PHIPA Compliance for Healthcare Mobile Apps: Clear All Your Doubts with Our PHIPA Experts

3 years ago

This blog is for those who own a healthcare mobile app, or plan to build one, but have doubts regarding PHIPA compliance.

You can expect to learn more about the PHIPA rules and regulations that may apply to your healthcare app.

And if you still cannot figure it out, you can hire our PHIPA compliance experts who have been dealing with healthcare compliance for more than 7 years. 

So, let’s start. 

Frequently asked questions around PHIPA compliance for healthcare mobile apps 

1) Does PHIPA apply to my healthcare mobile app? 

PHIPA is the dedicated healthcare-specific privacy law imposed by the Ontario provincial government.

So it applies to your healthcare mobile app under two main conditions:

  • If your healthcare app collects, stores or shares personal and medical information of patients.
  • And if your healthcare app is available in Ontario.

2) How does PHIPA affect my healthcare mobile app? 

Well, the purpose of PHIPA is to establish rules and regulations for the collection, use and disclosure of patients' personal information.

It sets out the rules that define under which conditions you can save, use and share patient data, and what privacy measures you must put in place to ensure data privacy and security.

So, if you follow all the regulations of PHIPA, you end up with a healthcare mobile app that is highly private and secure.

But if you are non-compliant, you become liable for a hefty fine from the privacy commissioner.

3) What rights do my app users have under PHIPA? 

  • You need to inform them of the purpose for which you are collecting, storing and sharing their personal health data.
  • You have to notify them if their data is stolen or lost. You also need to notify them if any unauthorized person gains access to their data.
  • They can refuse to give you consent for storing, using and sharing their personal health data.
  • They can withdraw their consent.
  • They can ask you to provide a copy of their personal health information.
  • They can request that you make corrections to their data.

4) Which types of patient data must my app handle with regard to the PHIPA act?

PHIPA clearly states that any 'identifying information' about an individual is protected under the act. This identifying information includes:

  • Any data related to a patient's physical or mental condition
  • Any data related to the medical history of a patient's family
  • Any data related to a patient's eligibility for healthcare or for healthcare coverage
  • A patient's health number
  • The identity of a patient's healthcare provider or substitute decision-maker

5) How long does my healthcare app need to keep personal data of patients? 

PHIPA requires you to keep patient data in such a manner that you are able to provide it back to patients if they ask for it, at any time.

However, PHIPA does not specify how many years you must keep patient data. Thus, you must refer to your governing legislation to learn the applicable record retention requirements.

6) What do I have to keep in mind if I need to collect, use and share the data of my users? 

Well, you can surely store, use and share the personal data of your users, but only under some conditions.

The most important condition is that you must obtain the consent of users before handling their data.

PHIPA also defines 4 major characteristics of consent:

  • It must be knowledgeable
  • It must be voluntary
  • It must be related to the information in question
  • It must be given by the individual

7) How must my healthcare app use the personal healthcare data of patients? 

Your healthcare app must address these 3 conditions to use data legally.

  • It must ask for patients' consent before using their data.
  • It must not use patient data if other information would serve the same purpose.
  • You need to use data only if there is a valid purpose behind it.
  • It must ensure that patient data is as complete, accurate and up-to-date as is necessary for the purposes.

8) Do I need to save, use and share patient data only in Ontario or Canada? 

No, PHIPA does not make it mandatory to save, use and share patient data only in Ontario or Canada. 

You can store, use and share it even outside of Ontario and Canada. But you must ensure there are administrative and technical safeguards in place wherever patient data is stored.

9) Is PIA (Privacy Impact Assessment) mandatory under PHIPA?  

A PIA reveals the privacy vulnerabilities across an entire organization. Under the HIA (Health Information Act of Alberta), it is mandatory.

Under PHIPA, however, a PIA is not mandatory. Still, we would suggest you carry out a PIA to eliminate every possible privacy vulnerability from your organization.

10) What if I don’t build a PHIPA-compliant healthcare app in Ontario? 

If you commit an offence under PHIPA, you as an organization or startup can be liable for a fine of up to $250,000. 

And in some cases, you may be subject to a civil suit for damages for breach of privacy.

One lesson we’ve learned in our 7+ years of practice as PHIPA experts in Ontario  

“Healthcare compliance isn’t a choice. IT IS THE ONLY CHOICE! Because Canadians are serious about data privacy and security. And the government is even more.” 

So, to help you understand how we help you be compliant with applicable healthcare privacy laws (HIPAA, PHIPA, PIPEDA, HIA or others), let us share two real case studies.

Case study 1: How we made a healthcare app compliant with HIPAA

Case study 2: How we executed a PIA on a healthcare project