrator must not disclose information under subsection (3) except under an information-sharing agreement

(a) with the person who made the request, and

(b) made, whether or not personal health information is disclosed, in accordance with section 19 (2) and (3) [information-sharing agreements required for disclosure].

Repealed

15  [Repealed 2012-22-86.]

Reports by data stewardship committee

16  (1) At least once each year, the data stewardship committee must report to the minister respecting

(a) the activities of the data stewardship committee,

(b) information-sharing agreements entered into by an administrator under this Division, and

(c) any matter the minister requires.

(2) After making a report under subsection (1), the data stewardship committee must promptly publish the report.

Division 4 — Other Matters Relating to Disclosure

Not in Force

17  [Not in force.]

Purposes for which disclosure always authorized

18  (1) An administrator may disclose personal health information inside Canada from a health information bank for one or more of the following purposes:

(a) a purpose described in section 33.2 (f) and (i) of the Freedom of Information and Protection of Privacy Act;

(b) to investigate or discipline a person regulated by a governing body of a health profession that has authority, under an enactment, to investigate or discipline the person;

(c) to monitor, by a governing body of a health profession, the practice of a health profession that is, under an enactment, regulated by that body;

(d) a purpose for which the person who is the subject of the personal health information has expressly consented.

(2) An administrator may disclose personal health information inside or outside Canada from a health information bank for one or more of the following purposes:

(a) a purpose described in section 33.1 (1) (a), (c), (e), (e.1), (g), (i), (i.1), (m), (m.1), (n), (p) or (t) or (6) or (7) of the Freedom of Information and Protection of Privacy Act, or

(b) a purpose for which the person who is the subject of the personal health information has expressly consented in writing.

(3) Sections 14 [disclosure for health research purposes] and 19 [information-sharing agreements] do not apply to the disclosure of personal health information under this section.

Information-sharing agreements required for disclosure

19  (1) Personal health information contained in a health information bank may be disclosed only if

(a) disclosure is authorized by the terms of the designation order that relates to the health information bank,

(b) the administrator of the health information bank enters into an information-sharing agreement under this section, and

(c) if personal health information is to be disclosed on a bulk or regular basis, it is disclosed only to one or more of the following persons:

(i) an agency or ministry of the government of British Columbia, of another province or of Canada, including a Crown corporation;

(ii) a health care body;

(iii) an aboriginal government, an educational body or a social services body, as those terms are defined in the Freedom of Information and Protection of Privacy Act;

(iv) a public body in another jurisdiction of Canada that is equivalent to one described in subparagraphs (ii) and (iii);

(v) a health service provider;

(vi) a body responsible for the regulation of health professionals;

(vii) an association of health professionals;

(viii) a prescribed body that is public in nature.

(2) An information-sharing agreement must identify all of the following:

(a) the persons, by name, title, position or class, who may collect, use or disclose information under the agreement;

(b) the circumstances in which information may be disclosed under the agreement;

(c) the limits, if any, on

(i) the disclosure of information by the administrator under the agreement, and

(ii) the use or disclosure of the information obtained under the agreement by persons identified under paragraph (a);

(d) the conditions, if any, on the disclosure of information under the agreement, including conditions respecting

(i) security and confidentiality,

(ii) the removal or destruction of individual identifiers at the earliest reasonable time,

(iii) the prohibition of any subsequent use or disclosure of personal health information without express authorization, and

(iv) the monitoring of compliance with the agreement;

(e) the term of the agreement and the circumstances in which the agreement may be renewed, suspended or terminated.

(3) An information-sharing agreement must include a requirement that

(a) protected information disclosed under the agreement will not be used or disclosed for the purpose of market research, and

(b) if disclosure is for a health research purpose, the person to whom information is disclosed must comply with

(i) the data stewardship committee's policies and procedures established under section 13 (2) [data stewardship committee], and

(ii) any conditions imposed under section 14 (2.1) (e) [disclosure for health research purposes].

No market research

20  (1) This section applies despite Part 2 of the Freedom of Information and Protection of Privacy Act, any provision of this Act, and any term of a designation order.

(2) A person must not disclose, for the purpose of market research, any of the following information that is contained in a health information bank or ministry database:

(a) personal health information;

(b) information related to health service providers.

Part 3 — General Matters

Protection of privacy

21  (1) Personal health information must not be collected into a health information bank or used in a health information bank for any purpose or in any manner other than in accordance with the designation order in respect of the health information bank.

(2) Personal health information contained in a health information bank must not be disclosed for any purpose or in any manner other than

(a) in accordance with the designation order in respect of the health information bank, or

(b) as permitted under this Act.

