How to Avoid Abandoned Records: Guidelines on the Treatment of Personal Health Information, in the Event of a Change in Practice

Similar documents
PERSONAL HEALTH INFORMATION PROTECTION ACT, 2004: AN OVERVIEW FOR HEALTH INFORMATION CUSTODIANS

What to do When Faced With a Privacy Breach: Guidelines for the Health Sector ANN CAVOUKIAN, PH.D. COMMISSIONER

Moving Information: Privacy & Security Guidelines

Report of the Information & Privacy Commissioner/Ontario. Review of the Canadian Institute for Health Information:

Responsibilities of Custodians and Health Information Act Administration Checklist

Ann Cavoukian, Ph.D.

Data Sharing Agreements: Principles for Electronic Medical Records/Electronic Health Records

Record Keeping. Guide to the Standard for Professional Practice College of Physiotherapists of Ontario

Credit Union Board of Directors Introduction, Resolution and Code for the Protection of Personal Information

Privacy Breach Protocol

Ownership, Storage, Security and Destruction of Records of Personal Health Information STANDARD OF PRACTICE S-022 INTENT DESCRIPTION OF STANDARD

A Guide to Ontario Legislation Covering the Release of Students

A Guide. Personal Health Information Protection Act. to the. December Ann Cavoukian, Ph.D Commissioner

How To Ensure Health Information Is Protected

Closing or Moving a Physician Practice

Privacy Policy on the Collection, Use, Disclosure and Retention of Personal Health Information and De-Identified Data, 2010

Questions and answers for custodians about the Personal Health Information Privacy and Access Act (PHIPAA)

The Health Information Protection Act

PACIFIC EXPLORATION & PRODUCTION CORPORATION (the Corporation )

SUBJECT: VOYAGEUR TRANSPORTATION CORPORATE POLICIES/PROCEDURES TITLE: PRIVACY OF PERSONAL HEALTH INFORMATION

Bermuda s National Pension Scheme

In the event of any inconsistency between this standard and any legislation that governs the practice of physiotherapists, the legislation governs.

HIPAA Business Associate Contract. Definitions

Document Management in the FIPPA Era

3. Consent for the Collection, Use or Disclosure of Personal Information

We ask that you contact our Privacy Officer in the event you have any questions or concerns regarding this Code or its implementation.

GUIDELINE No. 117 THE PHYSICIAN MEDICAL RECORD*

Attorney/Guardian/Client Memorandum: re Personal Care

UNIVERSITY OF MASSACHUSETTS RECORD MANAGEMENT, RETENTION AND DISPOSITION POLICY

Privacy Incident and Breach Management Policy

CMA BUSINESS ASSOCIATE AGREEMENT WITH CMA MEMBERS

PHIA GENERAL INFORMATION

PRINCIPLE IV: THE SOCIAL WORK AND SOCIAL SERVICE WORK RECORD

The Manitoba Child Care Association PRIVACY POLICY

Guide to INFORMATION SECURITY FOR THE HEALTH CARE SECTOR

NOTICE OF PRIVACY PRACTICES Walter Chiropractic Clinic, 5219 Peters Creek Rd Ste 5, Roanoke VA 24019

Witness Protection Act 1995 No 87

Privacy and Security Resource Materials for Saskatchewan EMR Physicians: Guidelines, Samples and Templates. Reference Manual

CANADIAN PRIVACY AND DATA RESIDENCY REQUIREMENTS. White Paper

HIPAA BUSINESS ASSOCIATE AGREEMENT

CHAPTER Committee Substitute for Committee Substitute for Senate Bill No. 494

HIPAA BUSINESS ASSOCIATE AGREEMENT

National Association of Pharmacy Regulatory Authority s Privacy Policy for Pharmacists' Gateway Canada

THE PERSONAL INFORMATION PROTECTION AND ELECTRONIC DOCUMENTS ACT (PIPEDA) PERSONAL INFORMATION POLICY & PROCEDURE HANDBOOK

COLLECTIVE INVESTMENT LAW DIFC LAW No. 2 of 2010

Record keeping 3. Fees and services 4. Using, recommending, providing, or selling client-care products 4. Medication 5

