How These Laws Work Together

When your health information flows from a private doctor to a public hospital, different laws will apply to it. The law that applies depends on who is in control of the information.

The Personal Information Protection Act ("PIPA") covers your information when it is held by your doctor or other private health care provider. When your information is held by a public hospital, public clinic or health authority, the Freedom of Information and Protection of Privacy Act ("FIPPA") applies to it.

When the information is in the doctor’s file, it is protected by the security requirements of PIPA. When the information is in the Medical Services Plan ("MSP") file it is protected by the security requirements of FIPPA. In both cases, access to the information must be limited to those people who have a “need to know” it for a legitimate purpose. Staff are not allowed to look at health information just because they might be interested.

In most cases, your doctor in private practice will assume that you want your relevant information to be seen by the specialist your doctor sends you to consult. So your doctor will probably not ask you for permission to send that relevant information to the specialist. If your doctor wants to use your information in a research study, you have to be asked first. Your doctor is required to send certain information to MSP, and in rare circumstances must report certain information to public health authorities, and is not required to ask your permission first.

If you have questions about how your doctor keeps your health information confidential, you have a right to ask your doctor.

If you want to limit who can see the information in your doctor’s files, you could use this form.

When your information is in the control of a health authority – in a hospital database for instance – many hospital employees may be able to see your information. It will be used and disclosed to provide you with health care services and for billing purposes (just like your doctor does) and likely for other purposes, including to evaluate the programs and services offered by the health authority, to improve and maintain the quality of care, for risk management and legal purposes. It may be de-identified (the names and other identifiers will be taken off) and then used for research purposes and in system planning and resource allocation analyses.

Hospitals, health authorities and clinics covered by FIPPA are allowed to use patient personal health information for research without asking you first, if they comply with very strict requirements. Each hospital or health authority will have a different approach to this issue, so if you have more questions you should contact your health authority (click on the link below for contact information for the information and privacy officers of each health authority).

Some hospital databases can apply tools that limit employee access to information. Some systems do not have the capability. You should ask the hospital about the tools that it can use if you want to limit access to your health information by staff at the hospital or health authority.

If you want to see your personal information held by the hospital or health authority, contact the information and privacy officer of the health authority.