This document was developed to provide guidance to health care fundraising professionals regarding Ontario Bill 31, the Personal Health Information Protection Act, 2003. It answers some of the more commonly asked questions regarding the impact of Bill 31 and its relationship to the federal Personal Information Protection and Electronic Documents Act (PIPEDA).
This document was prepared by a privacy working group of national fundraising and charity organizations, including the Association for Healthcare Philanthropy (AHP), the Association of Fundraising Professionals (AFP), the Association of Professional Researchers for Advancement (APRA), and the Canadian Centre for Philanthropy (CCP). At the time of release of this document, both AFP and AHP have indicated their intention to make a formal submission to the Ontario government on Bill 31.
Some of these questions can be found in another document developed by the privacy working group, “Frequently Asked Questions Regarding Charitable Fundraising & PIPEDA.” However, the answers in this guide have been modified in some cases to reflect the requirements and legislative language of Bill 31.
As of this writing, the Bill had only received its First Reading. Thus, some parts of the Bill may change as it moves through the legislative process. The resource material provided in this document and the accompanying appendices is for general information purposes only. The material reflects interpretations and practices regarded as valid as of the date the document was released based on available information at that time. The material is not intended, and should not be construed, as legal advice or opinion nor is it intended to be endorsed as lawful practice. Organizations concerned about the applicability of privacy legislation to their activities are advised to seek legal advice based on their particular circumstances.
CATEGORY A – PERSONAL HEALTH INFORMATION AND CONSENT
QUESTION #1: Is there any reference to fundraising in the recently introduced Bill 31, the draft Personal Health Information Protection Act, 2003?
ANSWER #1: If enacted, Bill 31 would apply only to health information custodians in Ontario, including healthcare fundraisers. (If you’re a healthcare fundraiser in another jurisdiction, then you may already be covered by other provincial privacy legislation.) [1]
Section 31 of the draft Act states, “A health information custodian shall not collect, use or disclose personal health information about an individual for the purpose of fundraising activities unless the individual expressly consents and the custodian collects, uses or discloses the information, as the case may be, subject to the prescribed requirements and restrictions, if any”.
What This Means For You:
Note that the draft Act contains a specific reference to healthcare fundraising – which is a specific information handling activity – and not simply to healthcare fundraisers in general. This means that even if your hospital foundation or charity is a separate legal entity from the hospital or healthcare organization for which you raise funds, Section 31 of the draft Act would still apply to you.
QUESTION #2: What are the implications of an “express consent” requirement in Bill 31? Will consent need to be written? Or can it be obtained verbally and recorded by the individual receiving the information to share with a foundation?
ANSWER #2: First, let’s start by analyzing the requirement for “express consent” in Bill 31. “Express consent” is not actually defined in the Bill, nor is it defined in the federal Personal Information Protection and Electronic Documents Act (PIPEDA). However, data protection specialists [2] generally understand express consent to mean that an individual must explicitly indicate his or her consent to the collection, use or disclosure of his or her personal information for a specific purpose at the time of or before the information collection, use or disclosure takes place.
Express consent can be obtained orally or in writing, but there has to be a substantive, “yes, you may use my information”. This is different from “implied consent”, which means that an individual can reasonably be assumed to have consented to the collection, use or disclosure of his or her personal information, with that reasonable assumption usually resting on how well informed the individual was about the collection, use or disclosure of his or her personal information. Absent express consent, an organization would have to demonstrate that the individual had every opportunity to know that his or her personal information was going to be collected, used or disclosed for a specific purpose, and that armed with this knowledge, the individual persisted with the action that resulted in the information flow.
What This Means For You:
There is nothing in Bill 31 that states that healthcare fundraisers, hospitals or other healthcare organizations must obtain express consent in writing. This means that under Bill 31, healthcare fundraisers, hospitals and other healthcare organizations could obtain express consent for the collection, use or disclosure of an individual’s personal health information for fundraising purposes using a variety of methods.
For example, a hospital might include a clause on its registration form asking patients to check off a box indicating that they give the hospital foundation permission to solicit them. Or a patient’s physician could speak directly to the patient about participating in hospital fundraising activities, and then indicate in the patient’s chart that he or she has consented to the collection, use or disclosure of his or her personal information for fundraising purposes. Or the hospital could send a letter to patients after they are discharged asking them for their permission to use their personal information for fundraising purposes. The letter should include a postage-paid return envelope, and a telephone number or email address that patients can use if they want to opt out of fundraising activities.