RECORDS MANAGEMENT POLICY

SCHEDULE "C" to the MEMORANDUM OF UNDERSTANDING BETWEEN ALBERTA HEALTH SERVICES AND THE ALBERTA MEDICAL ASSOCIATION (CMA ALBERTA DIVISION)

HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA) TERMS AND CONDITIONS FOR BUSINESS ASSOCIATES

GUIDANCE FOR PHYSICIANS WHEN CLOSING A MEDICAL PRACTICE

DATA PROTECTION CORPORATE POLICY

Trust accounting for law practices under the Legal Profession Act 2007 (Tasmania)

Please print the attached document, sign and return to or contact Erica Van Treese, Account Manager, Provider Relations &

Align Technology. Data Protection Binding Corporate Rules Processor Policy Align Technology, Inc. All rights reserved.

AMWELL SERVICE PROVIDER SUBSCRIPTION AGREEMENT

Privacy Impact Assessment Guidelines for the Ontario Personal Health Information Protection Act. Ann Cavoukian, Ph.D. Commissioner October 2005

Business Contact Information

Credit Union Code for the Protection of Personal Information

PROTECTION OF PERSONAL INFORMATION

Conducting Surveys: A Guide to Privacy Protection. Revised January 2007 (updated to reflect A.R. 186/2008)

Guidelines on Data Protection. Draft. Version 3.1. Published by

Document Standards and Guidelines for Occupational Therapists. Managing Client Care Records

HIPAA BUSINESS ASSOCIATE AGREEMENT

Selling/Closing a Medical Practice

M E M O R A N D U M. The Policy provides for blackout periods during which you are prohibited from buying or selling Company securities.

HIPAA BUSINESS ASSOCIATE AGREEMENT

Health Care Provider Guide

Personal Information Protection Act Information Sheet 11

BUSINESS ASSOCIATE AGREEMENT

SaaS. Business Associate Agreement

AVE MARIA UNIVERSITY HIPAA PRIVACY NOTICE

BUSINESS ASSOCIATE AGREEMENT

Infinedi HIPAA Business Associate Agreement RECITALS SAMPLE

White Paper on Financial Institution Vendor Management

Information Sheet: Cloud Computing

Information and Privacy Commissioner of Ontario. Guidelines for Using Video Surveillance Cameras in Schools

Considerations for Outsourcing Records Storage to the Cloud

Professional Solutions Insurance Company. Business Associate Agreement re HIPAA Rules

TORONTO CENTRAL LHIN COMMUNITY BUSINESS INTELLIGENCE PROJECT PRIVACY INCIDENT AND BREACH MANAGEMENT POLICY Policy No. 2

How To Manage Records And Information Management In Alberta

Effective from 1 January Code of Ethics for insolvency practitioners.

Mohawk DI-r: Privacy Breach Management Procedure Version 2.0. April 2011

FORM OF HIPAA BUSINESS ASSOCIATE AGREEMENT

Queensland. Trust Accounts Act 1973

39C-1 Records Management Program 39C-3

United Cerebral Palsy of Greater Chicago Records and Information Management Policy and Procedures Manual, December 12, 2008

Daltrak Building Services Pty Ltd ABN: Privacy Policy Manual

Electronic Health Record Sharing System Bill. Contents. Part 1. Preliminary. 1. Short title and commencement... C Interpretation...

Electronic Health Record Privacy Policies

Procedure for Managing a Privacy Breach

Accounting and Controls in law practices

Personal Data Act (1998:204);

Name of Other Party: Address of Other Party: Effective Date: Reference Number as applicable:

FirstCarolinaCare Insurance Company Business Associate Agreement

Terms and Conditions Relating to Protected Health Information ( City PHI Terms ) Revised and Effective as of September 23, 2013

The Youth Drug Detoxification and Stabilization Act

PRIVACY BREACH POLICY

Access & Correction Policy

Applicant any person who is applying or has applied for registration as a Paralegal;

T RUST ACCOUNT I NTERPLEADER P ROCEDURES AND PUBLISHED BY THE OKLAHOMA REAL ESTATE COMMISSION

Transcription:

