Health Information and Privacy Impact Assessments
Abstract
The Romanow Report recommends that “Canadians should have ownership over their personal health information, ready access to their personal health records, clear protection of the privacy of their health records, and better access to comprehensive and credible information about health, health care and the health system”. Privacy is an individual’s right to control the circulation of personal information. Confidentiality is the obligation of a person or organization to protect personal information. Health providers, information managers, health informaticians and others are the custodians of personal health information entrusted to them by the most vulnerable members of the population, those seeking medical services. They are duty-bound to respect the individual’s privacy rights. Proper management of this personal health information is essential to maintain confidentiality and to prevent the misuse or unjustified use of this sensitive information. The need to protect the privacy of health information has never been greater. Increasingly, personal health information must flow and be exchanged through the use of technology, including electronic patient records. So how are health information custodians ensuring that they meet their obligation to protect this sensitive information? The current privacy laws in Canada are a patchwork of legislation, with separate rules for the private sector and the public sector. How is this information going to flow across federal, provincial and territorial jurisdictions? These are all very important questions. These subjects are discussed in this internship report; however, the focus is on the early detection of privacy problems. The key subject is the use of Privacy Impact Assessments (PIA). A PIA is a front-line privacy defence tool that is also valuable for identifying privacy risks and documenting mitigation strategies. It provides a methodology for ensuring this sensitive information is protected and should be used on all systems which collect, use or disclose personal information.