Skip header and navigation
CMA PolicyBase

Policies that advocate for the medical profession and Canadians


4 records – page 1 of 1.

Data on maternal morbidity and mortality and infant births and deaths

https://policybase.cma.ca/en/permalink/policy8505
Last Reviewed
2020-02-29
Date
2006-08-23
Topics
Population health/ health equity/ public health
Health information and e-health
Resolution
GC06-13
The Canadian Medical Association and its divisions and affiliates will call on governments to ensure that the data collected on maternal morbidity and mortality and infant births and deaths are comparable across Canada.
Policy Type
Policy resolution
Last Reviewed
2020-02-29
Date
2006-08-23
Topics
Population health/ health equity/ public health
Health information and e-health
Resolution
GC06-13
The Canadian Medical Association and its divisions and affiliates will call on governments to ensure that the data collected on maternal morbidity and mortality and infant births and deaths are comparable across Canada.
Text
The Canadian Medical Association and its divisions and affiliates will call on governments to ensure that the data collected on maternal morbidity and mortality and infant births and deaths are comparable across Canada.
Less detail

Review of the Personal Information Protection and Electronic Documents Act (PIPEDA) : CMA's Presentation to the House of Commons Standing Committee on Access to Information, Privacy and Ethics - December 13, 2006

https://policybase.cma.ca/en/permalink/policy8668
Last Reviewed
2019-03-03
Date
2006-12-13
Topics
Health care and patient safety
Health information and e-health
Ethics and medical professionalism
  1 document  
Policy Type
Parliamentary submission
Last Reviewed
2019-03-03
Date
2006-12-13
Topics
Health care and patient safety
Health information and e-health
Ethics and medical professionalism
Text
The Canadian Medical Association (CMA) is pleased to be here today to participate in your review of the Personal Information Protection and Electronic Documents Act, or PIPEDA. The CMA has had a long-standing interest in privacy-related matters, including enhancing measures to protect and promote the privacy of health information. We welcome the opportunity to share our policies and thoughts on these vital matters. As a pediatric oncologist from Winnipeg and Chair of the CMA's Committee on Ethics, I come here today with one bottom line: Physicians have always- and continue to - take their patients' privacy very seriously. This is the cornerstone of the special bond between patients and their doctor and has been thus since the time of Hippocrates. In recognition of the importance of privacy, the CMA has produced such documents as the CMA Code of Ethics and the CMA Health Information Privacy Code to guide our more than 64,000 members across the country. These documents existed before the federal government introduced PIPEDA. It is out of our concern for protecting and ensuring the privacy of medical information that we speak to you today. There are three specific areas which we would like to raise: 1) Recognition in law of the unique nature of health care; 2) Physician information as "work product"; and 3) Emerging Privacy and Health information issues. 1. Recognition in law of the unique nature of health care I would like to highlight the importance of recognizing in law the special circumstances of protecting health information. In fact, when PIPEDA was first being debated, CMA posed questions about the scope of the Act and was told that the legislation, originally designed for commerce and the private sector, would not capture health information. We were also told that even if it did, PIPEDA wouldn't change how we practiced medicine. The passing of PIPEDA generated enough concern and uncertainty that government agreed to delay its application to health for 3 years. For example, PIPEDA failed to clarify the issue of implied consent for the sharing of patient information between health professionals providing care. For example, when the family physicians says to a patient "I'm going to send you to see an oncologist to run some tests" and the patient agrees and follows that course of action, then clearly there is "consent" to the sharing of their health information with others. As an oncologist I assume there is consent to send the test results to other specialists that I may need to consult in order to advance the patient's care in a timely fashion. This, however, needed to be addressed before PIPEDA was applied to health care. The delayed application allowed the federal government and health care community to work together and develop a set of guidelines for how PIPEDA would be applied. The resulting PIPEDA Awareness Raising Tools, known as PARTs, contain a series of questions and answers that make up guidelines for health care providers. They answered many of our concerns, provided necessary definitions and allowed for the implied consent model to continue to be used within the circle of care. The CMA applauds the government for this collaborative effort and the resulting guidelines have been used by health care providers ever since. However, we remain concerned that the PARTs guidelines have no legal status. This limitation creates a degree of uncertainty that the CMA would like this legislative review to see addressed by ensuring the PARTs series of questions and answers are referenced in PIPEDA. In addition to participating in the PARTS initiative, since PIPEDA's implementation, the CMA has designed practical tools for physicians and patients: * adopted the CMA policy Principles Concerning Physician Information to address the importance of protecting the privacy of physician information; * produced Privacy in Practice: a handbook for Canadian physicians to help physicians maintain best practices in the protection of patient health information; and * created the PRIVACYWIZARD(tm) designed to help physicians record their current privacy practices, communicate these to patients and identify possible areas for enhancement. 