Yukon Information and Privacy Commissioner
Frequently Asked Questions
- What is a custodian?
‘Custodian’ is a key term in HIPMA. This is an authorized person who may collect, use and disclose personal health information only in accordance with the legislation. Custodians include most health care providers, operators of hospitals and health facilities, the Yukon Government Department of Health and Social Services, the Department of Community Services Yukon Emergency Medical Services program, the Kwanlin Dun First Nation Health Centre, the Many Rivers Counselling and Support Services Society, and the Child Development Centre.
‘Health care providers’ are also defined. They include physicians, nurses, pharmacists, chiropractors, optometrists, dentists and related professionals, psychologists, occupational therapists, midwives, naturopaths, and speech language pathologists, as well as individuals defined in the Health Professions Act, such as physiotherapists.
‘Health facility’ is a defined term and includes medical clinics, community health centres, dental clinics, medical laboratories, specimen collection centres, pharmacies, nursing homes and other continuing or long-term care facilities.
- Do I have the right to access my personal health information?
Yes. Under HIPMA, you have the right to access your personal health information held by a custodian (see ‘What is a custodian?’).
Personal health information includes:
- information related to your health or health care provided to you;
- records of payments for your health care;
- information related to your donation of body parts, tissue or bodily substances; and
- information about testing or examinations that you have undergone.
- What is a ‘record of user activity’?
Electronic information systems used by custodians should have a ‘user-based’ capability to track access to any information within that system. This means that the system can differentiate between users, usually by the login credentials assigned to each user. Every time a custodian or one of their employees accesses your personal health information, they must each use their own login and the system records this access.
A ‘record of user activity’ is the record generated by the system that identifies who has accessed your personal health information. HIPMA gives you the right to request access to this record and the custodian is not allowed to charge you a fee to provide you with it.
You would request access to a record of user activity from a custodian in the same way you would request access to other personal health information from them (see ‘How do I request access to my personal health information?’).
- How do I request access to my personal health information?
HIPMA allows you to view or receive a copy of your personal health information.
You can do this by making a request to the custodian who has your personal health information. This request should be in writing unless the custodian agrees otherwise.
A custodian may refuse to grant you access to your personal health information if the request is deemed to be frivolous or vexatious.
You may wish to keep a copy of your request letter and any response from the custodian in case you are not satisfied with the information that you receive and want to make a complaint to our Office.
- How much does it cost to have access to my personal health information?
The first two hours that a custodian spends in any calendar year responding to your request to access your personal health information is free. After that, they may charge $9 for each 15 minutes.
If a copy of your information is printed or photocopied, the custodian may charge you $0.25 for each page and they may charge the actual cost of using another medium, such as a removable storage device. They may also charge you the cost of shipping or delivering the records to you.
You may ask for an estimate of the total fee in advance.
A custodian is not allowed to charge you for a record containing information about who has accessed your personal health information in an electronic information system (see ‘What is a record of user activity?’).
If it is expected that a custodian will no longer provide you with care and you request them to transfer your personal health information to a new health care provider, then the custodian is not allowed to charge you for this transfer.
- When will I get an answer in response to my request for access?
A custodian is normally required to process your request for access to your personal health information in 30 days or less. However, sometimes compiling the information will take a significant amount of work. In that case, the custodian may take up to a maximum of 60 days as long as they give you reasons for the delay and let you know when you can expect a response.
If you do not receive a response by the deadline indicated by the custodian, you can make a complaint to our Office (see ‘How can I make a complaint to the Office of the Information and Privacy Commissioner?’).
- What if I am not satisfied with the response of the custodian?
A custodian can refuse all or part of your request to access your personal health information. However, they must provide you with reasons for the refusal.
If your request is refused, partially refused, or not answered in time, you may file a complaint with our Office (see ‘How do I make a complaint to the Office of the Information and Privacy Commissioner?’).
If you believe that a custodian has applied HIPMA incorrectly in refusing access and has, therefore, not complied with HIPMA, you have 60 days to file a complaint with our Office from the date of the alleged non-compliance. We do not charge any fees to investigate your complaint.
- What can I do if I believe my personal health information contains an error or is incomplete?
You have the right to request a correction to your personal health information. You should make this request in writing to the custodian. On receipt of your request, a custodian has 30 days to respond. If providing a response will seriously interfere with the operations of the custodian, they can take an extra 15 days as long as they give reasons for the delay and let you know when you can expect a response.
The custodian will either make the requested correction to your record or refuse to do so. If they refuse, you can have a statement of disagreement added to your record and you may make a complaint to our Office. The statement of disagreement is a short note written by you that explains the requested correction and your reasons for it.
A custodian is not required to make a correction or to add a statement of disagreement to a ‘good faith’ professional opinion, or if the requested correction is deemed to be of a repetitious, frivolous, or vexatious nature.
A custodian is not allowed to charge you a fee for correcting your record or adding a statement of disagreement.
If you believe the custodian has not followed HIPMA in managing your request for correction, you can make a complaint to our Office (see ‘How do I make a complaint to the Office of the Information and Privacy Commissioner?’).
- What if I am concerned about the privacy of my personal health information?
Custodians are required to protect personal health information by applying information practices that include adequate administrative policies, as well as technical and physical safeguards, that ensure the confidentiality, security and integrity of your information within their custody or control.
Custodians must also take measures to limit the collection, use, and disclosure of your personal health information. They must prevent breaches of the privacy of this information, and they must ensure that this information is securely stored, disposed of or destroyed. If you are concerned that a custodian is improperly protecting your personal health information or you are aware that a breach of your privacy has occurred, you may make a complaint to our Office (see ‘How do I make a complaint to the Office of the Information and Privacy Commissioner?’).
