Diane McLeod-McKay, the Information and Privacy Commissioner (IPC) for the Yukon has issued her comments and recommendations regarding changes to the Health Information Privacy and Management Act (HIPMA) on Sept. 2.
HIPMA came to be in 2016 and is under current review by the Yukon government. Legislation requires a review to have begun by Aug. 2020.
In her comments, McLeod-McKay said the “social and technological context for the provision of health care has changed” since HIPMA’s inception.
“The COVID-19 pandemic has given rise to or accelerated developments that impact personal health information such as remote health care, digital contact tracing and exposure notification, the idea of digital vaccination passports and, coincidentally, accelerated adoption of underlying technologies such as cloud computing, the internet of things and artificial intelligence,” said McLeod-McKay.
McLeod-McKay gave 18 recommendations to protect the “privacy rights of Yukoners in this environment by ensuring HIPMA includes the proper controls to allow innovation while protecting privacy.”
The IPC made the recommendation to strengthen the powers of the IPC to enforce the Act, including McLeod-McKay being given order-making powers.
She also recommended enhanced “security measures to better protect personal health information in this environment from a breach.”
McLeod-McKay said the complex nature of data processing, including the use of artificial intelligence, is a “game-changer.”
Today, vast amounts of personal health information are being processed by health care providers in an environment that is extremely complex and opaque,” said McLeod-McKay.
“It is no longer reasonable in this environment to leave it up to individuals to fight for their rights in court as in doing so they would be at a significant disadvantage in trying to advance their case with limited knowledge about this complex environment.”
To promote compliance, she recommends expanding the IPC’s authority to assist custodians in meeting their obligations under HIPMA, including through such activities as conducting compliance audits.
Custodian, in this context, refers to an authorized person who may collect, use and disclose personal health information only in accordance with legislation.
To deter non-compliance, she recommended stronger offence and penalty provisions.
McLeod-McKay made several recommendations on the need to clarify the scope and application of HIPMA and some of its provisions.
The IPC’s comments and recommendations can be found on the IPC website.
Contact John Tonin at firstname.lastname@example.org