FAQs

This list of questions and answers about PHIA, sorted by topic, will help physicians interpret the Act appropriately.

What are the responsibilities of the employees of a custodian to protect personal health information?

Employees of a custodian are considered under PHIA to be “agents.” Agents are persons who, with the authorization of the custodian, act for or on behalf of the custodian in respect of personal health information for the purposes of the custodian, and not the agent’s purposes. It's the custodian’s responsibility to ensure all agents of the custodian are appropriately informed of their duties to protect personal health information as required by PHIA. As a critical first step in ensuring the reasonable security requirements of PHIA, it's recommended that custodians have their agents sign a confidentiality agreement at the commencement of their employment.

When acting as an agent for another physician who is on vacation, does this mean I have to provide treatment the way the physician who is the custodian would?

No. Agents of custodians under PHIA are only acting on behalf of the custodian for the purposes of the personal health information. PHIA doesn't impact patient treatment.

What does the contact person do?

The duties of the contact person are to:

  • Facilitate the custodian’s compliance with PHIA;
  • Ensure that all agents of the custodian are informed of their duties under PHIA;
  • Respond to enquiries about the custodian’s information practices;
  • Respond to requests for access to, and correction of, records;
  • Receive and process complaints under PHIA;
  • Facilitate communication to, and training of, the custodian’s staff about the custodian’s policies and procedures and about PHIA; and
  • Develop information to explain the organization’s policies and procedures.

In a collaborative practice, who is the custodian?

That will depend on the legal structure of the practice and who within the practice has “custody and control” of the personal health information. The custodian could be the corporation if the practice is incorporated; it could be the board of directors if such exists; it could be each of the regulated health professionals practicing within the collaborative practice. It will vary from practice to practice.

For a surgeon, the operating report may be in two places: the private practice office records and the DHA’s information system. Who is the custodian?

The DHA is the custodian of the operating report that is filed to the patient’s hospital record. If that operating report is copied to the surgeon and filed in the surgeon’s office, he/she is also the custodian of the operating report in the office.

How is PHIA different from PIPEDA?

The federal legislation PIPEDA came into force for the commercial health sector in 2004. In most cases, if your office is compliant with PIPEDA, it's compliant with PHIA. The exceptions are that PHIA requires:

  1. That a custodian report a breach of personal health information to an individual if, in the custodian’s opinion, the breach is likely to cause the individual harm or embarrassment;
  2. That a custodian report a breach of personal health information to the OIPC if, in the custodian's opinion, the breach is unlikely to cause the individual harm or embarrassment;
  3. That a custodian must be able to produce a record of user activity for any electronic information system the custodian uses to maintain personal health information; and
  4. That a custodian receive the approval of a research ethics board for research conducted using personal health information the custodian itself has collected for care purposes.

What’s the significance of the Notice of Purposes poster?

By making a Notice of Purposes poster readily available to patients, a custodian may rely on knowledgeable implied consent to collect, use and disclose personal health information within the circle of care, unless the patient has indicated otherwise. The Notice of Purposes poster provides patients with information about the purposes for which the custodian collects, uses and discloses their personal health information. It also provides patients with information about their rights under PHIA to limit or revoke consent, and their right to make a complaint to the custodian and the Privacy Review Officer about how their personal health information is managed. A custodian may choose to explain the purposes for collecting, using and disclosing a patient’s personal health information instead of making a notice readily available.

Where should the poster with the notice of purposes be placed?

The notice of purposes poster should be placed in an area where it's readily available to be seen and read by patients, such as the reception area of a clinic or practice.

How much demand is there for the record of user activity?

What we have heard from the PHIA information sessions is that the record of user activity is seldom requested. However, with the implementation of PHIA, the public will be more aware of their rights so it's best to be prepared for an increase in requests, even if only slight.

How can a record of user activity be produced?

You can request a record of user activity from your EMR provider. It's important to note that any fees arising from that request can't be passed on to the individual requesting the record. If your EMR provider is unable to provide you with a record of user activity, representatives from the Department of Health and Wellness have stated that it will suffice if you provide the individual requesting the record with the following information: the hours your office is open, the names of the people who work in your office and the dates and times they work. The assumption for PHIA purposes is that anyone working in your office may have had access to the individual’s personal health information for the hours they were at work. If your staff has remote access to personal health information at any time, then that information must be included in the description.
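The two ways of producing a record of user activity described above, as an added illustration that is not code from the page or from any EMR vendor: the first function builds the record from an EMR audit log, the second builds the fallback description (office hours, staff names, dates and times worked, remote access noted). The audit line format, the user and patient identifiers and the sample log are all constructed assumptions.

```python
"""Produce a PHIA-style record of user activity for one patient.

Added illustration; not code from the page or from any EMR vendor.
Assumed (hypothetical) audit line format, one line per access:
    <ISO-8601 timestamp>|<user id>|<patient id>|<action>|<access path>
where the access path is "lan" for in-office access and anything else
(e.g. "remote") for access from outside the office.
"""
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class AccessEvent:
    when: datetime
    user: str
    patient_id: str
    action: str
    remote: bool


def parse_audit_line(line: str) -> AccessEvent:
    """Parse one audit line; raises ValueError on a malformed line."""
    fields = line.strip().split("|")
    if len(fields) != 5:
        raise ValueError(f"expected 5 fields, got {len(fields)}: {line!r}")
    ts, user, patient_id, action, path = fields
    return AccessEvent(
        when=datetime.fromisoformat(ts),
        user=user,
        patient_id=patient_id,
        action=action,
        remote=(path.lower() != "lan"),
    )


def user_activity_record(audit_lines, patient_id):
    """Return every access to one patient's record, oldest first.

    Malformed lines are counted rather than silently dropped, so the
    custodian knows whether the record may be incomplete.
    """
    events, malformed = [], 0
    for line in audit_lines:
        if not line.strip():
            continue
        try:
            ev = parse_audit_line(line)
        except ValueError:
            malformed += 1
            continue
        if ev.patient_id == patient_id:
            events.append(ev)
    events.sort(key=lambda e: e.when)
    rows = [
        {"when": e.when.isoformat(sep=" "), "user": e.user,
         "action": e.action, "remote": e.remote}
        for e in events
    ]
    return {"patient_id": patient_id, "accesses": rows,
            "malformed_lines": malformed}


def fallback_record(office_hours, shifts):
    """Description to provide when the EMR cannot produce an audit record.

    Per the FAQ: the hours the office is open, who works there, and the
    dates and times they worked, noting anyone with remote access.
    `shifts` is a list of (name, date, start, end, has_remote_access)
    tuples (a hypothetical shape chosen for this example).
    """
    staff = {}
    for name, day, start, end, remote in shifts:
        entry = staff.setdefault(name, {"worked": [], "remote_access": False})
        entry["worked"].append(f"{day} {start}-{end}")
        entry["remote_access"] = entry["remote_access"] or remote
    return {"office_hours": office_hours, "staff": staff}


# Constructed sample audit log (not real data); one line is deliberately garbled.
SAMPLE_AUDIT = [
    "2023-03-01T09:12:00|dr.lee|P-1001|view|lan",
    "2023-03-01T09:15:00|reception1|P-2002|view|lan",
    "2023-03-02T21:40:00|dr.lee|P-1001|update|remote",
    "this line is garbled",
    "2023-03-01T08:55:00|reception1|P-1001|view|lan",
]

if __name__ == "__main__":
    rec = user_activity_record(SAMPLE_AUDIT, "P-1001")
    for row in rec["accesses"]:
        print(row)
    print("malformed lines:", rec["malformed_lines"])
```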

Are there any resources available from the government to implement PHIA?

The Department of Health and Wellness (DHW) has a comprehensive toolkit available on its website, as well as an email address and toll-free number for questions. And the Office of the Information and Privacy Commissioner for Nova Scotia has extensive resources available and is available and willing to provide advice on privacy, and access, and correction provisions.

What are the rights of patients under PHIA?

  • Access to their information: A patient can request to view or receive a copy of his/her personal health information. The custodian has the right to charge a fee for this service as set out in the PHIA regulations.
  • Request corrections: A patient can request, in writing, that the custodian correct their record. The custodian must respond within 30 days.
  • Request a record of user activity: If a patient’s information is held in an electronic information system, he/she can request a record of user activity (i.e. a history of who has accessed his/her electronic record).
  • File a complaint: A patient can make a complaint to a custodian about any aspect of the custodian’s conduct in relation to the privacy provisions of PHIA.
  • Request a review: A patient may ask the provincial review officer to conduct a review if a custodian has refused access to a patient’s personal health information or refused to make a correction to his/her information.

What can an individual make a privacy complaint about under PHIA?

An individual may make a complaint about any aspect of the custodian’s conduct in relation to the privacy provisions of PHIA. The privacy provisions of PHIA include: consent; substitute decision-maker; collection/use/disclosure of personal health information; retention/destruction/disposal/de-identification; research; practices to protect personal health information; and reporting a privacy breach. An individual may also make a complaint if he or she is refused access to their personal health information or if a custodian refuses to make a correction.

If a patient requests a correction to his or her personal health information, is the custodian obligated to make the change?

PHIA directs that a custodian shall grant a request for a correction if the individual demonstrates to the satisfaction of the custodian that the record is not complete, accurate or up-to-date and gives the custodian the information necessary to enable the custodian to correct the record. The custodian isn't required to correct a record if:

  1. it consists of a record that was not originally created by the custodian and the custodian does not have sufficient knowledge, expertise and authority to correct the record; and
  2. it consists of a professional opinion or observation that a custodian has made in good faith about the individual.

PHIA directs that corrections are recorded by striking out the incorrect information in a manner that does not obliterate the record, or where that is not possible, labeling the information as incorrect, severing the incorrect information from the records, storing it separately from the record and maintaining a link in the record that indicates that a correction has been made, enabling a person to trace the incorrect information. If it's not possible to record the correct information in the record, the custodian must ensure that there is a practical system in place to inform a person accessing the record that the information is incorrect and to direct the person to the correct information.

What is personal health information?

Personal health information is defined by PHIA as identifying information about an individual, whether living or deceased (in both recorded and unrecorded forms), if the information:

  • Relates to the physical or mental health of the individual, including information that consists of the health history of the individual’s family.
  • Relates to the application, assessment, eligibility and provision of health care to the individual, including the identification of a person as a provider of health care to the individual.
  • Relates to payments or eligibility for health care in respect of the individual.
  • Relates to the donation by the individual of any body part or bodily substance of the individual or is derived from the testing or examination of any such bodily part or substance.
  • Is the individual’s registration information, including the individual’s health-card number.
  • Identifies an individual’s substitute decision-maker.

Consent for the collection, use or disclosure of personal health information by a custodian under PHIA (whether express consent or knowledgeable implied consent) must:

  • Be given by the individual
  • Be knowledgeable
  • Be related to the specific information at issue
  • Be voluntary

Consent is “knowledgeable” when it is reasonable in the circumstances for the custodian to believe that:

  • The individual knows the purpose of the collection, use or disclosure, as the case may be; and
  • The individual knows that s/he may give or withhold consent.

PHIA doesn't require a consent form for express consent, but it seems to be accepted practice to document it somewhere where it can be retrieved if needed later on.

Should physicians document oral consent?

It's a recommended practice to document express consent that is provided in oral form.

At what age do teenagers have capacity to provide consent?

PHIA doesn't specify an age of consent. It requires an individual to have capacity, which in the context of collection, use and disclosure of their personal health information means:

  • The ability to understand information that is relevant to the making of a decision related to the collection, use or disclosure of personal health information; and
  • The ability to appreciate the reasonably foreseeable consequences of a decision or a lack of a decision.

PHIA requires that the capacity of an individual must be considered in each instance consent is being sought as an individual may have capacity at a particular time, but may be incapable of consenting at another time.

In a walk-in clinic, can the patient request that the information not be shared with his or her family doctor?

Yes, PHIA allows an individual to request to limit or revoke consent for the collection, use or disclosure of personal health information in the custody or control of a custodian by giving notice to the custodian (note: the request isn't retroactive). If the custodian disclosing the information determines that the information disclosed to that provider is not what is "reasonably necessary" for the care of the individual, it's the responsibility of the custodian to then inform the provider named by the individual that the individual's record isn't complete. The custodian must also inform the individual of the consequences of limiting or revoking consent, including the fact that the other provider may decide that s/he is not confident in providing care to the individual without understanding what information has been withheld.

The consent provisions of PHIA apply only to the collection, use and disclosure of personal health information, and aren't applicable to treatment. PHIA provides that any capable individual, regardless of age, may consent or withdraw consent for the collection, use and disclosure of their personal health information for the purposes of the act. PHIA also states that an individual may have capacity at a particular time but be incapable of consenting at another time. In addition, an individual may have capacity to consent to the collection, use or disclosure of some parts of their personal health information but not others. Where an individual is deemed to have capacity to consent to the collection, use and disclosure of personal health information, this capacity includes refusing consent for disclosure to a parent, guardian or substitute decision-maker.

Which parent can access the children’s personal health information if there is joint custody?

This will be determined by the courts and should be stated in the custody order.

Can you share information with another physician; for instance, regarding prescriptions requested by a patient?

If the other physician is in the individual’s “circle of care,” the information may be shared, unless the patient has requested that the information not be shared. If not, express consent from the individual is required before sharing the personal health information.

Is family in the circle of care?

A patient’s family isn't considered to be within the circle of care. The term “circle of care” isn't used in PHIA, but is used in the health sector to refer to the custodians who provide or support care to an individual in each instance of care provision. It is important to note that personal health information may only be disclosed by a custodian to another custodian (or his/her agent) within the circle of care. Under PHIA, a custodian has the discretion to disclose personal health information related to the presence, location and general condition of an individual on the day that information is requested to family members of the individual, unless the individual has expressly asked the custodian not to. Note: The act permits this disclosure; it doesn't require it unless the disclosure is required under another statute.

Can family members access a deceased patient’s health history?

Under section 40(1) of the act, a custodian may release information about an individual who is deceased for the following purposes:

  • For the purpose of identifying the individual;
  • For the purpose of informing any person whom it is reasonable to inform that the individual is deceased;
  • To a spouse, parent, sibling, or child of the individual if the recipient of the information reasonably requires the information to make decisions about the recipient’s own health care or the recipient’s children’s health care and it is not contrary to a prior express request of the deceased individual; and
  • For carrying out the deceased person’s wishes for the purpose of tissue or organ donation.

Under section 40(2) of the act, a custodian may disclose personal health information about a deceased individual to:

  • A family member of the individual; or
  • Another person if the custodian has a reasonable belief that the person had a close personal relationship with the individual;

if the information relates to circumstances surrounding the death of the individual or to health care recently received by the individual and the disclosure is not contrary to a prior express request of the individual. In other circumstances, consent should be obtained from the administrator of the deceased patient’s estate.

Consent isn't required to disclose personal health information about a deceased individual in the following circumstances:

A custodian may disclose personal health information about a deceased individual, or an individual who is believed to be deceased, for the following purposes:

  • To identify the deceased individual;
  • To inform any person whom it is reasonable to inform that the individual is deceased;
  • To a spouse, parent, sibling or child of the individual if the recipient of the information reasonably requires it to make decisions about their own health care or their children’s health care and it isn't contrary to a prior express request of the deceased; and
  • For carrying out the deceased person’s wishes for the purpose of tissue or organ donation.

Where an individual is deceased, a custodian may disclose personal health information to a family member of the individual or a person who had a personal relationship with the individual, if the information relates to circumstances surrounding the death of the individual or to health care recently received by the individual and the disclosure isn't contrary to a prior express request of the deceased individual. In other circumstances, a custodian should only disclose personal health information to the administrator of the deceased patient’s estate or a person appointed by a court of law for that purpose, and only if the disclosure is for the purposes of the estate.

Are physicians able to send information to the Registrar of Motor Vehicles if there is a concern about a patient’s ability to drive?

Under PHIA, custodians may disclose personal health information if it's required or permitted by law. Physicians are able to disclose personal health information to the Registrar of Motor Vehicles, pursuant to the Motor Vehicle Act, if an individual is afflicted with mental or physical infirmities or disabilities rendering it unsafe for such patient to drive a motor vehicle upon the highways.

PHIA requires a retention schedule. Does it specifically say how long you should retain personal health information before destroying these records?

No, it doesn't say how long you should retain personal health information, only that you must have a retention schedule and implement it. The source of information for determining how long to retain medical records is the College of Physicians and Surgeons of NS Guidelines for Medical Record-Keeping, 2008. PHIA requires a retention schedule whether the records are paper or electronic.

Does PHIA say when should a physician dispose of electronic medical records?

PHIA requires that a custodian have a written retention schedule. PHIA doesn't determine the length of the retention period for paper or electronic medical records. A physician should consult the College of Physicians and Surgeons of Nova Scotia’s Guidelines for Medical Record Keeping, 2008 for guidance on retention periods for medical records.

Is use of personal health information for quality control considered research, or is there another section in PHIA that permits this?

Section 35 permits a custodian to use personal health information for the purpose of ensuring quality or standards of care within a quality review program within the custodian’s organization. The use of personal health information in this circumstance must be part of a quality review program. It can't be a review initiated by an individual employee of the custodian. Section 38 permits a custodian to disclose personal health information to another custodian for the same purpose.

I want to use personal health information from my patient records for research. What do I need to do to be compliant with PHIA?

Different rules apply to disclosure for research purposes.

  • If the personal health information is de-identified, aggregated or in statistical form, then PHIA doesn't apply.
  • If the personal health information isn't de-identified, aggregated or in statistical form, then you must:
    • Write a research plan;
    • Submit the plan to a research ethics board (REB) and obtain the REB’s approval;
    • Meet any conditions imposed by the REB; and
    • In the research plan, address the issue of consent; if you are not seeking consent from the individuals whose personal health information is the subject of the research, you must explain why seeking consent would be impracticable.

When does PHIA not apply?

PHIA doesn't apply to:

  • Statistical, aggregate, or de-identified health information; and
  • Personal health information about an individual 50 years after his/her death or 120 years after the record containing the information was created, whichever comes first; and
  • Personal health information collected, used or disclosed outside of the health sector.

Do USB keys and mobile devices that contain personal health information have to be encrypted?

While PHIA doesn't specifically address encryption, it does require custodians to ensure that the personal health information in their custody or control is protected against theft or loss of the information, and unauthorized access to or use, copying or modification of the information. Encryption is recommended so that, in the event a mobile device or USB key is lost or stolen, unauthorized access is prevented.

How do I protect personal health information that is stored on computers/USB drives?

Computers: PHIA requires that custodians take additional safeguards to protect personal health information held electronically from theft/loss and from unauthorized access. Such safeguards include:

  • Protection of network infrastructure, including physical and wireless networks, to ensure secure access (e.g. protection from malware and hackers; network operational centres should be kept locked);
  • Protection of hardware and its supporting operating systems to ensure that the system functions consistently and only those authorized to access the system have access (e.g. secure storage of back-up information); and
  • Protection of the system’s software, including the way it authenticates a user’s identity before allowing access (e.g. up-to-date back-ups of all data, encryption and authentication; antivirus/antimalware software; internet access should be through a firewall)

Mobile devices: Devices such as laptops, memory sticks and smart phones may facilitate mobility; however, these devices should only be used for personal health information if the appropriate security measures are in place. Such measures include: encryption and protection of user IDs and passwords.

Is email OK to send referral and medical information?

PHIA requires a custodian to protect the confidentiality of personal health information that is in its custody or control and the privacy of the individual who is the subject of that information. A custodian is also required to implement information practices that meet the requirements of the act, are reasonable in the circumstances, and that ensure the personal health information is protected against theft or loss, and unauthorized access to or use, disclosure, copying or modification. Generally, email isn't secure and any personal health information included in an email could be subject to unauthorized access, use, disclosure or copying. Any custodian contemplating using email to send referral and medical information should ensure the patient provides express consent, the consent is documented, and a minimum amount of information is sent.

A lot of facilities have back-up electronic data storage off site. What is a custodian’s responsibility there?

  • Custodians are accountable for the personal health information in their custody or control, irrespective of where or how it is stored.
  • The EMR service provider should have measures in place to ensure the personal health information is protected against theft or loss, and unauthorized access to or use, disclosure, copying, or modification. This should be reflected in the custodian’s agreement with the service provider.

How does a physician know if there is potential for harm or embarrassment when personal health information is lost or stolen?

  • The custodian is required to notify individuals at the first reasonable opportunity if the custodian believes on a reasonable basis that personal health information was stolen, lost or subject to unauthorized access, use, disclosure, copying or modification; and as a result, there is potential for harm or embarrassment to the individuals.
  • Some factors to consider in determining if there is potential for harm or embarrassment to individuals include:
    • Who accessed or could have accessed the personal health information?
    • Were mobile devices encrypted to prevent unauthorized access?
    • What kind of personal health information was accessed, how much and for how many individuals?
    • Is there evidence of a malicious purpose (theft, hacking) or was it accidental?
    • Could the personal health information be used for identity theft or fraud?
    • Was the personal health information of vulnerable individuals involved (e.g. youth or seniors)?
  • The OIPC has developed a tool, "Key Steps to Responding to Privacy Breaches", which provides a comprehensive checklist for analyzing a privacy breach.

What can happen if a custodian doesn’t notify anyone that a breach occurred?

You are obligated to notify the individual whose personal health information has been breached if, as a result of the breach, there is potential for harm or embarrassment to the individual. If you decide not to notify the individual, you must notify the Privacy Review Officer. Failure to comply with PHIA may result in a penalty. For an individual, the penalty may be up to $10,000 or 6 months in prison; for a corporation, the penalty may be up to $50,000.

How do you notify patients of a breach?

PHIA doesn't provide direction on how to notify of a breach. It states that the custodian “… shall notify the individual at the first reasonable opportunity if the custodian believes on a reasonable basis that the information is stolen, lost or subject to unauthorized access, use, disclosure, copying or modification”. Ideally, each individual whose personal health information was breached would be contacted individually. PHIA permits the Privacy Review Officer, on the request of a custodian, to provide advice and comments on the privacy provisions of the act. If the nature of the breach is such that contacting individuals individually is impractical, the Privacy Review Officer should be consulted.

What should a physician do if office cleaning staff access medical records without authorization and what should you do to prevent this from occurring?

  • Custodians are responsible to take reasonable measures to protect the personal health information in their custody or control. In the circumstance where there was unauthorized access of personal health information, the custodian would need to determine if there is potential for harm or embarrassment to the individuals whose personal health information was accessed. If there is potential for harm or embarrassment, the custodian must notify each patient whose record was accessed. If there is no potential for harm or embarrassment to the patients as a result of the unauthorized access, PHIA requires that the custodian must notify the Privacy Review Officer as soon as possible.
  • Steps to take in order to prevent this from occurring include:
    • Locking paper records in cabinets where practicable;
    • Ensuring that landlords have agreements with their employees or contractors prohibiting them from accessing confidential information on the premises and requiring them to keep confidential any personal health information they access inadvertently; and/or
    • Requiring landlords and their agents who have access to a custodian’s premises to sign a confidentiality agreement.

In the application of offences and penalties, is an incorporated physician considered a corporation and thus subject to the higher penalties?

Yes, an incorporated physician is subject to the penalties for corporations, which are up to $50,000.

Is anyone exempt from paying fees under PHIA?

According to the Office of the Information and Privacy Commissioner, the fees do not apply to any of the following:

  • User activity report: Where a custodian has an electronic information system, the custodian shall make a record of user activity available at the individual’s request and at no charge to the individual.
  • New patients: A request from a regulated health professional who is entitled to personal health information in accordance with a consent given by the individual whose personal health information is the subject of the request.
  • Legal aid representation: A request made by a solicitor representing a legal aid client.
  • Review Board appearance: A request from an individual for the purposes of appearing before the Review Board under Section 68 of the Involuntary Psychiatric Treatment Act.
  • Police officer: A search warrant presented by a police officer under section 487 of the Criminal Code (Canada) or a production order presented by a police officer under section 278.7 of the Criminal Code (Canada).
  • Police and probation: A request by a police officer or probation officer who is entitled to personal health information because the individual whose personal health information is the subject of the request has consented to disclosure.
  • Investigation by regulatory colleges: A request from a regulated health-profession body that is using the information for the purposes of regulating the health profession.
  • Workers’ Compensation: A request from the Workers’ Compensation Board of Nova Scotia.

How do you know what personal health information you can or can’t give insurance companies? What if a patient doesn’t want you to send certain information because it may have a negative impact on a claim?

In order to disclose personal health information to an insurance company or other non-custodian, the insurance company must provide the physician with express consent from the patient. The physician can only disclose personal health information to the insurance company based on the scope of the express consent. There is no basis in PHIA for a physician to withhold relevant personal health information from an insurance company when the individual has provided express consent for the disclosure. Physicians are required to follow the Canadian Medical Association Code of Ethics.

What does PHIA say about insurance companies or lawyers wanting all of a patient’s personal health information?

PHIA doesn't address this specifically. PHIA requires valid express consent from the individual whose personal health information it is, in order for a custodian to disclose to third parties such as insurance companies.

What should I do if a client doesn’t want certain information released to an insurance company but then the client doesn’t get the insurance?

Whether or not the insurance company accepts the individual’s claim has nothing to do with the protection of an individual’s personal health information. If the individual has consented to the insurance company receiving the information, the custodian must release it if requested to do so.

Is Workers’ Compensation Board (WCB) in the circle of care?

No, but WCB is entitled by statute to request and receive whatever personal health information it needs to process claims.