Protecting Patient Data: Your Guide to Ontario’s PHIPA
September 12, 2022
From medical histories to social security numbers to banking information, all healthcare organizations, regardless of size or specialty, collect, store, and transmit vast amounts of confidential patient data. To ensure that this data is protected from unauthorized access, Healthcare Professionals must comply with various federal and provincial privacy regulations that govern the use of personal health information (PHI). In Ontario, that’s the Personal Health Information Protection Act, or PHIPA for short.
But do all Healthcare Professionals fully understand their responsibilities when it comes to data stewardship? To help you out, we’ve put together a guide on Ontario’s premier healthcare privacy law. Keep reading to learn more about PHIPA, how it’s different from PIPEDA, and how Healthcare Professionals can protect PHI.
Disclaimer: The information presented herein is general in nature and provided for educational purposes only. It is not exhaustive nor is it a substitute for legal or insurance advice. For specialized guidance, please consult a lawyer.
Overview of PHIPA:
The Personal Health Information Protection Act (PHIPA) is provincial privacy legislation that governs the collection, use, and disclosure of all personal health information in Ontario. It was formed in 2004 with the intent to maintain the confidentiality of health records, strengthen individual rights over PHI, and establish penalties for any compliance violations. PHIPA’s mandate also includes key rules for breach notification, record-keeping, and risk assessment.
PHIPA applies to:
- All individuals and organizations that are considered “health information custodians” (HICs) and agents that are authorized to act on behalf of HICs;
- All recipients of personal health information from HICs; and
- Electronic service providers that collect, store, or transmit PHI, including health information network providers.
Compliance with PHIPA is overseen by an independent oversight body known as the Information and Privacy Commissioner of Ontario (IPC). The IPC has the authority to review and adjudicate complaints and order organizations to abide by PHIPA (i.e. to correct or dispose of records). For more information, please consult the following resource from the IPC: Frequently Asked Questions: Personal Health Information Protection Act.
How does PHIPA protect personal health information?
Under PHIPA, all individuals and organizations that collect PHI must:
- Obtain consent to collect, use, or disclose an individual’s personal health information;
- Ensure that personal health information remains accurate, up-to-date, and complete;
- Collect, use or disclose only as much personal health information as is necessary to provide effective care;
- Provide individuals with access to their personal health information upon request (except in limited legal situations);
- Correct any errors if the record is incomplete or inaccurate where possible (unless the record was created by another custodian or if the information in question contains professional observations or opinions made in good faith);
- Maintain the security of personal health information by taking reasonable steps to protect against theft, loss and unauthorized use or disclosure, and unauthorized copying, modification, or disposal; and
- Ensure all health records are retained, transferred, and disposed of in a secure manner (in such a manner that their reconstruction is not reasonably feasible).
What’s the relationship between PHIPA and PIPEDA?
In Canada, consumer data is protected under the Personal Information Protection and Electronic Documents Act, or PIPEDA, which governs the collection, use, and disclosure of all personally identifiable information (PII) gathered in commercial activities. PIPEDA applies nationwide, except in the provinces of Alberta, British Columbia, and Quebec, which have enacted their own comprehensive privacy regulations.
However, Healthcare Professionals are exempt from PIPEDA in provinces with specific health information privacy laws that have been deemed “substantially similar” to federal legislation, like PHIPA. As a result, PHIPA effectively takes the place of PIPEDA in Ontario; HICs and agents only need to comply with PHIPA with respect to the collection, use, and disclosure of PHI within the province.
Nonetheless, any organizations that operate interprovincially or internationally are still subject to PIPEDA (and/or its provincial counterpart) if they engage in commercial activities involving:
- The collection, use, or disclosure of personal information outside of Ontario;
- The collection, use, or disclosure of personal information that is not health-related (e.g. collecting banking information to process a sale that is unrelated to your duties as a Healthcare Professional); and
- The cross-border transfer of personal information (e.g. sending a mailing list or other patient data from one province to another).
PIPEDA might also apply if Healthcare Professionals need to comply with Canada’s anti-spam legislation, which requires consent to send electronic messages for commercial intent.
