The Personal Health Information Protection Act (PHIPA) is a provincial privacy legislation that governs the collection, use, and disclosure of all personal health information in Ontario. It was formed in 2004 with the intent to maintain the confidentiality of health records, strengthen individual rights over PHI, and establish penalties for any compliance violations. PHIPA’s mandate also includes key rules for breach notification, record-keeping, and risk assessment.

PHIPA applies to:

• All individuals and organizations that are considered “health information custodians” (HICs) and agents that are authorized to act on behalf of HICs;
• All recipients of personal health information from HICs; and
• Electronic service providers that collect, store, or transmit PHI, including health information network providers.

Compliance with PHIPA is overseen by an independent body of oversight known as the Information and Privacy Commissioner of Ontario (IPC). The IPC has the authority to review and adjudicate complaints and order organizations to abide by PHIPA (i.e. to correct or dispose of records). For more information, please consult the following resource from the IPC: Frequently Asked Questions Personal Health Information Protection Act.

RELATED: Which healthcare privacy laws apply to my practice?

Under PHIPA, all individuals and organizations that collect PHI must:

1. Obtain consent to collect, use, or disclose an individual’s personal health information;
2. Ensure that personal health information remains accurate, up-to-date, and complete;
3. Collect, use or disclose only as much personal health information as is necessary to provide effective care;
4. Provide individuals with access to their personal health information upon request (except in limited legal situations);
5. Correct any errors if the record is incomplete or inaccurate where possible (unless the record was created by another custodian or if the information in question contains professional observations or opinions made in good faith);
6. Maintain the security of personal health information by taking reasonable steps to protect against theft, loss and unauthorized use or disclosure, and unauthorized copying, modification, or disposal; and
7. Ensure all health records are retained, transferred, and disposed of in a secure manner (in such a manner that their reconstruction is not reasonably feasible).

In Canada, consumer data is protected under the Personal Information Protection and Electronic Documents Act, or PIPEDA, which governs the collection, use, and disclosure of all personally identifiable information (PII) gathered in commercial activities. PIPEDA applies nationwide, except in the provinces of Alberta, British Columbia, and Quebec, who have enacted their own comprehensive privacy regulations.

However, Healthcare Professionals are exempt from PIPEDA in provinces with specific health information privacy laws that have been deemed “substantially similar” to federal legislation, like PHIPA. As a result, PHIPA effectively takes the place of PIPEDA in Ontario; HICs and agents only need to comply with PHIPA with respect to the collection, use, and disclosure of PHI within the province.

Nonetheless, any organizations that operate interprovincially or internationally are still subject to PIPEDA (and/or its provincial counterpart) if they engage in commercial activities involving:

• The collection, use, or disclosure of personal information outside of Ontario;
• The collection, use, or disclosure of personal information that is not health-related (e.g. collecting banking information to process a sale that is unrelated to your duties as a Healthcare Professional); and
• The cross-border transfer of personal information (e.g. sending a mailing list or other patient data from one province to another).

PIPEDA might also apply if Healthcare Professionals need to comply with Canada’s anti-spam legislation, which requires consent to send electronic messages for commercial intent.

RELATED: All About PIPEDA: How do privacy laws affect my business?

Under PHIPA, personal health information (PHI) is any oral or recorded information that could reasonably be used, either alone or combined with other data, to identify an individual. That includes any information concerning:

• An individual’s health number;
• An individual’s physical or mental health (including family medical history);
• The provision of care to an individual (including plans of service);
• The individual’s healthcare provider or substitute decision-maker;
• Home and community care;
• Payments or eligibility for healthcare or coverage of healthcare;
• The donation or testing of an individual’s body part or bodily substance;
• Information derived from the testing or examination of an individual’s body part or bodily substance; and
• Information that is collected, incidentally or not, in the course of providing health services to the individual.

PHI also extends to mixed records that contain both personal health information and other non-health-related information, like age, name, home address, phone number, date of birth, income, and ethnic origin.

RELATED: All About PIPEDA: How do privacy laws affect my business?

A “health information custodian,” or an HIC, is an individual or an organization that has custody or control of personal health information.

Examples of HICs include:

• All regulated Healthcare Professionals that provide “healthcare” or other medical services for “health-related purposes” in Ontario (e.g. doctors, nurses, dental professionals, dieticians, nutritionists, physiotherapists, chiropractors, massage therapists, speech-language pathologists, medical laboratory technologists, occupational therapists, opticians, and more);
• Healthcare facilities (e.g. hospitals, psychiatric facilities);
• Long-term care homes, retirement homes, and homes for special care;
• Laboratories and research agencies;
• Community care access corporations;
• Pharmacies;
• Ambulance services;
• And more.

Health information custodians DO NOT include:

• A Healthcare Professional or service provider, who is an agent of a health information custodian;
• A person who provides treatment solely by spiritual means or by prayer.

