As the pandemic persists, a health practitioner’s office must maintain measures that protect its community’s safety in the most contactless way possible. Biometric kiosks are one way to achieve this objective. Biometric kiosks instantly read a patient’s body temperature as they enter a waiting room, typically without requesting consent. A reading above normal body temperature (above 38°C or 100.4°F in adults) qualifies as a fever, one of the most suggestive symptoms of COVID-19. An above-normal temperature reading assists the health information custodian (“HIC”) in determining whether the patient requires a secondary COVID-19 assessment. This practice raises a host of concerns regarding the patient’s expectation of privacy.
Body Temperature as Personal Health Information (“PHI”)
In Ontario, the Personal Health Information Protection Act, 2004 (“PHIPA”) governs PHI such as body temperature. Privacy legislation does not address biometric technologies, which raises an issue pertaining to one of the most important elements of healthcare: consent.
The requirement to obtain consent, either express or implied, is subject to very narrow exceptions. In a non-pandemic world, the collection, use and disclosure of body temperature through biometric kiosks would require consent. However, PHIPA is silent on its interpretation during a public health emergency. As a result, HICs can likely defer to the federal privacy equivalent, the Personal Information Protection and Electronic Documents Act (“PIPEDA”), to fill the gaps on the question of consent.
Based on a reading of PHIPA and PIPEDA together, it appears that a HIC does not require consent to collect, use and disclose a patient’s body temperature through a biometric kiosk during a public health emergency. In March 2020, the Office of the Privacy Commissioner of Canada (“OPC”) released a notice stating that public health situations may constitute an emergency. Under PIPEDA, organizations do not need to obtain an individual’s consent when acting in respect of an emergency that threatens life or health. The OPC’s notice goes further to declare that “[d]uring a public health crisis, privacy laws still apply, but they are not a barrier to appropriate information sharing.” The federal legislation and notice guidelines may help legitimize and permit the simultaneous collection, use and disclosure of body temperature through a biometric kiosk.
Both PHIPA and PIPEDA discuss the importance of safeguarding sensitive information through physical, administrative and technological measures. HICs should consider the following practices if a biometric kiosk or even a handheld thermometer is being used to measure body temperature:
- Receive patient consent in advance. Many HICs already implement a COVID-19 telephone questionnaire. The questionnaire should specifically ask patients for their consent to body temperature readings by a biometric kiosk. Legal effect: Until there is clarity from the OPC or the Government of Ontario, HICs should strive to obtain express consent. If the patient does not consent, the patient can arrange for alternative measures.
- Publish privacy policies, statements, or notices outlining how PHI is collected, used, and disclosed during COVID-19. Legal effect: This practice is consistent with the federal principle of transparency and the provincial obligations of openness and accountability.
- Publish notices on how the HIC’s current privacy practices meet the federal and provincial COVID-19 privacy framework. Legal effect: This can increase confidence from the public that their PHI is properly protected.
In light of the pandemic, an unsaturated marketplace exists for entrepreneurs and start-up companies to invent technologies that strike a balance between preserving patient privacy and collecting critical information to aid in the fight against COVID-19.
 Personal Health Information Protection Act, 2004, SO 2004, c 3, Sched A [PHIPA].
 Ibid at s 18 and 36(1)(b).
 Personal Information Protection and Electronic Documents Act, SC 2000, c 5 (this piece of legislation is deemed substantially similar to ours in Ontario) [PIPEDA].
 PIPEDA, supra note 3 at Principle 3, ss. 7(2)(b) and 7(3)(e).
 OPC Notice, supra note 4.
 PIPEDA, supra note 3 at Principle 7; PHIPA, supra note 1 at s 10.
 PIPEDA, supra note 3 at Principle 8; PHIPA, supra note 1 at Part II Accountability and Openness.
 OPC, “A Framework for the Government of Canada to Assess Privacy-Impactful Initiatives in Response to COVID-19” (17 April 2020), online: Office of the Privacy Commissioner of Canada <https://www.priv.gc.ca/en/privacy-topics/health-genetic-and-other-body-information/health-emergencies/fw_covid/> (principles of the framework are: legal authority, necessity and proportionality, purpose limitation, de-identification and other safeguarding measures, vulnerable populations, openness and transparency, open data, oversight and accountability, and time limitation).
Any article or other information or content expressed or made available in this Section is that of the respective author(s) and not of the OBA.