Custodian

A physician is a custodian of personal health information when, as a result of performing their duties, they have custody or control of personal health information.

Note: The Office of the Information and Privacy Commissioner (OIPC) (called Review Office in the Act) will, on the request of a custodian, provide advice and comments on the privacy, access and correction provisions (ss. 92 (2)(f) and 92 (3)(e), respectively).

Duties of physicians who are custodians

1. Notification

A custodian may accept knowledgeable implied consent as consent for the collection, use and disclosure of personal health information, unless PHIA requires express consent or makes exception to the requirement for consent. A component of knowledgeable implied consent is the ability for a custodian to reasonably infer that the individual understands the custodian’s purpose for collecting, using or disclosing the individual’s personal health information.

The custodian/physician may either:

  • make readily available a notice describing the purpose in a manner that the purpose is likely to come to the individual’s attention (“notice of purposes”); or
  • explain the purpose(s) to the individual.

2. Notice of purposes

The “notice of purposes” must contain enough information for the individual to understand:

  • why their personal health information is being collected;
  • how it will be used;
  • why it would be disclosed;
  • the individual’s rights under the Act;
  • where the individual can obtain more information about the Act; and
  • how the individual can make a complaint or ask for a review under the Act.

The notice should be placed in appropriate locations throughout the custodian’s facility, where an individual would easily be able to locate and read it. Reception, waiting rooms or examination rooms are options for the posting.

Doctors Nova Scotia has notice of purpose posters available upon request.

A custodian can’t infer that the individual understands the purposes if the custodian should have known that:

  • the individual has a limited ability to read or understand the language in which the notice or explanation is presented; and/or
  • the individual has a disability or condition that impairs their ability to read or understand the notice.

Should this be the case, the custodian must make reasonable efforts to assist with the individual’s understanding of the purposes. It may require verbally explaining the purposes to the individual or facilitating an explanation in the individual’s language, either verbally or in writing.

3. Retention and destruction

PHIA doesn’t set out a specific period for which records must be retained by a custodian, allowing the regulatory bodies for regulated professions and professional associations to do so.
 
The College of Physicians and Surgeons of Nova Scotia (CPSNS) relies on the guidance provided to physicians by the Canadian Medical Protective Association on the issue of retention of personal health information:

The CMPA recommends that physicians retain medical records for at least 10 years from the date of last entry or, in the case of minors, 10 years from the time the patient would have reached the age of majority [19 years in Nova Scotia].

Once the relevant retention period expires, PHIA states that the personal health information must be securely destroyed, erased or de-identified. Under PHIA, “securely destroyed” means “destroyed in such a manner that reconstruction isn’t reasonably foreseeable in the circumstances.” This could include:

  • shredding paper records in a manner that prevents the reassembling of the record (cross-shredding or pulverizing); and
  • wiping the hard drive of any electronic devices.

The Ontario Information and Privacy Commissioner developed a fact sheet on Secure Destruction of Personal Information. It provides guidance on secure destruction for both paper and electronic records. This includes:

  • securely destroying all copies of a record, including duplicate copies, personal copies of records and records on all media (paper and electronic);
  • ensuring that all electronic and wireless media (CDs, USB keys, personal digital assistants and hard drives) are securely destroyed by physically damaging and discarding them or wiping them when the medium is to be re-used; and
  • remembering that office equipment – including photocopiers, fax machines, scanners and printers – may contain hard drives which retain information. Custodians should either disable the hard drives or wipe them before disposing of the equipment.


PHIA also states that personal health information may be “de-identified.”

Appropriate de-identification is important where identifying personal health information is no longer required for a custodian’s primary purpose, but de-identified health information continues to be necessary for a custodian’s secondary purposes, such as research, quality or other management purposes. 
 
De-identified information as defined by PHIA is information that has had all identifiers removed that:

  • identify the individual; or
  • could foreseeably be utilized, either alone or with other information, to identify the individual.

PHIA doesn’t apply to statistical, aggregate or de-identified health information, allowing a custodian to retain de-identified information beyond the retention schedule.

4. Written retention schedule

Under PHIA, a custodian is required to have a written retention schedule for personal health information in its custody or under its control. The schedule should include the following:

  • Original documents
    Description of type
  • Guidelines for retention
    Indicate the authority for retention guidelines, e.g., the College of Physicians and Surgeons of Nova Scotia (CPSNS)
  • Authority for disposal
    The person or position in the custodian organization responsible for authorizing disposal
  • Retention period
    The minimum time that the records must be retained by the custodian
  • Retention mode
    The format on which the record will be held, e.g., paper, electronic, film
  • Disposition date
    The date when the records will be securely destroyed, erased or de-identified, e.g., at the end of the minimum retention period for each record

Download the Retention Schedule template (Section 1, b) (Microsoft Word document)

5. Information practices

PHIA requires custodians to put in place “information practices” that:

  • meet the requirements of the Act and the regulations;
  • are reasonable in the circumstances; and
  • ensure that personal health information in the custodian’s custody or under its control is protected against:
    • theft or loss of the information; and
    • unauthorized access to or use, disclosure, copying or modification of the information.

“Information practices” are defined in PHIA as the policies of the custodian for actions in relation to personal health information, including:

  • when, how and the purposes for which the custodian routinely collects, uses, discloses, retains, de-identifies, destroys or disposes of personal health information; and
  • the administrative, technical and physical safeguards and practices that the custodian maintains with respect to the information.

Templates and forms related to PHIA can be tailored to individual practices and clinics. The templates and forms include a privacy policy, managing a privacy or security breach, notifying patients or the Review Officer of a breach and practices on administrative, physical and technical safeguards.

6. Complaints policy

PHIA requires physicians who are custodians to implement, maintain and comply with a complaints policy. The policy should address how an individual can make a complaint under PHIA. 

Download Complaints Policy template (Section 1, g) (Microsoft Word document)

7. Electronic medical records

Physicians using electronic medical records (EMRs) have certain obligations under PHIA. They must be able to:

  • Produce a record of user activity for the EMR as soon as possible after a patient request but no later than 30 days. Retain the information used to update a record of user activity for at least one year after each date of access. The record of user activity must include the following:
    • name of the individual whose personal health information was accessed;
    • unique identification number for the individual whose personal health information was accessed, including health card number or a number assigned by the custodian to uniquely identify the individual;
    • name of the person who accessed the personal health information;
    • any additional identification of the person who accessed the personal health information, including an electronic information system user identification name or number;
    • description of the personal health information accessed or, if the specific personal health information accessed cannot be determined, all possible personal health information that could have been accessed; and
    • date and time the personal health information was accessed or, if the specific dates and times cannot be determined, a range of dates when the information could have been accessed by the person.
  • Maintain a record of security breaches, including details of all corrective procedures taken by the custodian to diminish the likelihood of future security breaches.
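
An added example, not part of the original page or of any EMR product: one way to assemble the record of user activity described above from audit-log rows, including the fallbacks for access where the specific information or time cannot be determined. The `AccessEvent` fields, function names and sample rows are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from typing import List, Optional, Tuple

@dataclass
class AccessEvent:
    """One row of a hypothetical EMR audit log (field names are assumptions)."""
    patient_name: str
    patient_id: str                  # health card number or custodian-assigned number
    user_name: str
    user_id: str                     # EMR login name or number
    phi_accessed: Optional[str]      # None when the EMR did not log what was opened
    viewable_phi: List[str]          # everything this user could have opened
    accessed_at: Optional[datetime]  # None when the exact time was not captured
    window: Tuple[date, date]        # range of dates the access could have occurred

def record_of_user_activity(events, patient_id):
    """Build the per-patient report with the six required elements."""
    rows = []
    for e in events:
        if e.patient_id != patient_id:
            continue
        rows.append({
            "patient_name": e.patient_name,
            "patient_id": e.patient_id,
            "accessed_by": e.user_name,
            "accessed_by_id": e.user_id,
            # Fallback: list all information that could have been accessed.
            "phi": e.phi_accessed or "possibly: " + ", ".join(e.viewable_phi),
            # Fallback: give the range of dates instead of a timestamp.
            "when": e.accessed_at.isoformat() if e.accessed_at
                    else f"{e.window[0]} to {e.window[1]}",
        })
    return rows

def response_deadline(requested_on: date) -> date:
    """Latest date to produce the record: 30 days after the request."""
    return requested_on + timedelta(days=30)

def may_purge(e: AccessEvent, today: date) -> bool:
    """Keep audit data at least one year after access (366 days covers leap years)."""
    last_access = e.accessed_at.date() if e.accessed_at else e.window[1]
    return today > last_access + timedelta(days=366)

# Constructed sample rows, not real patients or users.
SAMPLE = [
    AccessEvent("Pat Example", "P-0001", "Dr. A. Sample", "asample", "lab results",
                ["lab results"], datetime(2024, 3, 1, 9, 15), (date(2024, 3, 1), date(2024, 3, 1))),
    AccessEvent("Pat Example", "P-0001", "R. Clerk", "rclerk", None,
                ["demographics", "appointments"], None, (date(2024, 3, 4), date(2024, 3, 8))),
    AccessEvent("Other Person", "P-0002", "R. Clerk", "rclerk", "appointments",
                ["appointments"], datetime(2024, 3, 5, 14, 0), (date(2024, 3, 5), date(2024, 3, 5))),
]
```
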

8. Contact person

Under PHIA, a custodian is required to designate a contact person to perform the functions set out in the Act.

This contact person must have sufficient knowledge of the duties to be able to assist individuals who have questions about their personal health information and how it is managed by the custodian. The contact person must also have an understanding of the requirements in PHIA to a level that would support their training of the custodian’s staff and provide information to the custodian’s agents and to the public. No specific education or professional background is required.

The duties of a contact person are to:

  • facilitate the custodian’s compliance with the Act;
  • ensure that all agents of the custodian are informed of their duties under the Act;
  • respond to inquiries about the custodian’s information practices;
  • respond to requests for access to and correction of records;
  • receive and process complaints under the Act;
  • facilitate the communications to and the training of the custodian’s staff about the custodian’s policies and procedures and about the Act; and
  • develop information to explain the organization’s policies and procedures.

If appropriate, a custodian can take on the role of contact person. These duties can also be shared by more than one person in the custodian’s organization. All privacy notices related to PHIA must include the name and contact information for any contact person(s). If there is more than one contact person and a division of duties, specific duties should be listed with their name and contact information.

9. Privacy statement

Physicians who are custodians are required to make available to the public a written statement that:

  • provides a general description of their information practices;
  • describes how to reach the contact person or the custodian;
  • describes how an individual may obtain access to or request a correction of a record of personal health information in the custodian’s custody or control; and
  • describes how to make a complaint under PHIA to the custodian and to the review officer.

Download Privacy Policy template (Section 1, d) (Microsoft Word document)

10. PHIA Compliance Checklist

The PHIA Compliance Checklist was developed by the Department of Health and Wellness to help custodians comply with the requirements of PHIA.

11. Breach of personal health information

A physician who is a custodian is required to report a breach of an individual’s personal health information:

  • to the individual if, in the physician’s opinion, the breach is likely to cause the individual harm or embarrassment; or
  • to the Office of the Information and Privacy Commissioner if the breach is not likely to cause the individual harm or embarrassment.

Learn more about breaches