Yukon Ombudsman Yukon Information and Privacy Commissioner Yukon Public Interest Disclosure Commissioner

Yukon Information and Privacy Commissioner

Frequently Asked Questions

These FAQs are intended for administrative purposes only, are not intended as a substitute for legal advice, and are not binding on the Information and Privacy Commissioner. For the exact wording and interpretation of HIPMA please read  the Act  in its entirety. 

What is a custodian?

 ‘Custodian’ is a key term in HIPMA.  This is an authorized person who may collect, use and disclose personal health information only in accordance with the legislation.  Custodians include most health care providers, operators of hospitals and health facilities, the Yukon Government Department of Health and Social Services, the Department of Community Services Yukon Emergency Medical Services program, the Kwanlin Dun First Nation Health Centre, the Many Rivers Counselling and Support Services Society, and the Child Development Centre.

‘Health care providers’ are also defined.  They include physicians, nurses, pharmacists, chiropractors, optometrists, dentists and related professionals, psychologists, occupational therapists, midwives, naturopaths, and speech language pathologists, as well as individuals defined in the Health Professions Act, such as physiotherapists.

‘Health facility’ is a defined term and includes medical clinics, community health centres, dental clinics, medical laboratories, specimen collection centres, pharmacies, nursing homes and other continuing or long-term care facilities. 

What is a ‘record of user activity’?

Electronic information systems used by custodians should have a ‘user-based’ capability to track access to any information within that system.  This means that the system can differentiate between users, usually by the login credentials assigned to each user.  Every time a custodian or one of their employees accesses your personal health information, they must each use their own login and the system records this access.

A ‘record of user activity’ is the record generated by the system that identifies who has accessed your personal health information.  HIPMA gives you the right to request access to this record and the custodian is not allowed to charge you a fee to provide you with it.

You would request access to a record of user activity from a custodian in the same way you would request access to other personal health information from them (see ‘How do I request access to my personal health information?’).

Where can I get more information?

For any questions about your rights and custodians’ responsibilities under HIPMA, please contact us.

Office of the Information and Privacy Commissioner
Suite 201, 211 Hawkins Street
Whitehorse, Yukon, Y1A 1X3
Ph: 867-667-8468 
Toll free: 1-800-661-0408 ext. 8468

The Office is open between 8:30 A.M. and 4:30 P.M. from Monday to Friday.

Can my clients or patients request their personal health information from me?

Yes.  Your clients or your patients have the right to examine or receive a copy of their personal health information that is in your custody or control.  They can make this request under HIPMA but they must make it in writing unless you agree otherwise.

If you receive an application that is incomplete, you are required to offer assistance to the client or patient in completing it.  This includes asking for more details to identify the personal health information requested.

If, after having made a request under HIPMA, you don’t reply or the client or patient is not satisfied with your reply, they can file a complaint with our Office.

How much time do I have to provide a response to a request for personal health information?

You are required to process the request within 30 days unless meeting that timeline would seriously interfere with your operations or you need to consult with someone about the request.  You can take more time but no more than an additional 60 days.  In that case, you must give the client or your patient reasons for the delay and let them know when they can expect a response.  You must also inform them that they can make a complaint to our Office.

If you do not respond to a request within the time limit, this is considered as a refusal to provide the information and the client or patient can file a complaint with us.

Can I charge a fee for providing access to personal health information?

Yes.  You may charge $9 for each 15 minutes spent processing an access to personal health information request made by an individual.  However, HIPMA restricts you from charging this fee to the individual for the first two hours each calendar year.

You may charge $0.25 for each photocopy you make or the actual cost of using another medium, such as a removable storage device, on which you provide a copy.  You may also charge the actual cost of shipping the records to the person who requested them.  You must provide an estimate of the fees if you are requested to do so.

You cannot charge for a record containing information about who has accessed personal health information that you have stored in an electronic information system.  This record is referred to in HIPMA as a ‘record of user activity’.

You cannot charge for transferring an individual’s personal health information to a new health care provider who performs substantially similar functions as you if it is reasonable to expect you will no longer be providing health care to this individual.

How do I properly respond to a request for health information?

When you receive a request, you must do one of the following:

  1. make the personal health information available for examination at your office,
  2. provide a copy of the personal health information, or
  3. inform the client or patient that you are refusing to allow access to the information and provide your reasons for doing so.

At times, you may have legitimate reasons not to release a record or certain information within it.  If there is a legitimate reason to refuse access under HIPMA, you are still required to grant access to as much of the record as possible.  This means you may sever the information in question and provide the remaining record to the person who requested it.