Information and Privacy Commissioner / Ontario How to Avoid Abandoned Records: Guidelines on the Treatment of Personal Health Information, in the Event of a Change in Practice Ann Cavoukian, Ph.D. Commissioner May 2007

Table of Contents 1. Who is the Custodian in the Event of a Change in Practice?... 1 2. What Obligations are Imposed on Custodians by PHIPA in the Event of a Change in Practice?... 2 Duty to Securely Retain and Safeguard Records of Personal Health Information... 2 Duty to Transfer Records of Personal Health Information in a Secure Manner... 3 Duty to Dispose of Records of Personal Health Information in a Secure Manner... 3 Duty to Notify... 4 3. Best Practices in the Event of a Change in Practice... 4 Record Storage Companies... 4 Notification of Changes in Practice... 5 Be Proactive... 7

Guidelines on the Treatment of Records of Personal Health Information in the Event of a Change in Practice Changes in the practice of health information custodians may occur in a variety of circumstances death, bankruptcy, retirement or relocation, to name a few. The failure to adequately address privacy and security issues with respect to the treatment of records of personal health information in the event of a change in practice may have harmful consequences for the individuals to whom the personal health information relates. Inadequate records management policies and procedures following a change in practice may not only lead to breaches of privacy, but may also deprive individuals of their right to access and correct records of personal health information. Furthermore, to the extent that records of personal health information are not available to individuals and their health care providers following a change in practice, the continuity of care of the individuals may be put in jeopardy. While it is recognized that changes in practice may raise broader issues in relation to the provision of health care, these Guidelines focus on compliance with the requirements under the Personal Health Information Protection Act, 2004 (PHIPA) and adherence to privacy and access best practices with respect to the management of records of personal health information. These Guidelines are primarily directed to health care practitioners, including those operating in a group practice of health care practitioners, but may be adapted to suit the needs of other custodians as well. Custodians should also consult their governing legislation, for example the Medicine Act, 1991, the Dentistry Act, 1991 and the Physiotherapy Act, 1991 to name a few, as well as the policies and standards of practice of the college of their health profession. 1. Who is the Custodian in the Event of a Change in Practice? Generally, a health information custodian (custodian) remains a custodian with respect to a record of personal health information (record) until complete custody and control of the record passes to another person who is legally authorized to hold it. Accordingly, those who are custodians immediately before a change in practice continue to be custodians with respect to those records after the change in practice, unless custody and control of the records is passed on in the following circumstances. If a custodian dies, section 3(12) of PHIPA deems the estate trustee of the deceased custodian or if there is no estate trustee, the person who assumed responsibility for the administration of the deceased custodian s estate, to be the custodian for the records until custody or control passes to another person who is legally authorized to hold them. As a result, the estate trustee or alternatively, the person who assumes responsibility for the administration of the estate, must comply with the duties and obligations imposed on custodians under PHIPA. See section 3(11) of PHIPA.

If a custodian becomes bankrupt or insolvent and as a result another person (i.e. a trustee in bankruptcy) obtains complete custody or control of the records of personal health information held by the custodian, then pursuant to section 3(7) of Regulation 329/04 under PHIPA, that other person is the custodian with respect to the records. If a custodian transfers records of personal health information to a successor in accordance with the requirements in section 42(2) of PHIPA, the successor becomes the custodian with custody or control of the records of personal health information. For example, where a physician retires and transfers the records to another physician, the latter becomes the custodian of the records. Finally, under section 42(3) of PHIPA, a custodian may divest itself of responsibility for records by transferring them to the Archives of Ontario, or to a prescribed person whose functions include the collection and preservation of records of historical or archival importance. 2 If the archive is not acting as an agent, then this is the only circumstance where a transfer of records may be to a person who is not a custodian, as defined under PHIPA. 2. What Obligations are Imposed on Custodians by PHIPA in the Event of a Change in Practice? Duty to Securely Retain and Safeguard Records of Personal Health Information Section 13(1) of PHIPA requires a custodian to ensure that records of personal health information in its custody or control are retained in a secure manner and in accordance with prescribed requirements, if any. To date, no requirements have been prescribed in the regulations under PHIPA mandating the method by which records of personal health information must be securely retained or establishing the specific retention period for records of personal health information. Section 13(2) of PHIPA merely requires a custodian with custody or control of personal health information that is the subject of a request for access under section 53 of PHIPA, to retain the personal health information for as long as necessary to allow the individual to exhaust any recourse under PHIPA regarding the request. Custodians should consult their governing legislation and the policies and standards of practice of the college of their health profession in regard to the specific retention periods for records of personal health information. The requirement imposed on a custodian, pursuant to section 13(1) of PHIPA, to ensure that records of personal health information in its custody or control are retained in a secure manner, may either be fulfilled by the custodian personally or through an agent of the custodian such as a record storage company. Section 2 of PHIPA generally defines an agent as a person that, with the authorization of the custodian, acts for or on behalf of the custodian in respect of personal health information for the purposes of the custodian. Accordingly, when a custodian decides to retire or cease to practice, or if other changes in practice are being contemplated, the custodian may either continue to fulfill its obligation to retain records in a secure manner or employ the services of an agent to do so on its behalf. 2 For specific conditions, details and requirements, see sections 42(3)(a) and 42(3)(b).

