Privacy of pharmacy prescription records

Barbara Wells

doi:10.1503/cmaj.1040772

On behalf of the National Association of Pharmacy Regulatory Authorities (NAPRA), Canada's voluntary umbrella association of provincial and territorial pharmacy regulatory bodies, I am writing to respond to the commentary by Dick Zoutman and associates1 about pharmacy prescription records.

The statement in that commentary that “patient identifiers . . . stream from pharmacy computers via commercial compilers to pharmaceutical companies” is incorrect, and there is no basis for the broad allegation that patient information has been improperly disclosed from pharmacies. The authors state that they “are unaware of a PIPEDA- [Personal Information Protection and Electronics Documents Act] based challenge to the selling of patient information by Canadian pharmacies.” The simple reason why they are unaware of any challenge is that such disclosure does not occur.

The personal health information of patients (“patient information”) and professional practice information about physicians (“physician-linked prescription information”) are not equivalent. Patients' health information is personal information about the patient and deserving of the highest level of protection the privacy legislation can confer. However, physician-linked prescription information is not personal information under PIPEDA and is afforded no such protection. This situation has been confirmed in a decision of the Privacy Commission of Canada.2

The legislative mandate of pharmacy licensing bodies is to protect the health and safety of the public, not to protect the interests of health care providers, including pharmacists. Although requirements, standards and guidelines for the practice of pharmacy may vary at the provincial level — because each province has its own legislation in this area — the requirement for patient consent for the disclosure of identifiable patient information (absent a legal exception) is universal. As of January 2004, PIPEDA applied to pharmacies and private practice in all provinces that have not enacted substantially similar privacy legislation.

NAPRA has publicly available guidelines for the protection of an individual's health-related information.3 The guidelines do not permit disclosure of any information to a third party, such as a commercial data compiler, where there is a reasonable expectation that such disclosure would identify the patient.

Barbara Wells Executive Director National Association of Pharmacy Regulatory Authorities Ottawa, Ont.

References

1.↵
Zoutman DE, Ford BD, Bassili AR. The confidentiality of patient and physician information in pharmacy prescription records [editorial]. CMAJ 2004; 170(5):815-6.
OpenUrl FREE Full Text
2.↵
Radwanski G. PIPED Act case summary #15. Ottawa: Office of the Privacy Commissioner of Canada; 2001 Oct 2 [updated 2004 Apr 1]. Available: www.privcom.gc.ca/media/an/wn_011002_e.asp (accessed 2004 Jun 21).
3.↵
Model guidelines for pharmacists to comply with provincial privacy legislation. Ottawa (ON): National Association of Pharmacy Regulatory Authorities; upated 2002 Mar 21. Available: www.napra.org/docs/0/95/158/188.asp (accessed 2004 Jun 8).