The Personal Health Information Act (PHIA) sets out the obligations of those identified as custodians (including health care professionals and providers) regarding the collection, use, disclosure, and protection of personal health information (PHI).
Protection of Personal Health Information
PHIA requires that each custodian take steps that are reasonable in the circumstances to protect PHI in its custody or control. What is reasonable will depend on factors such as the sensitivity of the information, the degree of difficulty or cost associated with a particular security measure, etc. All safeguards should be periodically reassessed to ensure they remain effective and continue to meet the reasonableness standard set out in PHIA. This is particularly true for technical safeguards, given the rapid pace at which technology advances.
Administrative safeguards consist of written policies, procedures, standards and guidelines that protect patient, employee, and business information.
Technology safeguards control access to and use of technology including password use, ensuring encryption of mobile device (i.e. laptops and iPads), firewalls, and logging off computers.
Physical safeguards consist of measures such as locked filing cabinets, security alarms, keeping computer terminals and white boards away from public areas, and restricting access to unauthorized personnel.
Access to or Correction of Personal Health Information
Patients have a right of access to their own PHI under the Act. Requests for access are made directly to you and may be verbal or in writing. A request must contain sufficient information to allow you to locate the records. If it does not, you should assist the patient in clarifying their request. The response deadline for access requests is 60 days, unless an extension is allowed under the Act. If you refuse access (a list of reasons to do so are set out at section 58), the patient may file a complaint with the Commissioner or proceed to Court. A reasonable fee may be charged for providing access. The OIPC has recently recommended a $25 base fee, which would include up to 50 pages, and then $0.25 per page, and that such fees should be waived when they present a barrier to access. A record of only a few pages which can be found and produced with little effort should be provided at minimal or no cost.
Patients also have a right to have errors in their PHI corrected. A person may make a request for correction to you directly, in writing or verbally, and you must respond within 30 days, unless an extension is allowed under the Act. If you refuse to correct the information, you must make a note that a request for correction was filed and advise the patient why you refused to make it. Section 62 sets out the reasons for refusing to correct that are permitted under the Act.
A privacy breach is any collection, use or disclosure of personal health information that is not authorized under PHIA. For example, PHI may be lost (a patient’s file is misplaced), stolen (a laptop computer is taken from your office) or inadvertently disclosed to an unauthorized person (a letter addressed to patient A is actually mailed to patient B). However, a custodian may also become aware of breaches that are intentional; for example, an unauthorized access of patient files by staff. Most privacy breaches, unless the risk of harm is very low, must be reported to the affected individuals. More serious breaches must be reported to the Commissioner, in addition to the affected individual. These are called material breaches.
Section 5 of the Personal Health Information Regulations of PHIA outlines the factors that are relevant in determining what constitutes a material breach, including the sensitivity of the information involved, the number of people whose PHI was involved, the potential for the information to be misused and whether the cause of the breach indicates a systemic problem. Material breaches must be reported to the OIPC.
Finally, as a custodian, you are also responsible for ensuring that your employees, agents, contractors and volunteers are aware of their obligations under PHIA and of your policies and procedures that support the legislation. What follows is a quick checklist to help get you thinking about your obligations under PHIA and how well you are meeting these obligations. It should not be taken as a comprehensive or definitive guide on how to fulfill your responsibilities as a Custodian. If you have any questions or would like more information, we would be happy to meet with you and discuss these issues further. We can be reached at 729-6309, 1-877-729-6309, or firstname.lastname@example.org.
|1. Do you have policies in place regarding PHI?|
|2. Do you have confidentiality agreements for employees, contractors and volunteers?|
|3. Are your employees aware of their obligations? Has there been privacy training?|
|4. Do you have reasonable physical security measures in place?|
|5. Do you have reasonable technical security measures in place?|
|6. Do you have reasonable administrative security measures in place?|
|7. Do you have a PHIA public written statement posted or provided?|
|8. How well do you inform your patients of their rights under PHIA?|
|9. How aware of you of what do in case of a privacy breach?|
The OIPC would be delighted to speak with custodians and offer assistance in increasing their compliance with PHIA.