A Guide to Ontario’s Healthcare Privacy Law: PHIPA
Different regions have different privacy requirements that healthcare providers need to meet in order to protect Personal Health Information (PHI).
In the United States, this takes the form of HIPAA. For Canadians living in the province of Ontario, these protections are designated under PHIPA, and its rules are slightly different from its American counterpart.
MedStack specializes in helping companies across North America maintain all necessary compliance regulations to protect their customers’ privacy.
With that in mind, we’ve created this page to help you understand the intricacies of Ontario’s PHIPA protections, and the steps you need to take to achieve compliance under its rules.
What is the Personal Health Information Protection Act (PHIPA)?
The Personal Health Information Protection Act, or PHIPA, is health-specific privacy legislation that has been in effect since late 2004.
This legislation helps control the ways in which Personal Health Information (PHI) is collected, used, or shared between healthcare organizations. This may sound straightforward, but it’s actually quite complex.
People are rightfully very protective of their PHI, but there are some situations in which it’s vital for health information to be shared between healthcare practitioners easily and quickly, such as during medical emergencies.
The number of different organizations that PHI must pass through in the healthcare system (e.g., insurance companies, hospitals, doctors, and lab technicians) complicates the process further.
PHIPA is in place to ensure that necessary information is available to medical enterprises when needed, while also protecting that confidential data from being leaked outside of approved contacts within the healthcare chain.
What Could Be Considered Personal Health Information (PHI)?
Personal Health Information, or PHI, is a broad term that refers to any identifying health information that can be tied back to an individual. This information may be written or recorded, or shared verbally.
This data can take a variety of forms, including but not limited to:
- Treatment plans for medical conditions
- Insurance payment or eligibility information
- Previously sought medical attention
- Information directly relating to physical or mental health
- Family or personal medical histories
- Health card or insurance account numbers
- Previously or currently prescribed medications
- Results of medical testing
- An individual’s choice to donate body parts in the event of passing
- Alternate decision-makers for the individual in the event of catastrophic injury
These are only some examples of personal health information. As you can see, PHI covers an extremely wide range of information and uses within the healthcare field, which is why it is so crucial to maintain compliance and protect this data.
Why Does PHIPA Matter?
Without PHIPA, residents of Ontario would have to worry about their PHI being shared without their permission and without notification in the event of a data breach.
Thankfully, PHIPA protects individuals by giving them additional rights relating to their health information. This allows individuals some peace of mind with their PHI, even when the data is outside their direct control.
Some of the rights afforded to individuals through PHIPA include:
- The right to request corrections to their existing PHI
- The right to be informed when PHI is collected, used, or shared
- The right to be informed when PHI is lost or stolen, or when it may have been accessed by individuals who do not have the proper privacy permissions
- Access to their own PHI, in most situations
- The right to refuse consent to collect, use, or share PHI
- The right to complain to the Information and Privacy Commissioner (IPC) in the event of potential privacy breaches or when healthcare professionals refuse to share an individual’s own PHI with them
- The right to seek damages through legal action if an enterprise is convicted of violating PHIPA
For enterprises that are obligated to protect PHI through their day-to-day business activities, it’s essential to maintain PHIPA compliance.
Otherwise, in addition to the harm done to individuals whose PHI is shared illegally, enterprises that allow this information to reach unauthorized users face severe legal and financial consequences.
Who Does PHIPA Apply To?
There are two groups to which PHIPA readily applies: Custodians and Agents.
Although there are similarities between these two groups, they are two distinct parts of the healthcare system that work together to protect your health information.
Who Would Be Considered Custodians?
Custodians are any organization or individual who, as a result of their position within the healthcare industry, has control or guardianship of PHI.
This could include enterprises, such as:
- Medical laboratories
- Doctor’s offices
- Insurance companies
- Hospital services (e.g., triage, ambulance)
- Retirement or long-term care facilities
- Psychiatric health facilities
- Community care and access services
- Canadian Blood Services
- Special care facilities
- Surgical and specialist facilities
Who Would Be Considered Agents?
An agent is an individual who is authorized by a registered custodian to manage or perform services relating to PHI on behalf of the custodian organization.
This could be any individual who works for, volunteers with, or is contracted by a custodian and who, as part of these activities, comes into contact with, collects, uses, or discloses Personal Health Information.
Even though agents are authorized to access PHI and make decisions regarding its collection, use, or disclosure, it is the custodian who is ultimately accountable in the event of a PHIPA breach.
This is why many custodians build provisions into their agent contracts that enforce some level of accountability in the event that an agent causes a PHIPA compliance issue or breaches PHI privacy rules.
How Does PHIPA Protect Your Personal Health Information?
At its core, PHIPA is designed to give individuals additional rights and protections for their health information privacy, by setting specific rules and obligations that custodians are required to maintain.
Not only does this force custodians to take necessary steps to avoid loss, theft, or unauthorized access to PHI, but it also ensures that health information isn’t modified, copied, or disposed of without the proper authorization.
In the event that PHI requires disposal or transfer to another custodian, PHIPA puts rules in place to ensure that all PHI is disposed of in a secure manner, which avoids potential breaches during the transfer or disposal processes.
When a breach does occur, PHIPA requires that custodians notify affected individuals at the first possible opportunity.
How Do You Maintain PHIPA Compliance?
Consent is one of the most important requirements for custodians and their agents to maintain compliance with PHIPA.
Any time a custodian needs to collect, use, or share PHI with another agency, they must obtain consent from the individual to whom the PHI applies. The only exception is where PHIPA allows specific types of information to be shared without consent.
Consent must be given voluntarily by the individual, must relate to the situation at hand, and the individual must know which information is being collected, used, or shared.
Beyond patient consent, there are a number of other steps that custodians can take to ensure they maintain PHIPA compliance, such as:
- Keeping PHI records secure with internal security systems
- Keeping PHI records up-to-date
- Only storing records for appropriate periods of time
- Appointing privacy contact representatives within the enterprise
- Creating policies and procedures for dealing with PHI leaks
- Publicly listing privacy practices
- Choosing specific agents to handle PHI, minimizing the exposure of PHI even within authorized organizations
- Providing individuals with access to their own PHI in a reasonable time frame (usually within a preset period of 30 days)
MedStack Understands the Importance of PHIPA Compliance
Let Us Help You Ensure Your PHI Privacy is Always Protected
MedStack is the go-to compliance platform for digital health, used to get safeguards in place immediately and save time and money on engineering and privacy lawyers. Many compliance requirements are ongoing, so we are a continuous solution that provides clients with long-term privacy protections.
No matter where your business is, we understand the importance and intricacies involved in maintaining PHIPA, HIPAA, SOC 2, or ISO 27001 compliance, as well as what you’ll need to do in order to meet and maintain those standards.
It’s our mission to make it faster, easier, and more affordable for companies to design, develop, and launch digital healthcare solutions that meet the stringent requirements of modern healthcare enterprises.
Stop wasting time, energy, and resources on paperwork instead of your product. MedStack can put your business on the fast track to growth and take your application from zero to healthcare hero.