What is PHIPA Training?

The Personal Health Information Protection Act, or PHIPA, is the healthcare data privacy law for the province of Ontario, Canada. PHIPA regulates private sector businesses that conduct commercial transactions in Ontario, by setting forth rules for how individual personal health information may be collected, used, and disclosed within the health sector. Specifically, PHIPA regulates health information custodians. 

A health information custodian is a person or organization identified in PHIPA that, as a result of his, her, or its power or duties or work, has custody or control of personal health information. Health information custodians must train employees on PHIPA’s requirements. PHIPA training details are discussed below.

What is PHIPA Training: It’s the Personal Principle That Matters

PHIPA regulates how health information custodians must protect the confidentiality and security of individual personal health information. The first component of PHIPA training a custodian gives to its employees should be on the concept of personal health information.

Personal health information is certain identifying information about an individual, whether the information is oral or recorded (electronically, in writing, or in any other medium). 

Personal health information is identifying information about an individual if the information:

  • Relates to the individual’s physical or mental condition, including family medical history
  • Relates to the provision of health care to the individual
  • Is a plan of service for the individual
  • Relates to payments, or eligibility for health care or for coverage for healthcare
  • Relates to the donation of any body part or bodily substance or is derived from the testing or examination of any such body part or bodily substance
  • Is the individual’s health number
  • Identifies a health care provider or a substitute decision-maker for the individual

“Identifying information” includes information that identifies an individual, or that it is reasonably foreseeable could be used, either alone or with other information, to identify an individual.

What is PHIPA Training: Consent

The next component of PHIPA training should cover the principles of identifying purposes and obtaining consent. Generally, PHIPA requires that health information custodians obtain consent from an individual to collect, use, or disclose that individual’s personal health information.

PHIPA training should distinguish between the law’s two types of consent. Under PHIPA, there is implied consent, and there is express consent. Implied consent is consent that is implied from the circumstances. PHIPA allows for implied consent to be given, provided that the consenting person knows the purpose of the collection, use, or disclosure, and knows that they have the right to give or withhold consent.

What is PHIPA Training: Implied Consent

Under the concept of implied consent, if a custodian states the purposes for which it seeks to disclose, collect, or use personal health information (for example, in a poster or brochure that is readily available and likely to be viewed by the individual), the law will then assume that the individual is aware of that purpose.

Under PHIPA, if an individual is aware of the purpose for which PHI disclosure, collection, or use is sought, the person has consented to that disclosure, collection, or use. If the individual objects to the disclosure, collection, or use, the individual must bring the specific objection to the health information custodian’s attention to ensure the disclosure, collection, or use is not made.  

What is PHIPA Training: Assuming Consent

The next component of PHIPA training should cover specific instances of when, exactly, in real life, a health information custodian can assume that it has implied consent to collect, use, or disclose personal health information to provide health care. 

This assumption can be made if the following conditions are met:

  • The information was received by the health information custodian, from either the individual, the individual’s substitute decision-maker, or another health information custodian.
  • The information was received to provide healthcare to the individual.
  • The information is collected, used, or disclosed to provide healthcare to the individual.

Since each condition above allows for an assumption that there is implied consent, PHIPA refers to these conditions as instances of assumed implied consent.

Individuals in what PHIPA calls an individual’s “Circle of Care” may rely upon the concept of assumed implied consent to conclude that a patient has consented to their collecting, using, or disclosing personal health information for the purpose of providing or assisting in providing healthcare.

What is the PHIPA Circle of Care?

The next PHIPA training concept is the so-called “Circle of Care.” This phrase is nowhere to be found within the text of PHIPA. 

It is a fanciful nickname that refers to the following individuals:

  • For a physician’s office: The physician, nurses, a specialist, or other healthcare practitioner referred by the physician, and any other healthcare practitioner selected by the patient (e.g., a pharmacist).
  • For a hospital: The attending physician and the “treatment team” (i.e., all residents, nurses, clerks, and employees assigned to the patient and who provide care).

Additional examples of custodians who fall within the PHIPA Circle of Care include individuals within long-term care homes and community care access centers, who provide or assist in providing treatment to an individual.  

As implied by the name, the PHIPA Circle of Care does not include individuals who do not provide care to a patient. As such, health information custodians who are not part of an individual’s direct or follow-up treatment, and non-custodians, such as insurance companies and employers, stand outside of the circle. 

Providing PHIPA training on the concepts of personal health information, consent, and the circle of care gives employees a working knowledge of the ground rules of PHIPA.