If you are concerned that someone has improperly accessed your personal health information stored in an electronic health information system, you may request a record from the custodian that shows who has accessed this information (see ‘What is a record of user activity?’). There is no cost for a copy of this record (see ‘How much does it cost to request health information?’).
- What are the rules about my Yukon Public Health Care Insurance Plan (YHCIP) number and card?
HIPMA, together with its Health Information General Regulation, prohibit any person from collecting, using or disclosing your YHCIP card and number except in the following limited and specified circumstances.
Your YHCIP number may only be collected, used or disclosed:
- for health care related purposes including the provision of health care, for health research or an investigation, for a purpose related to the Yukon Health Information Network, for a proceeding, and by the Canadian Institute for Health Information, or similar body if there is an agreement authorizing use of the number;
- by a person who is processing a payment for a life, health or disability insurance policy, or administrating a matter under the Workers’ Compensation Act, the Jury Act, the Coroners Act or the Occupational Health and Safety Act if the collection, use or disclosure is necessary;
- by any person, except a public body, for the purpose of determining before 2018 if you are a resident of Yukon; and
- by an election officer who may only collect and use the number to verify your identity and to determine if you are a resident of Yukon.
The production of your YHCIP card may be requested:
- by a custodian or their agent to provide you with health care;
- by the Department of Highways and Public Works Motor Vehicles program if the purpose of collection and use is for the purposes of your organ donation;
- by an election officer in relation to their collection and use of your number; and
- by any person, except a public body, who may collect and use your YHCIP number for the purpose of determining if you are a resident of Yukon if the collection and use is before 2018.
- How do I make a HIPMA complaint to the Office of the IPC?
If you reasonably believe that a custodian has not complied with HIPMA, you can make a complaint to our Office by completing and submitting a ‘Review/ Complaint Form’.
This form can be found by clicking here.
You can also obtain the form by contacting us as follows.
Office of the Information and Privacy Commissioner
3162 Third Avenue, Main Floor
Whitehorse, Yukon Y1A 1G3
Phone: 867-667-8468
Toll free: 1-800-661-0408 ext. 8468
The Office is open between 8:30 A.M. and 4:30 P.M. from Monday to Friday.
- What happens when I file a HIPMA complaint?
When we receive your complaint, we will:
- notify the custodian about the complaint, and
- provide you and the custodian with a summary of the complaint, as well as a summary of the procedure we will use to consider the complaint.
Our Office will work with you and the custodian to settle the complaint informally. If this is not possible, the Information and Privacy Commissioner (IPC) may conduct a hearing. Under HIPMA, this is called a ‘consideration’. Following a consideration, the IPC will generate a report with her findings and recommendations. Both you and the custodian will receive a copy of the report.
The IPC may refuse to consider your complaint for a number of reasons. For example, it may be trivial or has already been dealt with. In that case, the IPC will inform you of the reasons for her refusal.
- What if the custodian does not follow the recommendations of the IPC?
If the custodian decides not to follow the recommendations of the Information and Privacy Commissioner (IPC) or agrees to follow them but has not done so within a reasonable time, you may appeal to the Yukon Supreme Court. You must initiate your appeal within six months after the IPC’s report is issued.
- Is the Information and Privacy Commissioner part of government?
No, the Information and Privacy Commissioner (IPC) is an independent officer of the Yukon Legislative Assembly and is, therefore, not part of the Yukon government.
In Yukon, the IPC is the same person as the Ombudsman and the Public Interest Disclosure Commissioner. Click on each role for more information.
The IPC is responsible for monitoring compliance with the Health Information Privacy and Management Act (HIPMA) and the Access to Information and Protection of Privacy Act (ATIPP).
ATIPP applies to Yukon public bodies, such as Yukon government departments. HIPMA applies to custodians (see ‘What is a custodian?’). For more information about HIPMA see the HIPMA FAQ section.
The IPC has a number of responsibilities under these Acts and has broad authority to investigate complaints made, including the power to compel production of records and witnesses. Under ATIPP and HIPMA, the IPC also has adjudicative authority which means her office can make findings of fact and law that are binding on public bodies and custodians subject to the Acts.
- Where can I get more information?
For any questions about your rights and custodians’ responsibilities under HIPMA, please contact us.
Office of the Information and Privacy Commissioner
3162 Third Avenue, Main Floor
Whitehorse, Yukon, Y1A 1G3
Ph: 867-667-8468
Toll free: 1-800-661-0408 ext. 8468The Office is open between 8:30 A.M. and 4:30 P.M. from Monday to Friday.
- Can my clients or patients request their personal health information from me?
Yes. Your clients or your patients have the right to examine or receive a copy of their personal health information that is in your custody or control. They can make this request under HIPMA but they must make it in writing unless you agree otherwise.
If you receive an application that is incomplete, you are required to offer assistance to the client or patient in completing it. This includes asking for more details to identify the personal health information requested.
If, after having made a request under HIPMA, you don’t reply or the client or patient is not satisfied with your reply, they can file a complaint with our Office.
- How much time do I have to provide a response to a request for personal health information?
You are required to process the request within 30 days unless meeting that timeline would seriously interfere with your operations or you need to consult with someone about the request. You can take more time but no more than an additional 60 days. In that case, you must give the client or your patient reasons for the delay and let them know when they can expect a response. You must also inform them that they can make a complaint to our Office.
If you do not respond to a request within the time limit, this is considered as a refusal to provide the information and the client or patient can file a complaint with us.