Chapter 2 – Getting Started: What Health Information Custodians Should Know
This chapter focuses on some basic responsibilities and other issues that custodians should be aware of under PHIPA.
If you are a custodian under PHIPA, you must take specific steps in order to comply with the Act, including
- naming a contact person,
- developing a public written statement about how you collect, use and disclose personal health information (PHI),
- putting in place appropriate security measures to protect PHI,
- keeping accurate records of PHI,
- meeting certain conditions if you keep records of PHI in a client’s home,
- being responsible for your agents (who collect, use or disclose PHI on your behalf), and
- ensuring that anyone who alerts the Information and Privacy Commissioner to a breach or possible breach of PHIPA is protected from harassment, demotion and other negative actions.
Custodians also need to be aware of
- the possibility of applying to the government to join together with one or more other custodians to act as a single custodian for the purposes of PHIPA (for example, to share their duties under the Act)
- the consequences of not complying with PHIPA, including the possibility of fines.
Duties of a custodian
There are special rules under PHIPA that indicate what steps custodians must take in order to comply with the Act. These duties are described below.
Naming a contact person
You must appoint a “contact person” whose role is to help you meet your obligations under PHIPA. That person should
- take an active role in making sure you are complying with PHIPA,
- make sure your agents are informed about their duties under PHIPA,
- answer any questions and complaints that relate to your information practices, and
- respond to access and correction requests (unless someone else in your agency has that responsibility).
Questions and Answers
Q: I am a health care practitioner in private practice, but I occasionally consult with a community mental health agency. Do I need to name a contact person?
A: When you are in your private practice, you have a choice: you can either name someone else as a contact person under PHIPA, or fulfill the duties yourself.
When you act on behalf of the community agency, the agency is the custodian and you are its agent. In that case, the agency is responsible for appointing someone as its contact person.
Developing a public written statement
You must develop a document such as a notice, fact sheet, brochure or poster that describes the purposes for which you collect, use and disclose PHI. You must include in it a general description of the administrative, technical and physical safeguards and practices that you maintain with respect to the PHI. This document must also inform people
- who your contact person is and how to get in touch with him/her,
- how a client can ask for access to (and correction of) the records of PHI you hold,
- how a client or member of the public can raise questions about your privacy practices or other matters relating to PHIPA, and
- how to complain to you, or about you to Ontario’s Information and Privacy Commissioner.
Note: The goal is to be open about how you handle PHI. You can do this by taking steps that are reasonable under the circumstances to let people know how you will protect their individual privacy and the confidentiality of their PHI. This written statement must be made available to the public, and it is up to you to decide how to do that (for example, you could give clients a privacy notice, post information in your intake area and/or place information on your website).
A sample privacy notice is provided at the end of this chapter.
Protecting PHI with security safeguards
PHI must be protected. Although PHIPA does not tell you exactly what precautions you must take to keep the information secure, you must protect the PHI you hold, which could include the following types of safeguards:
- Administrative: by adopting policies and procedures that reinforce privacy protection
- Physical: by locking drawers and cabinets, and making sure that PHI to be disposed of is not placed in public or unsecured garbage bins
- Technical: by using password protection on computers, encrypting files and using secure servers
You must protect records of PHI against loss, theft or unauthorized
- modification, or
If a security breach occurs in spite of your best efforts to protect the PHI, you must notify your client. A template letter is provided at the end of this chapter for your reference.
You should also consider whether it might be more appropriate to not send a letter, but to use the language in the template letter to inform your client about the situation at his/her next appointment,
- as long as the risk is low that he/she will not be contacted by a third party first, and
- if the appointment will take place in the near future.
The Information and Privacy Commissioner has posted some helpful information about how to safeguard the PHI you hold (including tips on its storage, retention and disposal):
“Safeguarding Personal Health Information,” Fact Sheet #1, January 2005, www.ipc.on.ca
Keeping accurate records
You must take reasonable steps to make sure that the PHI you hold is as accurate, complete and up to date as necessary for the purpose(s) for which you use it. If you are going to give PHI to someone else (outside your agency, for example), you need to tell that person or organization whether there are any limits to the PHI being accurate, complete or up-to-date for the purpose(s) that they require it.
Questions and Answers
Q: My agency has pretty good record-keeping practices and my staff members take care to make sure our client files are accurate.
If a client asks me to disclose PHI to someone I don’t know, how will I know whether the information is accurate for their purposes?
A: You cannot possibly anticipate every situation where a client might ask you to give PHI to someone else. However, many requests involve releasing information to:
- other health-care practitioners or facilities,
- employers, or
If it is very obvious that something relevant is missing from the information that you are going to release, or that the record is otherwise incomplete or inaccurate, you may note that or identify that information is missing. Otherwise, you should make a note every time you disclose information that the PHI you are providing is up to date for your own purposes only. (Some custodians have dealt with this by stamping the document to be disclosed, or adding a cover letter to documents they disclose.)
