Consent must be obtained from an individual by a custodian if the custodian is collecting, using or disclosing the individual’s personal health information unless the collection, use or disclosure is permitted without consent or required without consent by PHIA.
Consent for the collection, use or disclosure of personal health information by a custodian, whether express or knowledgeable implied, must meet the following requirements:
- be given by the individual;
- be knowledgeable;
- be related to the specific information at issue; and
- be voluntary.
Knowledgeable implied consent
PHIA introduces the concept of knowledgeable implied consent. Consent is “knowledgeable” when it is reasonable in the circumstances for the custodian to believe that the individual knows:
- the purpose of the collection, use or disclosure, as the case may be; and
- that they may give or withhold consent.
If the individual then proceeds to pursue services, the custodian may infer that the individual is consenting to the collection, use and/or disclosure of the personal health information.
To ensure consent is “knowledgeable,” a custodian must provide information directly to the individual describing the purpose of the collection, use and disclosure of personal health information. This information can be verbal or written (a posted notice or brochure) and must be readily available to the public.
Providing written information, posting notices or distributing brochures is not sufficient if the custodian should have known the individual cannot read or cannot understand the notice. If the custodian determines an individual requires assistance understanding the notice, the custodian may assist the individual by using an interpreter (if available), or explaining the information in the notice directly to the individual.
Express consent is not defined in PHIA, but is understood to be a clear and voluntary indication of preference or choice, usually oral or written, and freely given in circumstances where the available options and their consequences have been made clear. Express consent of the individual to whom the personal health information relates is required in several different sections of the Act for collection, use and disclosure of that personal health information.
Express consent can be written or oral.
Express consent of the individual to whom the personal health information relates is required for the disclosure of the information:
- by a custodian to a non-custodian who is not within the individual's circle of care (unless required or authorized by law)
- by a custodian to another custodian who is not within the individual's circle of care if it is not for the purpose of providing health care (unless required or authorized by law)
- for fund-raising activities
- for market research or marketing any service for a commercial purpose
- to the media
- to a person or organization for the purpose of research (unless provided for in section 57)
PHIA provides for circumstances where personal health information may be collected, used or disclosed without consent. For example, if a person is deceased, a custodian may disclose their PHI for the purposes of identifying the identity of the deceased, or for the purpose of informing any person whom it is reasonable to inform that the individual is deceased.
Circle of care: Although not specifically referred to in PHIA, the Act does allow disclosure of personal health information to other custodians involved in the person’s care if the information is reasonably necessary for the provision of health care to the individual (and the individual has not expressed an objection to such disclosure).
Any disclosure without consent must be documented.
In circumstances where disclosure without consent is permitted by the Act, a custodian isn’t obliged to disclose information to a third party unless required to do so under another law or enactment. In addition, the custodian may choose to obtain the individual’s consent for the disclosure or give notice to the individual of the disclosure.
Limiting or revoking consent
An individual may request to limit or revoke consent for the collection, use or disclosure of personal health information in the control of a custodian by giving notice to the custodian. In the context of electronic health records, this limitation or revocation of consent is often referred to as a “lockbox.” The terms “consent directives” and “masking” are also used in reference to both paper and electronic records.
An individual may request to limit or revoke their consent at any time, but it is not retroactive. This means if an individual informs a custodian they are withdrawing consent to have information disclosed to one of their health providers, the custodian is not required to request that any information previously disclosed to the other provider be returned. However, the custodian must inform the provider named by the individual that the individual’s record is not complete, meaning the custodian considers the information disclosed to that provider is not what is “reasonably necessary” for the care of the individual.
The custodian must also inform the individual of the consequences of limiting or revoking consent, including the fact the other provider may decide that they are not confident in providing care to the individual without understanding what information has been withheld and may refuse to provide care to the individual.
In circumstances where an individual lacks the capacity to make a decision, a substitute decision-maker may give or refuse consent to the collection, use and disclosure of personal health information on behalf of the individual.
PHIA lists the following substitute decision-makers, in descending order:
- A person authorized or required by law to act on an individual’s behalf
- The individual’s court-appointed guardian
- The individual’s spouse
- The individual’s adult child
- A person who stands in the place of a parent to the individual
- The individual’s adult sibling
- The individual’s grandparent
- The individual’s adult grandchild
- The individual’s adult aunt or uncle
- The individual’s adult niece or nephew
- Any other adult next of kin of the individual
- The Public Trustee
The person has to:
- be willing to accept the responsibility of being the substitute decision-maker;
- know of no other person in a higher category who is able and willing to make the decision; and
- make a written statement of his or her personal relationship to the individual and the required criteria.
People in categories B to G are not authorized to be a substitute decision-maker unless they have been in personal contact with the individual throughout the preceding 12-month period or have a court order to shorten or waive the 12-month requirement.