It is important to note however, that pursuant to section 17(1) of PHIPA, a custodian remains responsible for records of personal health information even where the records are being retained by an agent of the custodian, such as a record storage company. It is also important to note that an agent of a custodian may only collect, use, disclose, retain and dispose of personal health information on the custodian s behalf if the custodian permits the agent to do so in accordance with certain requirements. Specifically, the custodian must be permitted or required to collect, use, disclose, retain or dispose of the information; the collection, use, disclosure, retention or disposition of the information must be in the course of the agent s duties and not contrary to the limits imposed by the custodian or by law; and any prescribed requirements must be met. For best practices relating to the retention of records through an agent, please refer to Section 3 of these Guidelines entitled Best Practices In the Event of a Change in Practice. Further, section 12(1) of PHIPA requires a custodian to take steps that are reasonable in the circumstances to ensure that personal health information in its custody or control is protected against theft, loss and unauthorized use or disclosure and to ensure that records containing personal health information are protected against unauthorized copying, modification or disposal. For additional information and best practices relating to the safeguarding of personal health information, including the implementation of physical, administrative and technical safeguards, please refer to Fact Sheet No 1: Safeguarding Personal Health Information of the Information and Privacy which is available at www.ipc.on.ca. Duty to Transfer Records of Personal Health Information in a Secure Manner Section 13(1) of PHIPA requires a custodian to ensure that records of personal health information in its custody or control are transferred in a secure manner and in accordance with prescribed requirements, if any. To date, no requirements have been prescribed mandating the method by which records of personal health information must be securely transferred. As noted in Section 1 of these Guidelines, PHIPA permits the transfer of records to a successor or to an archive. Duty to Dispose of Records of Personal Health Information in a Secure Manner A custodian may securely dispose of records of personal health information when permitted to do so under PHIPA and after the specific retention period applicable to the records, if any, has expired. Retention periods may be set out in governing legislation and in policies and standards of practice of the applicable college of the health profession. Section 13(1) of PHIPA requires a custodian to ensure that records of personal health information are disposed of in a secure manner and in accordance with any prescribed requirements, if any. Section 1(5.1) of Regulation 329/04 under PHIPA defines disposed of in a secure manner for the purpose of section 13(1). According to this definition, when records of personal health

