The Search for Personal Health Information

September 1, 2016 - Diane Aldridge, Director of Compliance

When a patient makes an access to information request for his or her personal health information, the search for responsive records may not be as easy as just checking out the health records department. The Health Information Protection Act (HIPA) applies to all personal health information in the custody or control of the trustee. All records, in any form, that are responsive to the request, must be identified, located and retrieved within 30 calendar days.

The right of access by a patient or an applicant extends to all personal health information that is in the custody or under the control of the trustee regardless of who created it, where it came from or how it is stored.

Records may be in paper or electronic form whether found in a file drawer, legacy system, electronic medical record (EMR) or electronic health record (EHR). Electronic or digital records include electronic documents, such as word processed documents, spreadsheets, e-mail, digital photographs and scanned images and electronic data, such as information stored in databases or registries or in rarer cases, back-up tapes.

Regardless of the medium, a thorough search needs to be conducted. For instance, this office dealt with a request for access to records from the 1960s. The records existed on microfiche only so the trustee had to find a way to read and copy even though the trustee no longer had the technical capability. The take away lesson, as long as records have not been destroyed, access rights of the individual remain intact and records need to be produced wherever they reside.

A request for access may be unduly general or vague because the applicant lacks knowledge of the trustee’s operations or programs and the type of health records that may exist. These types of requests may prove challenging for a large trustee organization (i.e. a regional health authority) as would require a search of all facilities, program areas and information systems. This is why communicating with the applicant early on in the process to clarify the request is critical. This communication is also in keeping with a trustee’s obligations under section 35 of HIPA.

Section 35 is the express duty to assist which requires a trustee to make every reasonable effort to assist an applicant and to respond to each openly, accurately and completely. This means that if the applicant does not understand what records may exist or how they are organized, the trustee should clarify to assist the applicant in obtaining as much information as possible that he or she is entitled to under the Act.

The responsibility to maintain records may fall to many different individuals at different times resulting in records being temporarily retained on the unit, in individual employee’s offices, vehicles or homes, managed off-site by an information management service provider (IMSP) or put into storage while waiting to be culled (i.e. non-active files). When applicable, records in the physical possession of contracted agencies may also have to be located as may have records responsive to an access request (e.g. independent medical examination).

Different kinds of records are also being generated as more electronic information systems come online and are relied for service provision. For instance, individuals may submit a request to eHealth Saskatchewan for the following: “Audit reports are available to individuals upon request. These reports have detailed audit information which outlines who has accessed their profile in PIP, PACS, and/or eHR Viewer.” So, there is interest not only in what personal health information is in the custody or control of a trustee but also who is looking at it and why.

Also, a search at one time may reveal responsive records, but not necessarily all. For instance, what about records that are in the queue, (i.e. not yet dictated)? Patient care is not static. There will always be new responsive records being generated.

There are some exceptions to the right of access. For more advice on this and search and preparation of responsive records, see the IPC Guide to HIPA.

In closing, the best advice that I can give is to start with a search strategy by talking to the ‘people in the know’ before proceeding (e.g. record managers). It will save you a lot of time in the long run! And don’t forget to document both your search strategy and keep details of the actual search. In the event a review is undertaken by my office, those details may be requested and should speed up the process for all involved.

There is also a checklist version of this document available on our website.

Categories: Blog

Back to Blog