Leading Practices for PHI

Health information management leading practices for non-traditional care models
Managing personal health information (PHI) is a requirement for any organization that creates or collects it, both to maintain the privacy of the individual it belongs to and to protect the health information from unauthorized access or use.

Data-driven healthcare has not changed the fundamental spirit of the original Hippocratic Oath. The current Code of Ethics for the Canadian Medical Association is as firm on treatment and accountability as its forebear, and Canadian laws ensure this is put into practice. At a minimum, organizations must meet these requirements to comply with leading practices:

  • Health information management is required where medical or clinical disciplines create information in the delivery or support of health services to an employee/client/patient, regardless of the industry. Examples include blood and laboratory tests, eye examination, health and physical examinations, medical clearance or occupational health services within an organization.
  • Two Canadian laws, the Privacy Act and the Access to Information Act, guide the protection of privacy of PHI and serve as the overarching mandatory requirements.
  • Some provinces also have legislation in place which must be applied.
  • Medical and clinical disciplines are guided by their professional practice standards in the creation, use, storage, retention and destruction of health information in accordance with retention rules (the length of time that health information can be kept by the organization).
  • Health information may be created in any medium, paper or electronic.
  • Regardless of the medium, security and privacy apply in accordance with professional practice standards as well as The Privacy Act and the Access to Information Act and provincial legislation.
  • Access to and use of health information is restricted to healthcare professionals in the delivery of care unless the employee/client/patient consents to release specified health information. This restriction applies even within an organization, including to Human Resources, management and executive roles.
  • Health information may only be released to health insurance providers with the client/patient’s consent.
  • Health information must be destroyed and/or deleted at the end of the record retention schedule. This activity must be documented to demonstrate the destruction was completed.

Beyond this general guideline to PHI in Canada in 2019, organizations must remain aware of how PHI is used by their teams and in their projects. After 35 years of supporting complex health projects, our teams within NTT DATA understand how organizations can balance the need for information with regulations around privacy.

To learn more about confirming that your projects meet privacy compliance laws, contact NTT DATA today.

*This was originally written by Sierra Systems Group Inc., which has become NTT DATA Services as of December 17, 2018.

Post Date: 2019-11-15