2. Physician Practice Information as "Work Product" I referred earlier to CMA's Policy document on physician information. The CMA strongly believes that physicians have legitimate privacy concerns about the use by third parties of information - such as prescribing and other practice data for commercial purposes. Currently deemed "work product" this information can be collected, used and disclosed without consent. We feel PIPEDA inadequately protects this information. We recognize that it is information generated out of the patient-physician relationship. We disagreed with findings of the previous Privacy Commissioner that physician prescribing information is not subject to PIPEDA's privacy protection provisions for "personal information". The CMA has consistently advocated that physician prescribing data and other practice information is personal information and appeared as an intervener in a Federal Court review of this issue that was ultimately settled by the main parties. Also, insufficient regard for the privacy of prescribing and other physician data could have a negative impact on the sanctity of the physician-patient relationship. Patients confide highly sensitive information to physicians with the expectation this information will be kept in the strictest confidence. This expectation exists because they know that physicians are under ethical and regulatory dictates to safeguard their information and that physicians take this responsibilities very seriously. The perceived and indeed actual loss of control by physicians over information created in the patient encounter, such as prescribing data, could undermine the confidence and faith of our patients that we are able to safeguard their health information. This concern is not hypothetical. For physicians, so called "work product" information also encompasses practice patterns such as discharge rates, referral rates, billing patterns, hospital length of stays, complaints, peer review results, mortality and re-admittance rates. With the advent of electronic medical records and growth in pay-for-performance and outcome-based incentive programs for physicians, there is an enormous potential for the resulting physician "performance" data or "work product" to be "mined" by other parties and used to influence performance review (traditionally the purview of the medical licensing authorities) as well as decisions around treatment funding and system planning. The lack of transparency in the sale and compilation of physicians' prescribing and other performance data means that physicians might find themselves to be the unwitting subject and targets of marketing research. We believe practice decisions must be made in the best interest of patients and not the bottom-line interests of businesses and marketers. CMA therefore recommends a legislative change to include physician information as personal information under PIPEDA. Legislation in Quebec provides an example that is consistent with CMA's approach since it requires regulatory oversight and gives individuals the right to opt out of the collection, use and disclosure of "professional" information. 3. Emerging Privacy and Health information issues With budgetary and demographic pressures, our health care system is under strain and physicians are striving to deliver timely, quality care to patients, often with competing and multiple demands. Physicians are therefore seeking assurances from law makers that any amendments to PIPEDA will take into account the potential impact on them and their patients. Therefore, we seek assurances that: * health care is recognized as unique when it comes to the disclosure of personal information before the transfer of a business (one physician transferring his/her practice to another) because it is regulated at the provincial level through the appropriate licensing body. As a general rule, physicians must give notice to the public, whether via a newspaper ad or a notice in the office about the change in practice. * the federal government will consider the impact of the trans-border flow of personal information on telehealth and Electronic Health Record activities. Communications between patients and physicians via electronic means are likely to increase and to move across geographic boundaries with increasing frequency; and * the federal government will study the issue of international cross border data flows, particularly among Canadian researchers who receive funding from US drug companies. These arrangements should be governed by Canadian law (PIPEDA) not American (HIPAA or the US Patriot Act). In closing, the privacy protection of personal health information is a responsibility that my colleagues and I do not take lightly. It is a key pillar of our relationship with Canadians, they not only expect it-they deserve it. I look forward to taking questions from Committee members. Canadian Medical Association Ottawa, December 13, 2006
Documents
Less detail

