PRIVACY LEGISLATION AND ITS APPLICATION TO FUNDRAISING
AND PERSONAL HEALTH INFORMATION

By U. Shen Goh, LL.B., LL.M.

A. INTRODUCTION

On November 1, 2004, the Ontario Personal Health Information Protection Act ("PHIPA") came into effect. In general, the purpose of PHIPA was to establish rules for the collection, use and disclosure of personal health information about individuals that protect the confidentiality of that information and the privacy of individuals with respect to that information, while facilitating effective provision of health care. Specifically, PHIPA also contains special rules that relate to fundraising activities in recognition of the need to facilitate the collection, use and disclosure of personal health information for fundraising purposes.

On November 28, 2005, PHIPA was ruled substantially similar to the federal Personal Information Protection and Electronic Documents Act ("PIPEDA"). As a result, health information custodians collecting, using or disclosing personal health information in Ontario were generally no longer subject to PIPEDA and were required to comply with the privacy standards set out in PHIPA instead.

B. DOES PHIPA APPLY TO CHARITIES AND NOT-FOR-PROFIT ORGANIZATIONS IN ONTARIO?

If the charity or not-for-profit organization is a health information custodian that collects personal health information in Ontario, PHIPA will clearly apply.
PHIPA defines "health information custodian" as:

1. A health care practitioner or a person who operates a group practice of health care practitioners.

2. A service provider within the meaning of the Long-Term Care Act, 1994 who provides a community service to which that Act applies.

3. A community care access corporation within the meaning of the Community Care Access Corporations Act, 2001.

4. A person who operates one of the following facilities, programs or services:

i. A hospital within the meaning of the Public Hospitals Act, a private hospital within the meaning of the Private Hospitals Act, a psychiatric facility within the meaning of the Mental Health Act, an institution within the meaning of the Mental Hospitals Act or an independent health facility within the meaning of the Independent Health Facilities Act.

ii. An approved charitable home for the aged within the meaning of the Charitable Institutions Act, a placement co-ordinator described in subsection 9.6 (2) of that Act, a home or joint home within the meaning of the Homes for the Aged and Rest Homes Act, a placement co-ordinator described in subsection 18 (2) of that Act, a nursing home within the meaning of the Nursing Homes Act, a placement co-ordinator described in subsection 20.1 (2) of that Act or a care home within the meaning of the Tenant Protection Act, 1997.

iii. A pharmacy within the meaning of Part VI of the Drug and Pharmacies Regulation Act.

iv. A laboratory or a specimen collection centre as defined in section 5 of the Laboratory and Specimen Collection Centre Licensing Act.

v. An ambulance service within the meaning of the Ambulance Act.

vi. A home for special care within the meaning of the Homes for Special Care Act.

vii. A centre, program or service for community health or mental health whose primary purpose is the provision of health care.

5. An evaluator within the meaning of the Health Care Consent Act, 1996 or an assessor within the meaning of the Substitute Decisions Act, 1992.

6. A medical officer of health or a board of health within the meaning of the Health Protection and Promotion Act.

7. The Minister, together with the Ministry of the Minister if the context so requires.

8. Any other person prescribed as a health information custodian if the person has custody or control of personal health information as a result of or in connection with prescribed powers, duties or work or any prescribed class of such persons.

PHIPA defines "personal health information" as:

means identifying information about an individual in oral or recorded form, if the information,
(a) relates to the physical or mental health of the individual, including information that consists of the health history of the individual's family,
(b) relates to the providing of health care to the individual, including the identification of a person as a provider of health care to the individual,
(c) is a plan of service within the meaning of the Long-Term Care Act, 1994 for the individual,
(d) relates to payments or eligibility for health care in respect of the individual,
(e) relates to the donation by the individual of any body part or bodily substance of the individual or is derived from the testing or examination of any such body part or bodily substance,
(f) is the individual's health number, or
(g) identifies an individual's substitute decision-maker.
and includes identifying information about the individual that is not personal health information as described above but that is contained in a record that contains personal health information as described above about the individual.

From a review of the definitions of "health information custodian" and "personal health information", it is clear that PHIPA will apply to a charity or not-for-profit organization such as a hospital that collects the names and addresses of individuals in Ontario. As such, charities and not-for-profit organizations that engage in fundraising activities through the use of personal health information in Ontario must ensure that they comply with PHIPA's special rules on fundraising activities.

For the purpose of this charity law bulletin, it is important to note that Ontario's Information and Privacy Commissioner considers "fundraising" to refer to any activity undertaken for a charitable or philanthropic purpose related to the operations of the health information custodian, including contacting patients or former patients through mailings.

It is also important to note that PHIPA applies to charities and not-for-profit organizations as much as it applies to for-profit organizations because PHIPA does not restrict its application to "commercial activities", as PIPEDA did (for more information on PIPEDA and "commercial activities", please refer to Charity Law Bulletin Nos. 28, 42, 70 and 71).

