Yukon Information and Privacy Commissioner
I Have Concerns about Privacy Under HIPMA
- What is personal health information?
- How is the privacy of my personal health information protected?
- What can I do if I am concerned about the privacy of my health information?
- What if I work for a custodian and I am concerned they are violating the HIPMA?
- Are there penalties for violating HIPMA?
- What is the role of the Information and Privacy Commissioner (IPC)?
- How do I make a complaint?
- Is there a fee to make a complaint?
- What if my complaint is about my request to access my personal health information from a custodian?
What is personal health information?
Personal health information includes, among other things:
- information about your health including information in medical records or files,
- information about health care you have received,
- records of payments for your health care,
- information about testing or examinations you have undergone,
- information about your donation of a body part, tissue, or bodily substance, and
How is the privacy of my personal health information protected?
HIPMA requires custodians to protect the privacy of your personal health information. They are required to limit the collection, use and disclosure of your personal health information, and to implement information management practices, including policies, that ensure the confidentiality, security and integrity of any personal health information they hold. They must also establish retention policies and ensure personal health information is securely disposed of or destroyed when the retention period expires. A custodian is required to make public a statement about their information practices. They must also identify a contact individual who is responsible for receiving and responding to complaints and requests for access.
What can I do if I am concerned about the privacy of my health information?
HIPMA allows an individual to make a complaint about any violation of HIPMA by a custodian. If you reasonably believe that a custodian has violated the HIPMA, you may make a complaint to the Information and Privacy Commissioner (IPC). You can make a complaint about such things as:
- Collection: There are rules that govern who can collect your personal health information, how they can collect it, and when and how you must be informed about the collection.
- Use: There are rules that govern how a custodian can use your personal health information, which can be with or without your consent.
- Disclosure: There are rules about when a custodian can disclose your personal information, which can also be with or without your consent.
- Information Practices: There are rules that require custodians to implement effective information management practices to guard against a breach of personal health information.
- Security Breaches: There are rules a custodian must follow, including that you must be notified, when your personal health information is breached and you are at risk of significant harm as a result. A security breach (sometimes called a privacy breach in HIPMA) means the theft, loss or disposition, or disclosure or access of your personal health information contrary to the requirements of HIPMA.
- Consent: There are rules a custodian must follow when obtaining consent under HIPMA to ensure the consent is valid, including rules about who can be your substitute decision maker.
- Yukon Health Information Network (YHIN): There are rules custodians must follow in establishing and accessing the YHIN, including rules about the masking of an individual’s personal health information to prevent unauthorized access to it.
You can also make a complaint to the IPC if you are concerned someone has accessed your personal health information in an electronic information system inappropriately. Before doing so, you may wish to request a ‘record of user activity’ from the custodian that shows who accessed your information. Contact the custodian for information about how to request a record of user activity. A custodian is not allowed to charge you for providing you with a copy of this record.
What if I work for a custodian and I am concerned they are violating the HIPMA?
HIPMA has built-in protections for whistleblowers. Specifically, HIPMA prohibits any person from dismissing, suspending, demoting, disciplining, harassing or disadvantaging a person in any way if the person, acting in good faith, informs the IPC about a violation or anticipated violation of HIPMA or refuses to participate in a contravention of HIPMA.
The Public Interest Disclosure of Wrongdoing Act (PIDWA) can also protect a whistleblower who is an employee of a public entity if the violation of HIPMA amounts to a wrongdoing. PIDWA also includes robust reprisal protection.
Are there penalties for violating HIPMA?
Yes, HIPMA has broad offence provisions. Any person who knowingly violates HIPMA or the regulations “is guilty of an offence.” There have been a number of successful prosecutions across Canada involving custodians and their agents who were found to have violated health information privacy laws.
What is the role of the Information and Privacy Commissioner (IPC)?
If your complaint cannot be resolved informally, the Information and Privacy Commissioner will conduct a hearing. Most hearings are conducted in writing by way of the parties making submissions. Following a hearing, the IPC will issue a report with her findings and any appropriate recommendations to remedy any noncompliance with HIPMA. Both you and the custodian will receive a copy of the report.
Summaries of reports will be published on our website. As well, the IPC may choose to publish the entire report. Any personal or health information will be removed from the report before it is published.
How do I make a complaint?
To make a complaint, complete the Request for Review/Complaint Form and submit it to our office.
Forms can be found on our website.
You can also obtain the form by contacting our Office at:
Office of the Information and Privacy Commissioner
Suite 201-211 Hawkins Street
Whitehorse, Yukon Y1A 1X3
Phone: 867 667-8468
Toll free: 1-800-661-0406 ext. 8468
Is there a fee to make a complaint?
There is no fee for our services.
What if my complaint is about my request to access my personal health information from a custodian?
Please visit our Access Concerns page for details.
- What is a custodian?
‘Custodian’ is a key term in HIPMA. This is an authorized person who may collect, use and disclose personal health information only in accordance with the legislation. Custodians include most health care providers, operators of hospitals and health facilities, the Yukon Government Department of Health and Social Services, the Department of Community Services Yukon Emergency Medical Services program, the Kwanlin Dun First Nation Health Centre, the Many Rivers Counselling and Support Services Society, and the Child Development Centre.
‘Health care providers’ are also defined. They include physicians, nurses, pharmacists, chiropractors, optometrists, dentists and related professionals, psychologists, occupational therapists, midwives, naturopaths, and speech language pathologists, as well as individuals defined in the Health Professions Act, such as physiotherapists.
‘Health facility’ is a defined term and includes medical clinics, community health centres, dental clinics, medical laboratories, specimen collection centres, pharmacies, nursing homes and other continuing or long-term care facilities.
- Do I have the right to access my personal health information?
Yes. Under HIPMA, you have the right to access your personal health information held by a custodian (see ‘What is a custodian?’).
Personal health information includes:
- information related to your health or health care provided to you;
- records of payments for your health care;
- information related to your donation of body parts, tissue or bodily substances; and
- information about testing or examinations that you have undergone.
- What is a ‘record of user activity’?
Electronic information systems used by custodians should have a ‘user-based’ capability to track access to any information within that system. This means that the system can differentiate between users, usually by the login credentials assigned to each user. Every time a custodian or one of their employees accesses your personal health information, they must each use their own login and the system records this access.
A ‘record of user activity’ is the record generated by the system that identifies who has accessed your personal health information. HIPMA gives you the right to request access to this record and the custodian is not allowed to charge you a fee to provide you with it.
You would request access to a record of user activity from a custodian in the same way you would request access to other personal health information from them (see ‘How do I request access to my personal health information?’).