Using Apps for Confidential Health Information


The number of apps for managing health information is increasing at a rapid pace. These apps may be useful for tracking personal data such as heart rate and blood pressure, but many can also be used to assist with the administration of patient care, including in the hospital setting. For example, a quick search of the online Google and Apple stores shows apps such as Patient Tracker, Inpatient Tracker, Patient Records-EHR, On Call Notes and List Runner, amongst many others. These apps may indeed seem useful; however, one must question and be aware of how the privacy and security of patient information are handled.

Within Alberta, the Health Information Act (HIA) provides the legal framework for how individually identifying health information must be protected. The HIA requires that, for any information system that collects, uses or discloses individually identifying health information, a privacy impact assessment (PIA) must be submitted to the Office of the Information and Privacy Commissioner of Alberta (OIPC) before such a system is used:

64(1)  Each custodian must prepare a privacy impact assessment that describes how proposed administrative practices and information systems relating to the collection, use and disclosure of individually identifying health information may affect the privacy of the individual who is the subject of the information.

(2)  The custodian must submit the privacy impact assessment to the Commissioner for review and comment before implementing any proposed new practice or system described in subsection (1) or any proposed change to existing practices and systems described in subsection (1).

The terms of use of an app, even if stated to be compliant with United States privacy law or privacy laws within Canada, may be insufficient in assuring that individually identifying information is adequately protected as required by the HIA. To be in compliance with the HIA, any app in which individually identifying health information is entered must have a PIA submitted to the OIPC by the custodian for that specific instance and context of use.

As such, using an app and/or web-based system without a PIA would be considered an unauthorized collection, use or disclosure of individually identifying health information to a third party, and would therefore be in breach of the HIA and subject to investigation and potential penalties.

University of Alberta Faculty of Medicine & Dentistry members, staff and learners should be familiar with the privacy requirements regarding individually identifying health information, including relevant policies and procedures from the FoMD and, when applicable, Alberta Health Services (AHS).