The Health Information Protection Act (HIPA) assigns significant responsibilities to individuals and organizations that are defined as a trustee under that legislation.
A physician can be a trustee of personal health information if that physician has custody or control of personal health information.
The Information and Privacy Commissioner, who is responsible for enforcing HIPA, has defined custody or control as follows:
Custody is the physical possession of a record by a trustee, who has a measure of control. Control connotes authority.
A record is under the control of a trustee when the trustee has the authority to manage the record, including restricting, regulating and administering its use, disclosure or disposition. Custody is not a requirement.
That means that a physician who has neither custody nor control of personal health information is not a trustee as defined in HIPA. A physician who is not a trustee has legal and ethical obligations to protect the confidentiality of personal health information. However, only the trustee of that information is required to meet the requirements in HIPA.
A trustee’s obligations are summarized at page 3 of the College Guideline: Confidentiality of Patient Information. Those obligations include:
- Informing patients about the anticipated use and disclosure of their personal health information.
- Establishing policies and procedures to protect the integrity, accuracy and confidentiality of patient health information.
- Establishing policies and procedures to limit employee access to only the personal health information that is necessary to carry out the employee’s responsibilities.
The Information and Privacy Commissioner has addressed some circumstances in which physicians have custody or control of personal health information and are trustees:
- If a corporation has custody or control of personal health information, the physicians who are directors of the corporation are trustees.
- If a non-profit corporation or other entity controls the EMR and enters into a relationship with physicians in which the physicians are unable to transfer patients’ information without patient consent, the physicians are not trustees.
Additionally, if a physician is an employee of a trustee (such as the Saskatchewan Health Authority), only the SHA is a trustee of that information. The physician is not a trustee.
Both the Information and Privacy Commissioner and the College of Physicians and Surgeons strongly encourage physicians to ensure that they have an agreement with any clinic in which they practise stating who the trustees are of the personal health information held by the clinic. If physicians are trustees only for specific patients, the agreement should make that clear. In a 2022 investigation report the Information and Privacy Commissioner concluded the following:
In the course of this investigation, my office recommended that these agreements specify precisely that the trustee has custody or control over the personal health information of their respective patients, and not simply that they are the trustees of the personal health information. These agreements should specify who is the trustee with custody or control …
A 2020 report states:
I view written agreements between health professionals that describe the trusteeship of personal health information as a fundamental safeguard that all trustees should have in place.
My office has said in previous reports … that it is not enough for a trustee to adopt the policies of another organization. It must ensure policies and procedures are tailored to meet the unique and specific needs of the trustee. My office encourages trustees to alter any templates available to them and tailor them to the unique circumstance of their practice.
The College and the SMA worked together to develop the privacy resources that are on the SMA website. Those resources include sample agreements, among them a template Clinic-Information Sharing Agreement (Shared Practice), which can provide a basis for developing an agreement that specifies each physician’s responsibility for medical records within the practice.
As always, we at the College are available to provide advice to physicians on issues of confidentiality of patient information and a physician’s obligations under HIPA.