General Privacy Compliance

The Rule: A brief summary of the key requirements of the law.
What You Need To Do: A brief summary of the key tasks that you must perform to comply with the law.
What You Should Do: Recommended best practices for you to consider implementing.
Related Sections of the Act: A list of the sections of the Act discussed in the section, should you want to refer directly to the Act for more information.
Checklists, Templates and Tools: Tools to help you perform the tasks.
To support your understanding of the content, there is a Glossary and Index at the end.

Overview

Health privacy and information security Acts regulate how you collect, use, retain, transfer, disclose, provide access to and dispose of patients’ personal health information.
These Regulations have a number of purposes:

  • to establish rules for the collection, use and disclosure of personal health information that protect the confidentiality of that information and the privacy of individuals, while facilitating the effective provision of health care,
  • with a few limited and specific exceptions, to provide individuals with a right to access and correct their personal health information,
  • to provide for independent review and resolution of complaints about personal health information, and
  • to provide effective remedies for contraventions of the Act.

Application and Scope

Health regulation applies to a variety of organizations and individuals within the health care sector. These organizations and individuals are called health information custodians, and include hospitals and health care practitioners. Health regulation also applies to agents, who can be either organizations or individuals, and who are authorized to act for or on a health information custodian’s behalf. The Act regulates how health information custodians and their agents may collect, use, retain, transfer, disclose, provide access to and dispose of patients’ personal health information. See the Glossary for a definition of the italicized terms.
This website uses the term “you” for the sake of clarity and brevity. The terms “you” and “your” describe the legal obligations of:

  • hospitals, who are health information custodians, and who have a broad institutional responsibility for privacy compliance,
  • physicians, who are health information custodians when operating their own private practice within a hospital (i.e., when they rent out office space at a hospital) and who are agents when acting for a hospital (i.e., when they treat patients in the hospital and contribute to patients’ health records in that regard), and who have individual responsibility for privacy compliance, and
  • hospital professional staff members, administrative staff members, students and volunteers, who are agents of the hospital, and who also have individual responsibility for privacy compliance.

Each of these organizations and individuals (i.e., you) must make efforts (to the extent reasonable given the circumstances) to fulfil the key tasks described in this website, and to protect patients’ privacy and the confidentiality of their personal health information.

This website uses the term “patient” for the sake of clarity and brevity. The term “patient” should be read to include all individuals about whom you collect, use and disclose personal health information.