To help healthcare entities and entrepreneurs struggling with the complexities of healthcare laws, I have started writing the ‘healthcare laws’ blog series. This is the 3rd blog of the series. Previously, I wrote about,
In this 3rd blog of the series, I will share everything about the major healthcare law applicable in Ontario, Canada – PHIPA.
An Introduction to PHIPA Ontario
PHIPA (Personal Health Information Protection Act) has been enacted by the Ontario provincial government. Though there are many differences between PHIPA, HIPAA (US federal law) and PIPEDA (Canadian federal law), the rules established under PHIPA are inspired by HIPAA and PIPEDA.
The major difference between PHIPA and PIPEDA is scope. PHIPA applies to Ontario-based healthcare entities that store, use and disclose patients’ personal health information (PHI), whether or not they do so in the course of commercial activity. PIPEDA, by contrast, applies to Canada-based organizations that store, use and disclose PHI only in the course of commercial activity.
The major difference between PHIPA and HIPAA is approach. PHIPA focuses on objectives and therefore asks healthcare providers to take ‘reasonable steps’ to ensure PHI security, whereas HIPAA focuses on method and therefore prescribes the ways in which PHI security is to be ensured.
PHIPA was designed with the aim of giving individuals greater control over their data and protecting personal information across the healthcare sector. It also sets out rules for the collection, use and disclosure of PHI within the province of Ontario.
The Purpose of the PHIPA
Because of its late adoption of cybersecurity technologies, its largely non-IT workforce and the valuable information it holds, the healthcare industry is a ‘soft target’ for hackers and intruders. To define best practices for data storage, usage and sharing, and to ensure that all healthcare providers prioritize ePHI security, the Ontario provincial government has enacted PHIPA.
Another purpose of PHIPA is to enable individuals to access their own personal health information and to make changes to it. PHIPA also gives individuals the right to file a complaint against healthcare providers who violate the law.
Overall, the two major purposes of PHIPA are to establish clear rules for the collection, use and sharing of PHI by healthcare providers, and to give individuals more control over their data.
However, the act does not affect the patient-provider relationship!
Does PHIPA Apply to You?
Let’s check based on who you are!
- Are you an individual? – PHIPA does apply!
PHIPA has an impact on everyone living in Ontario. PHIPA allows individuals to access their personal health information and make changes to it.
- Are you a healthcare provider (custodian)? – PHIPA does apply!
The act defines 7 types of healthcare providers or custodians. In general, anyone who offers healthcare services is called a healthcare provider or custodian. These include health care practitioners, long-term-care service providers, community care access corporations, hospitals, pharmacies, laboratories and medical officers.
- Are you a recipient? – PHIPA does apply!
PHIPA describes anyone who receives PHI from healthcare providers as a recipient or agent. Insurance companies, employers and researchers are recipients and therefore have to adhere to PHIPA Ontario requirements.
- Are you an IT service provider? – PHIPA does apply!
Even if you are neither a healthcare provider nor a recipient, PHIPA still applies to you. The act includes many requirements for IT service providers who provide IT services to healthcare providers.
What Does PHIPA Protect?
The major purpose of PHIPA is to protect all of a patient’s personal health information. It is worth mentioning, however, that the act does not apply to data that is not collected, used or disclosed.
PHIPA protects the following information.
- Data related to individuals’ physical and mental health
- Data related to individuals’ family health history
- Data related to the provision of health care
- Data related to long-term care plan of individuals
- Data related to payment
- Data related to eligibility for healthcare
- Data related to the donation of body parts
- Individuals’ health numbers
PHIPA sets out different rules for the different activities performed by healthcare providers, recipients and IT service providers.
PHIPA Regulations for IT Service Providers:
- In case of any breach or unauthorized access, IT service providers should notify healthcare providers.
- IT service providers should make information about the services provided to the healthcare providers available publicly. They should also publish directives, guidelines and policies of the services.
- Upon request of the healthcare providers, IT service providers should provide them with the data of all accesses and transfers of PHI.
- IT service providers should provide healthcare providers with threat risk assessment and privacy impact assessment of the services.
- IT service providers should sign an agreement with healthcare providers. The agreement must describe the services and the administrative, technical and physical safeguards.
PHIPA Regulations for Healthcare Providers:
Let’s categorize the PHIPA regulations for healthcare providers based on different activities or practices.
1. General Practice
- Healthcare providers can only collect, use and disclose the PHI if the individual permits.
- Healthcare providers cannot collect, use and disclose the information if other information would serve the purpose.
- Healthcare providers must not collect, use and disclose the information more than needed.
- Healthcare providers should get express consent to collect, use and disclose PHI for marketing purposes.
2. Fundraising Practice
- Healthcare providers can only collect, use and disclose the PHI for fundraising purposes if permitted by individuals.
- If healthcare providers collect, use and disclose only an individual’s name and mailing address, only implied consent is needed.
- Healthcare providers can collect, use and disclose the PHI only for charitable or philanthropic purposes.
