Advisory from the Office of the Information and Privacy Commissioner of Saskatchewan on health screening of staff and visitors in care homes
We have all heard the news telling us about the number of deaths of seniors in care homes related to COVID-19. Ontario and Quebec have particularly been impacted, but so has Saskatchewan. The Chief Medical Health Officer has ordered health screening to occur in care homes. The Public Health Order, dated June 13, 2020, provides as follows:
1. I hereby ORDER and DIRECT that in the Province of Saskatchewan effective June 13th, 2020:
(c) Visitors to long-term care homes, hospitals, personal care homes, and group homes shall be restricted to family or designates visiting for compassionate reasons. All visitors shall undergo additional health screening prior to entry. Any visitors who display or disclose signs or symptoms of COVID-19 shall be denied entry to the facility.
2. I hereby ORDER and DIRECT that in the Province of Saskatchewan:
(a) For the purposes of section 2 of this Order, “Licensee” refers to:
(i) operator of a special-care home designated pursuant to The Provincial Health Authority Act;
(ii) the licensee of a personal care home licensed pursuant to The Personal Care Homes Act;
(iii) an individual who, or corporation that, under a contract or subcontract with an operator of a special care-home or a licensee of a personal care home, provides or arranges for the provision of health care services or support services within the facility.
(b) For the purposes of section 2 of this Order, “Facility” refers to:
(i) A special-care home designated pursuant to The Provincial Health Authority Act;
(ii) A personal care home licensed pursuant to The Personal Care Homes Act.
3. I hereby ORDER and DIRECT that in the Province of Saskatchewan:
(a) For the purposes of section 3 of this Order, “Facility” means the same as defined in section 2 above but is amended to include:
(i) All facilities designated pursuant to The Provincial Health Authority Act operated by the Provincial Health Authority as defined in The Provincial Health Authority Act;
(ii) Hospital as designated pursuant to The Provincial Health Authority Act operated by an affiliate prescribed in The Provincial Health Authority Administration Regulations;
(iii) The following facilities operated by the Saskatchewan Cancer Agency continued pursuant to The Cancer Agency Act:
i. Saskatoon Cancer Centre;
ii. Allan Blair Cancer Centre;
iii. The Hematology Clinic;
(b) For the purposes of section 3 of this Order, “Licensee” means the same as defined in section 2 above but is amended to include:
(i) The Provincial Health Authority as defined in The Provincial Health Authority Act;
(ii) The Saskatchewan Cancer Agency continued pursuant to The Cancer Agency Act.
(c) For the purposes of Section 3 of this Order, “Staff Member” refers to:
(i) any individual who is employed by, or provides services under a contract with, the Licensee of a Facility; and
(ii) any volunteer or student that assists in the provision of services within the Facility.
(d) For the purposes of Section 3 of this Order, “Individual” means the same as Staff Member but also includes all individuals entering the Facility, except individuals entering for the purposes of receiving care.
(e) Health screening shall occur as follows:
(i) Staff Members shall undergo health screening prior to or upon entry to the Facility, which must include a temperature check. Any Staff Members who display or disclose signs or symptoms of COVID-19 shall be denied entry to the Facility. All Staff Members shall undergo a temperature check prior to leaving the Facility. All exceedances temperatures shall be logged by the Licensee.
(ii) Individuals who are not Staff Members shall undergo health screening, which must include a temperature check prior to or upon entry to the Facility. Any of these Individuals who display or disclose signs or symptoms of COVID-19 shall be denied entry to the Facility. All exceedances temperatures shall be logged by the Licensee.
The Minister of Health or the Chief Medical Health Officer have powers under The Public Health Act, 1994 (P.37.1). In particular, section 45 sets out the broad powers of the Minister and the Chief Medical Health Officer. Further, the Act contains mandatory reporting provisions of certain health care professionals in certain circumstances (e.g. section 32).
This advisory attempts to answer a number of questions related to collection, use, storage, safeguarding and destruction of personal health information involved in carrying out this order.
What privacy legislation might apply?
The Health Information Protection Act (HIPA) applies to health trustees which includes government institutions, the Saskatchewan Health Authority, health care organizations, a licensed personal care home, a health professional licensed under an Act, a pharmacy, and licensed medical laboratories. PARTS III and IV of HIPA deal with collection, use, disclosure, storage, and protection of personal health information.
To be sure, a care home should check HIPA to see if it has any application to it and if necessary, seek legal advice.
What information can be collected of personal health information?
The public health order requires heath screening including temperature checks of staff and visitors be taken and exceedance temperatures be logged. For staff and visitors, recording of a name, an exceedance temperature and answers to questions regarding COVID-19 symptoms is a collection. For visitors, due to the potential need to follow up, it would appear reasonable to ask which resident they were there to visit. It would not be reasonable to ask for the visitor’s Health Services Number (HSN) or other unrelated health information. To ask other unrelated questions and record answers, is going beyond the provisions of the public health order.
In collecting personal health information, the principle is to collect and record the least amount of personal health information necessary to carry out the purpose. The purpose here would be to comply with the public health order, which in turn is intended to keep care home staff and residents safe.
How should care homes notify staff and visitors of the collection?
Care homes should be as open and transparent as possible. They should advise staff that they will be doing temperature checks as they arrive for work and leave work. Care homes should advise visitors that health screening, including temperature checks, will be conducted at their care home through posters at the front door, pamphlets and postings on their website. Care homes should protect the information they collect and let staff and visitors know that the personal health information they have provided will not be shared with other staff and residents at the care home. The care home should not give out names or identify the ones who have exceedance temperatures, as this may be considered a privacy breach.
