McMaster University


Questions and Answers about PIPEDA and OHIPA for Researchers


  1. What are PIPEDA and OHIPA?
  2. Does PIPEDA apply to research in the hospital and university setting?
  3. If PIPEDA does apply to research, what implications does that have for the research and the researcher?
  4. If PIPEDA does apply to my research, can I collect personal information (i.e. information about an identifiable individual) without consent?
  5. If PIPEDA does apply to my research, can I use or disclose the personal
    information that I have collected without the knowledge or consent of the
    individual?
  6. If PIPEDA does apply to my research, what implications does that have for the
    Institution?
  7. If PIPEDA does apply to my research, what implications does that have for the
    Research Ethics Board?
  8. Does OHIPA apply to research in the Hospital and University Setting?
  9. If OHIPA is passed as it is currently proposed, will it apply to research in the
    Hospital and University setting?
  10. If OHIPA applies to me and/or my institution, what implications does that have for research being conducted in my institution or by me, as a health care practitioner?
  11. If OHIPA comes into force, will I or my institution be able to collect personal health information about an individual (in relation to research or otherwise) without consent?
  12. If OHIPA comes into force, and I am a researcher, but not a health information practitioner or institution, will I be able to access personal health information for the purposes of research without the consent of the individual?
  13. If OHIPA comes into force, what implications does that have for an institution?
  14. If OHIPA comes into force, what implications does that have for the research ethics board?
  15. What does OHIPA require of the research ethics board in research where personal health information is involved?
  16. Now I am really confused. Is there any simple solution?

One

Question: What are PIPEDA and OHIPA?

Answer: PIPEDA stands for the “Personal Information Protection and Electronic Documents Act”. It is federal legislation that protects personal information, including health information. It has been in effect and applicable to Federal government entities since 2001. Its impact was broadened on January 1st, 2004, when it became applicable to the commercial private sector. PIPEDA’s primary purpose is to govern the collection, use and disclosure of personal information in recognition of the realities of electronic commerce. It was not developed to specifically deal with health information.

OHIPA stands for the Ontario “Health Information Protection Act”. It is provincial legislation which is currently in Draft Bill format (Bill C-31). It is currently in the committee hearings process, subsequent to its first reading in the House. OHIPA will provide, for the first time ever in Ontario, consistent, comprehensive rules governing the collection, use and disclosure of personal health information, and it will codify many of the current practices and codes of conduct of health care providers in Ontario. The legislation applies to health information custodians (e.g. health care practitioners, public and private hospitals, pharmacies, etc.). It also applies to non-health information custodians (e.g. researchers, students, private individuals or companies who receive personal health information from a health information custodian).

Underlying both pieces of legislation are 10 “fair information” principles. These principles are set out in the Canadian Standards Association Model Code for the Protection of Personal Information, and they include:

• Accountability;
• Ensuring that the purpose for which information is collected, used and disclosed is identified;
• The need for consent;
• The need to limit collection to the minimum required to accomplish the stated purpose;
• The need to limit use, disclosure and retention to only that which is necessary;
• To ensure accuracy of records;
• To ensure that there are safeguards to protect personal information from unauthorized disclosure or corruption;
• To ensure there is openness and transparency in how the information is used;
• To ensure that there is strong oversight; and
• To ensure that there is the ability to challenge non-compliance with the legislation.


Two

Question: Does PIPEDA apply to research in the hospital and university setting?

Answer: The answer is very unclear. The Act applies only to collection, use and disclosure of information in the course of commercial activities. Principles of statutory interpretation indicate that unless the paramount purpose of the research is profit-related, it is not commercial in character. That would exclude a large amount of research being conducted by the University and the affiliated hospitals.

HOWEVER, the guidance from the Privacy Commissioner’s Office is very ambiguous, and it is very difficult to determine whether or not research is “commercial in character”, given the inter-relations between academia, government and industry.


Three

Question: If PIPEDA does apply to research, what implications does that have for the research and the researcher?

Answer: It means that:

i) The purposes for which personal information (i.e. information about an identifiable individual) is being collected will need to be disclosed to the data subject prior to or at the time it is being collected;

ii) Express or implied consent of the individual to the collection will have to be obtained;

iii) Unless certain criteria (for research) are met, the consent of the individual to the use and disclosure of the information will have to be obtained;

iv) The collection of the information will need to be limited to that which is essential for the disclosed purposes;

v) the use and disclosure of the information will need to be limited to the purposes for which it was collected, unless additional consent is obtained, or certain criteria (for research) are met;

vi) the information should be as accurate as possible, it should be protected by security safeguards appropriate to the sensitivity of the information, care should be used in disposal of the information; and

vi) the individual should be able to access the information or if that is not possible due to the nature of the information and the research, the exceptions to access should be specific, limited and explained to the individual. As noted in the Canadian Standards Model Code, exceptions may include information that is prohibitively costly to provide, information that contains references to other individuals, information that cannot be disclosed for legal, security or other reasons or information that is subject to solicitor-client or litigation privilege.

