You should be aware of PHIPA regulations if you are:
- A healthcare provider
- A healthcare app/software owner
- An IT service provider to a healthcare entity
- Working with a healthcare entity for research or insurance purposes
Because if you, as an entity or organization, commit an offence under PHIPA, you can be liable for a fine of up to $500,000!
Let’s Start With the Basics of PHIPA Ontario
PHIPA (Personal Health Information Protection Act) has been enacted by the Ontario provincial government.
Though there are many differences between PHIPA, HIPAA (US federal law) and PIPEDA (Canadian federal law), the rules established under PHIPA are inspired by the HIPAA and PIPEDA rules.
PHIPA vs PIPEDA:
The major difference between PHIPA and PIPEDA is that PHIPA applies to Ontario-based healthcare entities that store, use and disclose patients’ personal health information (PHI) whether or not they do so in the course of commercial activity, whereas PIPEDA applies to all Canada-based organizations that store, use and disclose PHI only in the course of commercial activity.
PHIPA vs HIPAA:
The major difference between PHIPA and HIPAA is that PHIPA focuses on objectives and therefore asks healthcare providers to take ‘reasonable steps’ to ensure PHI security, whereas HIPAA focuses on methods and therefore prescribes the ways in which PHI security is to be ensured.
The Purpose of the PHIPA
The Ontario provincial government enacted PHIPA to define best practices for data storage, usage and sharing, and to ensure that all healthcare providers prioritize ePHI security.
Another purpose of PHIPA is to enable individuals to access their own personal health information and to make changes in those details.
PHIPA gives individuals the freedom to file a complaint against healthcare providers who violate the PHIPA law.
Overall, the two major purposes of PHIPA are establishing clear rules for PHI collection, usage and sharing by healthcare providers, and giving individuals more control over their data.
However, the act does not affect the patient-provider relationship!
Does PHIPA Apply to You?
Let’s check based on who you are!
- Are you an individual? – PHIPA does apply!
PHIPA has an impact on everyone living in Ontario. PHIPA allows an individual to get access to their personal health information and make changes to it.
- Are you a healthcare provider (custodian)? – PHIPA does apply!
The act defines 7 types of healthcare providers or custodians.
These healthcare providers include health care practitioners, long-term-care service providers, community care access corporations, hospitals, pharmacies, laboratories and medical officers.
- Are you a recipient? – PHIPA does apply!
The PHIPA act describes anyone who receives PHI from healthcare providers as a recipient or agent.
Insurance companies, employers and researchers are called recipients and thus have to adhere to PHIPA Ontario requirements.
- Are you an IT service provider? – PHIPA does apply!
Even if you are neither a healthcare provider nor a recipient, PHIPA still applies to you.
The PHIPA act includes many requirements for IT service providers who provide IT services to healthcare providers. (We will discuss these requirements later in this blog.)
What Does PHIPA Protect?
The major purpose of PHIPA is to protect all personal health information of patients.
However, it is worth mentioning here that the PHIPA act does not apply to data that is not collected, used or disclosed.
PHIPA protects the following information:
- Data related to individuals’ physical and mental health
- Data related to individuals’ family health history
- Data related to the provision of health care
- Data related to long-term care plan of individuals
- Data related to payment
- Data related to eligibility for healthcare
- Data related to the donation of body parts
- Individuals’ health number
PHIPA Ontario Regulations
PHIPA sets out different rules for the different activities performed by healthcare providers, recipients and IT service providers.
PHIPA Regulations for IT Service Providers:
- In case of any breach or unauthorized access, IT service providers should notify the healthcare providers.
- IT service providers should make information about the services provided to healthcare providers publicly available. They should also publish the directives, guidelines and policies of the services.
- Upon request of the healthcare providers, IT service providers should provide them with a record of all accesses and transfers of PHI.
- IT service providers should provide healthcare providers with a threat risk assessment and a privacy impact assessment of the services.
- IT service providers should sign an agreement with healthcare providers. The agreement must include a description of the services and of the administrative, technical and physical safeguards.
PHIPA Regulations for Healthcare Providers:
Let’s categorize the PHIPA regulations for healthcare providers based on different activities or practices.
1. General Practice
- Healthcare providers can only collect, use and disclose PHI if the individual consents.
- Healthcare providers cannot collect, use and disclose the information if other information serves the purpose.
- Healthcare providers must not collect, use and disclose more information than needed.
- Healthcare providers should get express consent to collect, use and disclose PHI for marketing purposes.
2. Fundraising Practice
- Healthcare providers can only collect, use and disclose PHI for fundraising purposes if permitted by the individual.
- If healthcare providers collect, use and disclose only an individual’s name and mailing address, implied consent is needed.
- Healthcare providers can collect, use and disclose PHI for fundraising only for charitable or philanthropic purposes.
3. Health Cards and Health Numbers Related Practice
- Anyone who is not a healthcare provider cannot collect and use health cards and health numbers in general.
- Anyone who is not a healthcare provider can only collect and use health cards and health numbers for purposes such as health administration, health planning and health research.
- Anyone who is not a healthcare provider can only collect and use health cards and health numbers if a healthcare provider has shared the number with them.
