Guidelines for Developing Codes of Ethics for Health Professional Organizations
These guidelines are designed to assist organizations and regulated professions in developing a code of ethics that addresses access and privacy considerations.
Schedule 1 of the Personal Information Protection and Electronic Documents Act (PIPEDA) contains the ten fair information principles (principles) of the CSA Model Code. PIPEDA applies to organizations that collect, use or disclose personal information in the course of commercial activities. It does not apply to public sector organizations in Saskatchewan bound by The Freedom of Information and Protection of Privacy Act (FOIP) or The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP), but will apply to others, including those health care professionals in private practice.
These principles offer some protection but were not specifically developed with health information in mind. Many Canadian jurisdictions have now enacted specific health information laws like Saskatchewan’s The Health Information Protection Act (HIPA). Policy involving health information, though, is not driven only by what the law requires; it is also affected by the guidelines, codes, bylaws, statements and ethical practices of an assortment of different stakeholder groups. This includes regulatory bodies, which clarify the responsibilities of different health professionals in terms of how to conduct themselves. HIPA is a helpful instrument: not only is it the law of the land, but it also references and incorporates ethical obligations in the following ways:
27(3) A trustee shall not disclose personal health information on the basis of a consent pursuant to subsection (2) unless:
(a) in the case of a trustee other than a health professional, the trustee has established policies and procedures to restrict the disclosure of personal health information to those persons who require the information to carry out a purpose for which the information was collected or to carry out a purpose authorized pursuant to this Act; or
(b) in the case of a trustee who is a health professional, the trustee makes the disclosure in accordance with the ethical practices of the trustee’s profession.
27(4) A trustee may disclose personal health information in the custody or control of the trustee without the consent of the subject individual in the following cases:
(e) if the subject individual is deceased:
(i) where the disclosure is being made to the personal representative of the subject individual for a purpose related to the administration of the subject individual’s estate; or
(ii) where the information relates to circumstances surrounding the death of the subject individual or services recently received by the subject individual, and the disclosure:
(A) is made to a member of the subject individual’s immediate family or to anyone else with whom the subject individual had a close personal relationship; and
(B) is made in accordance with established policies and procedures of the trustee, or where the trustee is a health professional, made in accordance with the ethical practices of that profession;
29(1) A trustee or a designated archive may use or disclose personal health information for research purposes with the express consent of the subject individual if:
(a) in the opinion of the trustee or designated archive, the research project is not contrary to the public interest;
(b) the research project has been approved by a research ethics committee approved by the minister; and
29(2) Where it is not reasonably practicable for the consent of the subject individual to be obtained, a trustee or designated archive may use or disclose personal health information for research purposes if:
(c) in the opinion of the research ethics committee, the potential benefits of the research project clearly outweigh the potential risk to the privacy of the subject individual; and
Rather than health information, HIPA defines and provides the rules for the collection, use and disclosure of “personal health information.” Whereas HIPA places the ultimate responsibility for compliance on the trustee with custody or control of personal health information, ethical codes can raise the bar in terms of the individual responsibility of the health care professional and the organizations he or she represents. Also, because of the limitations of the definition of “trustee” in HIPA, there are some organizations/professionals that may have custody or control of personal health information but to which HIPA will not apply. As such, codes of ethics can play an even more important part in the protection of privacy of the patient in the health care system.
Though codes of ethics vary from profession to profession, the following are some common elements/language specifically pertaining to privacy and confidentiality that the Saskatchewan Information and Privacy Commissioner views as fundamental:
1. Personal health information acquired in any practice shall be kept in strict confidence, except as required by law.
2. Respect and protect patient confidentiality and privacy by understanding and complying with applicable privacy legislation, regulatory requirements, agreements and the employer’s policies regarding the collection, use, and disclosure of personal health information.
3. Protect personal health information by collecting, storing, using and disclosing it in compliance with relevant legislation, agreements and employer policies that include physical, administrative and technical safeguards/controls.
4. Provide information reasonable in the circumstances to patients about the reasons for the collection, use and disclosure of their personal health information.
5. Ensure that personal health information is recorded accurately and completely and that a process is in place to accommodate requests for correction/amendment.
6. Use or disclose a patient’s personal health information only pursuant to the patient’s consent, for the purpose of providing care to the patient or for the purpose for which it was obtained unless otherwise authorized by law.
7. Upon a patient’s request, provide the patient, or his or her legal representative, with a copy of his or her personal health information, unless not authorized by law or if doing so could cause serious harm to an individual’s physical or mental health.
8. Respect the right of people to have a measure of control over the collection, use, access and disclosure of their personal information. Rely on express or implied consent wherever possible.
9. Collect, use and disclose personal health information on a need-to-know basis with the highest degree of anonymity possible in the circumstances.
10. When required to disclose information for a particular purpose, disclose only the amount of information necessary for that purpose and inform only those necessary.
11. Do not abuse the ability to access information by accessing health-care records, including an individual’s own records, a family member’s or any other individual’s, for purposes inconsistent with the organization’s professional obligations or if unauthorized by law.
12. Maintain confidentiality in creating, storing, accessing, transferring and disposing of records in the organization’s custody or control.
13. Report any situation where personal health information is accessed or disclosed without appropriate consent or legal authority, whether deliberately or through error.
14. Perform, to the highest standards, only those duties within assigned authority as outlined in licensing/certifying and regulating legislation within the provincial, territorial or federal jurisdictions governing one’s profession.
Please note that the above clauses could be used in a code of ethics, but an organization need not select or use all of them. An organization can modify them for its own purposes.