PHIPA Compliance Checklist: A Guide

PHIPA Compliance Checklist

The Personal Health Information Protection Act (PHIPA) is the province of Ontario, Canada’s healthcare privacy act. PHIPA regulates how the health sector must protect the confidentiality and security of individual personal health information. Using a PHIPA compliance checklist allows you to determine whether or not you are satisfying the law.

PHIPA Compliance Checklist Element One: Who is Regulated by PHIPA?

PHIPA regulates certain entities and not others. PHIPA regulates private-sector businesses conducting commercial transactions in Ontario – including all disciplines of allied health clinics and solo practitioners

If your business:

  • Is a private-sector business; and
  • Conducts commercial transactions; and
  • Conducts these transactions in Ontario,

Then, you might be subject to PHIPA. If your business does not meet these requirements, you are not subject to PHIPA. If your business meets these requirements, proceed to PHIPA Compliance Checklist Element Two to determine if PHIPA applies to you.

Want to learn more about Canadian data privacy compliance? Click here 

PHIPA Compliance Checklist Element Two: Are You a Health Information Custodian?

PHIPA regulates those private-sector businesses conducting commercial transactions in Ontario defined as health information custodians (HICs). PHIPA also regulates agents authorized to act on behalf of HICs. Health information custodians are the PHIPA equivalent of HIPAA covered entities, while agents authorized to act on behalf of HICs are the PHIPA equivalent of HIPAA business associates.

Under PHIPA, a health information custodian is a person or organization that has custody or control of personal health information as a result of his her or its power, duties, or work set out in PHIPA. 

Examples of custodians include:

  • Health care practitioners (including doctors, nurses, speech-language pathologists, chiropractors, dental professionals, etc.)
  • Psychiatric facilities
  • Long-term care homes
  • Public bodies
  • Ambulance operators
  • Individuals or organizations known as information managers (managing personal health information on behalf of another custodian)

If you are not a health information custodian, you are not regulated by PHIPA. If you are a health information custodian, then, to be covered by PHIPA, you must have actual custody or control of personal health information. 

PHIPA Compliance Checklist Element 3: Do You Have Custody or Control of Personal Health Information?

Personal health information is “identifying information” about an individual, whether oral or recorded, if the information:

  • Relates to the individual’s physical or mental condition, including family medical history;
  • Relates to the provision of healthcare to the individual;
  • Is a plan of service for the individual;
  • Relates to payments, or eligibility for healthcare or coverage for healthcare;
  • Relates to the donation of any body part or bodily substance, or is derived from the testing or examination of any such body part or bodily substance; or
  • Identifies a healthcare provider or a substitute decision-maker for the individual.

If your organization has custody or control of personal health information, you are a HIC and, as such, are regulated by PHIPA. 

This means you must follow specific rules on (among other things): 

You must also follow PHIPA notification requirements in the event of a breach. PHIPA requires custodians to notify individuals at the first reasonable opportunity if personal health information is stolen, lost, or accessed by an unauthorized person. If personal health information handled by an agent on behalf of a custodian is stolen, lost, or accessed by unauthorized persons, the agent must notify the custodian of the breach at the first reasonable opportunity. 

PHIPA also requires that certain breaches be reported to the Information and Privacy Commissioner (IPC) of Ontario. These breaches include:

  1. Breaches where you or another person uses or discloses personal health information in your custody or control without authority. You must report such breaches to the IPC, where the person committing the breach either knew or should have known that their actions were not permitted under the law. That person could be your employee, a health care practitioner with privileges, a third party (such as a service provider), or even someone with no relationship to you.
  2. Stolen information. If you believe personal health information was stolen, you must report it to the IPC. A typical example is when someone has stolen paper records, a laptop, a USB drive, or other electronic devices.
  3. Further use or disclosure without authority after a breach. Following an initial privacy breach, you may become aware that the information was or will be further used or disclosed without authority. If this is the case, you must report it to the IPC.
  4. Pattern of similar breaches. Even if a privacy breach is accidental or insignificant, you must report it to the IPC if it is part of a pattern of similar breaches. Such a pattern may reflect systemic issues that need to be addressed, such as inadequate training or procedures.
  5. Significant breach. Even if none of the above four circumstances apply, you must notify the IPC if the privacy breach is significant. To decide whether a breach is significant, you must consider all the relevant circumstances, including whether:
    • The information is sensitive
    • The breach involves a large volume of information
    • The breach involves many individuals’ information
    • More than one custodian or agent was responsible for the breach

PHIPA Compliance Checklist

Health information custodians can use the following PHIPA compliance checklist to comply with crucial PHIPA rules. A “Y” answer means a health information custodian is compliant. If a response is marked “N,” an organization must remediate its regulatory gaps to bring itself into compliance.

