On April 2nd, the Alberta Court of Queen’s Bench issued a significant judgement on the Alberta Health Information Act, quashing an order by the Alberta OIPC that prohibited disclosure of prescription data to IMS Health.
The Court made two substantive findings. First, it held that the OIPC did not err in limiting the scope of its investigation to disclosures to IMS only, even though a determination on the issue it was investigating could affect other related programs and other parties. Second, and more significantly, it held that the OIPC erred in finding that the Act required consent to disclose data that could be used to profile or detail a prescriber – namely, information about how a prescriber chose to diagnose and treat a patient of a particular age, with a particular condition, and specifically what medication was used, in what dosage, and for how long.
The Court declined to make the order on the basis of IMS’s broader arguments about the nature of “work product information” and health information custodians’ right of expression, so its judgement is technical and confined in its significance (though it’s a nice statutory interpretation decision).
In essence, the Court held that the OIPC read a limitation on the “business card exception” in the definition of “health services provider information” too literally and too broadly in light of the exhaustive statutory definition of “health services provider information. ” This limitation – in section 37(2)(a) – limits the disclosure of business card information (e.g. a prescriber’s name, in the circumstances) where it would reveal “other information about a health services provider.” The Court held that “other information” must mean “other health services provider information” or “other information about the health services provider that cannot be disclosed under the HIA”:
A reasonable approach to statutory interpretation required the Commissioner to recognize that the presumption of consistent expression is only one indication as to the intention of the Legislature. There are also indications of the intention in the statutory context of the HIA. A reasonable decision-maker must consider the competing indications. Is it more likely that the Legislature intended “other information about the health services provider” to have a different meaning than “other health services provider information about the health services provider” because different words are used? Or is it more likely that the Legislature intended the qualification to an exception in ss. 37(2)(a) to drastically expand the scope of protected information under the HIA and to render the apparently exhaustive definition of “health services provider information” virtually meaningless. There is really no contest. The different language used pales in significance when compared with the overall scheme of the HIA. The only reasonable interpretation, when the full context is considered, is that “other information about the health services provider” in s. 37(2)(a) means “other health services provider information” or “other information about the health services provider that cannot be disclosed under the HIA”.
Interpreting s. 37(2)(a) in this way gives the subsection a limited but real role within the scheme of the HIA. It means that the Act’s permission to custodians to disclose business card information without consent applies only where that information does not result in prohibited disclosures under the HIA. Business card information is likely to occur in the same context, perhaps in the same document as other health services provider information. Indeed, it may be the business card information that causes the other information to be individually identifiable. In the absence of s. 37(2)(a), custodians might purport to comply with the HIA by editing out prohibited categories of information while still disclosing the business card information. Because of s. 37(2)(a), business card information in this context must not be disclosed if it would “reveal” the other prohibited information. This is, as I indicated, a limited role. But a limited role is much more to be expected with respect to a statutory provision that occurs as a qualification to an exception, rather than a role that drastically expands the scope and basic definitions of the HIA.
The Ontario Personal Health Information Protection Act does not protect the personal privacy of health care practicioners as does the Alberta health privacy statute. As for PIPEDA, the Privacy Commissioner of Canada has found that prescriber data is “work product information” rather than “personal information.”
IMS Health Canada, Limited v. Alberta (Information and Privacy Commissioner), 2008 ABQB 213 (CanLII).