Best practices for smartphone and smart-device clinical photo taking and sharing

https://policybase.cma.ca/en/permalink/policy13860
Date
2018-03-03
Topics
Health information and e-health
Ethics and medical professionalism
  1 document  
Policy Type
Policy document
Date
2018-03-03
Topics
Health information and e-health
Ethics and medical professionalism
Text
Clinical photography is a valuable tool for physicians. Smartphones, as well as other devices supporting network connectivity, offer a convenient, efficient method to take and share images. However, due to the private nature of the information contained in clinical photographs there are concerns as to the appropriate storage, dissemination, and documentation of clinical images. Confidentiality of image data must be considered and the dissemination of these images onto servers must respect the privacy and rights of the patient. Importantly, patient information should be considered as any information deriving from a patient, and the concepts outlined therefore apply to any media that can be collected on, or transmitted with, a smart-device. Clinical photography can aid in documenting form and function, in tracking conditions and wound healing, in planning surgical operations, and in clinical decision-making. Additionally, clinical photographs can provide physicians with a valuable tool for patient communication and education. Due to the convenience of this type of technology it is not appropriate to expect physicians to forego their use in providing their patients with the best care available. The technology and software required for secure transfer, communication, and storage of clinical media is presently available, but many devices have non-secure storage/dissemination options enabled and lack user-control for permanently deleting digital files. In addition, data uploaded onto server systems commonly cross legal jurisdictions. Many physicians are not comfortable with the practice, citing security, privacy, and confidentiality concerns as well as uncertainty in regards to regional regulations governing this practice.1 Due to concern for patient privacy and confidentiality it is therefore incredibly important to limit the unsecure or undocumented acquisition or dissemination of clinical photographs. To assess the current state of this topic, Heyns et al. have reviewed the accessibility and completeness of provincial and territorial medical regulatory college guidelines.2 Categories identified as vital and explored in this review included: Consent; Storage; Retention; Audit; Transmission; and Breach. While each regulatory body has addressed limited aspects of the overall issue, the authors found a general lack of available information and call for a unified document outlining pertinent instructions for conducting clinical photography using a smartphone and the electronic transmission of patient information.2 The discussion of this topic will need to be ongoing and it is important that physicians are aware of applicable regulations, both at the federal and provincial levels, and how these regulations may impact the use of personal devices. The best practices supported here aim to provide physicians and healthcare providers with an understanding of the scope and gravity of the current environment, as well as the information needed to ensure patient privacy and confidentiality is assessed and protected while physicians utilize accessible clinical photography to advance patient care. Importantly, this document only focusses on medical use (clinical, academic, and educational) of clinical photography and, while discussing many core concepts of patient privacy and confidentiality of information, should not be perceived as a complete or binding framework. Additionally, it is recommended that physicians understand the core competencies of clinical photography, which are not described here. The Canadian Medical Association (CMA) suggests that the following recommendations be implemented, as thoroughly as possible, to best align with the CMA policy on the Principles for the Protection of Patient Privacy (CMA Policy PD2018-02). These key recommendations represent a non-exhaustive set of best practices - physicians should seek additional information as needed to gain a thorough understanding and to stay current in this rapidly changing field. KEY RECOMMENDATIONS 1. CONSENT * Informed consent must be obtained, preferably prior, to photography with a mobile device. This applies for each and any such encounter and the purpose made clear (i.e. clinical, research, education, publication, etc.). Patients should also be made aware that they may request a copy of a picture or for a picture to be deleted. * A patient's consent to use electronic transmission does not relieve a physician of their duty to protect the confidentiality of patient information. Also, a patient's consent cannot override other jurisdictionally mandated security requirements. * All patient consents (including verbal) should be documented. The acquisition and recording of patient consent for medical photography/dissemination may be held to a high standard of accountability due to the patient privacy and confidentiality issues inherent in the use of this technology. Written and signed consent is encouraged. * Consent should be considered as necessary for any and all photography involving a patient, whether or not that patient can be directly recognized, due to the possibility of linked information and the potential for breach of privacy. The definition of non-identifiable photos must be carefully considered. Current technologies such as face recognition and pattern matching (e.g. skin markers, physical structure, etc.), especially in combination with identifying information, have the potential to create a privacy breach. * Unsecure text and email messaging requires explicit patient consent and should not be used unless the current gold standards of security are not accessible. For a patient-initiated unsecure transmission, consent should be clarified and not assumed. 