information are destroyed, they must be destroyed in such a manner that their reconstruction is not reasonably foreseeable. Accordingly, when a custodian decides to retire or cease to practice, or if other changes in practice are being contemplated, the custodian may destroy records where permitted to do so. For additional information and best practices relating to the secure disposal of personal health information in both paper and electronic formats, including best practices for selecting and engaging service providers to destroy records, please refer to Fact Sheet No 10: Secure Destruction of Personal Information of the Information and Privacy which is available at www.ipc.on.ca. Duty to Notify Section 42(2) of PHIPA permits a custodian to transfer records to a successor if the custodian makes reasonable efforts to give notice to the individual to whom the personal health information relates before transferring the records or, if that is not reasonably possible, as soon as possible after transferring the records. 3. Best Practices in the Event of a Change in Practice Record Storage Companies As noted above, section 13(1) of PHIPA requires a custodian to ensure that records of personal health information in its custody or control are retained in a secure manner and in accordance with prescribed requirements, if any. This requirement may either be fulfilled personally by the custodian or through an agent of the custodian, such as a record storage company. It is recommended that in the event of a change in practice, prior to retaining records of personal health information through an agent such as a record storage company, the custodian provide notice to individuals as outlined below. Furthermore, it is recommended that the custodian enter into a written agreement with the agent setting out: That the agent must abide by the information practices of the custodian with respect to the records of personal health information that it stores on behalf of the custodian; That the agent may only collect, use, disclose, retain and dispose of personal health information on the custodian s behalf if the custodian permits it to do so in accordance with certain requirements. Specifically, the custodian must be permitted or required to collect, use, disclose, retain or dispose of the information; the collection, use, disclosure, retention or disposition of the information must be in the course of the agent s duties and not contrary to the limits imposed by the custodian or by law; and any prescribed requirements must be met;

The purpose(s) for which the agent may collect, use, disclose, retain and dispose of person health information on behalf of the custodian; Any limits the custodian imposes on the agent with respect to the collection, use, disclosure, retention, or disposal of personal health information; The steps that must be taken by the agent to ensure that personal health information that it stores on behalf of the custodian is protected against theft, loss and unauthorized use or disclosure and to ensure that the records are protected against unauthorized copying, modification or disposal; The steps that must be taken by the agent to ensure that personal health information that it stores on behalf of the custodian is retained, transferred and disposed of in a secure manner; The procedures the agent must follow to allow individuals to access and correct records of personal health information in accordance with PHIPA; The fees that the agent may charge on behalf of the custodian for access to records of personal health information; and That the agent must notify the custodian at the first reasonable opportunity if personal health information handled by the record storage company is stolen, lost or accessed by unauthorized persons. Notification of Changes in Practice It is important that individuals be notified of changes in practice of custodians. The following best practices address the method of notification, who should provide such notice and the content of the notice. Method of Notification Notification may take a variety of forms. As a best practice, individuals should be directly notified of a change in practice using one of the following means: In person, at a scheduled appointment; By letter to the individual; By telephone call to the individual. 3 3 Individualized notice is effective. However, custodians should be cautious when providing such notice as it raises a concern that the individual s personal health information may be inadvertently disclosed to others. For example, various family members may have access to a patient s telephone answering machine. The methods of notification listed in this section were adapted from those provided in Policy #5-06 issued by the College of Physicians and Surgeons of Ontario, entitled Practice Management Considerations for Physicians Who Cease to Practise or Take an Extended Leave of Absence.

Since it may not be possible to reach every affected individual through direct notification, indirect notification may be used to supplement direct notification. However, indirect notification alone should occur only where direct notification would be impractical or not possible. For example, direct notification may not be practical or possible where a large number of individuals must be notified and the cost would be prohibitive, or where contact information is inadequate (i.e., out-of-date, missing, or incomplete). Indirect notification of changes in practice may include: A notice posted in the custodian s office; A notice posted on a website; A recorded message on the custodian s telephone answering machine; or Printed newspaper advertisements. Ideally, multiple forms of notification are recommended, particularly where direct notification to every individual is not practical or possible. Who Should Provide Notice When a custodian transfers records to a successor, PHIPA requires the transferring custodian to provide notice to the individual before or, if that is not reasonably possible, as soon as possible after the transfer. Where other changes in practice are planned, it is also recommended as a best practice that the custodian initiating or undergoing the change in practice similarly provide notice to individuals. If the estate trustee or person who assumes responsibility for the estate is deemed to be the custodian with respect to records of personal health information, as described above, that person should notify individuals about the change in practice. Ideally, individuals should be notified by someone who they would expect to have access to their personal health information. Accordingly, notification by the custodian is preferable to notification by an agent of the custodian that is not known to the individual, such as a record storage company. Content of Notice As a best practice, notification of a change in practice should impart a clear message which should be adapted to the circumstances. At a minimum, the message should include: A description of the planned change in practice; Where a practice will be transferred to a successor custodian, the contact information of the successor custodian; Where the custodian has died, the contact information for the person deemed to be the custodian with respect to the records of personal health information held by the deceased