The working group will verify with the Ontario government and the Office of the Ontario Information and Privacy Commissioner whether the letter could indicate that if the hospital does not hear back from the patient within a specific time period (e.g. 30 days), the hospital can assume that the patient is willing to be solicited.
QUESTION #3: How is “express consent” different from “notice”? Are there any circumstances under Bill 31 in which Ontario healthcare fundraisers could obtain consent to collect, use or disclose personal health information through notice?
ANSWER #3: The implications of an express consent requirement for Ontario healthcare organizations are enormous, and a source of great concern for grateful patient programs across the province. Many fundraisers are wondering if they can rely on notice to obtain consent for the collection, use and disclosure of personal health information.
Notice is the use of signs, letters, posters, patient brochures, email broadcasts and notices on forms and/or a healthcare organization’s web site about its privacy policies and procedures. Section 18.5 of the draft Act allows health information custodians to use notices to inform patients about the purposes for which an organization collects, uses and discloses personal health information, unless it is “not reasonable in the circumstances”.
The question then, of course, is whether or not it is “reasonable” for hospitals and healthcare fundraisers to use notice as a primary means to obtain consent from patients for the collection, use and disclosure of their personal health information for fundraising purposes (instead of express consent).
Because Bill 31 creates a separate, specific clause requiring express consent for the collection, use or disclosure of personal health information for fundraising purposes, it is doubtful that the draft Act will permit Ontario healthcare organizations to obtain consent for the collection, use or disclosure of personal health information for fundraising purposes through notice alone. However, the organizations comprising the working group will outline the significant disadvantages of an express consent requirement for healthcare fundraising in their submissions on Bill 31 to the Ontario government. The submissions will also discuss the merits of an opt-out-consent-through-notice requirement.
What This Means For You:
Simply because Ontario hospitals and other healthcare organizations may be required to obtain express consent for the collection, use and disclosure of personal health information for fundraising purposes in the future (if Bill 31 comes into effect), does not mean that healthcare fundraisers should abandon the use of notices. Clearly written, easy-to-understand notices in multiple formats (e.g. on signs, posters, bulletin boards, and the web, and in donor literature, donor letters and brochures) provide patients with multiple opportunities to learn more about the benefits of fundraising and to opt into or out of fundraising at their convenience. Moreover, if the working group is going to successfully argue in its submissions that notice should replace a specific provision for express consent for the collection, use and disclosure of personal health information for fundraising purposes, then Ontario healthcare organizations must use notices liberally throughout their organizations and donor materials.
QUESTION #4: What is the definition of “personal health information” under Bill 31 and does it include non-health information such as a patient’s name, title (e.g. Mr., Ms., Dr.), mailing address, email address or telephone number?
ANSWER #4: Personal health information is defined in section 4 as: “identifying information about an individual in oral or recorded form, if the information:
(a) relates to the physical or mental health of the individual, including information that consists of the medical history of the individual’s family,
(b) relates to the providing of health care to the individual,
(c) is a plan of service within the meaning of the Long-Term Care Act, 1994 for the individual,
(d) relates to payments or eligibility for health care in respect of the individual,
(e) relates to the donation by the individual of any body part or bodily substance of the individual or is derived from the testing or examination of any such body part or bodily substance,
(f) is the individual’s health number, or
(g) identifies a provider of health care to the individual or a substitute decision-maker of the individual.”
You can see from the above definition that demographic information about an individual – such as a person's name, title, mailing address, email address, or telephone number – is not specifically covered in the above definition of personal health information, although such information is classified as "identifying information" under the Act. As such, this leaves a critical question for Ontario healthcare fundraisers: if express consent is required for the collection, use and disclosure of personal health information only, what are the rules under the draft Act for collecting, using and disclosing identifying, non-health information?
Before answering this question, the working group must obtain clarification from the government as to whether the types of demographic information described above can rightly be excluded from the definition of “personal health information” contained in section 4 of the draft Act. If the definition of “personal health information” does exclude identifying, non-health information, however, then hospitals and other healthcare organizations need to know that there are no specific rules in the draft Act governing the collection, use and disclosure of identifying, non-health information for healthcare fundraising.
