Am I a Health Information Custodian or Agent?

Downloads

PDF file Am I a Health Information Custodian or Agent Decision Tree

Am I a Health Information Custodian or Agent?

Am I a Health Information Custodian or Agent?

Occupational therapists need to collect, use, and disclose personal health information (PHI) about their clients to carry out their own work, and complete and retain records according to applicable privacy laws and organization-specific policies and procedures. For more information about privacy legislation, refer to COTO’s guidance document on Privacy Legislation and Occupational Therapy Practice.

As defined in PHIPA (s. 3 [1]), a “health information custodian” (HIC) is an individual or organization that has “custody or control of personal health information” because of their professional role and/or responsibilities. Under PHIPA, “an agent” is a person who is authorized to perform services or activities on behalf of a health information custodian (HIC).

The following decision tree can help occupational therapists determine if they are a HIC or agent.

Process Description

Question 1

Do you collect, use, or disclose personal health information (PHI) in the course of providing occupational therapy or supporting other health care services?

  • If yes, proceed to Question 2.
  • If no, you are neither a health information custodian (HIC) nor an agent.

Question 2

Do you work for or on behalf of a health organization, clinic, or health care provider, and follow their instructions and policies regarding how to handle personal health information (PHI)?

  • If yes, proceed to Question 3.
  • If no, skip to Question 4.

Question 3

Do you have independent authority over how personal health information (PHI) is collected, used, or disclosed (for example: policies, storage, access)?

  • If yes, you are likely the health information custodian (HIC).
  • If no, you are likely the agent.

Question 4

Do you work in your own private practice or as independent contractor, where you store and respond to clients requesting access or correction to the record?

  • If yes, you are likely the health information custodian (HIC).
  • If no, proceed to Question 5.

Question 5

Are you contracted or employed by a health information custodian (HIC) to perform services involving PHI?

  • You are likely the agent.

Note: Other privacy laws may apply depending on whether
(1) the services provided (such as workplace evaluations or independent assessments) are considered healthcare or non- healthcare; and
(2) the type of organization through which services are funded or delivered (municipal, provincial, or federal government or services to Indigenous communities). OTs should familiarize themselves with the privacy laws applicable to their practice to determine who is the custodian of the information.