custodian (i.e., the estate trustee), or, where applicable, the contact information for the person who is legally authorized to hold the records and to whom custody and control of the records has passed; Where the custodian has become bankrupt or insolvent, the contact information for any person who is deemed to be the custodian of the records of personal health information as a result of the bankruptcy or insolvency; Where a practice will cease and the custodian plans to retain the records of personal health information personally, the contact information for the custodian once the practice has ceased; Where a practice will cease and the records will be stored by an agent of the custodian such as a record storage company, the contact information for the agent who will be responsible for storing the records on behalf of the custodian; Information about the length of time that the records will be retained by the custodian or the agent of the custodian; Information about how individuals may request access to or correction of their records or request transfer of their records to another custodian prior to and following the change in practice; Be Proactive From the outset, custodians should think proactively about how they will continue to meet their obligations under PHIPA, in the event of a change in practice. The following best practices may assist in this regard. Be Aware of Privacy Protective Record-Keeping Practices First and foremost, a basic understanding of the requirements of PHIPA and record management practices is essential to enable custodians to implement privacy protective practices on a dayto-day basis and in the event of a change in practice. Clearly Identify the Custodian While the determination of who is the health information custodian may be obvious for sole practitioners, it may not be as clear for health care practitioners who work together in a group practice. In some situations, two or more practitioners may establish a partnership, with each being a custodian. In other cases, custodians may employ one or more health care practitioners to work as their agents. Where a group practice is incorporated, the professional corporation is the custodian and the practitioners are its agents.

In group practice settings, there must be clear identification of who the custodian is and formal agreements about the obligations of each person involved in the group practice with respect to records of personal health information in the event of a change in practice. Address Privacy Safeguards and the Continuity of Record Management Whether practicing solo or in a group, custodians should turn their minds to possible future changes in practice. Some considerations may include: Establishing policies and procedures, such a procedure for notifying individuals as suggested in these Guidelines, to be followed in the event of a change in practice; Trying to arrange for a future successor prior to an event triggering a change in practice (e.g., death or cessation of practice); If a future successor has not been identified, custodians should consider: o Appointing an estate trustee in their will who is willing and able to fulfill the obligations of a custodian; o Arranging for secure record storage upon cessation of practice. Group Practice Agreement Custodians engaged in group practice should address the continuity of record management in their practice agreement. In formalizing such agreements, all health care practitioners should bear in mind that they may have professional obligations with respect to the handling of records of personal health information, regardless of whether they are considered to be health information custodians under PHIPA. As a best practice, the following privacy safeguards should be addressed in the agreement: Arrangements for the secure storage of records. If the services of an agent (e.g. record storage company) are used, then the practice agreement should clearly identify the agent and its responsibilities. As discussed above, it is a best practice to have a separate agreement with the agent that clearly sets out its obligations with respect to personal health information. The method of distribution of records in the event of a change in practice. The requirement to notify individuals as suggested in the Guidelines in the event of change in practice. How to deal with the unforeseen departure of a custodian. In these situations, at a minimum: o Individuals should be notified of the change in practice; and o Records should be kept in a secure location until another custodian assumes responsibility for the records, or an individual directs the file to be transferred to another custodian.

Unforeseen Circumstances Although it is advisable for custodians to try to plan for changes in practice, there may be events that are not possible to anticipate. For example, a loss of custody and control of records could occur where the custodian has a dispute with a landlord over rental payments. It is important to note that, even in unforeseen circumstances, custodians are still responsible for ensuring the security of records at all times and for fulfilling their obligations under PHIPA. To the extent possible, custodians should fulfill all business-related obligations (e.g. rental payments) necessary to ensure that they are able to maintain custody or control of records of personal health information at all times. However, should a temporary loss of custody or control occur, custodians should immediately take all necessary steps to regain custody or control of the records as soon as possible.

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information