Since 2015, 14 cyberattacks have occurred against Canadian healthcare systems [Harish et al., 2023]. Nine of those attacks involved ransom demands, and at least six were believed to have compromised patients’ health records.
Patient privacy is a cornerstone of ethical healthcare practice, safeguarding individuals’ personal information and ensuring their autonomy and dignity are respected. In Canada, robust legal frameworks exist to preserve patient privacy rights, but as the statistics above show, challenges persist in an increasingly digitized and interconnected healthcare landscape.
Patient advocacy groups play a crucial role in addressing these challenges, advocating for legislative reforms, holding institutions accountable, and empowering patients to assert their privacy rights. Through their efforts, these organizations contribute to fostering a culture of respect for patient privacy and upholding the principles of ethical healthcare practice in Canada.
The Legal Landscape
Canada boasts comprehensive legislation to protect patient privacy, most notably the Personal Information Protection and Electronic Documents Act (PIPEDA) – the federal law that governs the collection, use, and disclosure of personal information by organizations – as well as provincial health privacy laws governing the collection, use, and disclosure of personal health information by public and private sector entities, including healthcare providers, insurers, and government agencies.
Under these regulations, healthcare providers must obtain consent before accessing and disclosing patient information, except in specific circumstances outlined by law. Additionally, stringent security measures are mandated to safeguard patient data against breaches or unauthorized access.
Privacy Laws by Province/Territory
Alberta
- Freedom of Information and Protection of Privacy Act (FOIP): public sector privacy law in AB
- Personal Information Protection Act: private sector privacy law in AB
- Health Information Act: privacy law relating to health records in AB
British Columbia
- Freedom of Information and Protection of Privacy Act (FOIPPA): public sector privacy law in BC
- Personal Information Protection Act (PIPA): private sector privacy law in BC
- Personal Health Information Access and Protection of Privacy (E-Health) Act: privacy law relating to health records in BC
Manitoba
- Freedom of Information and Protection of Privacy Act (FIPPA): public sector privacy law in MB
- Personal Health Information Act (PHIA): privacy law relating to health records in MB
New Brunswick
- Right to Information and Protection of Privacy Act (RTIPPA): public sector privacy law in NB
- Personal Health Information Privacy and Access Act (PHIPAA): privacy law relating to health records in NB
Newfoundland and Labrador
- Access to Information and Protection of Privacy Act (ATIPP): public sector privacy law in NL
- Personal Health Information Act (PHIA): privacy law relating to health records in NL
Northwest Territories
- Access to Information and Protection of Privacy Act (ATIPPA): public sector privacy law in NWT
- Health Information Act: privacy law relating to health records in NWT
Nova Scotia
- Freedom of Information and Protection of Privacy Act (FOIPOP) and the Privacy Review Officer Act: public sector privacy laws in NS
- Personal Health Information Act: privacy law relating to health records in NS
Nunavut
- Access to Information and Protection of Privacy Act (ATIPP): public sector privacy law in NU
Ontario
- Freedom of Information and Protection of Privacy Act (FIPPA) and Municipal Freedom of Information and Protection of Privacy Act (MFIPPA): public sector privacy laws in ON
- Personal Health Information Protection Act (PHIPA): privacy law relating to health records in ON
PEI
- Freedom of Information and Protection of Privacy Act (FOIPP): public sector privacy law in PEI
- Health Information Act: health information law in PEI
Québec
- Act Respecting Access to Documents Held by Public Bodies and the Protection of Personal Information: public sector privacy law in QC
- Act Respecting the Protection of Personal Information in the Private Sector: private sector privacy law in QC
- An Act respecting health services and social services; the Health Insurance Act; and the Act respecting the Régie de l’assurance maladie du Québec: privacy laws relating to health records in QC
Saskatchewan
- Freedom of Information and Protection of Privacy Act (FOIP) and Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP): public sector privacy laws in SK
- Health Information Protection Act (HIPA): privacy law relating to health records in SK
Yukon
- Access to Information and Protection of Privacy Act (ATIPPA): public sector privacy law in YT
- Health Information Privacy and Management Act (HIPMA): privacy law relating to health records in YT
Tension Between Patient Privacy and Research Advancement
Patient data and healthcare records are a valuable commodity. As such, attempts to hack electronic health records are a concern, and the proliferation of wearable health devices and telemedicine platforms raises additional concerns about data security and privacy breaches. Balancing the need for privacy with the convenience of using smart technologies to collect data is extremely difficult. Furthermore, the multidisciplinary nature of healthcare systems, where multiple stakeholders and information-sharing networks communicate with each other, may increase the risk of privacy violations. Whether through negligence or malicious intent, jeopardizing patient privacy can weaken patients’ trust in the healthcare system.
That said, there are clear benefits to collecting and sharing comprehensive health information for research, treatment, and public health purposes. Patient registries, for example, provide crucial data, which can help develop new therapies, inform healthcare providers about best practices, and identify emerging health threats. Addressing the tension between privacy and data utility requires transparency, ethical oversight, patient engagement, and privacy-enhancing technology, such as encryption and anonymization.
Role of Advocacy Groups
Patient advocacy groups are essential for striking this balance. First and foremost, through resources and support, they can educate patients, caregivers, healthcare professionals, and the public about the importance of patient privacy in research and empower patients to take control over their health information. Second, they can advocate on behalf of patients for stronger privacy protections in research through legislation or by working directly with research administrators. Through these and other methods, patient advocacy groups enable individuals to make informed decisions about the sharing of their personal health data and advocate for their privacy rights within healthcare settings.