2. TRANSMISSION * Transmission of photos and patient information should be encrypted as per current-day gold standards (presently, end-to-end encryption (E2EE)) and use only secure servers that are subject to Canadian laws. Explicit, informed consent is required otherwise due to privacy concerns or standards for servers in other jurisdictions. Generally, free internet-based communication services and public internet access are unsecure technologies and often operate on servers outside of Canadian jurisdiction. * Efforts should be made to use the most secure transmission method possible. For data security purposes, identifying information should never be included in the image, any frame of a video, the file name, or linked messages. * The sender should always ensure that each recipient is intended and appropriate and, if possible, receipt of transmission should be confirmed by the recipient. 3. STORAGE * Storing images and data on a smart-device should be limited as much as possible for data protection purposes. * Clinical photos, as well as messages or other patient-related information, should be completely segregated from the device's personal storage. This can be accomplished by using an app that creates a secure, password-protected folder on the device. * All information stored (on internal memory or cloud) must be strongly encrypted and password protected. The security measures must be more substantial than the general password unlock feature on mobile devices. * Efforts should be made to dissociate identifying information from images when images are exported from a secure server. Media should not be uploaded to platforms without an option for securely deleting information without consent from the patient, and only if there are no better options. Automatic back-up of photos to unsecure cloud servers should be deactivated. Further, other back-up or syncing options that could lead to unsecure server involvement should be ascertained and the risks mitigated. 4. Cloud storage should be on a Canadian and SOCII certified server. Explicit, informed consent is required otherwise due to privacy concerns for servers in other jurisdictions. 5. AUDIT & RETENTION * It is important to create an audit trail for the purposes of transparency and medical best practice. Key information includes patient and health information, consent type and details, pertinent information regarding the photography (date, circumstance, photographer), and any other important facts such as access granted/deletion requests. * Access to the stored information must be by the authorized physician or health care provider and for the intended purpose, as per the consent given. Records should be stored such that it is possible to print/transfer as necessary. * Original photos should be retained and not overwritten. * All photos and associated messages may be considered part of the patient's clinical records and should be maintained for at least 10 years or 10 years after the age of majority, whichever is longer. When possible, patient information (including photos and message histories between health professionals) should be retained and amalgamated with a patient's medical record. Provincial regulations regarding retention of clinical records may vary and other regulations may apply to other entities - e.g. 90 years from date of birth applies to records at the federal level. * It may not be allowable to erase a picture if it is integral to a clinical decision or provincial, federal, or other applicable regulations require their retention. 6. BREACH * Any breach should be taken seriously and should be reviewed. All reasonable efforts must be made to prevent a breach before one occurs. A breach occurs when personal information, communication, or photos of patients are stolen, lost, or mistakenly disclosed. This includes loss or theft of one's mobile device, texting to the wrong number or emailing/messaging to the wrong person(s), or accidentally showing a clinical photo that exists in the phone's personal photo album. * It should be noted that non-identifying information, when combined with other available information (e.g. a text message with identifiers or another image with identifiers), can lead to highly accurate re-identification. * At present, apps downloaded to a smart-device for personal use may be capable of collecting and sharing information - the rapidly changing nature of this technology and the inherent privacy concerns requires regular attention. Use of specialized apps designed for health-information sharing that help safeguard patient information in this context is worth careful consideration. * Having remote wipe (i.e. device reformatting) capabilities is an asset and can help contain a breach. However, inappropriate access may take place before reformatting occurs. * If a smartphone is strongly encrypted and has no clinical photos stored locally then its loss may not be considered a breach. * In the event of a breach any patient potentially involved must be notified as soon as possible. The CMPA, the organization/hospital, and the Provincial licensing College should also be contacted immediately. Provincial regulations regarding notification of breach may vary. Approved by the CMA Board of Directors March 2018 References i Heyns M†, Steve A‡, Dumestre DO‡, Fraulin FO‡, Yeung JK‡ † University of Calgary, Canada ‡ Section of Plastic Surgery, Department of Surgery, University of Calgary, Canada 1 Chan N, Charette J, Dumestre DO, Fraulin FO. Should 'smart phones' be used for patient photography? Plast Surg (Oakv). 2016;24(1):32-4. 2 Unpublished - Heyns M, Steve A, Dumestre DO, Fraulin FO, Yeung J. Canadian Guidelines on Smartphone Clinical Photography.
Documents
Less detail

Confidentiality of medical records

https://policybase.cma.ca/en/permalink/policy598
Last Reviewed
2017-03-04
Date
1979-06-20
Topics
Health information and e-health
Ethics and medical professionalism
Resolution
GC79-2
The Canadian Medical Association deplores any action taken by any level of government which threatens confidentiality of medical records.
Policy Type
Policy resolution
Last Reviewed
2017-03-04
Date
1979-06-20
Topics
Health information and e-health
Ethics and medical professionalism
Resolution
GC79-2
The Canadian Medical Association deplores any action taken by any level of government which threatens confidentiality of medical records.
Text
The Canadian Medical Association deplores any action taken by any level of government which threatens confidentiality of medical records.
Less detail