“A” Trustee vs. “THE” Trustee (updated)
If you are reading this blog, I probably don’t need to tell you how complex the healthcare system is. When dealing with The Health Information Protection Act (HIPA), one of the most challenging brain teasers I have to deal with on files is who is the trustee in any given circumstance.
When we start to analyze a HIPA related case, we ask the following three questions to ensure that HIPA applies.
- Is there personal health information?
- Is there a trustee?
- Is the personal health information in the custody or control of the trustee?
It is usually pretty straightforward to determine if data qualifies as personal health information.
It is also fairly simple to determine if an individual or organization can qualify as a trustee for the purposes of HIPA. Subsection 2(1)(t) of HIPA defines a trustee – it is a succinct list of possibilities. Please note the list of trustees was expanded with amendments to the HIPA Regulations that came into force on August 1, 2023.
However, imagine the scenario where a physician works for the Saskatchewan Health Authority (SHA). Both can qualify as a trustee. But who is ultimately the trustee responsible for the personal health information?
Determining who the trustee is hinges on who has custody or control of the personal health information in question.
Custody is the physical possession of the personal health information with a measure of control by a trustee.
Control connotes authority. A record containing personal health information is under the control of a trustee when the trustee has the authority to manage the record, including restricting, regulating and administering its use, disclosure or disposition. Custody is not a requirement.
By the way, for HIPA to apply, the personal health information in question does not have to be in recorded form.
Here are some scenarios for your consideration about the trustee:
- If a medical resident or physician practices medicine only within the SHA, the SHA would be the trustee because the personal health information records would stay with the SHA if the physician left. In this case, the SHA has custody or control of those records.
- If a physician had privileges with the SHA and performed surgery there, the personal health information created there would remain under the SHA’s custody or control. However, if the SHA provided the physician’s office with a copy of the personal health information for follow up purposes, the SHA would be the trustee of the original records and the physician would be the trustee of the copy.
- If a physician joined other physicians to form a partnership, association, medical professional corporation or regular business corporation, it is imperative that those physicians determine, at the outset, how custody and control of personal health information will work. For example, the physicians may decide that the entity itself would be the trustee of the personal health information. In this case, if one of the physicians leaves the group, the personal health information that he/she has created would remain in the custody or control of the group. Perhaps the physicians are just sharing space and each physician is the trustee of the personal health information of the patients that he/she sees. Written agreements are key in these situations especially if a joint EMR is used.
The issue of who is the trustee is raised most commonly in two situations. The first is when a trustee leaves a partnership, association or corporation and there is a dispute over the personal health information. Secondly, the issue is raised when there is a privacy breach and it must be determined who had the ultimate responsibility for protection of the personal health information in question. Again, answering these questions would be easier if healthcare professionals working together and have written agreements in place. I encourage all trustees to consider this issue and ensure proper written agreements are in place.
Finally, it is important to note that the trustee is responsible to make sure its employees including contractors/information management service providers understand and are compliant with HIPA. If an employee or contractor causes a breach and was not adequately trained, the trustee is responsible.