Obligations of Health Information Custodians

AuthorHalyna N. Perun; Michael Orr; Fannie Dimitriadis
1 S.O. 2004, c. 3, Sch. A [PHIPA].
In addition to the substantive rules that the Personal Health Information Protec-
tion Act1imposes for the collection, use, and disclosure of personal health
information and for providing patients with a right to access and correct their
records of personal health information, the Act also imposes on health infor-
mation custodians certain obligations consistent with fundamental principles
of informational privacy and the confidentiality of personal health information.
These basic requirements, largely set out in Part II of PHIPA, require a health
information custodian to be accountable and open about the custodian’s infor-
mation practices to ensure patients are aware of the custodian’s collection, use,
and disclosure of patient information, and about avenues of recourse open for
addressing any problems. Custodians must also ensure the accuracy and secu-
rity of personal health information in their custody or control. These obliga-
tions embody several of the ten principles set out in the CSA Privacy Code,
specifically accountability, accuracy, safeguards, and openness. The fulfilment
of these requirements creates a transparency and assurance of reliability that
serves to foster public trust in health care providers and in the health system
4Obligations of Health
Information Custodians
1) Designating a Contact Person
Under PHIPA, all health information custodians are required either to desig-
nate a contact person, or to take on the role of contact person themselves.
While a health information custodian who is a natural person (such as a physi-
cian in private practice, as opposed to a corporation or partnership)2has the
option of either designating a contact person or performing the functions of a
contact person him- or herself, a custodian that is not a natural person (such
as a hospital or long-term care facility) must designate a contact person.3
In some instances, separate health information custodians may address
the requirement in the Act concerning the function of the contact person more
efficiently by appointing a common person to act as the contact person for
them all. This strategy may be attractive for health care practitioners who pro-
vide health care in the course of their employment duties for a non-health
information custodian (e.g., nurses and speech language pathologists employed
by a school board, or social workers and social service workers employed by a
children’s aid society). They may all appoint a common person within the
employer’s organization, perhaps a person with established responsibilities for
privacy or records management, to help them all comply with PHIPA in an
efficient and co-ordinated manner that will also be harmonious with the infor-
mation practices of the employer’s organization as a whole.4
The designation of one person as having the responsibilities of the contact
person does not mean that other agents of the health information custodian do
not participate in the fulfilment of the custodian’s responsibilities under the
Act. The contact person can delegate duties to others with the custodian’s per-
mission. A health information custodian may give several agents specific
assignments with respect to the custodian’s information practices. The contact
person, however, retains overall responsibility for the activities assigned by
PHIPA to contact persons, as described below in this chapter.
Obligations of Health Information Custodians 149
2PHIPA, s. 2, definition of “person.”
3Ibid., ss. 15(1), (2), and (4).
4 The contact person, however, must take care to ensure that he or she does not act as a
conduit for personal health information through which the custodians may flow per-
sonal health information to each other or to the employer where PHIPA does not
authorize such a disclosure.
2) Role of a Contact Person
Under PHIPA, the contact person is deemed an agent5of the custodian and is
authorized to perform five categories of activities on behalf of the custodian.6
The contact person
a) facilitates the custodian’s compliance with the Act;
b) ensures that all agents of the custodian are appropriately informed of their
duties under the Act;
c) responds to inquiries from the public about the custodian’s information
d) responds to requests of a patient for access to or correction of a record of
personal health information about the patient that is in the custody or
under the control of the custodian; and
e) receives complaints from the public about the custodian’s alleged contra-
vention of the Act or the regulations.
The nature of the position of a “contact person” will depend largely on the
size and complexity of the health information custodian. In larger facilities,
such as hospitals, an agent dedicated to work arising from the custodian’s obli-
gations under the Act, such as a Chief Privacy Officer, may be a practical neces-
sity. In other instances, the responsibilities of the contact person may be added
to the duties of an employee or other agent, such as a health care practitioner,
health information manager, or administrative assistant. An agent who acts as
a contact person need not dedicate all his or her time to activities related to the
health information custodian’s obligations under the Act. Health information
custodians with smaller operations, such as health care practitioners and com-
munity health centres, are more likely to take this latter approach. A sole prac-
titioner may perform the duties of the contact person him- or herself.
Where PHIPA does not delineate specific processes or actions for health infor-
mation custodians, it typically requires custodians to act “reasonably.” For
example, health information custodians must take steps that are “reasonable
in the circumstances” to protect personal health information. Custodians may
Guide to the Ontario Personal Health Information Protection Act
5 See Chapter 2, Section B(2) for a discussion of “agents.”
6PHIPA, s. 15(3).

To continue reading

Request your trial

VLEX uses login cookies to provide you with a better browsing experience. If you click on 'Accept' or continue browsing this site we consider that you accept our cookie policy. ACCEPT