Personal health information is one of the most sensitive forms of personal information. It is collected primarily for reasons connected with patient care, but may also be used for financial reimbursement, medical education, research, social services, quality assurance, risk management, public health regulation, litigation, and commercial purposes.

Privacy is a major concern for physicians. If patients aren’t confident their privacy will be maintained, they may refrain from disclosing critical information, refuse to provide their consent to use personal health information for research purposes, or choose not to seek treatment.

A 1999 Canadian Medical Association (CMA) survey found that 11 per cent of the public held back information from a health-care provider because they were concerned about who it would be shared with or how it would be used. Wrongful release of personal health information to third parties also can result in harm to patients. The Supreme Court of Canada has recognized that Sections 7 and 8 of the Canadian Charter of Rights and Freedoms are meant to ensure personal security and to protect a reasonable expectation of privacy.

The Health Information Protection Act (HIPA) and the Personal Information Protection and Electronic Documents Act (PIPEDA)

HIPA is legislation that governs the collection, use and disclosure of personal health information in the province of Saskatchewan. Proclaimed in 2003, the Act defines and places obligations on personal health information “trustees,” which include government, regional health authorities, health professionals (including physicians), and professional regulatory bodies. HIPA applies to personal health information in any form, including both paper and electronic records.

At the federal level, PIPEDA came fully into force on January 1, 2004 to protect personal information, including personal health information. It applies to organizations in the private sector that engage in “commercial activities” — including physicians in private practice . Because HIPA legislation is not considered “substantially similar” to PIPEDA, it does not supersede the requirements of PIPEDA.

Both HIPA and PIPEDA apply to physicians in their private practice.

SMA and College of Physicians and Surgeons of Saskatchewan (CPSS) Position on Privacy Legislation

Maintaining confidentiality is a professional responsibility of physicians, and is a central part of the doctor-patient relationship. While a patient, with few exceptions, has the right to access, and request an amendment of, his or her personal health information, the physician owns the medical record. Physicians designated as trustees are accountable for the personal health information they collect, use and disclose through appropriate consent and safeguards. In addition, they must take reasonable measures to protect the personal health information that is in their custody or control.

The information on this website focuses on the requirements of HIPA which is — in the opinion of the College of Physicians and Surgeons of Saskatchewan (CPSS) and the SMA — more appropriate legislation for the health sector. Again, it should be noted that physicians are guided by both statutes in their private practice.

Current legislation imposes some external controls to ensure that personal health information is managed appropriately. The SMA and the CPSS recommend that all physicians familiarize themselves and their staff with their responsibilities to maintain medical records in compliance with HIPA and PIPEDA.

Privacy Step-by-Step Guide

This guide is intended to help you develop privacy policies and procedures for your practice that meet the requirements of HIPA and the College of Physicians and Surgeons of Saskatchewan (CPSS) Bylaw 23.2.

Step 1

Read the Steps for Creating a Policy Manual (PDF). This will provide you with information about how to develop a policy manual for your practice.

Step 2

Review the Privacy and Security Policy and Procedure Requirements Checklist (PDF)*. This will give you a clear picture of what your clinic already has in place and areas that may need work.

Step 3

Review the Privacy and Security Required Actions Checklist (PDF)*. This will give you information about what you are required to do as part of your clinic’s privacy and security program.

Step 4

Open the Sample Policy Manual that matches your practice type (below) and follow the instructions contained in Step 1 to adapt the manual to your practice:

Step 5

Review the EMR resources or non-EMR resources as needed.

*These checklists can also be used by non-EMR practices to meet HIPA and CPSS requirements.