A Privacy Agreement? What is it?
Many employees working with or around personal health information (PHI), whether current or newly employed, will most likely be required to sign an agreement indicating they understand their obligations to keep information confidential. These agreements usually address a variety of information, including PHI, personal information (PI), business information and information about an organization’s business partners. The IPC recommends that public bodies and trustees establish separate agreements: confidentiality agreements for information that does not contain PI or PHI, and privacy agreements that outline the legislative obligations to protect individuals’ PI and PHI. What should be included in a privacy agreement, though? The IPC has recently developed a Sample Privacy Agreement for Trustees: Protection of Personal Health Information to assist trustees, as defined in The Health Information Protection Act (HIPA), in meeting privacy obligations.
HIPA includes a duty to protect PHI. Trustees should ensure all policies, procedures, agreements and training provide clear expectations and obligations for employees.
The IPC’s Sample Privacy Agreement provides the basic obligations to protect PHI under HIPA. Trustees should consult this resource and tailor it to meet the needs of their organization and employees. This includes meeting not only the requirements set out by HIPA but also any other provincial or federal legislative requirements for the protection of PI.
The IPC recommends that all public bodies and trustees provide mandatory annual access and privacy training to all employees and that all agreements, such as a privacy agreement, be reviewed and re-signed annually.