Data Privacy is January 28, 2023. Our office has put together a brief presentation, to learn more please see our blog which has a link to the presentation here.


The Search for Personal Health Information

September 1, 2016 - Diane Aldridge, Director of Compliance

When a patient (applicant) makes an access to information request for their personal health information, the search for responsive records may not be as easy as just checking out the health records department. The Health Information Protection Act (HIPA) applies to all personal health information in the custody or control of a trustee regardless of who created it, where it came from or how it is stored.  All records, in any form, that are responsive to the request, must be identified, located and retrieved within 30 calendar days.

Records may be in paper or electronic form whether found in a file drawer, legacy system, electronic medical record (EMR) or electronic health record (EHR).  Electronic or digital records include electronic documents such as word-processed documents, spreadsheets, email, digital photographs, scanned images and electronic data, such as information stored in databases or registries or in rarer cases, back-up tapes.

Regardless of the medium, a thorough search needs to be conducted. For instance, this office dealt with a request for access to records from the 1960s. The records existed only on microfiche, so the trustee had to find a way to read and make a copy for the applicant, even though the trustee no longer had the technical capability. The take-away lesson is that as long as records have not been destroyed, access rights of the individual remain intact, and records need to be produced wherever they reside.

A request for access may be unduly general or vague because the applicant lacks knowledge of the trustee’s operations, systems or programs and the type of health records that may exist. These types of requests may prove challenging for a large trustee organization (e.g., Saskatchewan Health Authority) as could potentially require a search of a number of different facilities, program areas and information systems. This is why communicating with the applicant early on in the process to clarify the request is critical. This communication is also in keeping with a trustee’s obligations under section 35 of HIPA which is the trustee’s duty to assist. This express duty obligates the trustee to make every reasonable effort to assist an applicant by responding to each request openly, accurately and completely.

The responsibility to maintain records may fall to many different individuals at different times resulting in records being temporarily retained on the unit, in individual employee’s offices, vehicles or homes, managed off-site by an information management service provider or put into storage while waiting to be culled (i.e., non-active files). When applicable, records in the physical possession of contracted agencies may also have to be located as may have records responsive to an access request (e.g., independent medical examination).

Different kinds of records are also being generated as more electronic information systems are relied on for service provision. For instance, patients may submit a request to eHealth Saskatchewan for eHR Viewer Event Audits (shows who has looked at their records in the eHR Viewer).

Also, a search at one time may reveal responsive records, but not necessarily all. For instance, what about records that are in the queue (i.e., not yet dictated)? Patient care is not static. There will always be new responsive records being generated as long as a patient continues to interact with the health care system.

There are some exceptions to the right of access and may depend on who is making the request. The most common ones are subsection 27(1) and section 38 of HIPA.

In closing, the best advice that I can give if you are processing such a request is to start with a search strategy by talking to the ‘people in the know’ before proceeding (e.g., record managers).  It will save you a lot of time in the long run. And, don’t forget to document both your search strategy and keep details of the actual search conducted. Those details come in handy if the applicant is dissatisfied and requests a review of my office down the road.


Categories: BlogTags: , , , , , , , , , , ,

Back to Blog