E-health Privacy and Security Guide
Doctors Nova Scotia has published a new guide to help community-based physicians comply with personal health information laws. The E-health Privacy and Security Guide helps physicians understand privacy legislation and prevent and respond to privacy breaches and cyberattacks in their practices. It also includes the latest recommendations for electronic medical records and integrated solution options.
A physician is deemed to be the custodian of the personal health information in their records (both paper and electronic) and is therefore obligated to ensure that processes are in place to protect that information.
A physician who works in a hospital is deemed to be an agent in respect of the personal health information contained in the hospital’s records. As an agent, the physician is required to follow the rules set out by the custodian, in this case the health authority (Nova Scotia Health Authority and/or IWK).
Consent to collect, use and disclose personal health information can be verbal or written. PHIA also contemplates the notion of “knowledgeable implied consent.” Knowledgeable implied consent is achieved if the custodian clearly explains (verbally or in writing) the purpose of the collection, use or disclosure of personal health information. A poster clearly outlining the purpose, if it is displayed prominently in the physician’s office (for example, in the waiting area), will suffice. This poster can be obtained by contacting Doctors Nova Scotia.
Breach of privacy
A privacy breach is any handling of personal health information that is not authorized under PHIA. If the breach is likely to cause an individual harm, that individual must be notified. If the breach is unlikely to cause an individual harm, the Office of the Information and Privacy Commissioner must be notified.
Individuals have the right to access their own personal health information that is under the custody or control of a physician who is a custodian. A response to such a request is required within 30 days.
In some cases, physicians can recover the costs associated with a request for personal health information under PHIA. What can be charged and the process for doing so are outlined in PHIA and its regulations. The Office of the Information and Privacy Commissioner of Nova Scotia offers a fee fact sheet.
PHIA defines research as a systematic investigation designed to develop or establish principles, facts or generalizable knowledge, or any combination of those three, and includes the development, testing and evaluation of research. Physicians who are custodians and who plan to conduct research on personal health information in their custody or control have additional obligations.