Obligations of Health Information Custodians

• Author: Halyna N. Perun; Michael Orr; Fannie Dimitriadis
• Pages: 148-194

148

1 S.O. 2004, c. 3, Sch. A [PHIPA].

A. GENERALLY

In addition to the substantive rules that the Personal Health Information Protec-

tion Act1imposes for the collection, use, and disclosure of personal health

information and for providing patients with a right to access and correct their

records of personal health information, the Act also imposes on health infor-

mation custodians certain obligations consistent with fundamental principles

of informational privacy and the confidentiality of personal health information.

These basic requirements, largely set out in Part II of PHIPA, require a health

information custodian to be accountable and open about the custodian’s infor-

mation practices to ensure patients are aware of the custodian’s collection, use,

and disclosure of patient information, and about avenues of recourse open for

addressing any problems. Custodians must also ensure the accuracy and secu-

rity of personal health information in their custody or control. These obliga-

tions embody several of the ten principles set out in the CSA Privacy Code,

specifically accountability, accuracy, safeguards, and openness. The fulfilment

of these requirements creates a transparency and assurance of reliability that

serves to foster public trust in health care providers and in the health system

overall.

4Obligations of Health

Information Custodians

B. ACCOUNTABILITY

1) Designating a Contact Person

Under PHIPA, all health information custodians are required either to desig-

nate a contact person, or to take on the role of contact person themselves.

While a health information custodian who is a natural person (such as a physi-

cian in private practice, as opposed to a corporation or partnership)2has the

option of either designating a contact person or performing the functions of a

contact person him- or herself, a custodian that is not a natural person (such

as a hospital or long-term care facility) must designate a contact person.3

In some instances, separate health information custodians may address

the requirement in the Act concerning the function of the contact person more

efficiently by appointing a common person to act as the contact person for

them all. This strategy may be attractive for health care practitioners who pro-

vide health care in the course of their employment duties for a non-health

information custodian (e.g., nurses and speech language pathologists employed

by a school board, or social workers and social service workers employed by a

children’s aid society). They may all appoint a common person within the

employer’s organization, perhaps a person with established responsibilities for

privacy or records management, to help them all comply with PHIPA in an

efficient and co-ordinated manner that will also be harmonious with the infor-

mation practices of the employer’s organization as a whole.4

The designation of one person as having the responsibilities of the contact

person does not mean that other agents of the health information custodian do

not participate in the fulfilment of the custodian’s responsibilities under the

Act. The contact person can delegate duties to others with the custodian’s per-

mission. A health information custodian may give several agents specific

assignments with respect to the custodian’s information practices. The contact

person, however, retains overall responsibility for the activities assigned by

PHIPA to contact persons, as described below in this chapter.

Obligations of Health Information Custodians 149

2PHIPA, s. 2, definition of “person.”

3Ibid., ss. 15(1), (2), and (4).

4 The contact person, however, must take care to ensure that he or she does not act as a

conduit for personal health information through which the custodians may flow per-

sonal health information to each other or to the employer where PHIPA does not

authorize such a disclosure.

2) Role of a Contact Person

Under PHIPA, the contact person is deemed an agent5of the custodian and is

authorized to perform five categories of activities on behalf of the custodian.6

The contact person

a) facilitates the custodian’s compliance with the Act;

b) ensures that all agents of the custodian are appropriately informed of their

duties under the Act;

c) responds to inquiries from the public about the custodian’s information

practices;

d) responds to requests of a patient for access to or correction of a record of

personal health information about the patient that is in the custody or

under the control of the custodian; and

e) receives complaints from the public about the custodian’s alleged contra-

vention of the Act or the regulations.

The nature of the position of a “contact person” will depend largely on the

size and complexity of the health information custodian. In larger facilities,

such as hospitals, an agent dedicated to work arising from the custodian’s obli-

gations under the Act, such as a Chief Privacy Officer, may be a practical neces-

sity. In other instances, the responsibilities of the contact person may be added

to the duties of an employee or other agent, such as a health care practitioner,

health information manager, or administrative assistant. An agent who acts as

a contact person need not dedicate all his or her time to activities related to the

health information custodian’s obligations under the Act. Health information

custodians with smaller operations, such as health care practitioners and com-

munity health centres, are more likely to take this latter approach. A sole prac-

titioner may perform the duties of the contact person him- or herself.

C. DETERMINING WHAT IS REASONABLE

Where PHIPA does not delineate specific processes or actions for health infor-

mation custodians, it typically requires custodians to act “reasonably.” For

example, health information custodians must take steps that are “reasonable

in the circumstances” to protect personal health information. Custodians may

Guide to the Ontario Personal Health Information Protection Act

150

5 See Chapter 2, Section B(2) for a discussion of “agents.”

6PHIPA, s. 15(3).