What This Means For You:
If express consent is required for the collection, use and disclosure of personal health information only (and not identifying, non-health information), this means that healthcare fundraisers may be able to obtain personal demographic information from the hospitals or healthcare organizations with which they are affiliated as long as these organizations inform their patients of this practice through notice. The working group will ask for clarification from the Ontario government on the types of identifying information that could be included in this category (e.g. a patient’s name, title, mailing address, email address or telephone number).
In the meantime, however, healthcare fundraisers should prepare for a “worst-case” scenario – e.g. the Ontario government may have intended to classify basic demographic information as “personal health information” and may require hospitals and other healthcare organizations to obtain express consent from patients before collecting, using or disclosing such information for fundraising purposes.
CATEGORY B – HOW THE WORKING GROUP WILL RESPOND TO BILL 31
QUESTION #5: How can Ontario healthcare fundraisers proactively communicate their concerns on the potential negative impact Bill 31 may have on philanthropy and support for their patient communities?
ANSWER #5: The Ontario government is accepting written submissions on Bill 31 until February 6, 2004. AHP Canada and AFP are currently preparing separate submissions, which they hope to present to one or more of the Standing Committees on Government in Toronto, London, Sault Ste. Marie and Kingston. These meetings will take place in late January and early February. In addition, it is important to remember that Bill 31 is not yet law; it has only had first reading, and if it is passed, it will not come into force before July 1, 2004. So, there is some time for Ontario healthcare organizations to prepare for the legislation, and, hopefully, to also help shape the legislation’s contents.
What This Means For You:
Ontario healthcare fundraisers wishing to submit a response to Bill 31 on behalf of their organization should consult the information on the Ministry of Health and Long Term Care’s web site: http://www.ontla.on.ca/committees/general_government.htm.
In addition, as the members of the working group prepare their submissions for Bill 31, you may receive requests for information from some members to be included in their submission. For example, AHP Canada is looking for information on: fundraisers’ current privacy practices and cost projections on the impact of provincial privacy legislation on the healthcare fundraising sector.
QUESTION #6: What will the presentations and written submissions from AFP and AHP Canada focus on?
ANSWER #6: In general, the written submissions from the working group will:
Acknowledge the opportunity to participate in the consultation process and continue to advocate for involvement in regulation.
Encourage the government to handle the “consent issue” for fundraisers by legislating an opt-out, implied consent through notice for the collection, use or disclosure of personal, non-health information – e.g. healthcare foundations and hospitals would have to inform patients through notice that their demographic information will be used for fundraising purposes. Patients would be given meaningful opportunities at multiple points in the care delivery cycle to opt out of fundraising. Healthcare foundations and hospitals could solicit patients who fail to indicate that they do not wish to participate in healthcare fundraising. Healthcare foundations and hospitals wishing to collect, use or disclose personal health information for fundraising purposes would require express consent from patients.
Educate the Standing Committee on Government about current data protection safeguards already in place at several Ontario healthcare fundraising organizations. These include: the new privacy policies and practices based on the CSA Model Code in preparation for PIPEDA; the Donor Bill of Rights and each organization’s Statement of Professional Standards and Conduct; the Privacy 101 Guide (developed by the working group); and the industry’s ability to deal effectively with a relatively small number of privacy-related complaints (versus the large value of philanthropic contributions).
Educate the Standing Committee on Government on the urgent need for healthcare fundraising to: purchase new medical equipment and diagnostic technologies that will reduce wait times and improve clinical outcomes; help cover the capital costs for restructuring the province’s public hospitals (estimated between $6-$7 billion in 2002); support health research in geriatric medicine as the Canadian population ages; help Ontario hospitals recover from the devastating effects of SARS; and support new infection prevention controls and research in communicable diseases.
What This Means For You:
The points expressed above represent a short, high-level summary of the major issues the members of the working group will raise in their submissions on Bill 31 to the Ontario government.
CATEGORY C – OPERATIONAL ISSUES FOR ONTARIO FUNDRAISERS
QUESTION #7: My hospital has placed a hold on the transfer of patient names and addresses to the Foundation as if Bill 31 is already law. The hospital believes that it will first need to obtain written consent from patients before disclosing patient names and other information. What can I do?
ANSWER #7: Bill 31 is not yet law (and may not even become law), so it is premature for your hospital to withhold patient names and other demographic information required for fundraising purposes. As such, the working group recommends that you talk to your hospital immediately about the status of Bill 31 – e.g. the legislation is only in draft form at this time, and, therefore, there is currently no legal reason to withhold patient names and other demographic information from hospital foundations. You might also want to direct your hospital to this set of Frequently-Asked-Questions on the new draft legislation, so it can see that the privacy group will be asking the government for an opt-out consent through notice for hospital foundations and healthcare fundraisers.
