PHIPA Compliance Checklist
The Personal Health Information Protection Act (PHIPA) is Ontario's health privacy law. It standardizes how personal health information is protected across the health sector and gives individuals greater control over how their personal health information is collected, used, and disclosed.
Compliance with PHIPA is mandatory for the persons and organizations the Act defines as health information custodians (“custodians”). Custodians include, but are not limited to, hospitals, care homes, psychiatric facilities, pharmacies, and health care practitioners who are not employed by a hospital or other health care facility, for example school nurses and sports team doctors.
Custodians must not only comply with PHIPA themselves but also ensure that their agents (employees, students, volunteers, etc.) comply, along with any other organization that provides a service on the custodian's behalf when that service collects, uses, modifies, discloses, retains, or disposes of personal health information. Such organizations can include schools, employers, and insurance companies.
The Requirements for Protecting Personal Health Information
PHIPA imposes requirements on custodians for protecting personal health information. Custodians who have custody or control of personal health information must develop and implement written policies (“information practices”) that set out:
- When, how, and for what purposes the custodian routinely collects, uses, modifies, discloses, retains, or disposes of personal health information, and
- The administrative, technical, and physical safeguards and practices the custodian maintains to protect the information from unauthorized use, modification, disclosure, or disposal.
Custodians must make a written statement describing these policies readily available to the public, and must take reasonable steps to ensure that personal health information is as accurate, up to date, and complete as is necessary for the purposes for which it is used. They must also enforce their safeguarding policies so as to prevent theft, loss, and unauthorized use or disclosure.
Although the Act does not expressly mandate PHIPA training for agents, it does expect agents to know the custodian's policies, understand what constitutes a permitted use or disclosure of personal health information, and know how to report a theft, loss, or unauthorized use or disclosure. In practice, therefore, PHIPA training for agents should be treated as necessary.
Permitted Uses and Disclosures and Individuals' Rights
Under PHIPA, custodians and their authorized agents may collect personal health information only for the purposes of providing health care. Thereafter, the information may be used or disclosed only “as reasonably necessary to meet the purpose of the collection”, unless the individual has expressly instructed otherwise. All other uses and disclosures require the individual's consent.
For consent to be valid, the individual must know why it is being sought, and it must be given voluntarily. Custodians may rely on implied consent when sharing personal health information with other custodians within the circle of care for the purpose of providing health care. Express consent is required for disclosures to a person who is not a custodian (a third party), and for uses or disclosures for purposes other than providing health care.
Individuals have the right to withdraw their consent at any time. They also have the right to obtain copies of their personal health information, to request that errors be corrected, and to complain to the Information and Privacy Commissioner of Ontario if their rights are violated or if they believe their personal health information has been collected, used, or disclosed in contravention of PHIPA.
PHIPA and Electronic Health Records
In March 2020, the Ontario legislature passed several amendments to PHIPA. Among them is the requirement for custodians who use electronic means to collect, use, or disclose personal health information to maintain, audit, and monitor an electronic audit log that captures every instance in which an electronic health record is accessed. The log must record the date and time of the access, who accessed the record, what information was accessed, and whether it was modified.
If a custodian contracts an electronic service provider to maintain and monitor the audit log, the service provider is itself subject to PHIPA's requirements to implement administrative, technical, and physical safeguards for the personal health information it handles. Such a provider may not use personal health information except as necessary to provide its services, and may not disclose it.
The 2020 amendments also introduced rules for consumer electronic service providers, which provide electronic services directly to individuals (e.g., wearable fitness apps). A consumer electronic service provider may use an individual's personal health information for certain purposes only if it obtains the individual's consent in advance.
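The audit-log requirement above is the one place on this page where a custodian's security team actually has to build or verify something. The following is an added example, not code from the original page or from any EHR vendor: it validates that every entry in a JSON-lines audit log carries the four elements the amendment calls for (when, who, what, whether modified), and then applies two simple monitoring rules, flagging every modification for review and flagging any user who opens an unusual number of distinct patient records in a short window (a common indicator of snooping or bulk export). The field names, thresholds, and the sample log lines are all this example's own constructed assumptions, not a schema PHIPA prescribes.

```python
"""Validate and monitor an EHR audit log.

Added example (not from the original page). Assumes a JSON-lines log whose
field names are this example's own choice: timestamp, user_id, patient_id,
fields_accessed, action. Thresholds are illustrative.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Elements the page says the log must capture: when, who, what, whether modified.
REQUIRED_FIELDS = ("timestamp", "user_id", "patient_id", "fields_accessed", "action")
ALLOWED_ACTIONS = {"view", "modify", "delete"}


def parse_record(line):
    """Parse one audit entry. Returns (record, errors); record is None when the
    line is not a JSON object. A valid record gains a parsed '_ts' datetime."""
    try:
        rec = json.loads(line)
    except json.JSONDecodeError as exc:
        return None, [f"unparseable JSON: {exc.msg}"]
    if not isinstance(rec, dict):
        return None, ["entry is not a JSON object"]
    errors = [f"missing field: {f}" for f in REQUIRED_FIELDS if f not in rec]
    if "timestamp" in rec:
        try:
            rec["_ts"] = datetime.fromisoformat(rec["timestamp"])
        except (TypeError, ValueError):
            errors.append("timestamp is not ISO 8601")
    if "action" in rec and rec["action"] not in ALLOWED_ACTIONS:
        errors.append(f"unknown action: {rec['action']!r}")
    if "fields_accessed" in rec and not rec["fields_accessed"]:
        errors.append("fields_accessed is empty: what was accessed is unrecorded")
    return rec, errors


def monitor(lines, max_distinct_patients=3, window=timedelta(hours=1)):
    """Validate every entry, then run two detection rules over the valid ones:
    1. list every modify/delete for review (the log must show what changed);
    2. flag a user who touches more than max_distinct_patients distinct
       patient records within `window` (snooping / bulk-export indicator)."""
    invalid, modifications, bulk_access = [], [], []
    per_user = defaultdict(list)
    for n, line in enumerate(lines, 1):
        rec, errors = parse_record(line)
        if errors:
            invalid.append((n, errors))  # a gap in the log is itself a finding
            continue
        per_user[rec["user_id"]].append(rec)
        if rec["action"] in ("modify", "delete"):
            modifications.append((rec["user_id"], rec["patient_id"], rec["action"]))
    for user, recs in per_user.items():
        recs.sort(key=lambda r: r["_ts"])
        recent = deque()  # sliding window of this user's accesses
        for rec in recs:
            recent.append(rec)
            while rec["_ts"] - recent[0]["_ts"] > window:
                recent.popleft()
            distinct = {r["patient_id"] for r in recent}
            if len(distinct) > max_distinct_patients:
                bulk_access.append((user, rec["_ts"].isoformat(), len(distinct)))
                break  # one alert per user is enough for triage
    return {"invalid": invalid, "modifications": modifications, "bulk_access": bulk_access}


# Constructed sample log: one legitimate edit, one clerk opening five charts in
# ten minutes, one entry with no action, one with no timestamp, one corrupt line.
SAMPLE_LOG = [
    '{"timestamp": "2024-03-01T09:00:00+00:00", "user_id": "nurse17", "patient_id": "P001", "fields_accessed": ["medications"], "action": "view"}',
    '{"timestamp": "2024-03-01T09:05:00+00:00", "user_id": "nurse17", "patient_id": "P001", "fields_accessed": ["medications"], "action": "modify"}',
    '{"timestamp": "2024-03-01T09:10:00+00:00", "user_id": "clerk42", "patient_id": "P002", "fields_accessed": ["demographics"], "action": "view"}',
    '{"timestamp": "2024-03-01T09:12:00+00:00", "user_id": "clerk42", "patient_id": "P003", "fields_accessed": ["demographics"], "action": "view"}',
    '{"timestamp": "2024-03-01T09:14:00+00:00", "user_id": "clerk42", "patient_id": "P004", "fields_accessed": ["demographics"], "action": "view"}',
    '{"timestamp": "2024-03-01T09:16:00+00:00", "user_id": "clerk42", "patient_id": "P005", "fields_accessed": ["demographics"], "action": "view"}',
    '{"timestamp": "2024-03-01T09:20:00+00:00", "user_id": "clerk42", "patient_id": "P002", "fields_accessed": ["notes"]}',
    '{"user_id": "doc08", "patient_id": "P009", "fields_accessed": ["labs"], "action": "view"}',
    'not json at all',
]

if __name__ == "__main__":
    report = monitor(SAMPLE_LOG)
    for line_no, errs in report["invalid"]:
        print(f"line {line_no}: {'; '.join(errs)}")
    for user, patient, action in report["modifications"]:
        print(f"review: {user} performed {action} on {patient}")
    for user, when, count in report["bulk_access"]:
        print(f"alert: {user} opened {count} distinct records by {when}")
```

Run against the constructed log, this reports three defective entries (no action, no timestamp, unparseable), lists nurse17's modification of P001 for review, and raises a bulk-access alert for clerk42 at 09:16 after the fourth distinct chart. The validation half matters as much as the detection half: an audit log that silently drops the "who" or "when" of an access cannot satisfy the requirement, so malformed entries are reported rather than skipped.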
PHIPA Custodians May Also Have to Comply with PIPEDA
Because PHIPA has been declared “substantially similar” to the federal Personal Information Protection and Electronic Documents Act (PIPEDA), Ontario-based custodians are generally required to comply with PHIPA rather than the federal law. There are, however, circumstances in which an Ontario-based custodian may be subject to PIPEDA, or to both PHIPA and PIPEDA. These include:
- When personal health information is transferred out of Ontario to a province in which PIPEDA applies.
- When personal health information is transferred into Ontario from a province in which PIPEDA applies.
- When the custodian engages in commercial activities not covered by PHIPA.
Conditions are also attached to outbound interprovincial transfers under PHIPA itself. A custodian may disclose personal health information to a person outside Ontario only in the limited circumstances the Act lists, for example where the recipient performs functions comparable to those of a custodian, the disclosure is for the purpose of health planning or health administration, and the information relates to health care provided in Ontario to a resident of another province.
Failing to Comply with PHIPA can have Serious Consequences
Custodians must notify the Information and Privacy Commissioner of Ontario of breaches of PHIPA, some immediately and all of them at least in an annual report (see the PHIPA FAQs below for more on breach notification). Depending on the nature of the breach, the number of individuals affected, and its cause, the Commissioner may investigate the custodian's compliance with PHIPA.
If an individual is found to have knowingly committed an offence under PHIPA, they can be fined up to $200,000 and imprisoned for up to one year. An organization guilty of an offence can be fined up to $1,000,000. A prosecution requires the consent of the Attorney General of Ontario. Individuals affected by a breach also have a private right of action for actual harm suffered, which can be brought once a Commissioner's order is final or a conviction has been entered, and courts can award up to an additional $10,000 for mental anguish.
In a large-scale breach of personal health information that adequate precautions could have prevented, the cumulative cost of fines and damages can escalate quickly. It is therefore in a custodian's best interests to understand the requirements for protecting personal health information, train agents on the permitted uses and disclosures and on patients' rights, and ensure adequate safeguards are in place to prevent unauthorized access to EHRs.
PHIPA Compliance Checklist
We have compiled the following PHIPA compliance checklist as a guide to the areas of PHIPA that custodians should focus on to prevent violations of the Act and breaches of personal health information. This checklist does not constitute legal advice and should not be relied upon as such. Custodians should conduct a risk analysis to identify the specific areas in which potential violations of PHIPA exist, and seek professional compliance help to address them.
The first item on any PHIPA compliance checklist is to determine whether your organization is subject to PHIPA. Some organizations and individual health care practitioners are exempt from PHIPA but may still be subject to PIPEDA. If your organization is subject to PHIPA:
- Understand what identifying information constitutes personal health information.
- Develop policies that state the purpose for collecting personal health information.
- Develop policies for protecting information from loss, theft, and unauthorized disclosure.
- Train agents on the permitted uses and disclosures of personal health information.
- Train agents on patients' rights, and on when it is appropriate to rely on implied consent.
- Implement mechanisms to prevent unauthorized access to EHRs and the unauthorized modification or deletion of personal health information by agents.
- Conduct due diligence on third party service providers to ensure the protection of personal health information disclosed to them.
- Understand the role of the Information and Privacy Commissioner in enforcing compliance with PHIPA.
Who does PHIPA apply to?
PHIPA applies to a wide variety of persons and organizations defined as health information custodians. PHIPA also applies to agents who are authorized to act for or on behalf of custodians. Additionally, PHIPA applies to the use and disclosure of personal health information by those who receive personal health information from custodians (recipients) and to electronic service providers, including health information network providers.
What is a custodian under PHIPA?
A custodian is a person or organization that, as a result of his, her, or its powers, duties, or work, has custody or control of personal health information. Examples of custodians include:
Health care practitioners, including doctors, nurses, speech-language pathologists, chiropractors, dental professionals, dietitians, medical laboratory technologists, massage therapists, midwives, occupational therapists, opticians, and physiotherapists.
Community care access corporations, hospitals, psychiatric care facilities, long-term care homes, pharmacies, laboratories, ambulance services, retirement homes, and homes for special care.
Medical officers of health of boards of health, the Minister of Health and Long-Term Care and Canadian Blood Services.
What identifying information constitutes personal health information under PHIPA?
Identifying information is information that identifies an individual or for which it is reasonably foreseeable in the circumstances that it could be utilized, either alone or with other information, to identify an individual.
Personal health information is identifying information about an individual in oral or recorded form that relates to the physical or mental health of the individual, the provision of health care to the individual, or the health history of the individual and their family.
Other information considered personal health information under PHIPA includes:
- An individual's eligibility for, coverage of, or payment for health care.
- The donation of any of an individual's body parts.
- The testing or examination of an individual's bodily substance.
- The individual's health number.
- Any information that identifies the individual's health care provider or substitute decision-maker.
What happens if an individual is unable to provide their consent because of illness or injury?
PHIPA allows a substitute decision-maker to give consent on behalf of an incapable person. A substitute decision-maker is usually a family member, an attorney for personal care, or a representative appointed by the Consent and Capacity Board (see the Child, Youth and Family Services Act §301(4)).
In an emergency, the person responsible for authorizing admissions to the health care facility can act as the substitute decision-maker (see the Health Care Consent Act §46(4)). That person also has the authority to authorize treatment for the incapable individual.
When are custodians required to inform the Information and Privacy Commissioner of Ontario of a breach of PHIPA?
All breaches of PHIPA must be reported to the Information and Privacy Commissioner in the annual report. Certain types of breach must also be reported immediately. These fall into seven categories:
- Unauthorized uses or disclosures in which the person responsible knew, or ought to have known, that their actions were a breach of PHIPA. Accidental breaches do not have to be reported immediately unless they fall into one of the categories below.
- When personal health information has been stolen. This includes events such as the theft of a laptop, USB drive, or paper records, or a cyberattack that renders the information unavailable. An exception exists if the stolen information was encrypted or de-identified; as a practical caveat, encryption only protects the information if the decryption key was not also compromised.
- The further use of personal health information following a breach that was not itself reportable, if it becomes apparent that the information has been, or will be, used without authorization, for example to commit identity theft or insurance fraud.
- If a pattern of similar breaches occurs, the breaches must be reported to the Information and Privacy Commissioner. This is because such a pattern may reflect systemic issues that need to be addressed, such as inadequate training or procedures.
- When a breach results in disciplinary action against a member of a health regulatory college, or when the member has their membership revoked or suspended because of a breach, this has to be reported to the Information and Privacy Commissioner.
- When a breach of a severity that would have triggered notification to a health regulatory college results in disciplinary action against any other agent, for example if a non-clinical receptionist posts details of a patient's admission on social media.
- When the breach is significant. PHIPA does not fix a threshold for a “significant breach”; instead, custodians must weigh all the circumstances, in particular whether the information involved is sensitive, whether a large volume of information was involved, whether many individuals' information was involved, and whether more than one custodian or agent is responsible for the breach.