PHIPA, like HIPAA, is a series of rules governing the use, disclosure, and collection of health information. HIPAA regulates the use of protected health information, or PHI. PHIPA uses a different phrase to describe this information: personal health information.
Under PHIPA, personal health information includes the following:
Any “identifying information” about an individual, whether oral or recorded, if the information:
- Relates to the individual’s physical or mental condition, including family medical history; or
- Relates to the provision of health care to the individual; or
- Is a plan of service for the individual; or
- Relates to payments, or eligibility for health care or for coverage for health care; or
- Relates to the donation of any body part or bodily substance, or is derived from the testing or examination of any such body part or bodily substance; or
- Is the individual’s health number; or
- Identifies a health care provider or substitute decision-maker for the individual.
Covered Entities vs. Health Information Custodians
While HIPAA regulates the use and disclosure of PHI by covered entities, PHIPA regulates the use and disclosure of personal health information by health information custodians (HICs). Under PHIPA, an HIC is a health care practitioner or person who:
- Operates an organization that provides health care to an individual; and
- Has custody or control of that individual’s personal health information.
HIPAA Privacy Rule vs. PHIPA Part IV
Under the HIPAA Privacy Rule, a covered entity – a provider, health plan, or clearinghouse that electronically transmits health information in connection with certain transactions – may generally not use or disclose PHI unless:
- An exception to the Privacy Rule allows it to; or
- The individual who is the subject of the information (or the individual’s personal representative) authorizes the use or disclosure in writing.
Part IV of PHIPA, “Collection, Use and Disclosure of Personal Health Information”, imposes a similar requirement on HICs. Part IV requires that HICs take “reasonable steps” to protect personal health information against the following:
- Unauthorized use and disclosure; and
- Unauthorized copying, modification, or disposal.
As a custodian, you may become aware of a privacy breach in a number of ways, including: