Ontario PHIPA Modernization:
Introduction:
PHIPA stands for Personal Health Information Protection Act.
With rapid advances in technology that vastly expand the ability of organizations to collect, use, and share personal information, new rules and rights are needed to protect Ontarians from potentially unfair practices and maintain a high level of trust and confidence in this digital economy.
In Ontario, PHIPA sets the rules for collecting, retaining, using, disclosing, and disposing of Personal Health Information (PHI). The primary goal of PHIPA is to protect the PHI. PHI is identifying information about a person’s health and healthcare history.

PHI Includes:
· Physical and medical conditions
· Family medical history
· Provision of healthcare
· Long-term healthcare services
· Health card number
· Donor information
· Payment information

PHIPA applies to individuals and organizations, called agents and Health Information Custodians (HICs), with control over Personal Health Information (PHI).
HICs Include:
· Doctors
· Hospitals
· Pharmacies
· Laboratories
· Retirement Homes
· Ministry of Health
· Healthcare Practitioners (GM, Dentists, Surgeons)
· Prescribed entities (Canadian Institute for Canadian Health Information)

The Canadian Health Information is the group of people, referred to as agents, who are authorized by MHIC to collect, use, disclose, and dispose of PHI and are actively involved in providing direct health care to a patient.
Agents Include:
· Medical students
· Nurses
· Technicians
· Other employees who help in patient care

Agents or HICs in the circle of care are permitted to rely on the patient’s implied consent when collecting, using, or disclosing the patient’s PHI.

Purpose of PHIPA: An organization may collect, use, or disclose personal information only for purposes that a reasonable person would consider fair and appropriate in the circumstances.
Factors to consider:
The following factors must be considered in determining whether the purpose is fair and appropriate:
· The volume, nature and sensitivity of the personal information, including whether the organization has taken steps to de-identify the personal information.
· Whether the collection, use or disclosure is necessary to achieve the legitimate needs of the organization.
· Whether there are less intrusive means of achieving those purposes at a comparable cost and with comparable benefits.
· Whether the individual’s loss of privacy is proportionate to the benefits in light of any measures, technical or otherwise, implemented by the organization to mitigate the impacts of the loss of privacy on the individual.

Limiting collection, use, and disclosure:
An organization may collect, use, or disclose personal information only if:
· The organization obtains the individual’s consent in respect of the collection, use, or disclosure, or the organization is otherwise permitted to collect, use, or disclose.

Six conditions need to be met to properly disclose information to HICs:
1. The HIC must be entitled to rely on implied consent.
2. The information must have been provided by the patient, their decision maker, or another HIC.
3. The information was collected to provide or assist with health care for patients.
4. The information shared by one HIC with another must be to provide health care to the patient.
5. The disclosure of information must only take place between HICs.
6. The HIC providing the information must not be aware that the patient had withheld/withdrawn consent.

Patient’s Rights:
· Know the purpose for the collection, use, and disclosure of your PHI.
· Refuse the collection, use, or disclosure of your PHI.
· Withdraw consent.
· Request access to your PHI.
· Place a complaint with the Information and Privacy Commissioner about any breach of PHIPA.
· Request corrections to your PHI.
· Request that all or part of your PHI be made private.

HIC Responsibilities:
(a) Obtain proper consent where necessary.
(b) Collect PHI lawfully.
(c) Take precautions to safeguard PHI.
(d) Ensure accuracy and upkeep.
(e) Ensure proper and safe storage.
(f) Assign a PHIPA spokesperson and share their contact information.
(g) Post public notices on information and protection practices.
(h) Inform patients of non-consensual use and disclosure of their PHI.
(i) Ensure relevant persons are informed of their PHIPA responsibilities.

Disposal at individual’s request: If an organization receives a written request from an individual to dispose of personal information that it has collected from the individual, the organization shall, as soon as feasible, dispose of the information, unless:
· Disposing of the information would result in the disposal of personal information about another individual and the information is not severable.
· There are other requirements of this Act, another Act or an Act of Canada, or an Act or regulation of Ontario or Canada, or the reasonable terms of a contract, that prevent the organization from disposing of the information.
· The personal information has been disclosed during a legal proceeding or is otherwise available to a party of a legal proceeding.

Disposal by service provider:
If an organization has transferred personal information to a service provider and the organization subsequently disposes of the information, the organization shall, as soon as feasible:
I. If the organization receives a request from an individual, inform the service provider of the individual’s request.
II. Ensure that the service provider disposes of the information.
III. Obtain a confirmation from the service provider that the information has been disposed of.

Key Changes in Ontario PHIPA Modernization:
Expansion of Scope to Include Consumer Electronic Service Providers: This change recognizes the growing role of technology companies in managing health information and ensures they are held to the same privacy standards as traditional HICs.
Mandatory Electronic Audit Logs: These logs must record every instance of access, modification, or handling of PHI, including details such as the date, time, and identity of the person accessing the information. This measure ensures that any unauthorized access can be traced and addressed, thereby strengthening patient privacy.
Increased Penalties for Non-Compliance: The modernization also introduces stricter penalties for non-compliance with PHIPA. The maximum fines have doubled, with individuals facing up to $200,000 and corporations up to $1,000,000 in penalties. These increased penalties serve as a strong deterrent against mishandling PHI and emphasize the importance of compliance with privacy regulations.
Rights to Access PHI Electronically: The modernization reinforces individuals' rights to access their PHI through electronic means. This provision empowers patients by giving them greater control over their health information, enabling them to make informed decisions about their care.
Enhanced Oversight by the Privacy Commissioner: The Privacy Commissioner of Ontario is given enhanced powers to oversee the implementation of PHIPA. The Commissioner can conduct reviews of consumer electronic service providers, issue orders to prevent the sharing of PHI with non-compliant services, and impose fines directly.
Graphs:
Fig: Distribution of Health Information Custodians (HICs)
This chart shows the percentage distribution of various Health Information Custodians involved in handling PHI in Ontario. The largest segment (25%) is occupied by Healthcare Practitioners.
Fig: Patients’ rights under PHIPA
This line chart represents the importance (%) of various rights that patients have under PHIPA. The most critical rights include the ability to request privacy for PHI and the right to access their health information, both showing their importance.
Fig: Penalties for Non-Compliance
This chart compares the maximum penalties before and after the modernization of PHIPA.
Student at Welingkar Mumbai
6 months ago: Insightful!
PGDM’25 || Research And Business Analytics || Member of the Alumni Committee || S.P. Mandali's Prin. L. N. Welingkar Institute of Management Development & Research (WeSchool), Mumbai
6 months ago: Very informative