Are you a custodian or trustee of health records?

Nurses may at times be custodians of health information (also known as “trustees” in some provinces)1 by application of the law, whether or not they have previously agreed to undertake these responsibilities. Why do you need to know if you are a custodian of personal health information?

All provinces and territories have now adopted legislation governing the management of personal health information. Although it varies from one province or territory to another, the legislation is typically structured to identify the custodians of personal health information and set out their responsibilities for the collection, use, disclosure, retention and destruction of personal health information.

As a result, custodians are generally responsible for ensuring that personal health information is, for example:

  • held in a secure location;

  • collected only as necessary to provide health-care services or with the consent of the individual to whom it relates;

  • accessed only by authorized staff members; and

  • used, disclosed and retained in accordance with the specific requirements of the legislation.

In most circumstances, the custodian identified in the legislation is the facility where the services are provided. In most jurisdictions, nurses, along with other health-care professionals who care for patients within the facility, are known as agents or affiliates. In that capacity, nurses are generally authorized to collect, access, use and disclose personal health information to provide care to their patients, but do not have the same rights and responsibilities as custodians.

However, there can be circumstances where nurses, rather than the facilities, are the custodians of personal health information. A  nurse is more likely to be the custodian of personal health information when, for example:

  • acting as an independent contractor and providing services to patients outside a health-care facility designated as a custodian;

  • employed in a nursing capacity in an organization that does not normally provide health care (such as an occupational health nurse employed by a mining company or a nurse practitioner employed in a university clinic to provide primary care to students); or

  • employed in a nursing capacity in a private clinic or organization that provides health-care services but is not owned or operated by a health-care professional (a nurse who provides nursing services in a beauty rejuvenation clinic, for instance).

If you know that you are (or will be) legally designated as a custodian of personal health information, you will be able to understand, plan for and fulfil your legal obligations in the following circumstances:

Before starting an employment or before entering into a professional services agreement:

  • If you understand the additional obligations imposed on you as custodian, you can discuss and reach an agreement with your prospective employer as to what policies and resources will be required to ensure that you can adequately fulfill your obligations as custodian. You will also be able to plan for an appropriate transition of personal health information to another custodian at the end of the employment period.

During employment or otherwise when rendering professional services:

  • You can ensure that measures are in place to adequately protect personal health information from unauthorized access.

  • You will be able to structure your files so that personal health information is clearly distinguishable from employment-related information and therefore adequately protect them from improper disclosure.

  • You will recognize that it is your responsibility to respond to requests for access to or disclosure of personal health information, or put in place appropriate alternate measures to manage these requests.

  • You will be able to recognize the need for appropriate arrangements for the allocation of custodial responsibilities, if these responsibilities are shared among health-care professionals.

  • You will know that in the event of a complaint or litigation, you, as custodian, will generally be able to access personal health information more readily to investigate and address the concerns.

After employment or after the termination of the professional services agreement:

  • You will know that if you are the sole custodian of personal health information, unless you are able to make alternate arrangements, your custodial obligations will probably not end at the conclusion of your professional services agreement or employment. You may continue to be responsible for the retention of personal health information (possibly for many years), including responding to all requests for access or disclosure of the personal health information.

Ideally, this should be stipulated in the professional services agreement at the time of hiring. Suitable alternatives or measures to support the ongoing management of personal health information (such as adequate storage and compensation) should also be incorporated in the professional services agreement.

Nurses who do not fulfill their obligations as custodians can face sanctions under the applicable health information protection legislation or a complaint to their regulatory body. CNPS beneficiaries should contact the CNPS if they need help in determining whether they are the custodians of personal health information or have questions regarding their obligations as custodians. They can call 1-844-4MY-CNPS (1-844-469-2677) to speak with a CNPS legal advisor, who is a lawyer.


1. The word “custodian” will be used in this article.


Published October 2017