Confidentiality and Privacy

Working in a non-healthcare facility 

You are a dietitian with a practice located in a fitness facility. When it comes to managing your clients’ health records, are you a health information custodian (HIC) or agent?

For non-health organizations, the question of who constitutes the HIC is more complex and may require specific legal advice. First, ensure that health services are offered by the organization. If so, either the organization or those providing health services must accept responsibility for health information privacy.
Generally, a HIC is a health care practitioner or person who operates an organization listed under the Personal Health Information Protection Act, 2004 (PHIPA), that provides health care to an individual and has custody or control of their personal health information. A more explicit definition of a HIC can be found in Section 3 of PHIPA.

Most organizations classified as HICs have a designated privacy or information officer whose role is to ensure the requirements of HICs have been fulfilled in accordance with PHIPA. A dietitian in solo private practice would be the HIC for their dietetic practice. Outside of independent practice, dietitians should work with their employer’s risk management and may need to obtain legal counsel to determine who is the HIC with respect to PHIPA.

Under the Personal Health Information Protection Act, 2004 (PHIPA), "persons providing fitness or weight-management services" are not custodians. However, if a dietitian has custody and control of personal health information in connection with their duties, then they are ultimately responsible for that personal health information. Under PHIPA, custodians are required to take steps to protect personal health information in their custody or control against theft, loss and unauthorized use or disclosure, and to ensure that it is also protected against unauthorized copying, modification or disposal (see section 12 of PHIPA). Section 14 of PHIPA includes general provisions on where records of personal health information are kept. The dietitian would have to negotiate whether the facility would be the HIC or whether the dietitian would assume the responsibility.
For example, a summer camp, spa, or industrial plant may have a health office. The employer will either have to designate the health office as the HIC or indicate that those who work there are the independent contractors responsible for protecting the privacy of the health records for the health office.
Dietitians can conduct a privacy impact assessment to make sure their records are safe and securely kept. The IPC’s Privacy Impact Assessment Guidelines for the Ontario Personal Health Information Protection Act is a self-assessment tool designed to help custodians review the impact that a proposed information system, technology or program may have on the privacy of the personal health information records they keep. Be sure to discuss any concerns with your employer and consider whether you require legal advice.

Additional HIC Resources