Am I a Custodian or an Affiliate? It's confusing!
The Health Information Act (HIA) is a provincial statute designed to protect the privacy of Albertans by providing the legal framework for the collection, use and disclosure of personally identifiable health information. Such information may relate to patient treatment, diagnostic and laboratory investigations, and registration information such as name, address, health-care number, etc.
The HIA designates "custodians" who are ultimately responsible for ensuring identifiable health information is collected, used and disclosed appropriately.
A custodian is an organization or entity defined in section 1(1)(f) of the HIA or designated in section 2 of the Health Information Regulation (reference here). Some examples of custodians include entities like Alberta Health Services (AHS), and regulated members of:
- the College of Physicians and Surgeons of Alberta;
- the Alberta Dental Association and College; and
- the College of Registered Dental Hygienists of Alberta.
Being a custodian comes with responsibilities
A custodian must have written policies and procedures describing how they handle information and how their affiliates will also have access to and use information. Custodians are responsible for submitting Privacy Impact Assessments to the Alberta Office of the Information & Privacy Commissioner (OIPC) when needed, and for entering into Information Management Agreements (IMAs) with third parties who manage identifiable patient health information. For example, an IMA would be required with a third-party software vendor for use of a non-AHS electronic medical record. A custodian would also be responsible for having a policy and procedure for investigating privacy breaches, and notifying the Minister of Health per section 60.1 of the HIA. Ultimately, a custodian may be subject to financial penalties under the HIA for a privacy breach, including a breach by an affiliate, if reasonable safeguards in preventing a breach are not in place.
Duties of a custodian include:
- Duty to collect, use or disclose health information with highest degree of anonymity possible
- Duty to collect, use or disclose health information in a limited manner
- Duty to protect health information
- Duty to notify:
- In accordance with the regulations and subsection (3), the custodian must as soon as practicable give notice of any loss of individually identifying health information or any unauthorized access to or disclosure of individually identifying health information in the custody or control of the custodian, if there is a risk of harm to an individual as a result of the loss or unauthorized access or disclosure.
- Duty to ensure accuracy of health information
- Duty to identify responsible affiliates
- Duty to establish or adopt policies and procedures
- Duty to prepare privacy impact assessments
Who are affiliates?
Under the HIA, an affiliate is:
- an individual employed by a custodian,
- a person who performs a service for a custodian as an appointee, volunteer or student,
- a person who performs a service for a custodian under a contract or agency relationship with the custodian,
- a health services provider who is exercising the right to admit and treat patients at a hospital as defined in the Hospitals Act,
- an information manager as defined by the HIA, or
- a person who is designated under the regulations to be an affiliate.
Under the HIA, an affiliate of a custodian must not use health information in any manner that is not in accordance with the affiliate's duties to the custodian and must follow any policies and procedures of that said custodian.
So what am I?
In some instances you will be an affiliate, but in some you may be a custodian.
You are functioning as an affiliate, for example, if you:
- are a learner. The custodian may be AHS, Alberta Health or your preceptor, depending on the setting of the health service being provided;
- are delivering health services in an AHS or Covenant Health hospital. AHS or Covenant would be the custodian; or
- use an AHS clinical information system (CIS) such as eClinician or Connect Care.
Please note that the University is currently in the process of defining custodianship within the School of Dentistry. Stay tuned for a future Get HIP! issue that will highlight how to know if you are a custodian or affiliate within that context.
Some examples in which you would be a custodian include, but are not limited to:
- using Alberta Netcare from your own non-AHS, non-Covenant Health office for patients seen in a non-AHS, non-Covenant facility (i.e. patients that are seen in your "private" office); Remember: self-access to your own health information via Netcare is not allowed as per Netcare policy.
- having your own "private" office / clinic to deliver health services;
- using a non-AHS electronic medical record; or
- being responsible for the custody and control of paper charts that contain identifiable patient information.
The University of Alberta Faculty of Medicine & Dentistry (FoMD) has policies and procedures that you may use and adopt when you are a custodian.
References
Health Information, A personal Matter: A practical guide to the Health Information Act
Resources
FoMD Informatics website - Privacy and Security