The Personal Health Information Protection Act (PHIPA) represents a comprehensive model for the protection of personal health information in the province of Ontario. The PHIPA is one of the two parts of the Health Information Protection Act, the other being the Quality of Care Information Protection Act.
About the PHIPA
The PHIPA was enacted November 1, 2004 and outlines privacy policies and practices for health information custodians in the province of Ontario. It was necessary to develop the appropriate legislative provisions for Ontario health care providers to ensure the privacy of personal health information in a way that is consistent with effective health care services. The purposes of the PHIPA are as follows:
- To establish regulations for the collection, use and disclosure of personal health information in a manner that protects the confidentiality of the information and the privacy of the individuals in question.
- To provide individuals with the right to access personal health information about themselves and to correct or amend such information, subject to certain exceptions.
- To provide independent review and resolution of personal health information complaints.
Under the PHIPA, personal health information is defined as identifying information about an individual, whether it is recorded or unrecorded. This may include information regarding:
- Physical or mental health records of the individual
- Family health history
- Identification of an individual as a health care provider
- Plan of service
- Payments or eligibility for health care
- Donation of body parts or bodily substances
- Individual’s health number
- Identification of individuals’ substitute decision-maker
The PHIPA primarily applies to the management and safeguarding of personal health information under the responsibility of health information custodians. A health information custodian is defined under the PHIPA as:
- Health care practitioners, as individuals or a group practice (e.g. a physician, dentist, nurse or social worker; any person whose primary function is to provide health care for payment)
- Persons or organizations that provide a community health service
- Community care access centers
- Public or private hospitals
- Psychiatric facilities
- Long-term care facilities
- Laboratory or specimen collection center
- Ambulance service
- Board of health
- Ministry of Health and Long-Term Care
Agents of health information custodians are individuals authorized by the custodian to fulfill functions related to the personal health information. Agents may work on a paid or voluntary basis. Agents of health information custodians may include:
- Independent contractors engaged by the custodian
Responsibilities for Health Information Custodians
Under the PHIPA, all health information custodians are held responsible for protecting personal health information under their control. This means that custodians and their agents may only collect, use, disclose, retain or dispose of personal health information as it is permitted under PHIPA.
For health information custodians who are not individuals (e.g. hospitals, community centers, pharmacies), a contact person must be designated to be responsible for PHIPA compliance. This individual is responsible for the proper oversight and accountability of health information privacy practices and policies.
A written statement from the custodian must be made available and accessible to the public. This statement must describe:
- The custodian’s information practices
- How to contact the privacy contact person
- How to gain access to or request correction of a health record
- How to make a complaint under the PHIPA
The health information custodian must take reasonable precautions to ensure that the personal health information is protected against theft, loss, unauthorized use or unintended disclosure. The information must also be protected against unauthorized copying, modification or disposal. In the case of such events, the health information custodian must take steps to inform the individual of the occurrence at the first reasonable opportunity.
Before collecting, using or disclosing personal health information, the custodian is obliged under the PHIPA to obtain the individual’s consent. Such consent is described as:
- Being from the individual or authorized substitute
- Knowledgeable, meaning that the individual reasonably knows the purpose for the collection, use and disclosure of the information, as well as his/her right to withhold consent
- Related to the information
- Not obtained through deception or coercion
The consent may be express or implied. In situations of implied consent, a health care custodian assumes that the individual has given consent for the sharing of his/her health information in order to provide health care. In such situations, no consent form is required. In practice, the PHIPA permits health care custodians to assume implied consent to collect, use or disclose health information, unless the individual states otherwise.
In other situations, health care custodians are required to request oral, written or electronic consent before sharing personal health information. This is referred to as express consent. The PHIPA does not require a specific form of express consent. However, an individual may withdraw his/her consent at any time; the withdrawal cannot have retroactive effect.
Interaction with other Legislation
Although the federal Personal Information Protection and Electronic Documents Act (PIPEDA) was passed just a few months before the PHIPA, its provisions were noted to be especially problematic for health sector stakeholders. The PIPEDA was not developed with consideration for the needs of health care or for the organizations that collect, use or disclose personal health information.
The general rule is that where there are conflicts between the PHIPA and any other legislation, the PHIPA will prevail, unless both acts can be upheld, or unless otherwise specified. However, there are certain situations that the PHIPA does not interfere with:
- Legal privileges, such as lawyer-client privilege or mediation privilege.
- Law of evidence.
- Power of a court or tribunal to compel testimony or evidence.
- Law or court orders prohibiting publication of information.
- Regulatory activities of a body of a health profession or social workers.
In December 2005, the PHIPA was declared to be substantially similar to the PIPEDA, which exempted health information custodians in Ontario from the regulations and provisions of the PIPEDA, regarding the collection, use and disclosure of personal information.
Substantially similar legislation provides privacy protection that is consistent with and to an equal or higher level as the federal PIPEDA. Such legislation incorporates the ten principles outlined in the PIPEDA (i.e. accountability; identifying purposes; consent; limiting collection; limiting use, disclosure and retention; accuracy; safeguards; openness; individual access; and challenging compliance).
Individuals who are dissatisfied with a health information custodian’s management of their personal information may choose to file a complaint with the Information and Privacy Commissioner of Ontario (IPC). The IPC of Ontario is an independent and non-partisan body appointed by the Ontario Legislature. The Commissioner is responsible for ensuring that health information custodians are upholding the PHIPA and other provincial privacy legislation.
The IPC of Ontario has the authority to investigate and make rulings about complaints. The following are possible reasons for filing a complaint under the PHIPA with the IPC:
- Health information custodians or their agents have collected, used or shared personal health information in a manner that is contrary to the PHIPA.
- An individual’s request to access his/her personal health record has been denied.
- An individual’s request to correct his/her personal health information has been denied.
While health information custodians are obliged under the PHIPA to correct incomplete or inaccurate health records, they are not required to change professional health opinions or to correct records created by other health care providers.
After receiving the complaint, the IPC may choose to take the following steps:
- Encourage the individual to resolve the complaint directly with the health information custodian.
- Authorize a mediator to review the complaint and attempt to negotiate a settlement.
- Review the complaint if there are reasonable grounds. The IPC may receive evidence and information necessary for review.
- Make orders requiring compliance with the PHIPA, to grant an individual access, to make a requested correction or to implement a specific health information practice.
Only the Attorney General may initiate a prosecution for an offence under the PHIPA. Such offences include:
- Collecting, using or disclosing personal health information in violation of the PHIPA.
- Disposing of personal health records in order to evade a request for access.
- Obstructing the IPC or an agent of the IPC from carrying out his/her functions.
- Making false statements to the IPC.
- Failing to comply with an IPC order.
- Requesting access to or correction of a health record under false pretences.
Offences against the PHIPA can result in fines up to $50,000 for individuals and up to $250,000 for corporations.
This article discusses the Personal Health Information Protection Act, or PHIPA (2004), which applies to the collection, use and disclosure of personal health information by health care providers in the province of Ontario. The article describes the responsibilities of providers and rights of individuals under the PHIPA and examines the procedure and policies enabling recourse under the PHIPA.
In preparation for the Certified Information Privacy Professional/Canada exam, a privacy professional should be comfortable with topics related to this post, including:
- Health Information Privacy and the Private Sector: The Personal Health Information Protection Act (III.C.)