Best Practices for Gathering Informed Consent and the Content of Consent Forms
In The Freedom of Information and Protection of Privacy Act (FOIP), The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP) and The Health Information Protection Act (HIPA) consent is sometimes required for the collection, use or disclosure of personal information (PI) or personal health information (PHI).
Where consent is required all three of the statutes require that the consent:
- must relate to the purpose for which the information is required;
- must be informed;
- must be given voluntarily; and
- must not be obtained through misrepresentation, fraud or coercion.
The statutes also provide that:
- A consent may be given that is effective for a limited period.
- Consent may be express or implied unless otherwise provided.
- An express consent need not be in writing.
See section 18 of the FOIP Regulations, section 11 of the LA FOIP Regulations and section 6 of HIPA.
Express consent is informed and voluntary. Consent is informed when the individual knows the purpose for the collection, use and/or disclosure, that they can withhold or revoke their consent and the consequences of doing so. Each individual for which consent is sought has different needs in regards to ensuring ‘informed consent’. Individuals have different levels of literacy, English proficiency, cognitive impairments, learning disabilities, hearing or vision impairments, stress and time pressures. Organizations should adjust the consent process to the needs of the individual. Organizations that receive consent forms electronically should adapt these best practices to ensure individuals are still able to give informed consent.
Best Practices for Gathering Informed Consent
Section 18 of the FOIP Regulations, section 11 of the LA FOIP Regulation and section 6 of HIPA indicates that a consent to the collection, use or disclosure of personal health information is informed if the individual who gives the consent is provided with the information that a reasonable person in the same circumstances would require in order to make a decision about the collection, use or disclosure of personal health information.
The following are best practices for gathering informed consent from individuals for the collection, use and/or disclosure of PI or PHI:
1. Ensure individuals know why their PI or PHI is being collected
To be informed, the explanations given to individuals should be clear and complete. Stating that the information is being collected for ‘research purposes’ or ‘to process a claim’ would be too vague and not specific enough.
2. Ensure individuals know how their PI or PHI will be used.
Individuals should be fully informed of all the ways the organization intends to use their PI or PHI. Incomplete and vague explanations leave individuals without the proper knowledge to consent. In addition, long written explanations (more than 1 page) that use highly technical language make it less likely that individuals will read it or understand it. Make it ‘user friendly’. Consider providing information, brochures or fact sheets that can be taken home by individuals that outline the potential purposes of collection and uses of the information.
3. Ensure that individuals know that they have the right to refuse or revoke their consent.
Consent from individuals must be given freely and without threat or coercion. The threat of not receiving a necessary service, if consent is not given, interferes with an individual’s right to refuse or revoke their consent. Employees should be aware of when consent is required to deliver a service so they can properly inform individuals of the consequences of not providing consent. Some services can still be provided without the full collection and use of PI or PHI. Employees require clarity on what is essential and what is not. Consider developing policies and procedures to guide employees in this regard.
4. Ensure your organization has clear policies and procedures regarding the collection, use or disclosure of PI and PHI with appropriate enforcement policies that coincide.
Improper behavior on the part of employees is not uncommon when it comes to the use of consent forms. Organizations should ensure its employees do not pressure, coerce or threaten individuals into agreeing to sign consent forms. Consider training, written policies and procedures and enforcement mechanisms.
The Content of Consent Forms
The following are some best practices for the content of consent forms:
1. Ensure consent forms are time limited
Consent is not intended to be indefinite for the collection, use and/or disclosure of PI or PHI. Consent forms should have a beginning and end date which covers the amount of time that the consent remains valid and is actually needed by the organization.
Research has shown that consent forms with definite expiration dates (6 months or less) are more likely to be signed by individuals. They are less likely to be comfortable signing it if the expiration is ambiguous.1
1 Bolcic-Jankovic, Dragana et al. 2007. “Do Characteristics of Consent Forms Affect the Response Rate?” Center for Survey Research, University of Massachusetts: Boston.
2. Ensure consent forms are information specific (data minimization /avoid over-collection)
The consent form should outline the specific types of PI or PHI that is being collected, used and/or disclosed. This assists in reducing risks such as over-collection. Organizations should collect, use and/or disclose the least amount of PI or PHI necessary for the purpose. To ensure this, organizations should know prior to the collection, use and/or disclosure what is needed.
For example, if an individual’s medical information is needed, the consent form should be specific as to what type of information is being collected, used and/or disclosed. Rather than “the entire medical record” it could state “only psychological assessments, physical assessments and medication history”.
3. Consent forms should be signed by both the individual and the employee presenting the consent form
To ensure authenticity, consent forms should be signed by both parties to the consent form. It is important that the employee of the organization also sign as they are responsible for having properly acquired the consent should problems arise. This, of course, would need to be adapted for consent forms received electronically. There should be one consent form for each person whose PI or PHI is involved.
4. Consent forms should include the specific names of the involved parties that will be collecting or disclosing the PI or PHI (need-to-know principle)
Consent forms should have the name of the sending party and the name of the party that will receive it. This ensures that the scope of the collection and disclosure is limited to the individuals identified.
Option: Consider using a ‘teach back’ method whereby individuals repeat back their understanding of the consent form. This will lead to correction of misunderstandings or missing information.
More Information About Consent
For more information about consent, please see the following resources on the IPC website:
- IPC Guide to HIPA
- Blog: Access and Privacy Rights of Minors Online
- Blog: Who signs for a child?
- Blog: Deemed Consent in HIPA – What is it?