How can you protect your patient's health information?
An individual’s health information is one of the most sensitive forms of personal information.
This information is collected primarily for reasons connected with patient care. Health information may be used for a number of other reasons including financial reimbursement, medical education, research, social services, quality assurance, risk management, public health regulation, litigation, and commercial purposes.
Privacy is a major concern for physicians. The increased availability of patient records in electronic format has led to concerns about the potential misuse of personal information for purposes other than direct patient care. Without confidence that their privacy will be maintained, patients may refrain from disclosing critical information, may refuse to provide their consent to use personal health information for research purposes, or may simply not seek treatment.
How can I create a Privacy Policy?
EMR Privacy Resources
The SMA, in conjunction with its partners in the EMR Program, the Ministry of Health and eHealth Saskatchewan, and in consultation with the College of Physicians and Surgeons of Saskatchewan (CPSS) have developed privacy and security resources to assist physicians and their staff with implementing EMR policies and procedures to meet the expectations of HIPA and the CPSS Bylaw 23.
**HIPA legislation has been updated and a new version of the document is under review.
Steps to create a Privacy Policy
- Download sample policy for either a sole or group practice.
- Save the document with your clinic name.
- Remove the dates in the header.
- Remove the logos from the footer.
- Add page numbers.
- Change the name of the clinic and physician throughout the document.
- Amend the policies to reflect your clinic’s information.
- Read through the revised Policy Manual to make necessary changes.
Additional Templates:
- Highlights of the Privacy and Security Resource Materials (PDF)
- Steps for Creating a Policy Manual (PDF)
- EMR Program - Privacy and Security Policy and Procedure Requirements Checklist (PDF)
- EMR Program - Privacy and Security Policy Required Actions Checklist (PDF)
- Privacy and Security Reference Manual: Requirements and Good Practices for Protecting Personal Health Information (PDF)
- Forms and Letters (.doc)
- Agreements (.doc)
- Checklists (.doc)
- Privacy Poster
10 Privacy Principles
This section sets out organizations’ responsibilities for each of the 10 fair information principles. It outlines how to fulfill these responsibilities and offers some tips.
Principle 1 - Accountability
An organization is responsible for personal information under its control. It must appoint someone to be accountable for its compliance with these fair information principles.
Principle 2 - Identifying Purposes
The purposes for which the personal information is being collected must be identified by the organization before or at the time of collection.
Principle 3 - Consent
The knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate.
Principle 4 - Limiting Collection
The collection of personal information must be limited to that which is needed for the purposes identified by the organization. Information must be collected by fair and lawful means.
Principle 5 - Limiting Use, Disclosure, and Retention
Unless the individual consents otherwise or it is required by law, personal information can only be used or disclosed for the purposes for which it was collected. Personal information must only be kept as long as required to serve those purposes.
Principle 6 - Accuracy
Personal information must be as accurate, complete, and up-to-date as possible in order to properly satisfy the purposes for which it is to be used.
Principle 7 - Safeguards
Personal information must be protected by appropriate security relative to the sensitivity of the information.
Principle 8 - Openness
An organization must make detailed information about its policies and practices relating to the management of personal information publicly and readily available.
Principle 9 - Individual Access
Upon request, an individual must be informed of the existence, use, and disclosure of their personal information and be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.
Principle 10 - Challenging Compliance
An individual shall be able to challenge an organization’s compliance with the above principles. Their challenge should be addressed to the person accountable for the organization’s compliance with PIPEDA, usually their Chief Privacy Officer.