Certified Information Privacy Professional – Canada (CIPP/C) — Question 17
What is required through the "circle of care" concept under Canadian health information privacy law?
Answer options
- A. Health information custodians or trustees be specified only by applicable law or regulation
- B. An individual’s consent may be implied unless the individual has refused consent or if the purpose of the disclosure is not to provide health care.
- C. Notification to the individual be made in the event of a data breach of personal health information (PHI) by an organization that is based in Canada
- D. Consent must be expressed or implied when a custodian discloses personal health information (PHI) to another custodian for the purpose of providing health care.
Correct answer: D
Explanation
The correct answer, D, highlights that consent is necessary when disclosing personal health information between custodians for health care purposes, aligning with the "circle of care" concept. Option A is incorrect as it limits the specification of custodians to laws, while B incorrectly suggests that implied consent is acceptable even when an individual has refused it. Option C is unrelated to the circle of care, as it addresses breach notification rather than consent for information sharing.