Circle of Care

February 13, 2020 - Ron Kruzeniski, Information and Privacy Commissioner

When my office investigates privacy breaches in the health care sector, at times, the defense, the explanation, or the reason given is that one believed they were in the “circle of care”. What is the circle of care? It certainly is not used in The Health Information Protection Act (HIPA). I did find one definition on the Canadian Medical Protective Association (CMPA) website in its “Glossary” at https://www.cmpa-acpm.ca/en/home.

Circle of care
The group of healthcare professionals providing care to a patient who need to know the patient’s personal health information to provide that care.

In using this definition, I note the words “who need to know… to provide that care”. That word “need” is most important.

HIPA, in section 23, deals with the need-to-know. If you define “circle of care” by referring to need-to-know, then one is really echoing the principle set out in section 23 of HIPA.

When people were talking to me, they referred to the “circle of care” as an etched-in-stone concept. I fear many have their own definition of “circle of care”. That creates problems if we all have our own definition. The CMPA definition is one that might create a common understanding of the term.

Dr. Karen Shaw has written an article in “DocTalk” and says this about “circle of care”:

Unfortunately, the use of terminology such as the concept of “circle of care” has led to some of this confusion. The term should be abandoned, as it infers that once a healthcare worker is in the circle of care that person is entitled to access all of the patient’s personal health information. This is incorrect.

There needs to be further discussion on the use and meaning of “circle of care” and how it works in light of section 23 of HIPA. I hope we can have those conversations soon.