3. Health Cards and Health Numbers Related Practice
- Anyone who is not a healthcare provider cannot collect and use health cards and health numbers.
- Anyone who is not a healthcare provider can only collect and use health cards and health numbers for purposes such as health administration, health planning and health research.
- Anyone who is not a healthcare provider can only collect and use health cards and health numbers if a healthcare provider has shared the number with them.
- Anyone who is not a healthcare provider cannot disclose a health number except for purposes related to research and the provision of provincially funded health resources.
4. Data Collection Practice
According to the rule, healthcare providers must collect data directly from the individuals concerned. However, they can collect data indirectly under limited circumstances. A healthcare provider can collect information indirectly,
- If the individual permits.
- If the information is vitally important for the provision of healthcare and it is not feasible to collect it directly.
- If the healthcare provider is a provincial or municipal government entity and the data is required for an investigation.
- If the healthcare provider is collecting data from a person who is not a healthcare provider for research purposes.
- If the healthcare provider is collecting data from a person who is not a healthcare provider for the planning and management of the health system.
5. Data Usage Practice
Healthcare providers must always obtain an individual’s permission before using their data. Permission is not required only in the following circumstances.
- If the individual is required by law to share their information with healthcare providers.
- If the purpose of the data usage is planning or delivering programs or services that the healthcare provider provides or funds.
- If the purpose is risk management or error management.
- If the purpose is improving the quality of care.
- If the purpose is education.
- If the purpose is a proceeding.
- If the purpose is obtaining payment.
- If the purpose is research.
6. Data Disclosure Practice
Healthcare providers cannot share PHI without the permission of individuals. However, they can share or disclose the data without permission in a number of situations.
- Healthcare providers can disclose data of a deceased individual.
- Healthcare providers can disclose data for health or other programs.
- Healthcare providers can disclose data related to the risks.
- Healthcare providers can disclose data related to care and custody.
- Healthcare providers can disclose data for a proceeding.
- Healthcare providers can disclose data to a successor.
- Healthcare providers can disclose data for research purposes.
- Healthcare providers can disclose data for planning and management of the health system.
- Healthcare providers can disclose data for payment.
PHIPA Regulations for Recipients:
- The recipients who get data from the healthcare providers must not use or disclose the data other than the purpose for which it is shared by healthcare providers.
- PHIPA regulations for recipients do not apply to provincial or municipal government entities.
- Recipients can provide information to pharmacists to help them advise individuals only if the recipients provide coverage for payment and other medication-related services.
PHIPA Regulations for Individuals:
- Individuals can get access to their personal information.
- Individuals cannot get access to someone else’s personal information.
- Individuals cannot get access to the record which includes quality of care information and raw information used solely for research purposes and laboratory experiments.
- Healthcare providers can deny providing information collected for proceeding.
- Healthcare providers can deny providing information collected during the investigation and inspection.
- If a healthcare provider is a government entity, it can deny providing information under privacy laws that only apply to government institutions.
- Individuals should make the ‘request to access’ in writing and provide sufficient information so that healthcare providers can easily identify the record. If the information isn’t sufficient, healthcare providers should offer assistance. The healthcare providers should respond within 30 days of ‘request to access’.
- Individuals can also make a written request to make changes in their data. The healthcare providers should respond within 30 days of the request.
The PHIPA Enforcement
A person who believes that another person, business or corporation has violated PHIPA can lodge a complaint in writing with the Information and Privacy Commissioner of Ontario.
The Information and Privacy Commissioner of Ontario can conduct a review of the complaint if it is not resolved informally. The Commissioner can also carry out a self-initiated review when no one has filed a complaint.
While conducting the review, the Commissioner can visit your premises, require you to produce records, summon persons and issue a binding order.
The PHIPA Violation Charges
Both federal and provincial governments believe that ePHI security should be the top priority of entities operating in the healthcare sector.
If an individual commits an offence under PHIPA, they can be liable for a fine of up to $100,000. If an entity or organization commits an offence under PHIPA, it can be liable for a fine of up to $500,000.
Remarkable Roles of PHIPA Consultants
We are a team of Canada’s best healthcare compliance consultants. My team includes healthcare compliance consultants, app developers and security experts. Because of this full-strength team, we are able to help you in multiple ways.
- Carry out security standard audit, asset & device audit, and security risk assessment
- Discover the app/software security gaps
- Find out the workable solutions to fill those security gaps
- Assist the development team to implement those workable solutions
- Create an organization-wide security policy
- Carry out compliance audits
- Help you address regulations imposed by non-government regulatory bodies
We work with healthcare providers, entrepreneurs and even app/software development firms. In fact, my team recently helped a development firm to fill 47 security gaps in a healthcare app to make it HIPAA compliant. [Read the full case study here]
So, if you’re struggling with healthcare laws and healthcare compliance audits, you can freely contact us for expert help. We’re based in Burlington, Ontario. Let’s schedule a one-on-one meeting.