The Information and Privacy Commissioner of Alberta, Diane McLeod, is raising concerns with the Government of Alberta about amendments to the Health Information Act (HIA), which were tabled in the Legislative Assembly of Alberta on November 24th. The amendments are set out in Bill 11, the Health Statutes Amendment Act, 2025 (No. 2), and are currently being debated in the Legislative Assembly of Alberta.
The Commissioner has written a letter to the Minister of Primary and Preventative Health Services (PPHS), Adriana LaGrange, and the Minister of Hospital and Surgical Health Services, Matt Jones, who share responsibility for HIA. Earlier, on October 20th, the Commissioner submitted comments and recommendations regarding proposed amendments to HIA as described in a policy document received from representatives of PPHS. The submission contained comments and 31 recommendations.
“I would like to acknowledge that several of my recommendations have been accepted, which I am pleased to see,” said McLeod. “For those recommendations not accepted, I have been informed by representatives of PPHS that most will be addressed through regulation and that PPHS will work with my office on the development of the regulations. We look forward to this engagement. That said, given the importance of privacy rights and for the sake of providing certainty to both custodians and the public, it is my view that these requirements should be codified in the Act, not in the regulations, as it is up to the legislature to establish the most important high-level principles that will guide the overall governance and accountability under HIA, which is quasi-constitutional legislation.”
The letter to the two ministers describes in detail positive aspects as well as gaps in the amendments being considered. Some of the gaps in the proposed legislation include the following.
- Sharing custodian model: HIA is being amended to permit shared custody and control of health information by sharing custodians. This is a new model not seen anywhere in Canada. Without adequate protections, it has the potential to create confusion across the health system, which in turn would create significant risks to Albertans’ health information and to their privacy rights under HIA. The amendments to HIA would not create an adequate governance structure and there would be no clear accountability for sharing custodians.
- Abandoned health records: It is positive to see provisions in Bill 11 to address abandoned health records, given that the number of records abandoned over the past few years has been significant. However, the provisions are not clear enough to set out what happens when ‘another person’ or a ‘regulatory college’ assumes custody or control of the records, so that an individual can exercise their right of access to records that have been transferred, including for ongoing care.
- Non-identifying health information: The amendments in Bill 11 would expand data-sharing between custodians and public bodies through a new authority in HIA that would permit disclosure of health information to a public body for data-matching and for common or integrated programs or services. There are also expanded authorities regarding the inputting of health information into an automated system. The Commissioner recommends that the definition of ‘non-identifying’ health information be strengthened in HIA to align with that found in the Protection of Privacy Act (POPA) because the definition in POPA is stronger and is more likely to ensure individually-identifying health information will truly be non-identifying prior to disclosure. In addition, POPA has a process built into the Act that public bodies must follow to ensure identifiable information is transformed into non-identifiable information so that it cannot be re-identified. The Commissioner also recommended that this be built into HIA. Such improvements would also promote harmonization between laws.
- Use of automated systems: The proposed changes to HIA include permissions for custodians to use health information in automated systems for decision-making, which include artificial intelligence (AI), as part of health services delivery. However, there are no corresponding privacy rights for individuals in the amendments that relate to use of these systems. The protection of these rights is now common in other modernized privacy laws which permit use of AI.
- Health care card modernization: Bill 11 proposes changes to enable adding personal health numbers (PHNs) of Albertans to driver’s licences or identification cards. The Commissioner previously recommended against use of PHNs on these types of cards because it creates risks, including fraud. The fraudulent use of someone’s PHN to access medical care could result in the wrong health information appearing in the person’s health record, which could cause them harm. A related concern is that the Registrar of Motor Vehicles, the branch that will be collecting this information to put it on driver’s licences or identification cards, is not subject to privacy laws in Alberta. As such, it will hold the highly-sensitive health information of all Albertans, with no corresponding duty to protect this information and no consequences for breaches. There is also no oversight by the Office of the Information and Privacy Commissioner (OIPC). Since Bill 11 was tabled, the OIPC has received more than 50 emails from Alberta citizens raising concerns about adding PHNs to driver’s licences.
- Enforcement: Considering the significant expansion of information-sharing proposed under the new sharing model and in other areas of the proposed HIA amendments, the Commissioner has recommended her office be given the authority to issue administrative monetary penalties to deter non-compliance, including by snoopers or by parties outside the health sector to which HIA applies. Such penalties are now becoming a common measure to deter non-compliance in modernized privacy laws, including in Ontario. Bill 11 does not provide this authority.
- Whistleblower protection: The Commissioner recommended that government ensure the whistleblower provisions are broad enough to facilitate disclosures to the Commissioner about any non-compliance with HIA and to ensure that the provisions protect the whistleblower from retaliation. Currently, there is no protection from retaliation built into the amendments. This gap must be addressed to broaden who can blow the whistle concerning any suspected or actual non-compliance with HIA and to include provisions to protect the whistleblower from retaliation. These provisions are necessary, especially in light of the new expanded sharing of health information and the new permitted uses of this information in HIA.
“HIA is an important piece of legislation that establishes the privacy rights of Albertans regarding their highly-sensitive health information,” added McLeod. “Any amendments must ensure these rights are upheld and strengthened as HIA expands the sharing and use of health information. I am pleased that the amendments address modern issues, including the use of technology to enhance delivery of public health services. However, advancing these policies must be balanced with adequate rights, so that individuals can continue to effectively control their own health information, which is the primary purpose of privacy laws. In my view, Bill 11 as it is currently before the legislative assembly does not effectively achieve this balance.”
McLeod is encouraging government and legislators to consider her comments and recommendations as Bill 11 makes its way through the legislative process.
Through the OIPC, the Information and Privacy Commissioner performs the responsibilities set out in Alberta’s access to information and privacy laws, the Access to Information Act, the Protection of Privacy Act, the Freedom of Information and Protection of Privacy Act during the transition period, the Health Information Act, and the Personal Information Protection Act. The Commissioner operates independently of government.