On November 26, the Saskatchewan government introduced amendments to The Health Information Protection Act (HIPA) to better protect personal health information. The changes have definite implications for health care workers.

RR-2014-12-10-HIPA-changesThe legislative amendments introduced are meant to both strengthen the protection of personal health records and increase the accountability of trustees and employees in protecting those records.

The Saskatoon Health Region is considered a trustee as the Region has personal health information under its custody and control.

These amendments are a result of recommendations from the Health Records Protection Working Group, which released a report in April. The group recommended changes to HIPA to help enforce the responsibilities of trustees under the Act, to address possible gaps in legislation, and put a system in place to deal with the discovery of unsecured records, stated a news release from the Government of Saskatchewan.

”I’m confident these amendments will help strengthen the protection of personal health records and increase the accountability of trustees and employees in protecting those records,” stated Health Minister Dustin Duncan.  “We take seriously the protection of privacy of personal health information of Saskatchewan residents.”

“Not only will these changes fill a legislation gap that existed previously, they will also provide peace of mind for people in this province,” noted Justice Minister and Attorney General Gordon Wyant in the release.

The amendments to HIPA include:

  • Strict liability offence: If records are found unsecured, the trustee responsible for the records would need to show they took all reasonable steps to prevent the abandonment.  Sometimes called the “reverse onus” clause, this change will forgo a need to prove the trustee intended to abandon the records.
  • Individual offence for willful disclosure of personal information: This change will make it clear that HIPA offences for intentional disclosure of personal health information apply not only to trustees, but to individuals who are employees of trustees.
  • Snooping offence: A specific offence will be established for inappropriate use of personal health information by employees who access information without a need for that information.
  • Take control of abandoned records: A specific provision will be added to HIPA for a system to be put in place to quickly respond to a discovery of abandoned or unsecured records and to take control of the records.

These changes to HIPA have not yet been finalized, but they are coming.  And health care workers should know what they will mean for them, noted Saskatoon Health Region privacy officer Theresa Aubin-Singh.

“It’s important that our employees be aware of what information they should or should not access, and what can be disclosed and to whom,” she noted.

When it comes to cases of willful disclosure of information, the proposed changes to HIPA mean individuals will be held accountable, she noted. It won’t be the trustee taking responsibility for privacy breaches made by employees anymore.

“Snooping” into electronic or paper health records has never been acceptable, Aubin-Singh noted, but the changes proposed to HIPA make it very clear that in most cases, to access a client’s personal health information for any reason other than to provide care violates the Act.

Accessing patient records for the sake of learning about a client a staff member has not cared for is not allowed.

“You actually have to be caring for that patient to access those files,” Aubin-Singh noted. “You have to have the need to know. Just because you can access them doesn’t mean that you should.”

Under HIPA, health care workers are not to access even their own information at work.  Neither are they allowed to access the information of their children or other family members that way.

“If you are not providing care – and you won’t be to yourself or a family member – you should not access that information either electronically or on paper,” Aubin-Singh explained.

Health care workers, like anyone else, do have the right to access their own health information and that of their young children but they must go through the same process as everyone else.

The proper procedure for accessing current health information involves making a written or verbal request of your health care provider or member of your health care team. Requests from individuals wishing to access personal non-current health records must be made in writing and will be directed to the appropriate health records department or Long Term Care administrator or designate.

Though it might seem easier to just press a button to get their own personal health information, staff should be aware that accessing electronic health records leaves an audit trail. As soon as a health care worker goes into a patient’s electronic health record, the system records that he or she has been in there. Audits of the EMR (electronic health record) system are performed on a regular basis to ensure that those records are being accessed in the proper way, and a patient’s privacy is being protected.

“As a health care team, we have to protect this information so the people of Saskatchewan have confidence that their health records are confidential and secure” Aubin-Singh stated. “That means we all have to follow the rules set out in HIPA.”

Those found guilty of violating HIPA could face fines.

Health care workers with any questions or needing more information about the changes to HIPA can contact Saskatoon Health Region’s Privacy and Access Office.

Anyone can ask that an audit be done of their own electronic health records through eHealth Saskatchewan, Aubin-Singh added.  This means that you can see who has been accessing your health information.  You can also mask some of your information, if you so choose.

The government will be examining the remaining recommendations made by the Health Records Protection Working Group, including creating a single repository for abandoned records, making private record storage solutions available and clarifying the definition of “trustee” for physician practice arrangements.

The Health Records Protection Working Group was formed in 2012 after a large number of medical records were found abandoned in a Regina dumpster. The group included members from the College of Physicians and Surgeons, Saskatchewan Medical Association, College of Pharmacists, Saskatchewan Registered Nurses Association, a patient representative, and the Ministries of Justice and Health.