What is a PHIPA Privacy Policy?

Ontario residents’ health information privacy is governed by the Personal Health Information Protection Act (PHIPA). A PHIPA Privacy Policy is a written document, prepared by a healthcare organization, that outlines the kind of personal information the organization collects, how the organization uses the information in compliance with PHIPA, and the safeguards used by the organization to protect the personal information. The details of a PHIPA Privacy Policy are discussed below.

What is a PHIPA Privacy Policy: Key Components

A PHIPA Privacy Policy describes how an organization complies with the PHIPA requirement to safeguard personal health information (HIPAA refers to this information as “protected health information”). 

The key components of a PHIPA Privacy Policy include a description of:

Services performed by the healthcare organization.

This description includes an explanation of how the healthcare organization or health information custodian views, accesses, collects, or stores personal health information.

What specific personal information is collected.

Under PHIPA, personal information includes an individual's personal address and, in some cases, CPSO numbers. CPSO stands for College of Physicians and Surgeons of Ontario, the regulatory body for medical doctors in Ontario; it is the Canadian equivalent of a state medical board, licensing agency, or credentialing agency that can conduct health oversight activities under HIPAA.

Why the healthcare organization uses and discloses personal health information.

The PHIPA Privacy Policy should state the purposes of use and disclosure. Such purposes include delivery of healthcare services and sharing of health information among providers when permitted by law. A healthcare provider may disclose personal information to third parties for designated purposes, but only if the patient first provides written consent. Such third parties include businesses that authorize and process payments, website hosting services, and identity verification services. Third parties must safeguard the personal information they receive and may not use that information for any purpose other than providing services to the healthcare organization.

What consent is and when it is required.

A PHIPA Privacy Policy should state that by providing personal information to the provider, an individual consents to the provider’s collection, use, or disclosure of that personal information, in accordance with the PHIPA Privacy Policy and as permitted or required by law. The PHIPA Privacy Policy should also note that an exception to requiring consent may be made in cases of legal, medical, or security reasons where it is impossible or impractical to receive consent.

Patients’ rights regarding marketing information.

The PHIPA Privacy Policy should state that receiving marketing communications, whether in hard copy or by email, is always optional, and that patients will be provided every opportunity to be removed from email or address lists containing such communications. The PHIPA Privacy Policy or procedure should also inform patients that they can unsubscribe from email marketing communications by following the links sent to them by the provider.  

How personal information is treated as private and confidential.

PHIPA privacy policies should state that the healthcare provider will keep personal information protected and secure by providing security safeguards that are appropriate to the sensitivity of the information. PHIPA privacy policies should also state that providers will only keep personal information for as long as it is required for legal or business purposes. The Privacy Policy should contain a disclaimer to the effect that, although the healthcare provider makes every reasonable effort, through physical and logical security procedures, confidentiality policies, and authorization requirements, to protect personal information from unauthorized access, release, use, loss, theft, disclosure, alteration, copying, or modification by third parties, there is always some risk involved in transmitting information over the Internet. The policy should then state that, because of this, the provider does not represent, warrant, or guarantee that personal information will be protected against loss, misuse, or alteration, and does not accept any liability for personal information submitted by patients, nor for patients' or third parties' use or misuse of personal information.

The provider’s website.

The PHIPA Privacy Policy should state that individuals may visit the public portion of the provider's website without providing any personal information. The policy should further note that the provider may collect some information regarding patients' use of its website and the pages patients visit on the website. This "use" information can include the type of browser a patient uses and the name of the patient's Internet Service Provider. In addition, the PHIPA Privacy Policy should note that the provider may collect "cookie" information from patients' browsers to identify their computers and provide the healthcare organization with a record of patient visits to the website. The Privacy Policy should state that users may set their browser to disable or refuse to accept cookies, although doing so may affect their viewing of certain portions of the website.