What is “personal health information?”
Under PHIPA, personal health information (PHI) is any oral or recorded information that could reasonably be used, either alone or combined with other data, to identify an individual. That includes any information concerning:
- An individual’s health number;
- An individual’s physical or mental health (including family medical history);
- The provision of care to an individual (including plans of service);
- The individual’s healthcare provider or substitute decision-maker;
- Home and community care;
- Payments or eligibility for healthcare or coverage of healthcare;
- The donation or testing of an individual’s body part or bodily substance;
- Information derived from the testing or examination of an individual’s body part or bodily substance; and
- Information that is collected, incidentally or not, in the course of providing health services to the individual.
PHI also extends to mixed records that contain both personal health information and other non-health-related information, like age, name, home address, phone number, date of birth, income, and ethnic origin.
Health Information Custodians and Agents:
What’s a “health information custodian?”
A “health information custodian,” or an HIC, is an individual or an organization that has custody or control of personal health information.
Examples of HICs include:
- All regulated Healthcare Professionals that provide “healthcare” or other medical services for “health-related purposes” in Ontario (e.g. doctors, nurses, dental professionals, dieticians, nutritionists, physiotherapists, chiropractors, massage therapists, speech-language pathologists, medical laboratory technologists, occupational therapists, opticians, and more);
- Healthcare facilities (e.g. hospitals, psychiatric facilities);
- Long-term care homes, retirement homes, and homes for special care;
- Laboratories and research agencies;
- Community care access corporations;
- Ambulance services;
- And more.
Health information custodians DO NOT include:
- A Healthcare Professional or service provider who is an agent of a health information custodian;
- A person who provides treatment solely by spiritual means or by prayer.
What’s an “agent of a health information custodian?”
An “agent of a health information custodian” is any person who is authorized by a custodian to perform services or activities involving PHI on their behalf. That includes any person or company that is employed by, volunteers for, or contracts with an HIC and thus, may have access to PHI, like a nurse in a hospital, office staff in a clinic, or a law firm on retainer.
Am I a health information custodian or an agent?
You are a health information custodian if you have custody and control of personal health information and you:
- Are a regulated Healthcare Professional;
- Own and/or operate a private practice; and/or
- Own and/or operate a healthcare organization (care facility, research agency, etc.).
However, even if you technically fall under the definition of a health information custodian, you’re considered an agent if you work under or on behalf of another HIC, whether that’s a regulated Healthcare Professional, a private practice, or a hospital.
What are my obligations under PHIPA?
If you’re an HIC, you must:
- Develop and implement data security policies that outline:
  - When, how, and why you are collecting, retaining, or disposing of PHI; and
  - The administrative, technical, and physical safeguards in place with respect to PHI;
- Ensure that all agents are aware of their obligations under PHIPA;
- Notify individuals if their PHI is used or disclosed in a manner outside what was previously agreed upon;
- Respond to public inquiries about your data security policies;
- Respond to requests for access or correction;
- Report and respond to all potential privacy breaches;
- And more.
If you’re an agent of an HIC, you must ensure that the collection, use, disclosure, retention, or disposal of all PHI is:
- Authorized by the HIC;
- Necessary for the purposes of carrying out your duties as an agent;
- Compliant with PHIPA; and
- Compliant with any specific restrictions, policies, or practices established by the HIC.
Failure to adhere to any of the regulations above could lead to an investigation by the IPC and strict penalties.
Who bears greater responsibility for data?
Ultimately, a health information custodian is responsible for the PHI in their custody, even if they permit an agent to collect, use, disclose, retain, and dispose of information on their behalf.
The HIC will also be held accountable if an agent violates PHIPA. That includes sole practitioners, who are still held to the same standard of healthcare, even if they aren’t incorporated, don’t have staff, and don’t have access to the same assets as a major corporation.
Offences Under PHIPA:
What counts as an offence under PHIPA?
If organizations fail to safeguard, retain, or dispose of personal information in their custody or fail to report a privacy breach, they risk severe penalties for compliance violations.