C. HOW DOES PHIPA APPLY TO FUNDRAISING IN ONTARIO?

As already mentioned in the beginning of this Charity Law Bulletin, PHIPA contains special rules that relate to fundraising activities in Ontario. Specifically, PHIPA states the following:

Fundraising
32. (1) Subject to subsection (2), a health information custodian may collect, use or disclose personal health information about an individual for the purpose of fundraising activities only where,
(a) the individual expressly consents; or
the individual consents by way of an implied consent and the information consists only of the individual's name and the prescribed types of contact information.

Requirements and restrictions
32. (2) The manner in which consent is obtained under subsection (1) and the resulting collection, use or disclosure of personal health information for the purpose of fundraising activities shall comply with the requirements and restrictions that are prescribed, if any.

As section 32(1) of PHIPA specifies, charities and not-for-profit organizations in Ontario, whether they are the health information custodian or an agent acting on the health information custodian's behalf, may collect personal information for the purpose of fundraising only either (1) with the individual's express consent, or (2) with the individual's implied consent if the collection is restricted to the individual's name and the prescribed types of contact information.

The prescribed types of contact information are set out in the Regulation to PHIPA¹ (hereinafter referred to as the "Regulation") as follows:

Fundraising
10. (1) The type of contact information that is prescribed for the purposes of clause 32 (1) (b) of the Act is the individual's mailing address.

In other words, charities and not-for-profit organizations may only collect the individual's name and address without the express consent of the individual. Any other additional information, such as telephone numbers, may only be collected with the individual's express consent. This means that charities and not-for-profit organizations are not permitted to use the name and address information provided by individuals to obtain the individuals' telephone numbers through publicly available directories and to contact the individuals for the purpose of fundraising. This is because charities and not-for-profit organizations may only use the names and addresses collected for the purpose for which they were authorized at the time of its collection. Since it is highly unlikely that the individuals would have authorized the collection of their names and addresses for the purpose of tracking down their telephone numbers, charities and not-for-profits cannot use such information to collect the individuals' telephone numbers. As such, charities and not-for-profit organizations in Ontario, whether they are the health information custodian or an agent acting on the health information custodian's behalf, will have to either explicitly ask for the individual's telephone number or restrict their fundraising activities to mail solicitations.

Even when restricting its fundraising to mail solicitations, it is important that charities and not-for-profit organizations review the collection, use and disclosure of the individuals' names and addresses to ensure compliance with PHIPA.

As section 32(2) of PHIPA specifies, the manner in which health information custodians obtain consent and the manner in which personal health information is collected, used or disclosed for the purpose of fundraising must comply with the requirements and restrictions that are prescribed.

The prescribed requirements and restrictions are set out in the Regulation to PHIPA² (hereinafter referred to as the "Regulation") as follows:

Fundraising
10. (2) For the purposes of subsection 32 (2) of the Act, the following are prescribed as requirements and restrictions on the manner in which consent is obtained and the resulting collection, use or disclosure of personal health information:
1. Personal health information held by a health information custodian may only be collected, used or disclosed for the purpose of fundraising activities undertaken for a charitable or philanthropic purpose related to the custodian's operations.
2. Consent under clause 32 (1) (b) of the Act may only be inferred where,
i. the custodian has at the time of providing service to the individual, posted or made available to the individual, in a manner likely to come to the attention of the individual, a brief statement that unless he or she requests otherwise, his or her name and contact information may be disclosed and used for fundraising purposes on behalf of the custodian, together with information on how the individual can easily opt-out of receiving any future fundraising solicitations on behalf of the custodian, and
ii. the individual has not opted out within 60 days of when the statement provided under subparagraph i was made available to him or her.
3. All solicitations for fundraising must provide the individual with an easy way to opt-out of receiving future solicitations.
4. A communication from the custodian or a person conducting fundraising on its behalf to an individual for the purpose of fundraising must not include any information about the individual's health care or state of health.

In other words, charities and not-for-profit organizations can only obtain the names and addresses of individuals and can only use and disclose such information for the purpose of fundraising with the implied consent of the individuals on the condition that:³

the fundraising activities are undertaken for a charitable or philanthropic purpose related to the custodian's operations;
at the time the service has been provided to the individual, the custodian has posted, or has made available to the individual, a notice informing that individual of the custodian's intention to use or disclose the information for fundraising purposes and providing information on how the individual can easily opt-out of receiving future fundraising solicitations;
the individual had not opted-out within 60 days from the time the notice had been provided to him or her;
all solicitations contain an easy opt-out from any further solicitations; and
no solicitations or communications contain information about an individual's health or health care.

As is evident from a review of the above, even fundraising through mail solicitations must meet certain requirements and restrictions in order to ensure compliance with PHIPA.

D. CONCLUSION

Although hospitals and health care organizations engage in fundraising activities for charitable purposes such as improving health care services and buying new medical equipment, it is imperative that those charitable activities be undertaken in a manner that complies with privacy legislation.

Endnotes:

¹ Personal Health Information Protection Act, 2004, Ontario Regulation 329/04.
² Personal Health Information Protection Act, 2004, Ontario Regulation 329/04.
³ Fundraising under PHIPA, online: Information and Privacy Commissioner / Ontario available at http://www.ipc.on.ca.