With almost every rule there is almost always a list of exceptions. This is the case with grammar rules, road rules, and all other rules that guide us to make sound decisions inside and outside of work. Now that more information has been provided about the privacy rule, Consent, it is important to understand the exceptions that come with it. Keep in mind that with any sensitive information, it is critical to be very cautious about how you handle it, even if you do find that one of the exceptions might apply.

 

As per the previous post, this is a list of exceptions in the form of Do’s and Don’ts; however, there is only one Don’t on this list. Don’t be fooled, though. This particular exception is important as there is a good chance it might at some point show up in your office.  

 

>>Don’t collect, use or disclose personal information without the patient’s consent if it is not publicly available

If you are asking yourself what “publicly available” means, PIPEDA has a very specific definition and it is not the same as publicly accessible, such as information you might find on a social media network. PIPEDA’s definition is not only specific, it’s restricted to only information appearing in the following:

  • Telephone directories
  • Professional or business directories
  • Government registry information
  • Records of quasi-judicial bodies that are available to the public.

 

What about the do’s? The list is extensive and so not all of them will be added here, but after a thorough reading and re-reading, below are the exceptions relevant to your office:

 

>>Do use or disclose personal information without the patient’s knowledge or consent only . . .

 

“For an emergency that threatens an individual’s life, health or security.”

 

Emergencies are always exceptions to any rule, which is why road rules don’t apply to emergency vehicles: you have to move over for them as they drive, sirens on, the wrong way down a one-way street. The Access to Information and Protection of Privacy says that “Privacy legislation shouldn’t stand in the way of saving a life or providing vital assistance to someone in need.”

 

As an example, provided in part by PIPA’s Guide for Businesses and Organizations, if an employee is being threatened by a patient in the office, the owner may disclose the patient’s personal information to the appropriate agency to prevent that employee from being harmed.

 

>>Do collect, use or disclose personal information without the patient’s knowledge or consent only . . .

 

“If a reasonable person would consider that it is clearly in the interests of the individual and consent cannot be obtained in a timely way or the individual would not reasonably be expected to refuse consent.”

 

Similar to an emergency, this exception exists when the information that needs to be collected, used or disclosed is important to the individual’s life, health, or safety.

 

PIPA’s Guide for Businesses and Organizations gives this example:

“An employee of an apartment building was authorized to disclose medical information about a tenant to 911 dispatch and ambulance attendants when the employee heard the tenant’s home alarm and became concerned for the tenant’s well-being.”

>>Do disclose personal information without the individual’s knowledge or consent only . . .

 

“In connection with a business transaction.” The rule includes the sale or merger of a business or the lease of a company’s assets. Seeing as sales and mergers are playing a huge role when it comes to business, including dental practices, this exception is important to know. As always, certain conditions must be met “to, among other things, protect the information and limit its use.”

 

An example comes from PIPA’s Guide for Businesses and Organizations:

 

ABC Inc. is considering buying Rewind Enterprises, a video rental store. To decide whether to go ahead with the purchase, ABC wants to see some of Rewind’s business records that contain personal information about customers and employees. Rewind may provide these records without the consent of the individuals, as long as ABC has entered into an agreement to protect the information and not to use it for purposes other than its sale. If the deal goes through, ABC may continue to use the personal information for the original purposes for which it was collected. If the deal does not proceed, ABC must return the personal information to Rewind or destroy it. (36)

>>Do disclose personal information without the individual’s knowledge or consent only . . .

 

“To collect a debt the individual owes.” And again, there is a huge BUT coming as this particular exception has been abused in the past. A CBC article reported that a Canadian telecommunications provider “publicly posted the list of 25 overdue customer accounts.” They have since been ordered by the Privacy Commissioner of Canada to take them down.

 

PIPEDA does allow for disclosing personal information to collect on a debt owed to your business, BUT there are lines no one is allowed to cross and this is most definitely one of them. The Privacy Commissioner “has emphasized that disclosure must be made in a reasonable manner and the amount of information disclosed must be limited to what is absolutely necessary to achieve this purpose.”

 

An example, provided in part by PIPA’s Guide for Businesses and Organizations, would be a patient who still owes a debt to your practice but has since moved. You can collect the new address without obtaining the patient’s consent.  

 

When it comes to sensitive information, exception or not, it is your responsibility to keep it secure and limit collection, use and disclosure to only what’s necessary. If you are interested in learning more about these exceptions, the entire detailed list can be found below, along with a number of other resources that have been used in this article.

 

Resources:

  1. http://www.atipp.gov.nl.ca/info/pdf/Guide_to_Privacy_in_an_Emergency.pdf
  2. https://www.cmpa-acpm.ca/en/advice-publications/handbooks/consent-a-guide-for-canadian-physicians
  3. https://www.oipc.ab.ca/media/383666/guide_for_businesses_on_pipa_nov2008.pdf
