Privacy of Health Information

No content found

No content found

Information for Physicians

Overview of Privacy Expectations

This document is intended as an overview of physician obligations and patient rights with respect to personal health information. It cannot address all of the situations which may occur in relation to a physician’s practice.

Physicians who are unsure of their obligations or patients’ rights are encouraged to seek advice from:

- The College of Physicians and Surgeons:  (306) 244-7355
- The Saskatchewan Medical Association:   (306)244-2196 or
- The Canadian Medical Protective Association:   1-800-267-6522.

In addition to the requirements of HIPA, the College of Physicians and Surgeons has adopted bylaws which establish expectations and requirements for Saskatchewan physicians relating to the personal health information of their patients.

I. College Requirements

The parts of the Code ofEthics of the Canadian Medical Association that relate to personal health information are part of College bylaws. Physicians are required to follow the Code of Ethics in their practices. There are several obligations which physicians are expected to meet relating to patient privacy and confidentiality. These include: 

31. Protect the personal health information of your patients. 
32. Provide information reasonable in the circumstances to patients about the reasons for the collection, use and disclosure of their personal health information.
33.   Be aware of your patient’s rights with respect to the collection, use, disclosure and access to their personal health information; ensure that such information is recorded accurately.
34.   Avoid public discussions or comments about patients that could reasonably be seen as revealing confidential or identifying information.
35.   Disclose your patients’ personal health information to third parties only with their consent, or as provided for by law, such as when the maintenance of confidentiality would result in a significant risk of substantial harm to others or, in the case of incompetent patients, to the patients themselves. In such cases take all reasonable steps to inform the patients that the usual requirements for confidentiality will be breached.
37. Upon a patient’s request, provide the patient or a third party with a copy of his or her medical record, unless there is a compelling reason to believe that information contained in the record will result in substantial harm to the patient or others.

Physicians who are trustees as defined in HIPA (physicians who have custody or control of patients’ personal health information) are required to ensure that:

(i) The practice locations in which they practice have established a written privacy policy that complies with HIPA;
(ii) The privacy policy is reviewed on a regular basis and is amended if required; and,
(iii) The privacy policy is provided to all persons who work in the clinic and have access to personal health information.

There are specific requirements for the privacy policy which physicians who are trustees (see previous paragraph) are required to adopt. The documents available from the SaskatchewanMedical Association website are intended to assist physicians to develop privacy policies that comply with College requirements. Bylaw 23.2 of the Regulatory Bylaws, available on the College website, sets out the requirements for such a policy.

Physicians who practise in a location where there is a privacy policy are expected to read and be aware of the contents of that policy.

When physicians renew their licences with the College, they are required to answer questions pertaining to privacy policies and their knowledge of privacy policies.

II. Requirement of the Health Information Protection Act

1.    Physician clinics should make information available to patients to advise them what information is being collected about them and why it is being collected. A poster, sign or brochure should be available to patients that states: i. Possible uses of personal health informationii. Patients’ right of access to their records
iii. Patients’ right to request amendments to their records

suitable poster is available on the Saskatchewan Medical Association website.

