Virtual healthcare and collaborative research project raising privacy law issues

There is currently a lack of clarity around the de-identification and anonymization of data: lawyers
Virtual healthcare and collaborative research project raising privacy law issues

Virtual care and big data in the healthcare sector have exciting potential for patients and society but also raise privacy law issues that regulators are still ironing out.

Virtual healthcare or telehealth, where patients meet with physicians and other medical professionals through video-conferencing software such as Zoom, has been around for years but accelerated significantly during the COVID-19 pandemic.

During the health crisis, enforcement activity may not have been their highest priority, but now regulators have had time to turn their minds to this area, says Susan Newell, a partner at Osler Hoskin & Harcourt LLP in the firm’s health industry and cannabis groups. She says there is increasing awareness within the health industry of the requirement to comply with existing legislation. Organizations are more likely to ensure they collect the appropriate consent from patients and use technology appropriately when providing health services.

Newell is a corporate commercial lawyer, and her clients include health-service providers, medical-device manufacturers, and producers of food and natural health products, cosmetics, drugs, and cannabis.

Anita Nador, Susan Newell and Wendy Wagner
Anita Nador, Susan Newell and Wendy Wagner

She says there has also recently been a shift in Ontario in how regulators evaluate the standards of the technology healthcare professionals use when providing virtual care. Traditionally, these standards have fallen under the rules of the College of Physicians and Surgeons of Ontario. Physicians have been required to ensure that any service providers they use operate at a standard that allows the physician to comply with their obligations under the applicable privacy legislation.

But Ontario recently changed the rules. The Ministry of Health must now approve the technology used for virtual doctors’ visits. Doctors must use a technology solution from a list of products verified by the ministry. But the requirement applies only to services that the government is paying for. If done virtually, uninsured, elective health services are not required to use a verified solution.

“The funding is now driving the safety standards in a way that’s a bit different than what we’ve seen in the past,” says Newell. The result has two impacts, she says. One, it will hopefully contribute toward greater compliance with the rules. There will also be a “higher barrier to entry” because developers of new virtual platforms will need to align their products with these standards to be included among the verified solutions.

Patient privacy rights are also a key issue for collaborative research initiatives, says Wendy Wagner, a partner at Gowling WLG (Canada) LLP and co-leader of the firm’s cybersecurity and data protection group. Globally, various medical practice areas are creating massive collaborative databases. For example, doctors specializing in shoulder surgery will collect information about treatments, surgical outcomes, descriptions of treatment experiences, and photos of shoulder X-rays as a collaborative learning and research tool. Doctors want to upload de-identified patient data (where information identifying the patient has been removed) to databases to share with doctors worldwide.

“It is really valuable information,” says Wagner. “But it’s also way more complicated from a data perspective than any of our clients recognize. Use of de-identified or anonymized data in healthcare is one of the most difficult things that I think that we’re all grappling with right now.”

Numerous legal issues arise from the de-identification and anonymization of data. While identity markers have been stripped from de-identified data, anonymized data is where those identifying characteristics cannot be reassembled. De-identified data can be re-identified, but anonymized data cannot. The laws around how data is properly de-identified or anonymized differ globally, from jurisdiction to jurisdiction, and within Canada from province to province.

“That is sort of a vexing issue,” says Wagner. “The differing standards in different jurisdictions make it even more complex.”

In Ontario, she says that under the province’s health privacy legislation, the Personal Health Information Protection Act (PHIPA), healthcare professionals are the “health information custodians” with the authority to take patient data and de-identify it. Third-party service providers do not have the authority to de-identify patient data.

There are also questions about whether various laws allow doctors to share de-identified data or whether the laws authorize them to share only anonymized data. Wagner says if doctors are unsure, they can always get consent. But that leads to another question: how can the doctor obtain valid consent when they want to use the data later differently, even 10–15 years after obtaining consent? There is also the risk of re-identification of data by unauthorized parties.

Another legal issue with sharing of personal health information is whether, as technology changes, the de-identification or even the anonymization of data will eventually fail to protect that data’s privacy, says Anita Nador, a partner at Gowlings and a member of the firm’s national life sciences group. She uses a blood sample as an analogy. A blood sample would not be enough to identify a person 50 years ago. But now, with a better understanding of DNA and biometrics, it is.

“You can see how technology can change and change the status of information,” she says.

In Canada, de-identified data is subject to privacy legislation but anonymized data is not, says Newell. She says Canada also does not have a clear set of standards that separates standards for de-identification from the standards for anonymization. “There’s no law that clearly sets that out.”

Osler is part of the Canadian Anonymization Network (CANON), a working group established by several large companies that hold a massive amount of customer data to figure out how to balance privacy protections while maximizing data’s potential. CANON’s objectives include sharing information about data anonymization, identifying emerging issues and challenges, and advocating for “balanced legislative and policy standards” for anonymization. It plans to consolidate a resource on international anonymization standards and develop an “overarching framework of principles” for effective anonymization, among other “deliverables.”

“The purpose is to come up with a means of leveraging data to be able to use it,” says Newell. “Once it’s anonymized, it can be used for secondary purposes. There’s a lot that can be done, and there’s a lot of good that comes to the world.”

“I expect that over the next few years, there will be developments and changes in connection with the identification and anonymization of health data,” she says. “More and more opportunities will open up once industry participants are able to use that data, once it has become anonymized.”

The most significant change over the last year in the regulation of data privacy, says Wagner, was Quebec’s “law 25.” The province’s new privacy law is rolling out in four phases. The first came into force in September 2022; the rest will follow every September until 2025. When the main provisions come into force this September, they will impact many contracts, she says.

“When we’re looking at the contracts we’re making that involve the use of data and the use of service providers who process data, you need to look at the contract to make sure that it meets the law 25 requirements,” says Wagner. “Transfer of information outside of Quebec will require a privacy impact assessment. That’s a big uncertainty and a new compliance area.

“That’s like number one for this year. But that’s just the tip of the iceberg for what’s coming.”

On June 16, 2022, Minister of Innovation, Science and Industry François-Philippe Champagne and Attorney General David Lametti introduced bill C-27, the digital charter implementation act. The federal Liberal government promises the bill will significantly strengthen the Personal Information Protection and Electronic Documents Act, Canada’s private sector privacy law.

Bill C-27 completed second reading on April 24. Wagner says it is expected to be passed by the end of the year.

“That’s going to raise a whole new realm of compliance obligations.”