Questions & Answers

Can an employee of a health office take home patients' charts to complete work at home? The employee has children and a husband who may be able to view the charts.

Answer – Custodians must protect against any reasonably anticipated threat to the security, loss and unauthorized use or disclosure of health information. In making a decision to allow employees to take work home, custodians must first assess whether this decision will expose the health information to any increased risk of loss, theft, destruction, unauthorized access or other threats. Based on this assessment, the custodian can then develop policies and procedures to mitigate these risks.



The OIPC recommends the following points be considered in a policy on working at home:

Whether you permit your employees to work at home
If employees are allowed to work from home, whether the employee needs to seek permission from a supervisor, or sign-out the records
Specific procedures to protect the information in transit and while stored off-site (these measures should consider whether the information will be stored in paper or electronic form and be developed accordingly)
Instructions for proper destruction of transitory records
Information security awareness training for employees who will be working from home
For permanent work-at-home arrangements, site visits to ensure your policies have been implemented
A protocol for reporting privacy and security breaches, such as loss, theft, destruction, unauthorized access.

Back