Privacy FAQ

NOTE: Responses are based on legislation and bylaws applicable in the province of Saskatchewan. These responses should not be viewed as legal advice.

  1. How long do I need to keep my paper records for?
  2. How long do I need to keep my electronic records for?
  3. If I scan my paper records into my EMR, do I need to keep the paper records?
  4. How do I destroy my old paper records?
  5. Can a patient request to view or receive a copy of his or her personal health information?
  6. Can patients be denied access to their personal health information?
  7. Can I share my password?
  8. I dislike having to lock or log off the computer when I leave the room. Do I really need to do this?
  9. Do I need to mask my patient's personal health information?
  10. Who do I contact with a region to access an electronic institutional record?

 

1. How long do I need to keep my paper records for?

Currently, The Health Information Protection Act (HIPA) does not have legislation enacted to address retention periods.

The College of Physicians and Surgeons requires that records be held for six years after the patient was last seen. Records of pediatric patients shall be retained until two years past the age of majority or six years after the date last seen, whichever is later.

The Canadian Medical Protective Association recommends that members keep medical records for at least 10 years from the date of last entry or, in the case of minors, 10 years from when the age of majority is reached or 10 years from the last entry, whichever is greater.

The trustee needs to ensure that they have a policy and procedure in place that establishes the retention period and the process for destruction and storage of the medical records. (See: Retention Periods for Personal Health Information, Storage of Personal Health Information, Scanning and Destruction of Original Paper Records)



2. How long do I need to keep my electronic records for?

Currently, The Health Information Protection Act (HIPA) does not have legislation enacted to address retention periods.

The College of Physicians and Surgeons requires that records be held for six years after the patient was last seen. Records of pediatric patients shall be retained until two years past the age of majority or six years after the date last seen, whichever is later.

The Canadian Medical Protective Association recommends that members keep medical records for at least 10 years from the date of last entry or, in the case of minors, 10 years from when the age of majority is reached or 10 years from the last entry, whichever is greater.

The trustee needs to ensure that they have a policy and procedure in place that establishes the retention period and the process for destruction and storage of the medical records. (See: Retention Periods for Personal Health Information, Storage of Personal Health Information, Scanning and Destruction of Original Paper Records)




3. If I scan my paper records into my EMR, do I need to keep the paper records?

No. However, the trustee does need to ensure that policies and procedures are in place so that documents are accurately scanned and that the scanning quality assurance and destruction procedures are implemented and followed consistently.

Physicians also need to make sure that part of their process is to have someone sign off that they have reviewed the paper document and the electronic document and state that, to the best of their knowledge, it is a “true and exact copy of the patient's record”.

Please refer to the Resource Material and the Sample Policy and Procedure Manuals for more specific details. [See: Scanning and Destruction of Original Paper Records and page 43 of the Sample Policy Manual for a Group Practice (.doc)]




4. How do I destroy my old paper records?

Any document that contains personal health information needs to be destroyed in a confidential manner.

This can be done by cross-shredding the document, either in the clinic or by hiring an outside company to do so.

If hiring an outside agency to shred the practice's documents, the trustee needs to make sure that they have put confidentiality provisions into any contract that they might have with the contracted agency. For more information please refer to the Resource Material (Destruction of Paper Records of Personal Health Information) and the Sample Template - Agreements (.doc).



5. Can a patient request to view or receive a copy of his or her personal health information?

Yes, patients have the right to access their personal health information. This right is enshrined in legislation under HIPA. Patients may make either a verbal or written request for access.

The trustee should have a policy and procedure in place to identify how a patient can make a request to access his or her record. Staff should be able to provide the requestor with assistance in this process if required.

The trustee is able to charge a reasonable fee if the patient requests a copy of the record. The SMA has identified a fee rate for this purpose. Please refer to the Reference Manual (PDF) under “Patient Access to their Own Information” for those rates and additional information.

The trustee should also be aware that the patient may request a fee waiver, and the patient's ability to pay should be taken into consideration when applying a fee for the request.

Through posters or pamphlets in the waiting room and exam rooms, trustees should identify to their patients that they have the right to access their records.



6. Can patients be denied access to their personal health information?

Yes, but only in very specific circumstances. Please refer to the Reference Manual (PDF) under “Patient Access to their Own Information” or HIPA Section 38 for these specifics.




7. Can I share my password?

No, passwords should not be shared. Sharing a password is like providing someone with a signed blank cheque and walking away. Your password and user logon are like your signature: they record that you went into the EMR and viewed, edited, etc. a given patient's information. Physicians should not share their password with their office manager or other staff. Instead, the trustee should review what access levels these individuals need so that they can adequately perform their work.

Leaving your password lying around, or walking away from your computer without logging off or locking it, is just like having shared your password with someone. You will be held responsible should any concerns arise with your logon and password when the system is audited.




8. I dislike having to lock or log off the computer when I leave the room. Do I really need to do this?

Yes, everyone needs to lock or log off the computer every time they move away from it or leave the patient's exam room. Leaving the EMR or any computer accessible to others who do not have a need to know the information leaves the door open for someone to access the information without authorization. If you were the last person logged onto the computer, any concerns that arise will need to be addressed with you and you will be held accountable.

HIPA requires that trustees and the individuals who work for them take reasonable measures to protect personal health information. Leaving a computer unlocked or logged on while not physically at it would be seen as NOT taking reasonable measures to protect this information.




9. Do I need to mask my patient’s personal health information?

Patients are able to limit the amount of personal health information that is collected, used or disclosed where express and implied consent is used. All of the approved vendors with the Saskatchewan EMR program have masking capabilities. They may have general and/or specific masking options. The only area that could not be masked is the patient’s registration information.

It is recommended that trustees utilize the masking capabilities of their EMR to meet patients' consent directives. There may be other alternatives to masking that trustees could speak with their patients about as well, such as doing regular audits and providing this information to the patient. The trustee needs to speak with the client to establish the reasons the patient wishes to mask his or her information. Patients also need to understand the risks and benefits of having their personal health information masked.

There is not a yes or no answer to this question. Trustees must take reasonable measures to manage a patient's consent directives; how they choose to do so would be subject to what alternatives are available to the trustee and the request of the patient. Please see the Resource Materials for more information (Managing Patient Consent and Masking).

Trustees functioning in a paper environment would have significantly less ability to mask the patient’s personal health information and audits relating to access are almost impossible. The trustee could speak to the client about their ability to seal their record.