Information for Physicians
Overview of Privacy Expectations
This document is intended as an overview of physician obligations and patient rights with respect to personal health information. It cannot address all of the situations which may occur in relation to a physician’s practice.
Physicians who are unsure of their obligations or patients’ rights are encouraged to seek advice from:
- The College of Physicians and Surgeons: (306) 244-7355
- The Saskatchewan Medical Association: (306) 244-2196 or
- The Canadian Medical Protective Association: 1-800-267-6522.
In addition to the requirements of HIPA, the College of Physicians and Surgeons has adopted bylaws which establish expectations and requirements for Saskatchewan physicians relating to the personal health information of their patients.
I. College Requirements
The parts of the Code of Ethics of the Canadian Medical Association that relate to personal health information are part of College bylaws. Physicians are required to follow the Code of Ethics in their practices. There are several obligations which physicians are expected to meet relating to patient privacy and confidentiality. These include:
31. Protect the personal health information of your patients.
32. Provide information reasonable in the circumstances to patients about the reasons for the collection, use and disclosure of their personal health information.
33. Be aware of your patient’s rights with respect to the collection, use, disclosure and access to their personal health information; ensure that such information is recorded accurately.
34. Avoid public discussions or comments about patients that could reasonably be seen as revealing confidential or identifying information.
35. Disclose your patients’ personal health information to third parties only with their consent, or as provided for by law, such as when the maintenance of confidentiality would result in a significant risk of substantial harm to others or, in the case of incompetent patients, to the patients themselves. In such cases take all reasonable steps to inform the patients that the usual requirements for confidentiality will be breached.
37. Upon a patient’s request, provide the patient or a third party with a copy of his or her medical record, unless there is a compelling reason to believe that information contained in the record will result in substantial harm to the patient or others.
Physicians who are trustees as defined in HIPA (physicians who have custody or control of patients’ personal health information) are required to ensure that:
(i) The practice locations in which they practice have established a written privacy policy that complies with HIPA;
(ii) The privacy policy is reviewed on a regular basis and is amended if required; and,
(iii) The privacy policy is provided to all persons who work in the clinic and have access to personal health information.
There are specific requirements for the privacy policy which physicians who are trustees (see previous paragraph) are required to adopt. The documents available from the Saskatchewan Medical Association website are intended to assist physicians to develop privacy policies that comply with College requirements. Bylaw 23.2 of the Regulatory Bylaws, available on the College website, sets out the requirements for such a policy.
Physicians who practise in a location where there is a privacy policy are expected to read and be aware of the contents of that policy.
When physicians renew their licences with the College, they are required to answer questions pertaining to privacy policies and their knowledge of privacy policies.
II. Requirements of the Health Information Protection Act
1. Physician clinics should make information available to patients to advise them what information is being collected about them and why it is being collected. A poster, sign or brochure should be available to patients that states:
i. Possible uses of personal health information
ii. Patients’ right of access to their records
iii. Patients’ right to request amendments to their records
A suitable poster is available on the Saskatchewan Medical Association website.
2. Physician clinics should have established procedures to ensure that personal health information is only provided to third parties with the consent of the patient, or where the information can be provided without patient consent:
a. Deemed consent or implied consent is generally sufficient to provide personal health information to other caregivers to assist them to provide care to the patient. Release of information within the care team should be on a need-to-know basis.
b. If the information relates to a child under the age of 18, and the child is sufficiently mature to understand their rights and responsibilities relating to their personal health information, the child can determine who can obtain their personal health information and can deny any other person access to their personal health information. Generally, that means if the child is capable of providing informed consent to treatment, the child can control their personal health information.
c. If the information relates to a child under the age of 18, personal health information can be provided to the child’s legal custodian if that would not constitute an unreasonable invasion of the child’s privacy (subject to the child’s right to control their personal health information described in the previous paragraph).
d. HIPA sets out circumstances in which information can be provided to a third party without patient consent (where the physician believes, on reasonable grounds, that the disclosure will avoid or minimize a danger to the health or safety of any person, where the information is provided to the College in response to a request for information, etc.). The circumstances in which personal health information can be provided to others without patient consent are set out in HIPA and the HIPA regulations.
e. If a third party seeks personal health information without the consent of the patient, that party should be able to identify the legal authority that authorizes disclosure of the information without patient consent.
f. Express (usually written) consent should be obtained to disclose personal health information to third parties unless the information can be provided without patient consent.
g. Patients have the right to limit consent.
h. Consent must be informed and free of coercion.
i. Patients can withdraw express or implied consent at any time.