Records in the home or elsewhere
If you want to keep records of PHI in the client’s home or at other premises that you do not control, you can do so with the client’s consent.
If you do, however, the records must be kept and protected in a reasonable manner. Before doing so, you must also abide by any relevant rules or restrictions of your professional college or other body that registers you to practice.
Questions and Answers
Q: Our assignments require us to carry client PHI with us into the community. Does PHIPA prevent or place restrictions on this practice?
A: The Act does not prevent you from carrying PHI into the community. However, it does state that a patient is to be notified if their record is lost, stolen or accessed inappropriately. You should take every precaution with the record to ensure its safety. For example, don’t leave the record on the seat of your car when you are not in the car.
There are special rules about leaving records of PHI in a client’s home or other premises you don’t control. You will need the client’s consent, and should also consider what is reasonable in the circumstances. You may also be bound by any rules of your professional college, where they exist.
As discussed above, an agent is anyone who collects, uses or discloses PHI on your behalf (including staff or consultants, health-care practitioners, researchers, volunteers, independent contractors and students). As a custodian, you are responsible for your agents.
- act within the scope of the custodian’s authority (in other words, you cannot tell your agent to do something that you would not be allowed to do under PHIPA),
- notify you immediately if the PHI they hold on your behalf is stolen or lost, or if someone without proper authority accesses or has already accessed it, and
- comply with their legal reporting duties (such as to report child abuse under the Child and Family Services Act), even if the custodian has not specifically authorized the agent to do so, or has told the agent not to make the report.
General limiting principles
Under PHIPA, you should be careful to collect, use and disclose PHI
- only if it is specifically required (for example, if all you need is non-PHI, use it instead), and
- as judiciously and infrequently as possible. For example, staff should collect PHI only as necessary and when it is required from clients. Of course, you will want to ensure that all professional standards (and any policies of your agency) for documenting client information continue to be met.
Protection for “whistleblowers”
No one is allowed to dismiss, suspend, demote, discipline, harass or disadvantage another person because that person has reported to the Information and Privacy Commissioner (who oversees compliance with the Act) about a past or future breach of the Act. This includes taking steps to stop the breach from occurring, or refusing to do something that would amount to a breach.
In other words, if someone genuinely thinks that you are not complying with the Act, PHIPA does not allow you to take punitive measures against that person because he/she has reported you to the Information and Privacy Commissioner.
Applying for single custodian status
Two or more custodians may apply to the Ministry of Health and Long-Term Care to be named as a single custodian for the purpose of PHIPA. Doing so would cover them for all purposes of PHIPA, not just for a specific purpose such as responding to client requests to access information in a shared database (discussed above).
In this case, you will have to provide specific information, including but not limited to
- a description of why such an order would be in the public interest,
- how you would ensure that clients have reasonable access to their records of PHI,
- how single custodian status would allow you and the other custodians to provide integrated health care,
- how the order would affect your ability to comply with the Act, and
- any safeguards or other measures that you would put in place to ensure continued compliance with the Act.
You can learn more about the single custodian application process at www.health.gov.on.ca.
Note: An agency that has a head office but provides services at more than one location is already considered to be a single custodian under PHIPA. There is no need to apply to the Ministry for a special designation.
Consequences of not complying with PHIPA
Being found guilty by Ontario’s Information and Privacy Commissioner of an offence under PHIPA could result in fines of up to
- $50,000 for individuals, or
- $250,000 for corporations.
Most of the offences under PHIPA happen either if you knowingly, wilfully or deliberately do something you know you should not do, or if you fail to do something that you should do. However, PHIPA protects you if you acted in good faith, so it could be important to show that you did.
Once an offence has been proven, the person affected by your breach of the Act could also go to court to ask for compensation. This could include up to $10,000 for mental anguish, as well as general damages (a sum of money decided by the court).
Employees, agents, senior management and board members of community mental health agencies and community-based addictions programs should be aware of the possibility, however remote, that they could be personally liable under PHIPA. This could happen if they
- have authorized someone to commit an offence, or
- had the authority to prevent an offence but chose not to do so.
The overall message is not to frighten people about PHIPA, but to effectively secure the rights of all. You are protected under the Act if you act in good faith. However, it is always important to remember that you could someday be asked to prove that you acted in good faith, and that your privacy practices may be scrutinized.
Complying with federal privacy legislation
A mental health or addictions program may be subject to both PHIPA and to the federal privacy legislation, the Personal Information Protection and Electronic Documents Act. The federal legislation applies if you collect, use or disclose personal information in the course of a commercial transaction. For example, if you run a parking lot or some type of retail store, act as a landlord or collect money in exchange for a service such as an education session, the federal legislation will apply if you collect personal information on a credit card or otherwise.
The federal legislation also applies to PHI. However, because PHIPA is likely to be designated by the federal government as being “substantially similar” to the federal legislation, you must follow the PHIPA rules.