
The Search for Personal Health Information

March 14, 2023 - Diane Aldridge, Deputy Commissioner

When a patient makes an access to information request for their personal health information, the search for responsive records may not be as easy as just checking with the health records department. The Health Information Protection Act (HIPA) applies to all personal health information in the custody or control of a trustee, which includes all government institutions. All records, in any form, that are responsive to the request must be identified, located, retrieved and ready for release within 30 calendar days.

The right of access by a patient or an applicant extends to all personal health information that is in the custody or under the control of the trustee regardless of who created it, where it came from, how old it is or how it is stored.

Records may be in paper or electronic form whether found in a file drawer, legacy system, electronic medical record (EMR) or electronic health record (EHR). Electronic or digital records include electronic documents such as word-processed documents, spreadsheets, email, digital photographs, scanned images and electronic data, such as information stored in databases or in registries or in rarer cases, back-up tapes.

Regardless of the medium, a thorough search needs to be conducted. For instance, this office dealt with a request for access to records from the 1960s. The records existed on microfiche only, so the trustee had to find a way to read and copy them even though the trustee no longer had the technical capability. The take-away lesson is that, as long as records have not been destroyed, the access rights of the individual remain intact, and records need to be produced wherever they reside.

A request for access may be unduly general or vague because the applicant lacks knowledge of the trustee’s operations or programs and the type of health records that may exist. These types of requests may prove challenging for a large trustee organization (i.e., Saskatchewan Health Authority) as they could require a search of all facilities, program areas and information systems depending on the scope of the request. This is why communicating with the applicant early on in the process to clarify the request is critical. This communication is also in keeping with a trustee’s obligations under section 35 of HIPA.

Section 35 of HIPA is the express duty to assist, which requires a trustee to make every reasonable effort to assist an applicant and to respond to each openly, accurately and completely. This means that if the applicant does not understand what types of records may exist, the trustee should explain what is available and how to get it. For example, many may not realize that eHR Viewer event audit reports are available through eHealth Saskatchewan upon request.

The responsibility to maintain records may fall to many different individuals at different times, resulting in records being temporarily retained on the unit, in individual employees’ offices, managed off-site by an information management service provider (IMSP) or put into storage while waiting to be culled (i.e., non-active files). When applicable, records in the physical possession of contracted agencies may also have to be located, as they may have records responsive to an access request (e.g., independent medical examination).

Also, a search at one time may reveal responsive records, but not necessarily all. For instance, what about records that are in the queue (i.e., not yet dictated)? Patient care is not static. There will always be new responsive records being generated.

There are some exceptions to the right of access. For more advice on this and search and preparation of responsive records, see the IPC Guide to HIPA at https://oipc.sk.ca/guides/ipc-guide-to-hipa/.

In closing, the best advice that I can give is to start with a search strategy by talking to the ‘people in the know’ before proceeding (e.g., record or health information managers). It will save you a lot of time in the long run! And don’t forget to document your search strategy and keep details of the actual search. In the event a review is undertaken by my office, those details may be requested and should speed up the process for all involved.