Four

Question: If PIPEDA does apply to my research, can I collect personal information (i.e. information about an identifiable individual) without consent?

Answer: NO.

Five

Question: If PIPEDA does apply to my research, can I use or disclose the personal information that I have collected without the knowledge or consent of the individual?

Answer: Yes. If the following criteria are met:

• the research purposes cannot be achieved without the information
• it is impracticable to obtain consent
• (for use) the information is used in a manner that will ensure its confidentiality; and
• the Privacy Commissioner is informed of the use or disclosure before it occurs. (See Question Six below.)


Six

Question: If PIPEDA does apply to my research, what implications does that have for the Institution?

Answer: Institutions need to ensure that researchers are aware of their obligations
under PIPEDA and under the TCPS with respect to privacy and confidentiality of
information collected, used and disclosed. In particular, institutions need to ensure that specific policies are enunciated respecting the transfer of personal information between persons and between locations.

The (former) Privacy Commissioner has stated (November 2002) that he and his
Office do not wish to be kept apprised of every single [health] research project
taking place across Canada; however, they do want to be made aware of all the
organizations carrying out such research, and the safeguards under which they
operate. Therefore, institutions should be advising the Privacy Commissioner of
their policies and procedures respecting privacy and confidentiality in research.

Seven

Question: If PIPEDA does apply to my research, what implications does that have for the
Research Ethics Board?

Answer: Firstly, independent of PIPEDA, the Research Ethics Board needs to ensure that the privacy and confidentiality provisions of the TCPS are being met. (Section 3)

Secondly, the Research Ethics Board needs to ensure that the provisions of PIPEDA are being met. That is, they should be ensuring that items i) through vi) in Question Three above are addressed in the research plan, in the consent, in the approval and in monitoring.

Thirdly, Research Ethics Boards need to be aware that PIPEDA, if it applies, is paramount. Accordingly, despite the provisions of the TCPS on Secondary Use (C, Articles 3.3 and 3.4), consent for secondary use of (identifiable) personal information cannot be waived unless the criteria outlined in Question Five are met, including ensuring that the Privacy Commissioner has been made aware of the circumstances (presumably by having had the Institution make the Privacy Office aware of the policies and procedures respecting privacy and confidentiality in research).

Eight

Question: Does OHIPA apply to research in the Hospital and University Setting?

Answer: The legislation as it stands is in draft format only, so it doesn’t apply to any
research at the moment.


Nine

Question: If OHIPA is passed as it is currently proposed, will it apply to research in the
Hospital and University setting?

Answer: OHIPA applies only to personal health information collected, used, or disclosed by a health information custodian. OHIPA is focused on who collects the information; conversely, PIPEDA is focused on the context in which the information is being collected – i.e. commercial use.

A health information custodian includes health care practitioners, public and private hospitals, psychiatric facilities, long-term care facilities, community health centres, program and services, etc. Included within the definition of health care practitioner is anyone who is regulated by the Regulated Health Professions Act, or the Drugless Practitioners Act, a person who is a member of the Ontario College of Social Workers or Social Service Workers who provides health care, and anyone else whose primary function is to provide health care for payment.

Therefore, OHIPA applies to research being conducted at either of the affiliated Hospitals or their various health centres, as well as to research being conducted by anyone at the University who is a health care practitioner as defined by the Act.

OHIPA applies to all personal health information (including mixed information) collected, used or disclosed by a health information custodian, or by a non-health custodian who obtains the information from the health custodian. Personal health information means identifying health information about an individual. So, for example, OHIPA would apply to a survey conducted by a non-health-care practitioner that contains identifying personal health information. It would not apply to a survey conducted by a non-health-care practitioner that contained only aggregate or anonymous (non-personal) health information.

Ten

Question: If OHIPA applies to me and/or my institution, what implications does that have for research being conducted in my institution or by me, as a health care practitioner?

Answer: As a health information custodian, you and your institution are subject to certain
requirements respecting accuracy, accountability, safeguarding and access in relation to an individual’s personal health information, including obtaining consent to the collection, use or disclosure of the information.