What This Means For You:
In addition to the above, the working group also recommends that Ontario foundations open a dialogue now with their affiliated organizations (if they have not already done so), so that they can work jointly to begin developing a privacy management plan to prepare for Bill 31, in the event the draft legislation is passed.
For more information on how to develop a privacy management plan, see the Guidelines for Managing Privacy, Data Protection and Security for Ontario Hospitals from the Ontario Hospital Association’s E-Health Council (July 2003). [3] The Guidelines contain a sample privacy policy, a sample data sharing agreement, a sample job description for a Privacy Officer, and other information on best privacy practices in the Ontario healthcare sector. If healthcare foundations implement the recommendations in the Guidelines now, then they should have a large part of the “privacy infrastructure” in place to deal with PIPEDA or Bill 31. The Guidelines are also supported by the Ontario Information and Privacy Commission, which served on the Privacy and Security Working Group that produced the Guidelines.
Finally, here are some options for dealing with the consent/opt-out issue:
Contact all your donors by mail or telephone and seek consent for the continued collection, use and disclosure of their personal information for fundraising purposes.
Provide a phone questionnaire that donors could answer when they call to “opt out” of fundraising. The questionnaire should be specific about the donor’s preferences. For example, sometimes donors are interested in receiving mail solicitations, but simply want to be removed from a telemarketing list.
Provide a survey on solicitations that includes an annual opt-out option so you always have an up-to-date list of donors or prospective donors who do not wish to be contacted. This might also be included in a welcome package for new donors.
Provide a brochure to donors on your privacy practices that includes an opt-out option. Don’t be concerned that openness with donors about your privacy practices will inhibit fundraising. For example, one large Ontario healthcare foundation recently circulated 8,000-10,000 privacy brochures to donors, and only one donor requested to be removed from the organization’s fundraising lists!
Ensure your opt-out language contains enough specific information for donors to understand what activities they may be opting out of. For example, simply asking donors if they wish to be removed from mailing lists may mean that you will no longer send them annual reports or donor newsletters, when, in fact, donors may be interested only in being removed from solicitation mailing lists!
Present opt-out options in multiple formats – e.g. check-off boxes on paper and web forms; easy-tear, mail-in cards inserted in donor newsletters; scripts for telemarketing staff to handle verbal opt-out requests, etc.
Ensure your opt-out options are user-friendly. For example, privacy notices should be clearly written, easy to read (e.g. Grade 6 language), and published in multiple languages, if appropriate. You also need to make it simple for donors to opt out of your fundraising activities by providing them with a mailing address, email address or even a toll-free telephone number where they can indicate their opt-out preferences. For more information on opt-out mechanisms, consult the Privacy Commissioner of Canada’s web site at http://www.privcom.gc.ca.
QUESTION #8: Under PIPEDA or Bill 31, can my organization continue to collect and use information found in traditional research sources when preparing donor and prospect profiles?
ANSWER #8: Your organization should only collect the personal information that is necessary to fulfill your stated purposes and is to be used in the near future.
What This Means For You:
When in doubt, consider what type of information a “reasonable person” would expect your organization to collect and use for each of your fundraising activities.
QUESTION #9: How should my organization treat personal information used for planned giving?
ANSWER #9: Neither PIPEDA nor Bill 31 deals specifically with the issue of planned giving. However, there are best practice guidelines your organization should follow.
What This Means For You:
Best practice guidelines suggest that all personal information, especially sensitive personal information, should be treated with the utmost of care. Consult your organization’s privacy or security policy for information on the appropriate safeguards for protecting personal data.
QUESTION #10: Stewardship – Can my organization continue to publish donor lists?
ANSWER #10: Again, neither PIPEDA nor Bill 31 deals specifically with this issue. However, there are best practice guidelines your organization should consider.
What This Means For You:
Best practice guidelines suggest that when thanking a donor, your organization should include information that his or her gift will be recognized within a specific range and mention the type of vehicle in which it will appear (e.g. newsletter). Include an opportunity to opt-out in the thank you letter. You may also want to consider whether your organization will publish donor names on its website without express consent since the Internet offers such a potentially wide audience.
