Reminder to Physicians - Obligations as a Health Information Custodian
August 05, 2015
Under the Personal Health Information Protection Act, 2004 (PHIPA), physicians are Health Information Custodians (HICs) and have a responsibility to protect personal health information (PHI).
In a group practice or clinic setting, it may not be clear which physician is the HIC for each electronic medical record. It is recommended that each group and/or clinic set out in writing who is the HIC responsible for which EMR(s).
PHIPA requires HICs who have custody or control of PHI to establish and implement information practices that comply with its provisions. This does not mean that custodians are expected to completely set aside their existing policies and practices. In fact, PHIPA builds upon existing policies and guidelines for health care professionals and provides enforceable rules relating to the collection, use or disclosure of PHI as well as its secure retention, transfer and disposal.
For example, PHIPA requires HICs to:
- Obtain an individual's consent when collecting, using and disclosing PHI, except in limited circumstances as specified under PHIPA;
- Only collect, use and disclose PHI where it is necessary and no more than is reasonably necessary;
- Take reasonable precautions to safeguard PHI, including:
  - Protection against theft or loss; and
  - Protection against unauthorized use, disclosure, copying, modification or destruction;
- Notify an individual at the first reasonable opportunity if PHI is stolen, lost or accessed by an unauthorized person;
- Ensure health records are as accurate, up-to-date and complete as necessary for the purposes for which they use or disclose PHI;
- Ensure health records are retained, transferred and disposed of in a secure manner;
- Designate or take on the role of a contact person who is responsible for:
  - Responding to access/correction requests;
  - Responding to inquiries about the custodian's information practices;
  - Receiving complaints regarding any alleged breaches of PHIPA; and
  - Ensuring overall compliance with PHIPA.
- Provide a written statement that is readily available to the public and describes:
  - A custodian's information practices;
  - How to reach the contact person; and
  - How an individual may obtain access, request a correction or make a complaint regarding his/her PHI.
- Inform an individual of any uses and disclosures of PHI without the individual's consent that occurred outside the custodian's information practices; and
- Ensure that all agents of the custodian are appropriately informed of their duties under PHIPA.
When using HRM or when seeking HRM-related technical support, physicians should remember that PHI, including screenshots, should not be sent via email. All PHI should be removed or redacted before sending an email requesting assistance.
For more information about what physicians and their staff should know about their privacy obligations under PHIPA, please consult the Frequently Asked Questions for Physicians and Staff.