Policies and Procedures

Y_ N_ Do you have health information custodian practices in place that comply with PHIPA?

Y_ N_ Do these policies and procedures cover collection, use, and disclosure; access; accuracy; consent; security; collection, use and disclosure; and complaints?

Collection, Use, and Disclosure

Y_ N_ When you use electronic means to collect, use, modify, disclose, retain or dispose of personal health information, do you comply with PHIPA requirements?

Y_ N_ If you are a person who provides goods or services for the purpose of enabling a health information custodian to use electronic means to collect, use, modify, disclose, retain or dispose of personal health information, do you comply with PHIPA?

Access

Y_ N_ Do you honor individuals’ right to access copies of their personal health information?

Y_ N_ Do you honor individuals’ right to request that errors in their personal health information be corrected?

Accuracy

Y_ N_ Do you take reasonable steps to ensure the accuracy of personal health information that you use?

Y_ N_ Do you, as a health information custodian, ensure that you take reasonable steps to ensure that the personal health information you disclose about an individual is as accurate, complete, and up-to-date as is necessary for the purposes of the disclosure that are known to you at the time of disclosure?  

Y_ N_ Do you clearly set out for the recipient of the disclosure the limitations, if any, on the accuracy, completeness, or up-to-date character of the information?

Authority

Y_ N_ Do you, as a health information custodian, take steps that are reasonable in the circumstances to ensure that personal health information is not collected without authority?

Y_ N_ Do you, unless an exception applies, ensure that no employee uses or attempts to use information that has been de-identified to identify an individual, either alone or with other information, unless PHIPA or another law permits the information to be used to identify the individual?

Security

Y_ N_ Do you maintain the security of the personal health information that is in your custody or control?

Y_ N_ Do you provide notice when personal health information about an individual that is in the custody or control of a health information custodian is stolen or lost?

Y_ N_ If there has been theft, loss, or unauthorized use or disclosure of personal health information, do you notify the Information and Privacy Commissioner of Ontario of the theft or loss or of the unauthorized use or disclosure?

Y_ N_ Do you ensure that the records of personal health information you have in your custody or under your control are retained, transferred, and disposed of in a secure manner and in accordance with PHIPA?

Retention and Storage

Y_ N_ If you have custody or control of personal health information that is the subject of a request for access, do you retain the information for as long as necessary to allow the individual to exhaust any recourse under PHIPA that he or she may have with respect to the request?

Y_ N_ Do you train employees on where records of personal health information may be kept?

Training and Information Practices

Y_ N_ Do you, as a health information custodian, train employees on the definition and role of contact persons?

Y_ N_ Do you ensure that you make a written statement describing your information practices available to the public?

Y_ N_ Do you train employees on when an agent of a health information custodian may collect, use, disclose, retain or dispose of personal information?

Consent

Y_ N_ Do you obtain individual consent for use and disclosure of personal health information when consent is required? 

Y_ N_ Do you ensure that individuals are made aware of why consent is being sought?

Y_ N_ Do you ensure that consent is voluntarily obtained?

Y_ N_ Do you train your workforce to honor individuals’ requests to withdraw consent, which may be done at any time?

Complaints and Breaches

Y_ N_ Do you ensure individuals are made aware that they have the right to complain to the Information and Privacy Commissioner (IPC) of Ontario if their PHPA rights are violated, or if they believe their PHI has been collected, used, or disclosed in violation of PHIPA?

Y_N_ Do you know when you are required to inform the Information and Privacy Commissioner of Ontario, and others, of a breach of PHIPA?

Y_ N_ Are you familiar with what types of breaches must be reported immediately?