QUESTION #11: Under PIPEDA or Bill 31, can a charity continue to print the names of those individuals that they have received bequests from in their donor newsletters without permission from the deceased individual's estate?
ANSWER #11: It is the opinion of the privacy working group that the printing of donor names from bequests is not a commercial activity, and, therefore, PIPEDA does not apply in this circumstance. If the government passes Bill 31, the provincial legislation would cover this type of activity, although the draft Act does not specifically mention the issue of publishing donor information on bequests.
What This Means For You:
Hospital foundations and healthcare fundraisers should exercise “best privacy practices” in the absence of provincial health privacy legislation or the applicability of PIPEDA in this area. If possible, hospital foundations and healthcare fundraisers should try to inform the executor or the next of kin about their intent to publish a donor’s name.
QUESTION #12: My organization doesn't have a check off box if online donors want future correspondence. Does this mean my organization is prohibited from soliciting past online donors who were never given the option to say whether they wanted future correspondence or not?
ANSWER #12: Most data protection laws in Canada hinge on the privacy expectations of what a “reasonable person” would consider appropriate under specific circumstances. Hospital foundations and healthcare fundraisers who have already received online donations from individuals or who have corresponded with donors online can reasonably assume that these donors have already consented to the collection, use and disclosure of their personal information for this activity by virtue of the fact that they have made online donations to the organization in the past or they have participated in online donor communications in the past (i.e. consent is already implied for this activity). Under Bill 31, it would not be necessary to “re-consent” donors in this circumstance, unless your organization was going to use information previously collected for a new purpose.
What This Means For You:
Many charities have not communicated with their donors by email, and would like to solicit them or correspond with them in this manner in the future. Charities are advised to solicit donors through email only if they have invited donors to support similar programs through other means (e.g. telephone, mail). In this case, it would be reasonable for a donor to receive electronic communications from your organization.
However, it is recommended that donors be given the option to opt out of online communications. Here is a sample opt-out clause for an email solicitation:
"You have been a generous supporter of the XXXXX with a past online donation. We want to thank you for your past generosity and we also want to ask you if you're willing to receive future electronic correspondence from the XXXXXX. If you don't want to receive email fundraising appeals from us in the future, please send a message to feedback@XXXXXX with the word "unsubscribe" in the subject line. For more information about our privacy practices, contact [insert appropriate web address and name and contact information for your organization’s Privacy Officer]"
QUESTION #13: Under PIPEDA or Bill 31, can I continue to collect and use information to prepare call reports?
ANSWER #13: Neither PIPEDA nor Bill 31 deals specifically with this circumstance. However, there are best practice guidelines your organization should consider.
What This Means For You:
For example, when talking to a donor or prospect during a call, your organization should ask him or her for permission to take notes and to retain the information in the donor’s or prospect’s secure, confidential file. Note the permission in the file. Your organization can also remind the donor or prospect that he or she has the right to access his or her own file. Self-presented information is acceptable as long as it is documented in the file. Make sure your organization presents observational notes in a way that would not be offensive to the donor or prospect if he or she were to read their file at a later date.
QUESTION #14: Under PIPEDA or Bill 31, can volunteers still give hospital foundations and healthcare fundraisers names for event mailings and campaigns?
ANSWER #14: The working group believes that these instances do not fall under the definition of "commercial activity" (as it relates to PIPEDA), in which case you are not bound by the legislation for this activity. However, the working group strongly recommends a "best practice" approach to the collection, use and disclosure of personal information for all information-handling activities. For example, hospital foundations and healthcare fundraisers should ensure that the first contact with prospects includes a straightforward opt-out after receiving a “tip” or a “lead” from a volunteer. Also, event mailing lists must never be sold, rented or traded without express consent.
Under Bill 31, volunteers could still provide hospital foundations and healthcare fundraisers with names for event mailings and campaigns. (For example, a volunteer may hear at a cocktail party that a particular individual may be interested in supporting a specific fundraising event). However, the volunteer would be prevented from disclosing any personal health information about the individual without his or her consent, and the same “best practice” approach is still recommended – e.g. hospital foundations and healthcare fundraisers should ensure that the first contact with the prospect includes a straightforward opt-out, and hospital foundations and healthcare fundraisers must never sell, rent or trade event mailing lists without express consent.
