What Are PHIPA Act Personal Health Information Safeguards?
The Personal Health Information Protection Act, or PHIPA, is a Canadian health information data privacy law. Under the PHIPA Act, health information custodians must protect personal health information in their custody or control. Custodians must also ensure that health records are retained, transferred, and disposed of in a secure manner. PIPEDA compliance requires custodians to take specific safeguards to ensure that health data transmitted via mail, the Internet, fax, email, or video is kept secure.
PHIPA Act Personal Health Information Safeguards: General Rules
Under the PHIPA Act, health information custodians (individuals who are the HIPAA equivalent of covered entities and business associates) must take steps to ensure that personal health information in the custodian’s custody or control is protected. Personal health information is the equivalent of protected health information (PHI) under HIPAA, in that both types of information must be protected against theft, loss, and unauthorized use or disclosure. Custodians must also take reasonable measures to ensure that the records containing personal health information are protected against unauthorized copying, modification, or disposal. To ensure that personal health information records are retained, transferred, and disposed of in a secure manner, custodians must implement a series of physical, administrative, and technical security controls.
Under the PHIPA Act, physical security controls are similar to the physical safeguards required under HIPAA. PHIPA Act physical security controls include:
- Controlling and limiting access to areas where personal health information records are stored, by locking doors, or by use of employee access cards.
- Using lockable file cabinets.
- Protecting areas where personal health information records are stored from fire, flooding, and other natural hazards.
Under the PHIPA Act, administrative controls – the equivalent of HIPAA’s administrative safeguards – are the administrative actions, policies, and procedures that custodians take and follow to protect personal health information in their custody or control. Custodians must use these measures to manage their employees and agents in relation to the protection of that information. This means custodians must inform employees and agents of their own obligations with respect to protecting personal health information.
Under the PHIPA Act, administrative controls include:
- Creating policies and procedures to address patients’ requests for access to their personal health information records.
- Creating policies and procedures to address patients’ requests for correction of their personal health information records.
- Reviewing information practices (data collection, gathering, and use practices) with newly-hired staff.
- Establishing procedures to address, respond to, and mitigate security breaches.
- Obtaining signed confidentiality agreements from independent contractors and suppliers, such as landlords and cleaning staff.
- Training staff on how to protect personal health information.
- Assigning security clearances to individual staff members based on the type of access the person needs to perform their job.
- Conducting regular audits of actual practices for compliance with security policies.
Under the PHIPA Act, custodians must also implement technical controls – the equivalent of HIPAA technical safeguards – to keep personal health information secure. Technical controls consist of the technology, and the policies and procedures for its use, that a custodian must implement and follow to protect electronic records of personal health information and to control access to them.
Technical controls include:
- Encryption of electronic or digital records.
- Requiring unique user identification (e.g., a login and password, or a biometric scan) to access electronic records.
- Using and periodically changing passwords to protect documents and records.
- Installing virus and malware protection software on office computers.
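The list above names the technical controls but not what they look like in a system. The following is an added example, not code from the original article or from any PHIPA guidance, showing three of them in one small access path: a per-person credential store (unique user identification, with a password-age check), an integrity tag over each stored record so unauthorized modification is detectable, and an append-only access log that an auditor can review per user. The scrypt parameters, the 90-day password age, the HMAC key, the record layout and the patient data are all constructed assumptions for the demonstration; encryption of the record contents themselves would use a third-party library and is not shown here. Python standard library only.

```python
import hashlib
import hmac
import json
import secrets
import time

# Constructed values for this example; none of them come from PHIPA or the article.
SCRYPT_PARAMS = dict(n=2**14, r=8, p=1, dklen=32)   # assumed work factor
PASSWORD_MAX_AGE = 90 * 86400                       # seconds; an assumed custodian policy
SAMPLE_RECORD = {"patient_id": "P-0001", "note": "constructed example, not real data"}


class UserDirectory:
    """Unique user identification: one salted credential per person, never a shared login."""

    def __init__(self):
        self._users = {}

    def add_user(self, user_id, password, now=None):
        salt = secrets.token_bytes(16)
        digest = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
        self._users[user_id] = {
            "salt": salt,
            "digest": digest,
            "set_at": time.time() if now is None else now,
        }

    def verify(self, user_id, password):
        entry = self._users.get(user_id)
        if entry is None:
            # Hash anyway so unknown and known user ids take comparable time.
            hashlib.scrypt(password.encode(), salt=bytes(16), **SCRYPT_PARAMS)
            return False
        digest = hashlib.scrypt(password.encode(), salt=entry["salt"], **SCRYPT_PARAMS)
        return hmac.compare_digest(digest, entry["digest"])

    def password_expired(self, user_id, now, max_age=PASSWORD_MAX_AGE):
        # "Periodically changing passwords": flag credentials older than the policy allows.
        return now - self._users[user_id]["set_at"] > max_age


def _canonical(record):
    # Stable serialization so the same record always produces the same tag.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def seal_record(record, key):
    """Integrity tag so unauthorized modification of a stored record is detectable."""
    return hmac.new(key, _canonical(record), hashlib.sha256).hexdigest()


def verify_record(record, key, tag):
    return hmac.compare_digest(seal_record(record, key), tag)


class AccessLog:
    """Append-only record of who touched which patient record, for the periodic audits."""

    def __init__(self):
        self._entries = []

    def append(self, user_id, patient_id, action, outcome, now):
        self._entries.append({"ts": now, "user": user_id, "patient": patient_id,
                              "action": action, "outcome": outcome})

    def entries_for_user(self, user_id):
        return [e for e in self._entries if e["user"] == user_id]


def read_record(directory, log, user_id, password, record, key, tag, now):
    """Gate a record read behind the controls above; every attempt is logged.

    Returns (ok, reason) so callers can act on the outcome without parsing log text.
    """
    patient = record.get("patient_id")
    if not directory.verify(user_id, password):
        log.append(user_id, patient, "read", "denied:bad-credential", now)
        return False, "bad-credential"
    if directory.password_expired(user_id, now):
        log.append(user_id, patient, "read", "denied:password-expired", now)
        return False, "password-expired"
    if not verify_record(record, key, tag):
        log.append(user_id, patient, "read", "denied:integrity-failure", now)
        return False, "integrity-failure"
    log.append(user_id, patient, "read", "ok", now)
    return True, "ok"


if __name__ == "__main__":
    users, log = UserDirectory(), AccessLog()
    users.add_user("nurse01", "correct horse battery", now=0.0)
    key = secrets.token_bytes(32)          # in practice: kept outside the record store
    tag = seal_record(SAMPLE_RECORD, key)
    print(read_record(users, log, "nurse01", "correct horse battery",
                      SAMPLE_RECORD, key, tag, now=10 * 86400))
    print(log.entries_for_user("nurse01"))
```

The integrity tag is the mechanism behind "protected against unauthorized modification": a record altered outside the application no longer matches its tag and the read is refused and logged, which is what an audit of actual practice (the last administrative control above) would look for. Keying the log by the unique user id is what makes the audit attributable to a person rather than to a shared account.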
PHIPA Act Personal Health Information Safeguards: What is “Reasonable”?
For technical safeguards, PHIPA does not dictate the types of encryption to be used, the antivirus software to be installed, or precisely how frequently passwords must be changed. It does require that these actions be taken, and that the specific measures a custodian adopts constitute “reasonable” steps to keep personal health information securely stored. What is reasonable varies depending on the sensitivity of the information and the risks to which it is exposed.
The size of an organization is also a factor to consider. For instance, large organizations dealing with significant amounts of sensitive personal health information will need different security than small offices. Custodians must therefore “scale” security measures to fit their own circumstances.