3. Physician clinics should have a process to permit patients to access their personal health information.
a. Patients must be permitted to see information in their records and to obtain copies of their records upon request. The physician should retain original documents.
b. There are limited circumstances in which patients may be refused access to all or part of their record. Generally this is limited to circumstances in which disclosure is likely to endanger the mental or physical health or safety of the patient or another person, would disclose confidential information about someone other than the patient, or would identify a third party who provided information to the physician in confidence.
c. Prudent physicians will ensure that patient access to records is supervised.
d. Physicians may charge a reasonable fee for providing access and/or copies. The Introduction/Preamble section and Section A1 of the SMA Relative Value Guide provide some recommended cost recovery fees that may be charged. A patient may be able to request that the fee be waived.
4. Physician clinics should have a mechanism to update and correct information in personal health records.
a. Registration and billing data should be updated as required.
b. Clinical records should be complete and accurate. Amendments to the clinical record should not erase any previous entries to the chart, should be dated and should indicate clearly that an addition or amendment is being made.
c. Corrections can be made to inaccurate or incomplete factual information. A physician is not required to make an amendment to a patient record merely because a patient disagrees with the physician’s diagnosis or opinion.
d. Physicians who use electronic medical records should ensure that their medical record software tracks additions/amendments.
5. Physician clinics should have policies and procedures to ensure that all personal information (registration data, billing data, health records, staff/employee records, etc.) is kept appropriately secure.
a. Consider locks, alarms and other physical security devices.
b. Electronic records should be password protected, and electronic systems should have appropriate firewalls and other electronic security mechanisms. Consider handcuffing (limiting access to portions of the electronic record to defined users).
c. Office policies and procedures should ensure that records are kept secure, that written information cannot be seen by unauthorized persons, that conversations cannot be overheard, and that all physicians and employees understand the importance of complete confidentiality.
d. If an information manager (computer support person, offsite storage company, etc.) has access to personal health information, a written agreement should be in place whereby the information manager agrees to ensure confidentiality and limit access to the records.
6. Physician clinics should designate an individual (ideally a physician) to act as Privacy Officer to oversee management of personal health information.
a. The Privacy Officer should be familiar with the obligations under HIPA.
b. This individual should develop and implement the privacy policies for the clinic and provide clinic staff with advice regarding HIPA compliance.
c. All employees should know who the Privacy Officer is.
7. Physician clinics should educate all staff so that they understand what types of information may be disclosed, to whom, and under what conditions.
a. Disclosure to other caregivers providing care to the patient does not generally require patient consent. The information disclosed should be limited to the information that the caregiver requires to provide that care.
b. HIPA allows disclosure without consent in a limited number of other situations (e.g. to a proxy for the patient in the case of advance care directives, to a quality of care committee, for professional review/audit, to minimize danger to the health or safety of an individual). Disclosures of this type should be well-documented and overseen by the clinic’s Privacy Officer.
c. The office should have explicit policies that define whether staff may respond to requests for information about patients.
d. Where information is shared among providers (or among trustees as defined in HIPA), consideration should be given to formal data sharing agreements signed by both parties. Data sharing agreements may be particularly important when data are shared electronically. Such agreements should bind both parties to comply with privacy requirements.
e. When in doubt, staff should forward requests for information to the Privacy Officer.
8. Physician clinics should have specific office policies and procedures for information management. All staff members should receive training about the policies and procedures and sign confidentiality agreements.
a. Staff policies and procedures should contain an explicit privacy policy. Non-compliance with the privacy policy should be grounds for disciplinary action.
b. Staff should receive regular in-service training on issues related to information handling.
c. Staff should be required to sign a confidentiality agreement at the time of hiring. Consider annual renewals of the agreement. The agreement should state that:
i. The employee is familiar with the office privacy policies and procedures.
ii. The employee will not read, use or disclose information in any patient record unless required for patient care, or to fulfill their job responsibilities.
iii. The employee will not disclose any personal health information to anyone except in accordance with the clinic’s policies and procedures or as directed by the clinic’s Privacy Officer.
iv. The clinic’s privacy policy should be available to patients upon request.
9. Physician clinics should follow accepted guidelines for the retention and destruction of personal health information.
a. College bylaws require physician clinics to retain patient records for six years after the date the patient was last seen or, if the patient is not an adult, for six years after the date the patient was last seen or until the patient’s 20th birthday, whichever is later.
b. Destruction of personal health information should always be by a method that removes personal identifiers and minimizes the chance of any inadvertent disclosure of information.
c. If the office utilizes a third party to store or destroy records, there should be a signed agreement in which the third party agrees to maintain confidentiality with respect to the information in those records.
10. Physician clinics should have a process in place for handling complaints about management of personal information.
a. The process should be defined in the office privacy policies and procedures, and usually should be handled by the Privacy Officer.
b. In the event that a complaint cannot be resolved, the Privacy Officer or designated individual should know the mechanisms for referral of the complaint to the College of Physicians and Surgeons or to the Office of the Information and Privacy Commissioner.