Insight

Do You Know Your Obligations Regarding Patient’s Personal Health Information?

Protecting your patients’ personal health information is an important part of your practice

It is essential that you are informed. Under the Personal Health Information Protection Act (PHIPA) and the College’s Standard of Practice, it is ultimately your responsibility to ensure that you comply with your patients’ rights to access their information.  

Opticians have a legal duty to provide patients with access to their own health information 

Upon request by a patient, you must grant your patient access to all of their personal health information. This includes measurements such as pupillary distance or measurements taken for contact lenses. You must comply with this request within a reasonable time frame, and definitely within 30 days.  Here’s what you should know:

• Requests for information can be made verbally.  You can require these requests to be in writing – If a patient requests access verbally, the act shows that an optician “may” provide access, while if it is requested in writing, an optician “must” comply.
• You are not permitted to ask the patient why they want the information.
• You are permitted to charge a fee to the patient for access, but that fee cannot be more than ‘reasonable cost recovery’ such as photocopying, and you must first provide the patient with an estimate of the fee. 
• You can only refuse access to a patient if the refusal is permitted under section 52 of PHIPA.
• You are not permitted to refuse access to a patient because you believe that the patient may not fully understand the information, or may use it to purchase prescription eyewear from someone else or from an unregulated source.
• Personal health information includes any information gathered to provide the patient with their eyeglasses or contact lenses as well as the details of the appliance provided and payment made by the patient or a third party to purchase the appliance. Personal health information does not include laboratory or material costs.  

Personal health information is any patient information you collect

Under PHIPA, information you collect from a patient at any point in your relationship is considered personal health information. This includes a patient’s measurements such as pupillary distance and measurements taken to fit contact lenses, health insurance information, and any information the College’s Standards of Practice require you to document in a patient’s file.  

Opticians are Health Information Custodians which brings important responsibilities

Finding the right eyewear for a patient usually involves collecting personal health information. In doing so, you may become a Health Information Custodian (HIC), which makes you responsible for collecting, using and disclosing personal health information on behalf of your patients. As an HIC, you are also permitted to have “agents” that work with you. Agents can be anyone authorized, on your behalf, to ensure personal health information is handled appropriately. Even if you are not the HIC at your particular dispensary, it is likely that you are acting as an agent of the HIC.  

Your responsibilities as health information custodian don’t end when you leave a practice 

If you leave a practice for any reason, you still have a responsibility to your patients as a Health Information Custodian or their agent to make the necessary arrangements to transfer your patients’ records to the patient directly or to another optician or optometrist. It is also your responsibility to inform your patient of the transfer with as much notice as possible. 

Opticians have a duty to keep patient information safe and report any privacy breaches 

Opticians must take steps to keep patients’ personal health information safe from loss, theft or unauthorized disclosure. In the event of a privacy breach, the rules are clear: an optician must report that breach as soon as reasonably possible. A report must be made to:

•    Your patient
•    The College of Opticians of Ontario
•    The Information and Privacy Commissioner

It is crucial that this report contains as much information about the breach as possible and must be responded to in accordance with the Personal Health Information Protection Act.

To learn more information about PHIPA and the rights that you and your patients have, click here.