What This Means For You:
Bill 31 and many other provincial privacy laws apply to volunteers if volunteers have access to personal information. As a hospital foundation or other healthcare fundraiser, this means you cannot assume that volunteers are “exempt” from privacy requirements and penalties in Bill 31 (or other privacy laws) simply because volunteers are not employees or contractors of your organization. The same is also true of other individuals who may not have “employee status”, but who still may have access to personal information, such as students, researchers, physicians, consultants or third party suppliers.
QUESTION #15: What if my organization already has an individual's consent to gather information about him or her, or if the organization already routinely allows individuals an opportunity to opt-out? Under PIPEDA or Bill 31, do I need to obtain individuals’ permission all over again?
ANSWER #15: The answer depends on how your organization is planning to use the personal information it has already collected. For example, if your organization will continue to use the personal information for the original purposes for which you collected it, neither PIPEDA nor Bill 31 requires you to “re-consent” your donors. However, both PIPEDA and Bill 31 require organizations to obtain consent for new uses of personal information. Best privacy practices also support this requirement.
What This Means For You:
Hospital foundations and healthcare fundraisers should examine any new uses of personal information they may be contemplating in the future. For example, if a hospital foundation has informed its donors that it does not rent, trade or sell its donor lists, and it then decides it wants to trade its donor lists or “merge” its lists with those of other hospitals or healthcare organizations, then the foundation should inform donors of this activity and give them a meaningful opportunity to opt out.
QUESTION #16: Does PIPEDA require an opt-in mechanism, or can I continue to use an opt-out check-off box?
ANSWER #16: First, Ontario hospital foundations and healthcare organizations need to bear in mind that if the provincial government passes Bill 31, they will be covered by this legislation for the majority (if not all) of their information handling activities, and not PIPEDA. [4] As such, fundraisers should carefully study the requirements for opt-in and opt-out consent that are adopted in the final version of Bill 31. If the government enacts Bill 31, the working group will also offer advice to Ontario fundraisers on complying with the legislation.
What This Means For You:
In the meantime, however, PIPEDA permits the use of opt-out mechanisms, although the opt-out mechanism must be clear and easy for an individual to use. For more information, consult the Privacy Commissioner of Canada’s web site at http://www.privcom.gc.ca.
QUESTION #17: Will Bill 31 have an impact on existing donor databases or addresses acquired through other means than patient records?
ANSWER #17: Bill 31 applies to the collection, use and disclosure of personal health information only, which is generally contained in patient records at hospitals or other healthcare organizations. This is different from the Ontario government’s previous draft privacy legislation, the Privacy of Personal Information Act, 2002. Note, however, that personal health information can exist in institutions that do not provide patient care, such as universities, insurance firms, banks, airlines, travel companies, or other organizations. So, the issue is not the type of institution from which healthcare fundraisers acquire their personal information, but, rather, the type of personal information (e.g. is it personal health information?) contained in the records from those institutions.
What This Means For You:
Remember that Bill 31 is not yet law, and so the way in which most Ontario hospital foundations acquire their mailing lists (e.g. from the Health Records or Information Technology Department of a hospital) is not currently regulated by any privacy legislation. In cases where hospital foundations or healthcare fundraisers purchase lists from other sources (e.g. a subscriber list from a newspaper), this type of activity is now governed by the fair information principles contained in PIPEDA or other provincial privacy laws. In this circumstance, the primary data custodian (e.g. the newspaper company that collected the names of subscribers for its database) is responsible for obtaining consent from customers before disclosing any personal information to healthcare fundraisers.
Organizations that rent or purchase mailing lists from other sources are also reminded to check these lists against their own “Do Not Contact” files, since a patient’s name may appear on a list from another organization (e.g. subscriber list for a newspaper), but the patient may have already indicated to the hospital or its foundation that he or she does not want to participate in fundraising activities.
Finally, in the absence of provincial privacy legislation that covers all your organization’s information collection, use and disclosure activities, the working group strongly encourages hospital foundations and healthcare fundraisers to exercise the “best data protection practices” outlined in the CSA Model Code for the Protection of Personal Information and in the Guidelines for Managing Privacy, Data Protection and Security for Ontario Hospitals from the Ontario Hospital Association’s E-Health Council (July 2003). For more information on the Guidelines, see Question #8 or contact the Ontario Hospital Association at www.oha.com.
QUESTION #18: Have hospitals been successful in obtaining express consent from patients while they are receiving care?
