This is an archive of CharityVillage NewsWeek.
To find a word on the page, use your browser's "find" feature (CTRL-F or CMD-F).
To view other articles in the archive, use our Chronological Index.
Please note: While we ensure that all links and e-mail addresses are
accurate at their publishing date, the quick-changing nature of the
web means that some links to other web sites and e-mail addresses may
no longer be accurate.
Ethics Q & A
April 26, 2004
By Jane Garthson, Mills
Garthson & Associates
The dilemma:
I am a nurse at a nonprofit organization with a primary mission other than health care. My boss fired me for refusing to give out confidential health information without client consent.
Jane says...
Inappropriate release of health care information could violate your professional code of ethics, and make you subject to professional investigation and discipline. You cannot stay employed in an organization that demands that you act unprofessionally.
However, I do not have enough information to confirm that consent was needed, or to know if any privacy laws were broken. Let's start with the laws.
The federal Personal Information Protection and Electronic Documents Act
(PIPEDA) states that it is an offense to "retaliate against an employee
who...refuses to contravene Sections 5 - 10 of the Act." Consent is Section
7 and personal health information is included. The federal legislation
applies unless a province has passed substantially similar legislation.
However, it applies only to "commercial activity".
Their guidance document suggests that private (meaning non-government)
nonprofits check with a lawyer to see if they are covered. But the legal
community is not in agreement on how to interpret the application and
scope of this law, and it also varies a lot by province. From my review,
I believe this law does NOT affect most Canadian charities and nonprofits,
even if they handle personal health information. The law covers those
that sell, trade, or barter donor or membership lists for consideration.
Caveat - I am not a lawyer and this is not legal advice.
I don't know which province you are in. Quebec, BC, and Alberta have privacy legislation applicable to charities and nonprofits. Ontario's draft legislation protecting personal health information just passed second reading. Some existing Ontario laws have references to privacy of health information. And to confuse the issue further, provincial or municipal freedom of information/protection of privacy laws apply to some nonprofits that are closely tied to government.
So you may or may not have legal recourse under privacy law. Contact the Federal Privacy Commissioner and provincial equivalent to see if your organization falls under their laws. The call might save you from paying a lawyer to handle an unjust dismissal case. Even if no law applies, a Commissioner might choose to help educate your former employer.
Second, are you sure that consent was required? Consent is the norm, but there are exceptions even if a privacy law applies. Some examples are:
- Releases required by law, e.g. a court order or subpoena
- Emergencies that threaten the life, health, or security of an individual
- Notifications of suspected child abuse
- Notifications to a medical officer of health of a communicable disease like SARS or TB
As a nurse, you likely know about these, but my other readers may not. A privacy commissioner or lawyer can help you determine if such an exemption applies in your situation and province. The disclosure should still be limited to what the receiving body needs to know.
Keep in mind that consent can be implicit rather than explicit. Releasing personal health information to another health provider can be done with implied consent. The use would have to be consistent with what a reasonable person would deem appropriate given the nature of the relationship with your organization. For example, if the client agrees to be referred to a specialist, they might reasonably expect that the specialist will be given their contact information and the reason for the referral. They might also reasonably expect that you have to give enough information to government for your organization to be funded to give health services. It may be safer to obtain explicit consent, but that does not make it mandatory even under law.
Other releases, such as to another nonprofit that is not a health care provider, should definitely involve explicit consent. Releases for fundraising purposes again depend on which legislation applies. In Ontario, if Bill 31 as amended is enacted, implicit consent will be sufficient to use a person's name and contact information for fundraising. Such consent can be denied or withdrawn, and in any case would not include personal health information without explicit consent.
I suspect that none of these exemptions or clarifications help in your situation. Perhaps you were being asked to give whole lists to a commercial sponsor of the organization, or provide health data along with contact information for fundraising. These sorts of requests result in major ethics dilemmas. We know they are wrong but refusing could leave clients we care about without service, or our families without income. I hope you have found other employment with an organization that values your ethics.
The federal Privacy Commissioner states that "the right to privacy means that individuals get to decide what and how much information to give up, to whom it is given, and for what uses."
You were right to challenge whether or not you had the legal right to give out personal health information. If your organization did not attempt to justify its demand based on any of the above considerations, it seems they either did not know the law or chose to violate the law. You could not ethically be a part of that.
All organizations that handle personal health information or use personal
information for commercial purposes should do a Privacy Impact Assessment.
There are some guidelines at www.privcom.gc.ca.
Canadian clients, donors, members, volunteers, and employees have expectations
of privacy for their personal information whether the guiding force is
law or ethics.
As organizations implement or change programs, they should update their
assessments. For example, nonprofits that have not been doing active fundraising
should plan for privacy before they start. Know the risks and learn how
to manage them. Boards should demand these assessments, as irresponsible
use of personal information can cause not only legal problems but also
unmet expectations on the part of their stakeholders. And the new laws
have heavy fines for offences - up to $250,000 under Ontario's draft Bill
31.
To return to the federal Privacy Commissioner: "Most people consider privacy
to be a precious resource that, if lost, whether through intentional means
or inadvertently, can rarely be recaptured. It is undoubtedly something
worth protecting." Canadians should applaud a nurse who took care not
to release sensitive personal data inappropriately.
***********
Because nonprofit organizations are formed to do good does not mean
they always are good in their own practices. Send us your ethical questions
dealing with volunteers, staff, clients, donors, funders, sponsors, and
more. Please identify yourself and your organization so we know the questions
come from within the sector. No identifying information will appear in
this column.
To submit a dilemma for a future column, or to comment on a previous one,
please contact help@charityvillage.com. For paid professional advice about an urgent or complex situation, contact Jane directly.
