Privacy is important, especially in our digital age, and when it comes to our personal health information.

“People want to be assured that their health information is protected,” said Saskatoon Health Region privacy officer Theresa Aubin-Singh. “They want to know that no one without a ‘need to know’ will see when they last came into the hospital for a medical procedure, and the results of their latest blood work. And that’s the work our office does.”

Saskatoon Health Region’s Privacy and Access Office ensures that the right people are getting the right information, and that no one is looking at information they shouldn’t be.

Heatlh Records“Saskatoon Health Region is a trustee under HIPA which requires us to have policies and procedures in place to safeguard health information, both paper and electronic.” Aubin-Singh explained. “As healthcare providers, this type of information is important to provide the right care, but we also need to ensure that same information is protected.”

The “need to know”

It’s important that employees be aware of what information they should or should not access.

“Snooping” into electronic or paper health records has never been acceptable, and recent changes to HIPA will make it very clear that in most cases, to access a client’s personal health information for any reason other than to provide care violates the Act.

Accessing patient records for the sake of medical curiosity about a client that a staff member has not cared for is not acceptable.

“You actually have to be in the ‘need to know’ for that patient to access those files,” Aubin-Singh noted. “That ‘need to know’ is outlined in the HIPA legislation, but if there is any confusion I would encourage our healthcare staff to contact our office and we would be happy to answer their questions.”

This way, patients and clients are assured that their private information remains private.

“Your healthcare team accesses your health record on a need-to-know basis and views only the information required to plan for and provide you with appropriate care,” Aubin-Singh said. “Others, such as lawyers or insurance companies, need your written consent before it’s possible to access your information.”

What about my own information?

Under HIPA, healthcare workers are not to access even their own information at work. Neither are they allowed to access the information of their children or other family members that way.

“If you are not providing care, and you won’t be to yourself or a family member, you should not access that information either electronically or on paper,” Aubin-Singh explained.

Healthcare workers, like anyone else, do have the right to access their own health information and that of their young children, but they must go through the same process as everyone else.

The proper procedure for accessing your current health information involves making a written or verbal request of your healthcare provider or member of your healthcare team. Requests from individuals wishing to access personal non-current health records must be made in writing and will be directed to the appropriate health records department or long-term care  administrator or designate.

What happens if you don’t follow the rules?

It’s likely you will be caught.

With the new electronic-based systems, it’s not only easier to access patient files; it’s easier to see who has opened them.

Accessing electronic health records leaves an audit trail. As soon as a healthcare worker goes into a patient’s electronic health record, the system records that he or she has been in there. Audits of the EMR (electronic medical record) system are performed on a regular basis to ensure that those records are being accessed in the proper way, and a patient’s privacy is being protected.

“As a healthcare team, we have to protect this information so the people of Saskatchewan have confidence that their health records are confidential and secure,” Aubin-Singh stated. “That means we all have to follow the rules set out in HIPA.”

Protecting information means educating healthcare workers to keep their computer passwords secret from their co-workers. When they leave their computer, even if it’s for a minute, they should log out so that no one can sit down at their workstation and look up patient information.

Those found guilty of violating HIPA could face fines or other disciplinary actions.

Questions about access and handling

Anyone with questions about privacy, HIPA, or with any other concerns can contact Saskatoon Health Region’s Privacy and Access Office, or visit https://www.saskatoonhealthregion.ca/patients/Pages/Privacy-and-Health-Records.aspx.

Anyone can ask that an audit be done of their own electronic health records through eHealth Saskatchewan, Aubin-Singh added. This means that you can see who has been accessing your health information. You can also mask some of your information, if you so choose.

While handling privacy issues represents a large part of their job, there is another piece which is access.

The Local Authority Freedom of Information and Protection of Privacy Act (LaFOIPP) strives to balance the public’s right to know with an individual’s right to privacy. The Act allows access to most records that are under the control of Saskatoon Health Region with the exception of personal health information.

“We suggest people contact us before they submit a formal access to information request,” says Aubin-Singh. “A lot of times this information already exists and we can help with the request without making people feel like they have to cut through a lot of red tape.”