Whistle-blower protection

22  A person must not dismiss, suspend, demote, discipline, harass or otherwise disadvantage another person, or deny another person a benefit, because

(a) the other person, acting in good faith and on the basis of reasonable belief, has notified the minister, an administrator or the commissioner

(i) that a person has contravened or is about to contravene this Act, or

(ii) that a person has collected, used or disclosed, or is about to collect, use or disclose, personal health information in a manner that contravenes the terms or conditions of a designation order,

(b) the other person, acting in good faith and on the basis of reasonable belief, has done or stated an intention of doing anything that is required to be done in order to avoid having any person contravene this Act,

(c) the other person, acting in good faith and on the basis of reasonable belief, has refused to do or stated an intention of refusing to do anything that is in contravention of this Act, or

(d) the person believes that the other person will do anything described in any of paragraphs (a) to (c).

Provider registry

23  (1) Despite section 3 [establishment or designation of health information banks], the minister may by order designate a database that contains personal information of health service providers as a health information bank.

(2) This Act applies to a database designated under subsection (1) as if the database contained personal health information, and a reference in this Act to "personal health information" must be read as a reference to the personal information of health service providers.

Offences and penalties

24  (1) A person who contravenes any of the following sections commits an offence and is liable to a fine of up to $200 000:

(a) section 10 [effect of disclosure directives];

(b) section 20 [no disclosure for market research purposes];

(c) section 21 [protection of privacy];

(d) section 22 [whistle-blower protection].

(2) If a corporation commits an offence under this section, an officer, director or agent of the corporation who authorizes, permits or acquiesces in the commission of the offence also commits an offence, whether or not the corporation is prosecuted for the offence.

(3) In a prosecution for an offence under this section, it is a defence for the person charged to prove that the person exercised due diligence to avoid the commission of the offence.

Offence Act does not apply

25  Section 5 [general offence] of the Offence Act does not apply in respect of this Act or the regulations made under it.

Regulations

26  (1) The Lieutenant Governor in Council may make regulations referred to in section 41 of the Interpretation Act.

(2) Without limiting subsection (1), the Lieutenant Governor in Council may make regulations as follows:

(a) defining "health services", "health service provider" and "health system" for the purposes of this Act;

(b) prescribing databases, by name or by class, that must not be designated as a health information bank under section 3 [establishment or designation of health information banks];

(c) limiting or prohibiting classes of persons from making disclosure directives;

(d) respecting

(i) the manner in which a disclosure directive must be made,

(ii) conditions that apply to the making or revocation of a disclosure directive,

(iii) to whom a disclosure directive must be provided, and

(iv) records that must accompany a disclosure directive;

(e) respecting conflicts of interest in relation to members of the data stewardship committee, including defining conflicts of interest and providing rules for the management of conflicts of interest;

(f) for the purposes of section 17 [one's own personal health information to be available], including

(i) respecting the information that may, or must not, be made available,

(ii) respecting how personal health information is to be made available, including putting conditions on direct access to personal health information,

(iii) respecting information that must be removed from a record before the record is made available, and

(iv) respecting fees that may be charged by administrators for making available the information referred to in subsection (1) (c) of that section;

(g) defining "bulk or regular" for the purposes of section 19 [information-sharing agreements required for disclosure];

(g.1) prescribing activities or circumstances that do or do not comprise market research for the purpose of section 20 [no market research];

(h) for any other matter for which regulations are contemplated by this Act.

(3) A power to make a regulation under this Act in respect of a person includes a power to

(a) establish classes of persons, and

(b) make regulations that are different for different classes of persons.

Amendments to this Act

[Note: See Table of Legislative Changes for the status of sections 27 to 46.]

Section(s)   Affected Act
27-28   E-Health (Personal Health Information Access and Protection of Privacy) Act

Consequential Amendments

Section(s)   Affected Act
29   Adult Guardianship and Planning Statutes Amendment Act, 2007
30-32   Freedom of Information and Protection of Privacy Act
33   Health Act
34-38   Health Statutes Amendment Act, 2007
39-42   Pharmacists, Pharmacy Operations and Drug Scheduling Act
43-46   Pharmacy Operations and Drug Scheduling Act

Commencement

47  The provisions of this Act referred to in column 1 of the following table come into force as set out in column 2 of the table:

Item Column 1
Provisions of Act
Column 2
Commencement
1 Anything not elsewhere covered by this table The date of Royal Assent
2 Sections 1 to 28 By regulation of the Lieutenant Governor in Council
3 Sections 30 to 33 By regulation of the Lieutenant Governor in Council
4 Sections 39 to 46 By regulation of the Lieutenant Governor in Council