Privacy & Personal Health Information
Under the Personal Health Information Protection Act (PHIPA), midwives are responsible for safeguarding personal health information (PHI).
PHI includes oral, written or electronic information or communication about:
- someone’s physical or mental health or family health history;
- the provision of health care, the fact that someone is receiving care from particular care providers (e.g., a client list), and payment for health care;
- the individual’s health number and laboratory requisitions;
- their substitute decision-maker; and
- any other information about an individual that is included in a record containing personal health information.
The Act does not apply to information about an individual, if the information could not reasonably be used to identify the individual.
As health information custodians, midwives are responsible for protecting PHI against unauthorized use or disclosure, loss or theft; notifying a client if their information is accessed inappropriately, lost or stolen; ensuring that records are accurate and complete; and storing, transferring and disposing of records in a secure manner. To comply with PHIPA, midwives need to:
- Understand their obligations under PHIPA (see this FAQ on the Personal Health Information Protection Act).
- Be familiar with the CMO Guide on Compliance with Personal Health Information Protection Act.
- Designate a privacy officer for anyone to contact with concerns.
- Develop an information and privacy statement that describes how and why PHI is collected and shared and who to contact if clients have concerns. See these sample protocols for examples.
- Ensure proper consent or authorization before disclosing PHI to child protection agencies, the Coroner, or police. Consent is not required to enter information in BORN.
- Have all midwives, students, staff, volunteers, and contractors (e.g., cleaning staff, IT consultant) sign a confidentiality agreement (access a template confidentiality agreement under the Human Resources and General Office tab on this page).
- Assess the office layout: are charts and clinical documents locked up and inaccessible to clients and the public? Do computer screens face away from clients (e.g., reception)?
- Pause to think about the implications of loss and how PHI can be kept secure before carrying it out of the clinic. Take the least amount of PHI needed to provide care: is anything needed? Which parts of the chart are needed? Could this just include the client’s contact info and their due date on the client list?
- If there has been a breach (e.g., records lost, inappropriate access, theft), practices can contact the AOM’s Quality and Risk Management team. Depending on the severity of the breach, there may also be a need to report it in a timely manner to the Information and Privacy Commissioner and HIROC for support in disclosing the breach to clients and working to prevent future breaches.
- Starting with the year 2018, ALL MPGs must submit an annual report of all incidents where PHI was compromised to the IPC. Practice groups should have a system to track these incidents as they happen, such as this template from the OHA.
- Implement safeguards to prevent privacy breaches in electronic records (e.g., texting, emailing, electronic intake forms, electronic health records).
Webinar: Privacy Concerns and Solutions for Hardcopy and Paper Users (coming soon to our online store!)
Presented by Sharon Swift, RM and lawyer Judith Goldstein from the Office of the Information and Privacy Commissioner.
Webinar: Privacy in the Electronic Practice Environment (coming soon to our online store!)
Presented by Lucia D’Amore, RM and electronic health privacy consultant Blair Witzel.