- Anyone who is not a healthcare provider cannot disclose the health number except for purposes related to research and the provision of provincially funded health resources.
4. Data Collection Practice
According to the rule, healthcare providers must collect data directly from the individuals. However, they can collect data indirectly under limited circumstances. A healthcare provider can collect information indirectly:
- If the individual permits.
- If the information is vitally important for the provision of healthcare and it is not feasible to collect the data directly.
- If the healthcare provider is a state or municipal government entity and the data is required for an investigation.
- If the healthcare provider is collecting data from a person who is not a healthcare provider for research purposes.
- If the healthcare provider is collecting data from a person who is not a healthcare provider for the planning and management of the health system.
5. Data Usage Practice
Healthcare providers must always ask an individual’s permission before using their data. Permission is not required only in the following circumstances:
- If the individual is required by law to share their information with healthcare providers.
- If the purpose of the data usage is planning or delivering programs or services that the healthcare providers provide or fund.
- If the purpose of the data usage is risk management or error management.
- If the purpose of the data usage is improving the quality of care.
- If the purpose of the data usage is education.
- If the purpose of the data usage is a legal proceeding.
- If the purpose of the data usage is obtaining payment.
- If the purpose of the data usage is research.
6. Data Disclosure Practice
Healthcare providers cannot share PHI without the permission of individuals. However, they can share or disclose the data without permission in a number of situations:
- Healthcare providers can disclose data of a deceased individual.
- Healthcare providers can disclose data for health or other programs.
- Healthcare providers can disclose data related to risks.
- Healthcare providers can disclose data related to care and custody.
- Healthcare providers can disclose data for a legal proceeding.
- Healthcare providers can disclose data to a successor.
- Healthcare providers can disclose data for research purposes.
- Healthcare providers can disclose data for the planning and management of the health system.
- Healthcare providers can disclose data for payment.
PHIPA Regulations for Recipients:
- Recipients who get data from healthcare providers must not use or disclose the data for any purpose other than the one for which the healthcare providers shared it.
- PHIPA regulations for recipients do not apply to state or municipal government entities.
- Recipients can provide information to pharmacists to help them advise individuals only if the recipients provide coverage for payment and other medication-related services.
PHIPA Regulations for Individuals:
- Individuals can get access to their own personal information.
- Individuals cannot get access to someone else’s personal information.
- Individuals cannot get access to records that include quality of care information, or raw information used solely for research purposes and laboratory experiments.
- Healthcare providers can deny access to information collected for a legal proceeding.
- Healthcare providers can deny access to information collected during an investigation or inspection.
- If a healthcare provider is a government entity, it can deny access to information under privacy laws that apply only to government institutions.
- Individuals should make the ‘request to access’ in writing and provide sufficient information so that the healthcare provider can easily identify the record. If the information isn’t sufficient, the healthcare provider should offer assistance. The healthcare provider should respond within 30 days of the ‘request to access’.
- Individuals can also make a written request to have their data corrected. The healthcare provider should respond within 30 days of the request.
[Infographic: PHIPA Privacy Law – In Essence. Source: IPC Ontario]
The PHIPA Enforcement
A person who believes that another person, business or corporation is violating the PHIPA act can lodge a complaint in writing with the Information and Privacy Commissioner of Ontario.
The Information and Privacy Commissioner of Ontario can conduct a review of the complaint if it is not resolved informally.
The Information and Privacy Commissioner of Ontario can also carry out a self-initiated review when no one has filed a complaint.
While conducting the review, the Commissioner can visit your premises, ask you to produce records, summon persons and issue a binding order.
PHIPA for Healthcare Mobile Apps/Software
After reading this far, you must have understood that your app should be PHIPA compliant.
So, now the question is: how do you make a healthcare app/software PHIPA compliant?
Unfortunately, the PHIPA guideline does not spell out the steps to make an app PHIPA compliant.
But the simplest method is to make sure that there is no security loophole in the app. (Simplest in theory, not in practice!)
Another thing you need to ensure is that you do not share any user data without the consent of the users.
If you are using a third-party API such as Zoom for communication purposes, it should be PHIPA compliant too.
The app should have basic security features such as two-factor authentication.
Your organization should also have a policy or strategy to mitigate any data breach.
There are many more requirements to make your healthcare app PHIPA compliant. But ultimately, all requirements lead to one major requirement – anything that keeps data secure!
Remarkable Roles of PHIPA Consultants
Our team includes healthcare compliance consultants, app developers and security experts. Because of this full-strength team, we are able to help you in multiple ways:
- Carry out security standard audits, asset and device audits, and security risk assessments
- Discover the app/software security gaps
- Find workable solutions to close those security gaps
- Assist the development team to implement those workable solutions
- Create an organization-wide security policy
- Carry out compliance audits
- Help you address regulations imposed by non-government regulatory bodies
We work with healthcare providers, entrepreneurs and even app/software development firms.
In fact, we recently helped a development firm to fill 47 security gaps in a healthcare app to make it HIPAA compliant. [Read the full case study here]
So, if you’re struggling with healthcare laws and healthcare compliance audits, you can freely contact us for expert help.
CEO Talks: Let’s schedule a one-on-one meeting. I am looking forward to sharing earned knowledge for free. (I am leading our team of PHIPA consultants.)