So You’re Ready to Practice Medicine: What Residents Should Know About HIPA
Congratulations on making it this far in your medical career. It is no easy feat. Unfortunately, if your training so far has not included information about The Health Information Protection Act (HIPA), you may have a bit more to learn. While it is impossible to put everything you’ll need to know about HIPA in this short blog, we’ll attempt to cover the basics and show you where to look for more information.
What is HIPA?
HIPA is a provincial law which deals with both the protection of personal health information and an individual’s right of access to their own personal health information.
Who is responsible for compliance with HIPA?
This can be a complicated question. ‘The’ trustee is ultimately responsible for ensuring compliance with HIPA. A wide range of health professionals and health organizations can qualify as ‘a’ trustee. This can include physicians, dentists, chiropractors, nurses, psychologists, the Saskatchewan Health Authority (SHA), the Saskatchewan Cancer Agency, eHealth Saskatchewan, community clinics, etc.
However, it can be tricky to figure out who is ‘the’ trustee – who has ultimate responsibility for the personal health information in a particular situation. For example, if a physician is an employee of the SHA, who is ‘the trustee’? The focus would be on who has custody or control of the information.
For more information on how to determine who is the responsible trustee see our blog “A” trustee vs. “THE” trustee or one of the resources listed at the end of this blog.
As a resident, you are likely working for the SHA. In this case, the SHA would be ‘the’ trustee as the personal health information records would stay with the SHA if you left. In other words, the SHA has custody and control of those records.
How should a trustee protect personal health information?
Most people think that a privacy breach is as simple as disclosing personal health information to someone who should not have the information. In reality, protecting personal health information is multifaceted and there are many ways a breach can occur. Here are some key concepts to keep in mind:
Collection is a term used to describe the action of having gathered, obtained access to, acquired or received personal health information. An over-collection (collecting more than is needed for the purpose) would qualify as a breach of privacy.
Use includes reference to or manipulation of personal health information by the trustee that has custody or control of the information, but does not include disclosure to another person or trustee. An unauthorized use would be a breach of privacy.
Disclosure is the exposure of personal health information to a separate entity, not a division or branch of the trustee in custody or control of that information. An unauthorized disclosure would be a breach of privacy.
Consent means informed, voluntary agreement with what is being done or proposed with respect to the collection, use or disclosure of personal health information. There are three types, or different standards, of consent: express, implied and deemed. See page 20 of the IPC Guide to HIPA for an infographic that summarizes the different types of consent.
Data minimization principle means that a trustee should collect, use or disclose the least amount of identifying information necessary for the purpose.
Need-to-know principle is the principle that trustees and their staff should only collect, use or disclose personal health information needed for the diagnosis, treatment or care of an individual or other authorized purposes. It’s need-to-know, not nice-to-know!
Safeguards – HIPA requires that a trustee have administrative, technical and physical safeguards to protect personal health information.
HIPA lays out specific rules regarding collection, use and disclosure of personal health information and consent.
What about an individual’s right to access his/her personal health information?
HIPA gives individuals the right to access their own personal health information from trustees. HIPA does describe some limited circumstances where personal health information can be withheld. HIPA also provides a process that individuals and trustees should follow when there is a request for personal health information. Individuals can also appeal decisions to this office.
What about an individual’s right to amend his/her personal health information?
HIPA also provides individuals the right to request a correction to personal health information. In general, if a trustee agrees with the request, the correction can be made. If not, the trustee should make a notation. Again, a process is described in HIPA.
What if an individual has concerns about how a trustee handles their personal health information?
This office has oversight over HIPA. An individual can bring their access and privacy complaints to our office. When possible, we will work with the trustee to ensure that processes and the Act are being followed and help trustees be more compliant in the future.
Where can I learn more about HIPA?
You can read about HIPA here: http://www.qp.gov.sk.ca/documents/english/Statutes/Statutes/H0-021.pdf
Our office has a resource, The IPC Guide to HIPA, which covers most aspects of HIPA. It includes flow charts which explain the access process and provides steps on how to deal with a privacy breach. It is available here: https://oipc.sk.ca/assets/ipc-guide-to-hipa.pdf
The College of Physicians and Surgeons of Saskatchewan and Saskatchewan Medical Association also have resources available for their members.
The SHA has privacy officers who are a wealth of knowledge and may have training material.
Finally, you can contact our office with questions!