Frequently Asked Questions:
Personal Health Information Protection Act
9
• a registered massage therapist providing health care services to clients of
a spa and
• a nurse employed in-house by a manufacturing rm in a health care capacity.
A custodian cannot disclose personal health information to a non-custodian,
including the non-custodian for whom the individual is working, unless the
individual whose personal health information is at issue has given express
consent or the disclosure is permitted or required by PHIPA or another law.
For further information, please see the IPC fact sheet, Health Information
Custodians Working for Non-Health Information Custodians.
WHAT IS AN AGENT?
PHIPA denes an agent to include any person who is authorized by a custodian
to perform services or activities in respect of personal health information on the
custodian’s behalf and for the purposes of that custodian.
An agent may include a person or company that contracts with, is employed
by or volunteers for a custodian and, as a result, may have access to personal
health information. PHIPA permits custodians to provide personal health
information to their agents only if the custodian is permitted to collect, use,
disclose, retain or dispose of the information.
For example, an agency relationship under PHIPA includes a nurse who is
employed by, or a student who volunteers at, a hospital. An agency relationship
may also include a physician who is not employed by a hospital, but has
admitting privileges to use the hospital’s equipment or facilities. In such cases,
the custodian hospital is permitted to authorize the agent to handle or deal with
personal health information on its behalf, as long as the agent complies with
PHIPA and adopts the information practices of the custodian. An agent must
notify the custodian if the personal health information the agent is handling is
stolen, lost or accessed by unauthorized persons.
The custodian remains accountable for the personal health information in its
custody or under its control, even where the agent is authorized to act on its
behalf with respect to that personal health information. The custodian also
remains accountable for the personal health information in its custody or under
its control where the agent acted beyond what was authorized by the custodian.
For example, in Order HO-013, employees were found to be agents when they
used and/or disclosed personal health information in the custody or under the
control of a hospital for the purpose of selling or marketing Registered Education
Saving Plans. The custodian hospital was accountable for the contravention of
PHIPA, even though the agents may have acted beyond the authority delegated
by the hospital.
Is a health care
practitioner
working for a
non-custodian
considered to be a
custodian?