Health Apps in Canada: Preventing Adverse Legal Outcomes

Shaun Brown and Timothy M Banks, of nNovation LLP, discuss the legal issues around health apps in Canada.

Published on 31 March 2022
Shaun Brown
Timothy M Banks

The legal landscape for health apps in Canada is complex. While most health app providers are likely subject to private sector legislation, it may be less obvious when and how health privacy legislation applies. This is important because health privacy laws tend to be more complex and less harmonised in Canada, and may include specific requirements and enforcement provisions not found in private sector laws.

Health app providers seeking to enter the Canadian market should review not only their own obligations, but also the obligations of their clients, who may flow down requirements by contract. App providers may also want to prepare white papers and other informational tools to anticipate and respond to objections and concerns of potential clients about legal compliance.

Regulation of Health Privacy in Canada

Healthcare delivery falls within the domain of the provinces and territories. Each jurisdiction is responsible for developing its own health privacy legislation. There are privacy laws broadly applicable to the healthcare sector in ten jurisdictions; health privacy legislation in British Columbia and Quebec is narrower in focus, and there is currently no health privacy legislation in Nunavut.

These laws apply to a broad range of participants in the healthcare sector, generally referred to as custodians (depending on the jurisdiction, they may also be referred to as health information custodians or trustees), who process personal health information (PHI) for the purposes of providing healthcare or related objectives. This includes, for example, healthcare providers such as physicians, physiotherapists and mental health professionals, and entities such as provincial health departments, health authorities, hospitals and clinics. Custodians are primarily accountable for compliance with health privacy laws.

Although the types of entities subject to health privacy legislation are generally similar throughout Canada, the scope of application varies depending on how a custodian is defined. For example, in Alberta, an exhaustive list of entities is provided. However, in New Brunswick, a custodian is defined more broadly as an individual or organization that collects, maintains or uses personal health information for the purpose of providing or assisting in the provision of health care or treatment.

These health privacy laws also apply to other entities that provide services to custodians, such as agents, and providers of electronic services sometimes referred to as information managers. The direct obligations on service providers are narrower. However, app providers should not take too much comfort, as an app provider needs to provide the tools for the custodian to comply. This means that, as a practical matter, the custodian will push many additional obligations down to the app provider by contract.

In Nova Scotia, for example, the Personal Health Information Act requires custodians to create and maintain, or have created and maintained, a record of user activity for any electronic information system they use to maintain personal health information, and the specific log content requirements are prescriptive. There are similar provisions in Ontario that will come into force in the future. Any app provider seeking to enter these markets will need to comply with these requirements if they want to win business.

An Analysis of the Healthcare Marketplace

A healthcare marketplace refers to apps that facilitate the delivery of healthcare by connecting patients with providers. In many respects, a marketplace resembles a virtual clinic by collecting information about patients, connecting the patient with the provider, scheduling, collecting payment, and providing videoconferencing and other tools to facilitate communication. Examples include Wellin5, TELUS Health MyCare (formerly called Babylon), WellHealth, eVisit, iamsick.ca and Healthcare Marketplace.

In many jurisdictions the provider of a healthcare marketplace could be a custodian. This may depend on how the relationship with the healthcare practitioners is defined through contracts, and there could be some choice in the matter. For example, the provider of the marketplace could be considered a custodian, with providers acting as agents on behalf of the marketplace, or vice versa.

In jurisdictions where the definition of a custodian is exhaustive and would preclude a marketplace from being a custodian, such as Alberta, the provider of a healthcare marketplace could still be an agent. Custodians would then want to flow down those obligations to the agent.

Remote Monitoring Tools

Remote monitoring tools enable healthcare providers to remotely collect data such as blood glucose levels, oxygen levels, heart rate and blood pressure. Examples of this category of health app include Mozzaz, HealthArc, Huma, Chronisense Medical, Ejenta, Cardiomo, and 100 Plus. On its own, a remote monitoring tool would not be a custodian, but it could be an agent by processing PHI on behalf of custodians that use the tool.

Consumer Electronic Service Providers

Consumer electronic service providers are a new category of entity that may soon be regulated in Ontario. The Ontario Personal Health Information Protection Act (PHIPA) was amended to open the door to regulation of consumer electronic service providers (CESPs). A CESP would include an app provider whose services are primarily for the purpose of allowing individuals to access, use, disclose, modify, maintain or otherwise manage their records or personal health information. A provider of a personal health records vault would be a CESP.

It is also possible that a remote monitoring tool could be a CESP if marketed directly to consumers, rather than as a tool to be used by a healthcare provider. Although the CESP provisions are not yet in force, this is a significant development as it will expand the application of PHIPA beyond traditional boundaries into commercial apps directed to consumers rather than healthcare professionals. 

For more information, visit www.nnovation.com.