A patient’s health information is sacred and a fertility practice’s community of adoring supporters is invaluable. In a world where social media and communication technology develop years ahead of the law, how do we safeguard both privacy and engagement without sacrifice to one or the other? I have interviewed several attorneys regarding the Health Information Portability and Accountability Act (HIPAA) and other regulatory schemes in the United States, but I’ve yet to investigate the law relevant to you, the leaders in reproductive health across Canada.
That is, until now. Dr. Alan West is a physician and a partner at the law firm of Gowling WLG in Toronto. He specializes in healthcare advertising law. Mr. Evan Atwood is a senior associate at the same office who specializes in consumer and healthcare privacy law. You should always consult an attorney for specific legal advice, which Dr. West and Mr. Atwood do not give here, but they offer us some education about how the law can pertain to a Canadian fertility clinic’s internet presence.
Federal and provincial regulations
“We don’t have HIPAA. My head spins when I have to deal with HIPAA.” West clarifies. “We have a mix of federal and provincial laws”. Canada’s PIPEDA (Personal Information Protection and Electronic Documents Act), applies to health information as well as consumer information and applies only in provinces that haven’t passed their own statutes with privacy protections equivalent to those contained in the federal statute. .
Several provinces, including British Columbia and Ontario, have their own health privacy laws. In Ontario, the law is called PHIPA (the Personal Health Information Protection Act). Atwood explains, “Both fortunately and unfortunately, the law does not explicitly state what information is prohibited from being released without authorization.” Unlike HIPAA in the United States, which has a data set of 18 identifying factors (name, date of birth, license plate number, etc.) for Protected Health Information (PHI), there is no concept of a data set in Canadian privacy law. The principles are much more general.
HIPAA’s 2013 Omnibus rule, adds liability to “business associates”, those who receive and send PHI to “covered entities” (healthcare providers). The obligations of a business associate are explicit. Again, in Canada, the law is not as specific, but the health records custodian (you, the fertility centre) is obliged to see that its vendors only store that data on behalf of the health records custodian, with the same protections in place.
“The law is always behind the actual practice of medicine.”
In some provinces, medical practices are prohibited from mentioning the brand names of pharmaceuticals and devices in their advertisements. The regulation of marketing falls more on the practices than on the drug companies. “Doctors are allowed to advertise their own services, but they are not supposed to identify or associate themselves with specific products or drugs. Although many do so.” West finds. West and Atwood point to the example of “physician locators”, search engines within pharmaceutical or manufacturer websites, that list nearby physician offices who administer their products. These websites may be impermissibly marketing directly to the consumer, but “I know of no prosecution for using brand names in advertising,” West says.
West offers some insight as to why there is a lack of enforcement of some laws in healthcare advertising. Provincial boards of medical examiners have limited resources, and they spend their attention on investigating serious cases of fraud and malpractice, not on the use of brand names in advertising, which in some instances, have found their way into the public vernacular. In some provinces, there is no obligation to investigate every complaint that is reported to the provincial board. In others, such as Ontario, the board is obliged to investigate every written complaint. They might not take an enforcement action, but the risk is higher because they have to at least open the file.
This is important to know, because what is permissible in one province, may be prohibited by another province’s advertising law. In Ontario for instance, under the Medicine Act, patient testimonials are not permissible. Nonetheless, some medical practices may include testimonials on their websites, including some fertility centres. Whether you use testimonials on your website or not, what about the content posted by a patient to your Facebook or Google Places profile? In that case, it might be advisable not to solicit reviews. “It might not be the intent of the law, but I would rather be the prosecuting attorney than the defendant in such a scenario,” West opines. “As the law is written, I think the doctor has an obligation to police the postings on his or her social media channel”.
“The law has not caught up to reality, to put it mildly”, Atwood adds. “Still, there’s never been a prosecution for what a patient has put on a provider’s social media channel”.
Digital Media and Privacy Law
This wisdom comes with regard to provinces with regulations prohibiting patient testimonials, not with regard to health privacy. Consent is implied when a patient posts his or her own information on a clinic’s blog or social media channel. The doctor can leave it on their site. “Doctors and practices are allowed to respond to reviews and comments because the patient waives his or her right to privacy when they post their own information” West says.
“Implied consent has limits,” Atwood cautions. “You can’t take that content and use it somewhere else”. Failing to obtain the proper consent is a mistake that Atwood and West commonly see. Though Canadian law does not specify six core elements for what is required in an authorization (as in HIPAA), expressed, written consent should be obtained whenever you use patient information outside of what is specified in the law.
West leaves us with a bit of caution. While provincial boards have not yet enforced certain regulations, such as those against the use of brand names in physician advertising, he believes punitive measures could be likely in the future. “Be forewarned of enforcement action. That may be something we see quite a bit more.”
Get specific legal advice
In every country, the technologies and media that people use to communicate develop much more rapidly than the laws that regulate them. We have to engage our online communities in a way that respects patient privacy and also complies with the law. In my opinion, Canada’s laws seem to follow common sense more so than the ambiguity of other regulatory schemes, but I’m not an attorney. I recommend you always consult an attorney about the federal, provincial, and local regulations specific to your area.
Dr. Alan West is a partner in Gowling WLG's Toronto office, practicing primarily in areas of law related to pharmaceuticals and health care.
Mr. Evan Atwood is a senior associate at Gowling WLG’s Toronto office, with experience in guiding clients with advertising compliance issues with Health Canada.