Electronic Health Record Privacy and Security Regulations for Canadian Extended Health Care Providers

When looking into clinic management software and considering patient records management, there is a lot of different, and sometimes misleading, information about what your requirements are as a provider and as a clinic. We've looked extensively into the rules, regulations, and legislation to answer the most commonly asked questions about health care providers' responsibilities regarding patient records and data security. Here is what you need to know as a practicing health professional in Canada.

Am I required by law to keep my patient records on Canadian servers?

No. As clearly defined in PHIPA (Personal Health Information Protection Act), companies operating in Canada can store data wherever they want as long as they take measures to secure personal data. The only exception is for service providers working with public bodies (officers of the Legislature and their employees) in BC and Nova Scotia. These specific health care workers must follow a slightly different set of rules outlined in the provincial legislation of FOIPPA (BC) and PHIA (NS). *See below for details.

If you are a healthcare provider in Canada and you aren’t servicing BC or NS members of the legislature, you do not need to keep your patient records on Canadian servers.  

(Source: http://www.optimusinfo.com/data-sovereignty-in-canada/)

What parts of Canada’s Privacy Legislation am I responsible for, as a Canadian Health Care provider?

Your responsibilities as a Canadian health care provider fall under the Personal Health Information Protection Act (PHIPA), which is a Federal Act.

According to PHIPA, as a health care provider, you are a Health Information Custodian, meaning a person or organization who has custody or control of personal health information as a result of or in connection with performing the person’s or organization’s powers or duties or the work

Health information custodians include doctors, other health care practitioners, hospitals, and long-term care homes. They also include health care clinics, laboratories, pharmacies, the Ministry of Health and Long-Term Care, and other health-related organizations.

What does that mean when it comes to Handling of Patient Records?

Handling of records:

A health information custodian shall ensure that the records of personal health information that it has in its custody or under its control are retained, transferred and disposed of in a secure manner and in accordance with the prescribed requirements, if any.

Place where records kept:

A health information custodian may keep a record of personal health information about an individual in the individual's home in any reasonable manner to which the individual consents, subject to any restrictions set out in a regulation, by-law or published guideline under the Regulated Health Professions Act, 1991.

(As noted in PHIPA: https://www.ontario.ca/laws/statute/04p03)

How is this different for Electronic Records?

You need to follow these same guidelines for both paper and electronic records.

Key considerations for electronic records include ensuring:

  • Privacy and confidentiality by protecting against unauthorized access (password protection and/or data encryption)
  • Audit trails identifying the date and time of an entry and who made the entry or change (and the changes made), while preserving the original content
  • Security is maintained when transmitting records electronically, or when using portable storage devices (by encryption of information or avoiding the use of portable equipment in public places)
  • Adequate data backup to prevent loss of information
  • The record remains retrievable and reproducible for the duration of the retention period (e.g., technological advances may mean records stored in certain electronic formats may no longer be accessible)
  • Confidential methods for complete disposal (e.g., purging the information or destroying the hardware so that the information cannot be retrieved vs. simply deleting the files) (See also FAQ 6f.)

Custodians must have technical and physical safeguards in place to protect records and information in any form, including records and information collected and stored electronically.
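As an added illustration of the audit-trail and retrievability points above (this is example code, not from the original page nor from any clinic software it mentions), a hypothetical PatientRecord class that logs the date and time, the actor and the field-level change for every edit, never overwrites earlier values, and hash-chains the entries so that a later alteration of the log is detectable:

```python
# Added example (not from the page's source or any product it names): append-only,
# hash-chained audit trail for patient-record edits; names and data are constructed.
import hashlib
import json
from datetime import datetime, timezone

class PatientRecord:
    """Logs when, who and what changed; earlier values are never overwritten."""
    def __init__(self, patient_id, initial, actor):
        self.patient_id = patient_id
        self.entries = []  # append-only; never edited in place
        self._append(actor, {k: (None, v) for k, v in initial.items()})

    @staticmethod
    def _digest(entry):
        body = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def _append(self, actor, changes):
        entry = {
            "seq": len(self.entries),
            "time": datetime.now(timezone.utc).isoformat(),  # date and time of entry
            "actor": actor,  # who made the change
            "changes": changes,  # field -> (old value, new value)
            "prev_hash": self.entries[-1]["hash"] if self.entries else "0" * 64,
        }
        entry["hash"] = self._digest(entry)  # links this entry to the previous one
        self.entries.append(entry)

    def update(self, actor, **fields):
        # Record only fields that actually differ from the current state.
        current = self.current()
        changes = {k: (current.get(k), v) for k, v in fields.items() if current.get(k) != v}
        if changes:
            self._append(actor, changes)
        return changes

    def current(self, upto=None):
        # Rebuild the record by replaying the log, optionally only up to entry `upto`.
        state = {}
        for e in self.entries[: None if upto is None else upto + 1]:
            for field, (_, new) in e["changes"].items():
                state[field] = new
        return state

    def verify(self):
        # Recompute each hash and link; False means an entry was altered or removed.
        prev = "0" * 64
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev_hash"] != prev or self._digest(e) != e["hash"]:
                return False
            prev = e["hash"]
        return True
```

Replaying the log with `current()` is what keeps the original content reproducible, and `verify()` is the check to run after restoring from a backup.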

(Record keeping recommendations source: http://www.collegept.org/)

What are the stricter privacy rules that apply to BC and Nova Scotia?

BC and NS have stricter data sovereignty requirements, including storing data in Canada. These fall under the Freedom of Information and Protection of Privacy Act (FOIPPA), which regulates access to records held by public bodies and sets privacy standards for such records in the province of British Columbia, and the Personal Health Information Act (PHIA) in Nova Scotia.

The privacy-related sections of the act apply to “officers of the Legislature, their employees and, in relation to their service providers, the employees, and associates of those service providers, as if the officers and their offices were public bodies.”

That means that if you provide services for a public body (officers of the Legislature, their employees, etc.) in BC or NS, then FOIPPA or PHIA may apply to you. Sections that apply include the data sovereignty provisions of FOIPPA, which require that data collected by public bodies in BC be stored in Canada.

*Concerns about accessing data through the PATRIOT Act are misplaced because there are broader mechanisms in place for requesting and sharing data between governments and law enforcement agencies that predate the PATRIOT Act.

Summary:

To be compliant with PHIPA, your electronic records require:

  1. Privacy and confidentiality, with protection against unauthorized access (password protection and/or data encryption)
  2. Audit trails identifying the date and time of an entry and who made the entry or change (and the changes made), while preserving the original content
  3. Security maintained when transmitting records electronically or when using portable storage devices (by encrypting the information or avoiding the use of portable equipment in public places)
  4. Adequate data backup to prevent loss of information
  5. Retrievability and reproducibility for the duration of the retention period (e.g., technological advances may mean records stored in certain electronic formats are no longer accessible)
  6. Confidential methods for complete disposal (e.g., purging the information or destroying the hardware so that the information cannot be retrieved, rather than simply deleting the files)