You are only seeing posts authors requested be public.

Register and Login to participate in discussions with colleagues.

Don’t FIPPA your PIPA without knowing this when it comes to personal health information.

Share this

Vancouver, BC – May 3, 2010

Stethoscope and keyboardWhen it comes to the privacy of personal health information everyone in British Columbia needs to know how FIPPA (also known as FOIPPA) is different from PIPA, and the same may apply in other jurisdictions across Canada and elsewhere.

This is of particular importance when information is shared between your doctor's private office and a hospital or clinic operated by the Health Authority which is a public body.

In BC, three different legislative Acts govern the privacy and protection of individual personal health information.  There are some very important differences in how these work and the results they have that should be known to all doctors, health providers and patients/clients.


BC Health Privacy Acts include:

  • The “Freedom of Information and Privacy Protection Act” (FIPPA or FOIPPA), which came into effect in 1993, applies to public bodies.  This includes Health Authorities and the hospitals and clinics they operate and other BC Government Ministries that deliver health and social services.
  • The “Personal Information and Protection Act” (PIPA) that applies to the private sector including doctors offices.
  • Bill 24, the “E-Health (Personal Information Access and Protection of Privacy) Act” enacted in early 2008. This law allows the Minister of Health to designate certain health care databases as "health information banks".


What is Personal Information?

“Personal information” is information about an individual who can be identified by the information itself, or in combination with other information available in the particular circumstances.

Personal information is not only information that you might expect to be private, like health information, PINs or workplace reviews. It is any information that allows you to be identified, except business contact information.

In terms of consent, there are three types – express, deemed or implied.


In the Doctors Office.

Norman Rockwell, doctor and boyWhen a patient sees a doctor a record of the visit is made whether on paper or on computer and possibly consisting of different parts; the medical chart and billing records.

Patient information provided to the doctor is with the understanding of confidentiality and the doctor is responsible for assuring that confidentiality is maintained regardless of how the information is stored and formatted, whether it is paper or electronic.

The Personal Information Protection Act (PIPA) applies to private doctors office in BC and sets out how private organizations may collect, use, disclose and secure personal information.

In particular, the individual’s consent is required for the sharing of that information.  A common example would be when a patient is referred to a specialist; information would be communicated between the referring and consulting physician’s offices.  This may be through implied consent rather than express consent, but nonetheless consent is required.


In a Hospital or Clinic operated by the Health Authority.

HospitalWhat happens when your doctor shares information with a hospital or a clinic operated by the Health Authority?

The Health Authority is a public body and as such PIPA does not apply, but instead The “Freedom of Information and Privacy Protection Act” (FIPPA or FOIPPA) applies.

How is this different?

Under FIPPA, while patients need to be notified their information is collected, no consent is needed for the use or access to this information as long as it is "consistent with the initial purpose".  This can be used to allow “role-based” access to personal information that hasn’t been well defined and other more broad use of the personal information all of which will be more significant with electronic health records (EHR).

This means that while information access is supposed to be somewhat restricted, it may not be.  Patients and physicians need to be aware of this when working with the health authority.

This may sound reasonable, but we do not know for certain who will access the information.  Everyone should be aware of this, doctors and their patients, so the patient has a full understanding of the potential access to their information under these circumstances, as the information will no longer be under direct control of the doctor.

FIPPA also permits personal information to be used or disclosed for certain additional purposes that are extremely broad and include purposes related to the payments made to a public body, licensing and regulatory purposes, law enforcement purposes or for any purpose authorized by law.

Unlike PIPA, in FIPPA there is no requirement that the collection, use and disclosure must be for purposes that are reasonable and appropriate in the circumstances.

Furthermore, because FIPPA states that personal information may be used for any purpose authorized by law, the government can do just about anything with personal information once they have collected it, simply by passing a law to give it the necessary authority.


Bill 24, the E-Health Act of BC

Audio podcast, Michael Vonn on Privacy Issues with Healthcare DatabasesThe BC Government enacted Bill 24, the E-Health (Personal Information Access and Protection of Privacy) Act in early 2008 allowing the Minister of Health to designate certain health care databases as "health information banks".

The information in the health information bank can be shared and used by various health care providers and administrators for purposes ranging from providing health care to managing the health care system. Individual consent is not required, and there is no requirement for individuals to be told that their health information has been put into a health information bank.

The law gives individuals limited rights to restrict who can see and use their personal health information and limited rights of access to their health information held in a health information database.


Z. Essak, MD


Web links (resources):

SGP-BC Critical Issues:

BC Freedom of Information and Privacy Association

BC Civil Liberties website

BC Office of the Information and Privacy Commissioner

BC Physician Privacy Toolkit, 2nd Ed Jun 15, 2009 (97 pages)

Practice Tool for Exercising Discretion

eHealth Information Laboratory


Bill 24, E-Health Act (2008)


BC Civil Liberties, selected resources:

Governments and Your Privacy Rights

Federal and Provincial Privacy Protection – Private Sector

The Common Law

Privacy Laws and Health Care

What Are Your Personal Health Information Rights in BC?

2010-03-15 BC Civil Liberties Association submission to Review of FOIPPA
See page 3. E-health and beyond.

2009 Podcast - Michael Vonn on Privacy Issues with Healthcare Databases
Or read “Database Nation and Health Privacy”


The End.


Cease fire banner, you don't speak for the people.