These requirements are generally the 10 principles enunciated in the Canadian Standards model code set out above in Question One.

Eleven

Question: If OHIPA comes into force, will I or my institution be able to collect personal health information about an individual (in relation to research or otherwise) without consent?

Answer: No, although consent may be express (orally or in writing) or implied, with some exceptions.

Twelve

Question: If OHIPA comes into force, and I am a researcher, but not a health information practitioner or institution, will I be able to access personal health information for the purposes of research without the consent of the individual?

Answer: Yes, provided you get the approval of a research ethics board, and enter into an agreement with the health information custodian, pertaining to both the use of and the disclosure of the information. The same applies if you are a health care practitioner or a health care institution which wishes to use or disclose personal health information for research purposes without consent of the individual. (Except that in that case you don’t have to enter into an agreement with the health information custodian, if you are the custodian.)


Thirteen

Question: If OHIPA comes into force, what implications does that have for an institution?

Answer: If the institution is a healthcare custodian, it must comply with all of the provisions of the Act, respecting record keeping and management, access, accountability, description of policies etc.

The Institutions or healthcare practitioners must obtain the consent of their individual patients to release personal healthcare information to non-health care providers or for non-health care purposes, unless the REB has waived the requirement for a specific protocol.

Institutions which are health care custodians must also ensure that the researcher has research ethics board approval for his/her research and that the researcher has entered into an agreement with them respecting the use, security, disclosure, return or disposal of the information, consistent with the 10 fair information principles discussed above.

If the institution is not a healthcare custodian, but its researchers are, the institution should ensure that its health-care practitioner researchers comply with all of the provisions of the Act respecting record keeping and management, access, accountability, description of policies etc., in the context of their provision of health care to individuals and the collection and safeguarding of personal health care information.

Fourteen

Question: If OHIPA comes into force, what implications does that have for the research ethics board?

Answer: FIRST: Regardless of whether a protocol involves access to personal health information or not, in the review process, the provisions of the TCPS on privacy/confidentiality should be complied with. (Articles 3.2 – 3.6, pp 3.3 – 3.6)

SECOND: If the research is “commercial in character”, then PIPEDA potentially applies, and the REB should ensure that the provisions of PIPEDA are being met (see Question Seven above).

If the research is commercial in character and involves personal health information, and if OHIPA is recognized by the Governor in Council as being substantially similar to PIPEDA (the likelihood of which is a matter of debate), then PIPEDA does not have to be complied with, and the REB can omit this step.

THIRD: If the research involves “personal health information”, then regardless of whether or not PIPEDA applies (i.e. even if it is not commercial in character), the provisions of OHIPA will also have to be met.

Fifteen

Question: What does OHIPA require of the research ethics board in research where personal health information is involved?

Answer: Section 43 of OHIPA requires that if personal health information is being used or disclosed, then

(2) a written research plan must be submitted to the REB and it must set out

(a) the affiliation of each person involved in the research
(b) the nature and objectives of the research and the public or
scientific benefit of the research that the researcher anticipates;
(c) and all other prescribed matters related to the research (what these may be is yet to be defined)

Section 43 (3) outlines the matters that the research ethics board should consider, including matters that it considers relevant and

(a) whether the objectives of the research could be accomplished without using personal health information (e.g. by using either anonymized or aggregated data);

(b) whether at the time the research is conducted adequate safeguards will be in place to protect the privacy and preserve the confidentiality of the individual;

(c) the public interest in conducting the research and the public interest in protecting the privacy of the individuals whose personal health information is being disclosed; and

(d) whether obtaining the consent of the individuals would be impracticable.

Further, the REB must provide its decision to the researcher in writing, with reasons, setting out the approval of the plan and whether or not it is subject to
any conditions.

Sixteen

Question: Now I am really confused. Is there any simple solution?

Answer: Fortunately, there probably is. CIHR is developing a best practices document respecting the protection of privacy in the design, conduct and evaluation of health research. The provisions of that document are now publicly available. Researchers, REBs and institutions are also advised to review the Principles set out in the Canadian Standards Association Model Code for the Protection of Personal Information and, regardless of the provisions of any legislation and/or the applicability of any legislation, to bring their policies and procedures into line with the principles set out in the model code. Since these principles underlie the Federal and the provincial legislation (in Ontario and other provinces), complying with the Model Code should ensure that researchers, REBs and Institutions are being “duly diligent” in respecting the collection, use and disclosure of personal information in research.


 

 