Different regions have different privacy requirements that healthcare providers need to meet in order to protect Personal Health Information (PHI).
In the United States, this takes the form of HIPAA. For Canadians living in the province of Ontario, these protections are designated under PHIPA, and its rules are slightly different from those of its American counterpart.
MedStack specializes in helping companies across North America maintain all necessary compliance regulations to protect their customers’ privacy.
With that in mind, we’ve created this page to help you understand the intricacies of Ontario’s PHIPA protections, and the steps you need to take to achieve compliance under its rules.
The Personal Health Information Protection Act, or PHIPA, is Ontario’s health-specific privacy legislation, which has been in effect since late 2004.
This legislation helps control the ways in which Personal Health Information (PHI) is collected, used, or shared between healthcare organizations. This may sound straightforward, but it’s actually quite complex.
People are rightfully very protective of their PHI, but there are some situations in which it’s vital for health information to be shared between healthcare practitioners easily and quickly, such as during medical emergencies.
Because PHI must pass through so many different organizations in the healthcare system (e.g., insurance companies, hospitals, doctors, lab technicians), the process is further complicated.
PHIPA is in place to ensure that necessary information is available to medical enterprises when needed, while also protecting that confidential data from being leaked outside of approved contacts within the healthcare chain.
Personal Health Information, or PHI, is a broad term that refers to any identifying health information that can be tied back to an individual. It may be written and recorded, or shared verbally.
This data can take a variety of forms, including but not limited to:
These are only some examples of personal health information. As you can see, PHI covers an extremely wide range of information and uses within the healthcare field, which is why it’s so crucial to maintain compliance and protect this data.
Without PHIPA, residents of Ontario would have to worry about their PHI being shared without their permission and without notification in the event of a data breach.
Thankfully, PHIPA protects individuals by giving them additional rights relating to their health information. This allows individuals some peace of mind with their PHI, even when the data is outside their direct control.
Some of the rights afforded to individuals through PHIPA include:
For enterprises that are obligated to protect PHI through their day-to-day business activities, it’s essential to maintain PHIPA compliance.
Otherwise, in addition to the damage done to individuals with PHI that is shared illegally, it could result in severe legal and financial ramifications for enterprises allowing this information to be shared with unauthorized users.
There are two groups to which PHIPA readily applies: Custodians and Agents.
Although there are similarities between these two groups, they are two distinct parts of the healthcare system that work together to protect your health information.
A custodian is any organization or individual that, as a result of its position within the healthcare industry, has control or guardianship of PHI.
This could include enterprises, such as:
An agent is an individual who is authorized by a registered custodian to manage or perform services relating to PHI on behalf of the custodian organization.
This could be any individual who works for, volunteers with, or is contracted by a custodian and who, as part of these activities, will come into contact with, collect, use, or disclose Personal Health Information.
Even though these agents are authorized to access PHI and make decisions regarding its use, collection, or disclosure, it’s the custodians who are technically accountable in the event of a PHIPA breach.
This is why many custodians have provisions built into their agent contracts that enforce some level of accountability, in the event that an agent causes a PHIPA compliance issue or breaches PHI privacy laws.
At its core, PHIPA is designed to give individuals additional rights and protections for their health information privacy, by setting specific rules and obligations that custodians are required to maintain.
Not only does this force custodians to take necessary steps to avoid loss, theft, or unauthorized access to PHI, but it also ensures that health information isn’t modified, copied, or disposed of without the proper authorization.
In the event that PHI requires disposal or transfer to another custodian, PHIPA puts rules in place to ensure that all PHI is disposed of in a secure manner, which avoids potential breaches during the transfer or disposal processes.
When a breach does occur, PHIPA requires that custodians notify affected individuals at the first possible opportunity.
Consent is one of the most important requirements for custodians and their agents to maintain compliance with PHIPA.
Any time that a custodian is required to collect, use, or share PHI with another agency, they’re required to get consent from the individual to whom the PHI applies. The only time this doesn’t apply is when PHIPA allows specific types of information to be shared without consent.
The consent must be given voluntarily by the individual, must relate to the situation at hand, and the individual must know which information is being collected, used, or shared.
There are a number of other steps that custodians can take to ensure that they maintain PHIPA compliance outside of patient consent, such as:
MedStack is the go-to compliance platform for digital health, used to get safeguards in place immediately and save time and money on engineering and privacy lawyers. Many compliance requirements are ongoing, so we are a continuous solution that provides clients with long-term privacy protections.
No matter where your business is, we understand the importance and intricacies involved in maintaining PHIPA, HIPAA, SOC 2, or ISO 27001 compliance, as well as what you’ll need to do in order to meet and maintain those standards.
It’s our mission to make it faster, easier, and more affordable for companies to design, develop, and launch digital healthcare solutions that meet the stringent requirements of modern healthcare enterprises.
Stop wasting time, energy, and resources on paperwork instead of your product. MedStack can put your business on the fast track to growth and take your application from zero to healthcare hero.
Learn how MedStack can help you.