Yukon Information and Privacy Commissioner
Compliance
The Information and Privacy Commissioner is responsible for overseeing how HIPMA is administered to ensure that its purposes are achieved, and may advise custodians and promote best practices.
Our office handles several types of compliance files under the Health Information and Privacy Management Act (HIPMA). These files include privacy impact assessments, privacy breach evaluations, and security threat risk assessments.
Privacy Impact Assessment
The only way for a public body to effectively assess and manage privacy risks for any project involving personal health information is to conduct a privacy impact assessment (PIA). Completing a PIA enables a custodian to identify any risks associated with the collection, use or disclosure of personal health information and ensure the information is properly managed in compliance with the HIPMA.
The value of having the Office of the Information and Privacy Commissioner (IPC) review a PIA is as follows:
- A custodian is able to draw on the experience of the IPC in interpreting and applying HIPMA.
- It enables the custodian to receive feedback from the IPC about whether the project poses risks to the privacy of information.
- It demonstrates the custodian's accountability for ensuring the risks to privacy associated with projects involving personal health information are being appropriately managed.
This checklist is to be used by public bodies when submitting privacy impact assessments to our office.
Privacy Breach
The most common privacy breach happens when personal health information of an individual, in the hands of a custodian, is mistakenly disclosed, lost or stolen, for example when a laptop or memory stick containing personal information is stolen, or when personal health information is mistakenly emailed to the wrong person. A privacy breach may also be the consequence of a faulty business procedure or an operational breakdown.
Security Threat Risk Assessment
A security threat risk assessment (STRA) is the overall activity of assessing and reporting security risks for a given information system to make risk-based decisions. Like a PIA, a STRA maps out the data flows for a given information system to identify security risks, but with a particular lens on technical vulnerabilities.
Examples might include risks to the confidentiality, integrity and availability of information stored in a system, as well as vulnerabilities related to malware, ransomware attacks, hacking, etc. HIPMA makes it mandatory for custodians to conduct a STRA and submit it to our office for review before carrying out personal identity services (also known as digital ID), integrated services, data-linking activities, information management services, or a significant change to any of the above-noted types of information systems. Evaluating STRAs requires a certain level of technical expertise.
Please download and submit the form below to request advice from the IPC.
Relevant FAQs
- Can my clients or patients request their personal health information from me?
Yes. Your clients or your patients have the right to examine or receive a copy of their personal health information that is in your custody or control. They can make this request under HIPMA but they must make it in writing unless you agree otherwise.
If you receive an application that is incomplete, you are required to offer assistance to the client or patient in completing it. This includes asking for more details to identify the personal health information requested.
If a client or patient has made a request under HIPMA and you don’t reply, or they are not satisfied with your reply, they can file a complaint with our Office.
- How much time do I have to provide a response to a request for personal health information?
You are required to process the request within 30 days unless meeting that timeline would seriously interfere with your operations or you need to consult with someone about the request. You can take more time but no more than an additional 60 days. In that case, you must give the client or your patient reasons for the delay and let them know when they can expect a response. You must also inform them that they can make a complaint to our Office.
If you do not respond to a request within the time limit, this is considered as a refusal to provide the information and the client or patient can file a complaint with us.
- Can I charge a fee for providing access to personal health information?
Yes. You may charge $9 for each 15 minutes spent processing a request for access to personal health information made by an individual. However, HIPMA prohibits you from charging this fee to the individual for the first two hours in each calendar year.
You may charge $0.25 for each photocopy you make or the actual cost of using another medium, such as a removable storage device, on which you provide a copy. You may also charge the actual cost of shipping the records to the person who requested them. You must provide an estimate of the fees if you are requested to do so.
You cannot charge for a record containing information about who has accessed personal health information that you have stored in an electronic information system. This record is referred to in HIPMA as a ‘record of user activity’.
You cannot charge for transferring an individual’s personal health information to a new health care provider who performs substantially similar functions as you if it is reasonable to expect you will no longer be providing health care to this individual.