
P-7.05 - Personal Health Information Privacy and Access Act

Security safeguards
50(1) In accordance with any requirements prescribed by the regulations, a custodian shall protect personal health information by adopting information practices that include reasonable administrative, technical and physical safeguards that ensure the confidentiality, security, accuracy and integrity of the information.
50(2) The information practices referred to in subsection (1) shall be based on nationally or jurisdictionally recognized information technology security standards and processes, appropriate for the level of sensitivity of the personal health information to be protected.
50(3) Without limiting subsection (1), a custodian shall
(a) implement controls that limit the persons who may use personal health information maintained by the custodian to those specifically authorized by the custodian to do so,
(b) implement controls to ensure that personal health information maintained by the custodian cannot be used unless
(i) the identity of the person seeking to use the information is verified as a person the custodian has authorized to use it, and
(ii) the proposed use is verified as being authorized under this Act,
(c) if the custodian uses electronic means to request disclosure of personal health information or to respond to requests for disclosure, implement procedures to prevent the interception of the information by unauthorized persons,
(d) when responding to requests for disclosure of personal health information, ensure that the request contains sufficient detail to uniquely identify the individual to whom the information relates, and
(e) ensure agents of the custodian adhere to the safeguards.
50(4) A custodian who maintains personal health information in electronic form shall implement any additional safeguards for the security and protection of the information required by the regulations.