Other offences under PHIPA include:
- Collecting, using, or disclosing PHI in contravention of PHIPA’s regulations (both intentional and unintentional);
- Requesting access to or correcting PHI under false pretences;
- Purposely disposing of records to avoid providing access to individuals or an investigation by the IPC;
- Stalling or obstructing the IPC, or one of its delegates, during the course of an investigation;
- Vengeful or disciplinary behaviour towards an individual who has made a complaint to the IPC;
- Failing to comply with the IPC’s orders.
What are the consequences for offences under PHIPA?
HICs and agents who have acted reasonably and in good faith will generally be protected from liability. But the penalties for those who willfully violate or disregard PHIPA are steep—and they’ve climbed even higher in the last year.
Following the amendments to PHIPA in 2020, the maximum fines for privacy offences have doubled from $100,000 to $200,000 for individuals and from $500,000 to $1,000,000 for organizations, with the possibility of up to one year of imprisonment.
Additionally, whether or not the organization itself is prosecuted or convicted, PHIPA holds officers, members, employees or agents of corporations personally liable for corporate offences if they authorize an offence or knowingly refrain from preventing an offence.
Keep in mind: regulatory fines will be levied on top of existing breach remediation costs, such as forensic investigation, client notification, credit monitoring, legal fees, and more. Plus, anyone convicted of an offence under PHIPA may be subject to lawsuits from disgruntled patients whose information was compromised. Finally, PHIPA allows courts to award up to $10,000 in mental anguish damages per victim if they determine that harm was caused by reckless misconduct.
Amendments to PHIPA:
What are the changes to PHIPA?
In early 2020, significant amendments were made to PHIPA by Bill 188, Economic and Fiscal Update Act, 2020 to strengthen the protection of PHI and enhance the IPC’s oversight. In addition to heavier fines, the updates have given the IPC the power to directly impose penalties on HICs and agents for PHIPA violations instead of relying on court proceedings to do so.
While the enforcement amendments took effect immediately, stricter rules regarding the handling of electronic PHI will come into force at a later date upon proclamation by the Lieutenant Governor. That includes regulations for electronic audit logs, new de-identification standards, and new rules for consumer electronic service providers (e.g. developers of mobile device applications and online portals that process PHI) and the HICs that use them. The changes will affect all Healthcare Professionals and technology companies that process personal health information.
For more information, please consult the following resources:
- Bill 188, Economic and Fiscal Update Act, 2020
- Towards A More Integrated Health System? Amendments to PHIPA and Announcements about Digital and Virtual Health Care (from Fasken law firm)
- Health/Privacy and Cybersecurity Bulletin (from Fasken law firm)
- Recent Changes to the Personal Health Information Protection Act (from Lerners LLP)
How can I protect PHI?
Although it may be some time before the technology changes take effect, PHIPA has already increased the IPC’s punitive and oversight powers, while simultaneously giving individuals more control over their personal information. But with health records—and healthcare in general—becoming more digitized and breaches on the rise worldwide, this likely won’t be the last of PHIPA’s amendments in the near future.
Now more than ever, it is crucial for all HICs, large and small, to safeguard their data, their organizations, and their patients by adopting a more proactive stance towards privacy management. Take steps to build a more cyber-aware workforce. Ensure all staff know how to securely collect, use, store, and dispose of PHI. Implement adequate physical, administrative, and technical defences to protect sensitive information and back up all data regularly.
For more guidance on cybersecurity measures, check out our helpful resources:
- How Can Healthcare Professionals Manage the Risks of Virtual Care?
- Prepare Now or Pay Later: How Can Businesses Mitigate the Risk of Ransomware?
- Sink or Swim: How Can Businesses Survive the Cybercrime Tsunami?
- Cyber Security & Privacy Breach Toolkit
For more comprehensive guidance, consult a licensed broker like PROLINK. With over 40 years of experience, we’ve seen it all—privacy breaches, laws, amendments, and more. PROLINK can help you plan and protect with a tailored cyber risk management approach and a specialized Data Security & Privacy Breach Insurance policy unique to your organization’s needs.
To learn about your privacy exposures and how you can protect yourself, connect with PROLINK today!