2.    Physician clinics should have established procedures to ensure that personal health information is only provided to third parties with the consent of the patient, or that the information can be provided without patient consent:a. Deemed consent or implied consent is generally sufficient to provide personal health information to other caregivers to assist them to provide care to the patient. Release of information within the care team should be on a need-to-know basis.
b. If the information relates to a child under the age of 18, and the child is sufficiently mature to understand their rights and responsibilities relating to their personal health information, the child can determine who can obtain their personal health information and can deny any other person access to their personal health information. Generally, that means if the child is capable of providing informed consent to treatment, the child can control their personal health information.
c. If the information relates to a child under the age of 18, personal health information can be provided to the child’s legal custodian if that would not constitute an unreasonable invasion of the child’s privacy (subject to the child’s right to control their personal health information described in the previous paragraph).
d. HIPA sets out circumstances in which information can be provided to a third party without patient consent (where the physician believes, on reasonable grounds, that the disclosure will avoid or minimize a danger to the health or safety of any person, where the information is provided to the College in response to a request for information, etc.). The circumstances in which personal health information can be provided to others without patient consent are set out in HIPA and HIPA regulations.
e. If a third party seeks personal health information without the consent of the patient, that party should be able to identify the legal authority that authorizes disclosure of the information without patient consent.
f. Express (usually written) consent should be obtained to disclose personal health information to third parties unless the information can be provided without patient consent.
g. Patients have the right to limit consent.
h. Consent must be informed and free of coercion.
i. Patients can withdraw express or implied consent at any time.
3.    Physician clinics should have a process to permit patients to access their personal health information.a. Patients must be permitted to see information in their records and to obtain copies of their records upon request. The physician should retain original documents.
b. There are limited circumstances in which patients may be refused access to all or part of their record. Generally this is limited to circumstances in which disclosure is likely to endanger the mental or physical health or safety of the patient or another person, would disclose confidential information about someone other than the patient, or would identify a third party who provided information to the physician in confidence.
c. Prudent physicians will ensure that patient access to records is supervised.
d. Physicians may charge a reasonable fee for providing access and/or copies. The Introduction/Preamble section and Section A1 of the SMA Relative Value Guide provides some recommended cost recovery fees that may be charged. A patient may be able to request that the fee be waived.
4.    Physician clinics should have a mechanism to update and correct information in personal health records.a. Registration and billing data should be updated as required.
b. Clinical records should be complete and accurate. Amendments to the clinical record should not erase any previous entries to the chart, should be dated and should indicate clearly that an addition or amendment is being made.
c. Corrections can be made to inaccurate or incomplete factual information. A physician is not required to make an amendment to a patient record merely because a patient disagrees with the physician’s diagnosis or opinion.
d. Physicians who use electronic medical records should ensure that their medical record software tracks additions/amendments.
5.    Physician clinics should have policies and procedures to ensure that all personal information (registration data, billing data, health records, staff/employee records, etc.) are kept appropriately secure.
a. Consider locks, alarms and other physical security devices.
b. Electronic records should be password protected, and electronic systems should have appropriate firewalls and other electronic security mechanisms. Consider handcuffing (limiting access to portions of the electronic record to defined users.)
c. Office policies and procedures should ensure that records are kept secure, that written information cannot be seen by unauthorized persons, that conversations cannot be overheard, and that all physicians and employees understand the importance of complete confidentiality.
d. If an information manager (computer support person, offsite storage company, etc.), has access to personal health information, a written agreement should be in place whereby the information manager agrees to ensure confidentiality and limit access to the records.
6.    Physician clinics should designate an individual (ideally a physician) to act as Privacy Officer to oversee management of personal health information.a. The Privacy Officer should be familiar with the obligations under HIPA.
b. This individual should develop and implement the privacy policies for the clinic and provide clinic staff with advice regarding HIPA compliance.
c. All employees should know who the Privacy Officer is.
7.    Physician clinics should educate all staff so that they understand what types of information may be disclosed, to whom, and under what conditions.a. Disclosure to other caregivers providing care to the patient does not generally require patient consent. The information disclosed should be limited to the information that the caregiver requires to provide that care.
b. HIPA allows disclosure without consent in a limited number of other situations (e.g. to a proxy for the patient in the case of advanced care directives, to a quality of care committee, for professional review/audit, to minimize danger to the health or safety of an individual). Disclosures of this type should be well-documented and overseen by the clinic’s Privacy Officer.
c. The office should have explicit policies that define whether staff may respond to requests for information about patients.
d. Where information is shared among providers (or among trustees as defined in HIPA), consideration should be given to formal data sharing agreements signed by both parties. Data sharing agreements may be particularly important when data are shared electronically. Such agreements should bind both parties to comply with privacy requirements.
e. When in doubt, staff should forward requests for information to the Privacy Officer.
8.    Physician clinics should have specific office policies and procedures for information management. All staff members should receive training about the policies and procedures and sign confidentiality agreements.a. Staff policies and procedures should contain an explicit privacy policy. Non-compliance with the privacy policy should be grounds for disciplinary action.
b. Staff should receive regular in-service training on issues related to information handling.
c. Staff should be required to sign a confidentiality agreement at the time of hiring. Consider annual renewals of the agreement. The Agreement should state that:i. The employee is familiar with the office privacy policies and procedures.
ii. The employee will not read, use or disclose information in any patient record unless required for patient care, or to fulfill their job responsibilities.
iii. The employee will not disclose any personal health information to anyone except in accordance with the clinic’s policies and procedures or as directed by the clinic’s Privacy Officer.
iv.The clinic’s privacy policy should be available to patients upon request.
9.    Physician clinics should follow accepted guidelines for the retention and destruction of personal health information.
a. College bylaws require physician clinics to retain patient records for six years after the date the patient was last seen or, if the patient is not an adult, for six years after the date the patient was last seen or the patient’s 20th birthday, whichever is last.
b. Destruction of personal health information should always be by a method that removes personal identifiers and minimizes the chance of any inadvertent disclosure of information.
c. If the office utilizes a third party to store or destroy records, there should be a signed agreement in which the third party agrees to maintain confidentiality with respect to the information in those records.
10. Physician clinics should have a process should be in place for handling complaints about management of personal information.a. The process should be defined in the office privacy policies and procedures, and usually should be handled by the Privacy Officer.
b. In the event that a complaint cannot be resolved, the Privacy Officer or designated individual should know the mechanisms for referral of the complaint to the College of Physicians and Surgeons or to the Office of the Information and Privacy Commissioner.

No content found

No content found