An “agent of a health information custodian” is any person who is authorized by a custodian to perform services or activities involving PHI on their behalf. That includes any person or company that is employed by, volunteers for, or contracts with an HIC and thus, may have access to PHI, like a nurse in a hospital, office staff in a clinic, or a law firm on retainer.

You are a health information custodian if you have custody and control of personal health information and you:

• Are a regulated Healthcare Professional;
• Own and/or operate a private practice; and/or
• Own and/or operate a healthcare organization (care facility, research agency, etc.).

However, even if you technically fall under the definition of a health information custodian, you’re considered an agent if you work under or on behalf of another HIC, whether that’s a regulated Healthcare Professional, a private practice, or a hospital.

If you’re an HIC, you must:

• Develop and implement data security policies that outline:
  • When, how, and why you are collecting, retaining, or disposing of PHI; and
  • The administrative, technical, and physical safeguards in place with respect to PHI;
• Ensure that all agents are aware of their obligations under PHIPA;
• Notify individuals if their PHI is used or disclosed in a manner outside what was previously agreed upon;
• Respond to public inquiries about your data security policies;
• Respond to requests for access or correction;
• Report and respond to all potential privacy breaches;
• And more.

If you’re an agent of an HIC, you must ensure that the collection, use, disclosure, retention, or disposal of all PHI is:

• Authorized by the HIC;
• Necessary for the purposes of carrying out your duties as an agent;
• Compliant with PHIPA; and
• Compliant with any specific restrictions, policies, or practices established by the HIC.

Failure to adhere to any of the regulations above could lead to an investigation by the IPC and strict penalties.

Ultimately, a health information custodian is responsible for the PHI in their custody, even if they permit an agent to collect, use, disclose, retain, and dispose of information on their behalf.

The HIC will also be held accountable if an agent violates PHIPA. That includes sole practitioners, who are still held to the same standard of healthcare, even if they aren’t incorporated, don’t have staff, and don’t have access to the same assets as a major corporation.

If organizations fail to safeguard, retain, or dispose of personal information in their custody or fail to report a privacy breach, they risk severe penalties for compliance violations.

Other offences under PHIPA include:

• Collecting, using, or disclosing PHI in contravention of PHIPA’s regulations (both intentional and unintentional);
• Requesting access to or correcting PHI under false pretences;
• Purposely disposing of records to avoid providing access to individuals or an investigation by the IPC;
• Stalling or obstructing the IPC, or one of its delegates, during the course of investigation;
• Vengeful or disciplinary behaviour towards an individual who has made a complaint to the IPC;
• Failing to comply with the IPC’s orders.

HICs and agents who have acted reasonably and in good faith will generally be protected from liability. But the penalties for those who willfully violate or disregard PHIPA are steep—and they’ve climbed even higher in the last year.

Following the amendments to PHIPA in 2020, the maximum fines for privacy offences have doubled from $100,000 to $200,000 for individuals and from $500,000 to $1,000,000 for organizations, with the possibility of up to one year of imprisonment.

Additionally, whether or not the organization itself is prosecuted or convicted, PHIPA holds officers, members, employees or agents of corporations personally liable for corporate offences if they authorize an offence or knowingly refrain from preventing an offence.

Keep in mind: regulatory fines will be levied on top of existing breach remediation costs, such as forensic investigation, client notification, credit monitoring, legal fees, and more. Plus, anyone convicted of an offence under PHIPA may be subject to lawsuits from disgruntled patients whose information was compromised. Finally, PHIPA allows courts to award up to $10,000 in mental anguish damages per victim if they determine that harm was caused by reckless misconduct.

RELATED: The Consequences of a Breach: Can Your Business Survive a Cyberattack?

In early 2020, significant amendments were made to PHIPA by Bill 188, Economic and Fiscal Update Act, 2020 to strengthen the protection of PHI and enhance the IPC’s oversight. In addition to heavier fines, the updates have given the IPC the power to directly impose penalties on HICs and agents for PHIPA violations instead of relying on court proceedings to do so.

While the enforcement amendments took effect immediately, stricter rules regarding the handling of electronic PHI will come into force at a later date upon proclamation by the Lieutenant Governor. That includes regulations for electronic audit logs, new de-identification standards, and new rules for consumer electronic service providers (e.g. developers of mobile device applications and online portals that process PHI) and the HICs that use them. The changes will affect all Healthcare Professionals and technology companies that process personal health information.

For more information, please consult the following resources:

• Bill 188, Economic and Fiscal Update Act, 2020
• Towards A More Integrated Health System? Amendments to PHIPA and Announcements about Digital and Virtual Health Care (from Fasken law firm)
• Health/Privacy and Cybersecurity Bulletin (from Fasken law firm)
• Recent Changes to the Personal Health Information Protection Act (from Lerners LLP)