If your client or patient asks, you must help to clarify any word in the record that is unintelligible and explain any term, code, or abbreviation.

What happens if a complaint is filed about my response to a request?

If your client or patient files a complaint with our Office in relation to your handling of their access to personal health information request, the Information and Privacy Commissioner (IPC) may consider or refuse to consider the complaint.  If she agrees to consider it, then someone from our Office will contact you to provide a summary of the complaint, as well as a summary of the procedure we will use to consider it.

Our Office’s first approach will always be to try and resolve the complaint informally.  When this fails, the IPC will consider the complaint formally.  This means she will conduct a formal adjudicative hearing that requires the participation of all parties.  Most hearings are conducted in writing by way of submissions.

At the conclusion of the hearing, called a ‘consideration’, the IPC will issue her report containing her findings of fact and law, and recommendations she deems appropriate to remedy any non-compliance with HIPMA she may find.  She will then distribute her report to you and the complainant.  She also has authority to distribute the report to other persons including professional licensing bodies.

The IPC may publish her entire report but must, at minimum, publish a summary of it.  The report cannot be published until the appeal period in respect of the report has expired.  HIPMA identifies the appeal period as six months from the issuance of the report.

What do I do if I receive recommendations from the Information and Privacy Commissioner?

When you receive recommendations from the Information and Privacy Commissioner (IPC), you must decide whether or not to follow any or all of them and provide written notice of your decision to the IPC.  If you decide to accept her recommendations, then someone from our Office will be in touch with you to follow-up on their implementation.

Failure to provide notice of your decision within 30 days will be taken by the IPC as a decision to not follow the recommendations as per HIPMA.  If you decide not to follow a recommendation or do not follow a recommendation that you agreed to within a reasonable time, your client or patient may initiate an appeal in the Supreme Court of Yukon as long as they do so within six months from the date the IPC’s report is issued.

What other complaints can be made about me under HIPMA?

HIPMA is a complete governance scheme for the collection, use, disclosure, security and management of personal health information.

What this means is that you cannot collect, use or disclose personal health information unless HIPMA authorizes it.  It also means that you are obligated under HIPMA to properly manage and secure personal information so that breaches of privacy do not occur.  If you fail to do so and a breach of privacy occurs, then HIPMA requires you to notify any individual affected by the breach if there is a risk of significant harm to the person as a result of the breach.  If you notify an individual about a breach, you must also notify the Information and Privacy Commissioner (IPC).

The complaint provisions in HIPMA are very broad.  HIPMA authorizes ‘any person’ to make a complaint to the IPC “if the person reasonably believes that a custodian has failed to comply with [HIPMA] or the regulations.”

As such, a person can make a complaint to the IPC for any non-compliance with HIPMA including improper collection, use, disclosure, disposal, destruction or breach of personal health information, even if it is not their own.

For advice about your responsibilities under HIPMA, contact the Office of the IPC.

Who do I contact for advice about my responsibilities under HIPMA?

The Information and Privacy Commissioner has authority under HIPMA to provide advice to custodians about their responsibilities under HIPMA and to promote best practices.

To obtain advice, please contact us.

Office of the Information and Privacy Commissioner
            Suite 201, 211 Hawkins Street
            Whitehorse, Yukon  Y1A 1X3
            Ph: 867-667-8468  Toll free: 1-800-661-0408 ext. 8468

The Office is open between 8:30 A.M. and 4:30 P.M. from Monday to Friday.

Is the Information and Privacy Commissioner part of Government?

No.  The Information and Privacy Commissioner (IPC) is an independent officer of the Yukon Legislative Assembly and is, therefore, not part of the Yukon Government.

In Yukon, the IPC is the same person as the Ombudsman and the Public Interest Disclosure Commissioner.  For more information about these roles, visit the Offices’ website at: http://www.ombudsman.yk.ca.

The IPC is responsible to monitor compliance with HIPMA and the Access to Information and Protection of Privacy Act (ATIPP).

ATIPP applies to Yukon public bodies, such as Yukon Government departments.  HIPMA applies to custodians, as defined in the Act and regulations.

The IPC has a number of responsibilities under these Acts and has broad authority to investigate complaints made, including the power to compel production of records and witnesses.  Under HIPMA, the IPC has adjudicative authority.  This means she can make findings of fact and law that are binding on custodians.  At the conclusion of an adjudication, called a ‘consideration’ under HIPMA, she has the authority to recommend any remedy she determines appropriate.