Care homes should develop a policy on health screening, including temperature checks, share that policy with staff, residents and visitors and post on the care home’s website.
To support the advice and principles above, the Information Commissioner (ICO) of Great Britain has stated:
In order to not collect too much data, you must ensure that it is:
adequate – enough to properly fulfil your stated purpose;
relevant – has a rational link to that purpose; and
limited to what is necessary – you do not hold more than you need for that purpose.
Can the care home use the information for any other purpose?
The care home is subject to the public health order, and has authority to collect personal health information for that purpose. The care home cannot use that information for any other purpose without getting the consent of the staff member or visitor whose information was collected.
If the staff member or visitor has an exceedance temperature, who can the care home share the information with?
Since the care home has collected the information that the staff member or visitor has an exceedance temperature, the care home needs to determine who in the organization needs to know. Once the staff member or visitor is refused entry, very few people need to know. If a staff member has an exceedance temperature, only the staff member’s supervisor or director of the care home needs to know. The rest of the staff do not need to know. If a visitor has an exceedance temperature, that visitor should be asked whether the information can be shared with the resident that the visitor came to visit and the information should not be shared with other staff.
Where does a care home store this personal health information?
The public health order requires exceedance temperatures to be logged. The log could be a separate sheet of paper for each person with an exceedance temperature, a log book where all the persons with an exceedance temperature are recorded or an electronic spreadsheet (such as excel) where all persons with an exceedance temperature are recorded. For visitors, there is no need to store the information anywhere else. For staff, a decision needs to be made whether a notation is made in the staff member’s HR file. Best practice would suggest that the care home only record on the HR file that the staff member is away on sick leave or another type of leave. There is no need to store it anywhere else.
Is a care home obliged to secure the information?
Under HIPA, section 16, there is an obligation for a care home to protect the personal health information collected and stored.
Once the care home collects personal health information about a staff member, it is the care home’s obligation to ensure it is protected. For example, leaving the log book at the front entrance would not be securing or protecting the personal health information and should not be accessible to all staff. Similarly, having a computer monitor at the front entrance, making the log accessible to all that pass by would be unacceptable.
Other resources detail suggestions on securing information and a few tips are given by the British Columbia Information and Privacy Commissioner:
Your organization must make reasonable security arrangements to protect personal information in its custody or under its control. For example, if the collected information is in paper form, it should not be left in a publicly accessible area. Rather, it should be stored in a locked file cabinet. If you are storing the list on a computer, make sure the computer is password protected, encrypted, and on a secure network. Position computer monitors so that personal information displayed on them cannot be seen by visitors.
When should the care home destroy the personal health information?
How long is a care home going to keep this information? Will it get destroyed in accordance with the destruction of documents policy of the care home? Should it have a special destruction period, shorter than the normal? Could it or should it be destroyed after 30 days after the public health order is rescinded or should it just be destroyed after 30 days? The care home should develop a policy including destruction guidelines.
Should care homes share the exceedance temperature information with the Medical Health Officer?
The Public Health Act, 1994 provides:
Responsibility to report
32(1) The following persons shall report to a medical health officer any cases of category I communicable diseases in the circumstances set out in this section:
(a) a physician or nurse who, while providing professional services to a person, forms the opinion that the person is infected with or is a carrier of a category I communicable disease;
(3) A report submitted pursuant to subsection (1) must include:
(a) the name, sex, age, address and telephone number of the person who has or is suspected to have, or who is or is suspected to be a carrier of, a category I communicable disease; and
(b) any prescribed information.
The Disease Control Regulations lists COVID-19 as a category 1 communicable disease.
If a doctor or nurse performing the health screening concludes that an individual may have COVID-19, the doctor or nurse will have to determine whether section 32 of The Public Health Act, 1994 applies. If the health screening is done by someone other than a doctor or nurse, section 32 would not apply. Since the exceedance temperature and answers to questions on COVID-19 symptoms may be an indication of COVID-19, best practice would suggest the care home request that the staff member or visitor call the healthline 811 or go to a testing centre.
Do care homes need to document their questions and testing plan?
Best practice would suggest that a care home develop a policy regarding its practices and procedures on temperature checking and make that policy available to staff, residents, and visitors. The policy should contain:
- a statement of the purpose;
- a statement that health screening will include, a temperature check and specific questions related to other symptoms of COVID-19;
- a statement on possible actions taken based on the results of health screening;
- a statement on how and where information will be stored;
- a statement as to who will have access;
- a statement that the information will be shared will only those that need-to-know and will not be shared with all staff and residents;
- a statement on how the personal health information will be protected;
- a statement as to who it will be shared with (public authorities or not); and
- a statement as to when the information will be destroyed.
A policy should be made available to staff, residents and visitors including postings on the care home’s website.
The principles are simple; establish the purpose, authority, and collect the least amount of personal health information to meet the purpose. Share it only with those who need-to-know, store it, keep it secure and destroy it when no longer needed.
The Information Commissioner’s Office in Great Britain has issued a document regarding “Work Testing – Guidance for Employers”. Although British legislation is different from the legislation in Saskatchewan, the principles set out are good ones and may have some application to public bodies and health trustees in Saskatchewan.
Ronald J. Kruzeniski
Information and Privacy Commissioner