ANSWER #18: Generally, hospitals have not been able to obtain express consent from patients for the collection, use and disclosure of their personal information for any activity outside of direct patient care while a patient is being treated at the hospital. For example, in a pilot study conducted at a major University of Toronto teaching hospital in 2001, clerks from the Admitting Department were trained to ask patients directly for their express consent for the collection, use and disclosure of their personal information for fundraising activities, health research, and to complete a patient satisfaction survey that would be mailed to the patient’s home post-discharge. The study found that 95% of patients admitted during the day (e.g. between 7:00 a.m. and 7:00 p.m.) opted out of all secondary uses of personal information described in the study. For patients who were admitted to the hospital in the evening (e.g. between 7:00 p.m. and 7:00 a.m.), the opt-out rate was even higher – a staggering 98.5%!
AHP Canada, along with the Ontario Hospital Association in its previous submission on the draft Privacy of Personal Information Act, 2002, believes that there is no appropriate time in the patient care delivery cycle to ask for patients’ express permission to collect, use or disclose their personal information for fundraising purposes. For example, for patients enduring chronic illnesses or treatments with an uncertain end point (e.g. chemotherapy, diabetes, infertility), there is no clear discharge point in the patient’s care delivery cycle. For others, if patients are asked for their express consent upon admission, they may feel “pressured” to give their permission in order to receive “the best possible care”. And if hospitals ask patients for their permission upon discharge, this would have to be done by clinical staff since there is no centralized discharge process at hospitals. In the University of Toronto teaching hospital’s pilot study described above, clinical staff actually refused to discuss fundraising issues with patients, arguing that they were already short on time with patients, and that their primary focus had to remain communicating clinical information to support the patient’s care (e.g. types of medication to take upon discharge, the appointment schedule for required follow-up visits, suggested diet and exercise, etc.).
What This Means For You:
If the government enacts Bill 31, Ontario hospital foundations and other healthcare fundraisers may be required to obtain express consent from patients for fundraising activities, including even the collection, use and disclosure of patient demographic (e.g. non-health) information. For this reason, hospitals and their foundations should be meeting now to begin an open dialogue to prepare for this possible express consent requirement. The working group will also be researching other jurisdictions where express consent is required and will provide any information it finds on “best practice models” from other institutions. Finally, in its submission, the working group will be strongly encouraging the Ontario government to consider options other than express consent for dealing with the consent issue for healthcare fundraising. Your organization may also want to consider submitting a letter to the Ontario Ministry of Health and Long-Term Care on this point. For information on the submission process, see http://www.ontla.on.ca/committees/general_government.htm.
CATEGORY D – USEFUL LINKS:
Privacy Commissioner of Canada: http://www.privcom.gc.ca
Industry Canada Q & A list on PIPEDA: link
(The Industry Canada Q&A list is highly recommended. Although directed at healthcare fundraisers, most of the questions and answers can be applied to all categories of charities and fundraising.)
The privacy working group’s other documents (note, there is some duplication between the two FAQs documents and we encourage members to review both if in doubt):
- “Privacy 101: A Guide to Privacy Legislation for Fundraising Professionals and Not-for-Profit Organizations in Canada”
- “Frequently Asked Questions About PIPEDA”
- “Fundraising and Privacy: Complying with Federal and Provincial Laws”
can be found at member websites:
APRA Canada: http://www.apracanada.ca/toolkit.htm
AFP Toronto: http://www.afptoronto.org/new_on_site/Privacy101.pdf
CCP: http://www.ccp.ca/display.asp?id=70
Legal Disclaimer: The resource material provided in this document and the accompanying appendices is for general information purposes only. The material reflects interpretations and practices regarded as valid as of the date the document was released based on available information at that time. The material is not intended, and should not be construed, as legal advice or opinion nor is it intended to be endorsed as lawful practice. Organizations concerned about the applicability of privacy legislation to their activities are advised to seek legal advice based on their particular circumstances.
[1] See the Privacy Commissioner of Canada’s web site for links to the various provinces’ privacy laws: http://www.privcom.gc.ca.
[2] See Stephanie Perrin, Heather Black, David H. Flaherty, and Murray Rankin, The Personal Information Protection and Electronic Documents Act: An Annotated Guide, Irwin Law, 2001, p. 28 for an excellent discussion of the differences between express and implied consent.
[3] For more information, contact www.oha.com
[4] This presumes that Ontario hospital foundations and healthcare organizations do not engage in the inter-provincial exchange of personal information for commercial reasons, and that Bill 31 passes the “substantial similarity test” in PIPEDA.