“A” Trustee vs. “THE” Trustee

January 18, 2017 - Melanie Coyle, Analyst

If you are reading this blog, I probably don’t need to tell you how complex the healthcare system is. When dealing with The Health Information Protection Act (HIPA), one of the most challenging brain teasers I have to deal with on files is who is the trustee in any given circumstance.

When we start to analyze a HIPA-related case, we ask the following three questions to ensure that HIPA applies.

  • Is there personal health information?
  • Is there a trustee?
  • Is the personal health information in the custody or control of the trustee?

It is usually pretty straightforward to determine if data qualifies as personal health information.

It is also fairly simple to determine if an individual or organization can qualify as a trustee for the purposes of HIPA.  Subsection 2(t) of HIPA defines a trustee – it is a succinct list of possibilities.

However, imagine the scenario where a physician works for the Saskatchewan Health Authority (SHA). Both can qualify as a trustee.  But who is ultimately the trustee responsible for the personal health information?

Determining who the trustee is hinges on who has custody or control of the record.

Custody is the physical possession of a record by a trustee.

Control connotes authority. A record is under the control of a trustee when the trustee has the authority to manage the record, including restricting, regulating and administering its use, disclosure or disposition. Custody is not a requirement.

Our office’s resource, the IPC Guide to HIPA, explains this concept in more detail and provides questions that can help determine who has control of personal health information.

Here are some scenarios for your consideration about the trustee:

  • If a medical resident or physician practices medicine only within the SHA, the SHA would be the trustee because the personal health information records would stay with the SHA if the physician left. In this case, the SHA has custody and control of those records.
  • If a physician had privileges with the SHA and performed surgery there, the personal health information created there would remain under the SHA’s custody or control. However, if the SHA provided the physician’s office with a copy of the personal health information for follow up purposes, the SHA would be the trustee of the original records and the physician would be the trustee of the copy.
  • If a physician joined other physicians to form a partnership, association, medical professional corporation or regular business corporation, it is imperative that those physicians determine, at the outset, how custody and control of personal health information will work. For example, the physicians may decide that the entity itself would be the trustee of the personal health information. In this case, if one of the physicians leaves the group, the personal health information that he/she has created would remain in the custody or control of the group. Perhaps the physicians are just sharing space and each physician is the trustee of the personal health information of the patients that he/she sees? Written agreements are key in these situations.

The issue of who is the trustee is raised most commonly in two situations.  The first is when a trustee leaves a partnership, association or corporation and there is a dispute over the personal health information.  Secondly, the issue is raised when there is a privacy breach and it must be determined who had responsibility for protection of the personal health information.  These processes will be smoother for trustees if they have written agreements in place. I encourage all trustees to consider this issue and ensure proper written agreements are in place.

Finally, it is important to note that the trustee is responsible for making sure its employees understand and are compliant with HIPA.  If an employee causes a breach and was not adequately trained, the trustee may be found responsible.  If the employee has been properly trained, responsibility for the breach may fall to the employee.  Offences by both could result in fines and jail time.
