128 Data Sharing and Usage | Personal Health Information Protection Act (PHIPA)

Please review this article for the Information and Privacy Commissioner of Ontario on FAQs related to the Province of Ontario PHIPA.

PHIPA establishes rules for the collection, use and disclosure of personal health information that includes the following considerations related to any such data:

  • Consent
  • Confidentiality
  • Individuals' right to access personal health information (PHI)
  • Ability to withhold or withdraw consent
  • Delineate clear rules for use in fundraising or marketing purposes
  • Delineate research purposes/uses for PHI

What is Personal Health Information

Personal health information is “identifying information” about an individual, whether oral or recorded, if the information:

  • relates to the individual’s physical or mental condition, including family medical history,
  • relates to the provision of health care to the individual,
  • is a plan of service for the individual,
  • relates to payments, or eligibility for health care or for coverage for healthcare,
  • relates to the donation of any body part or bodily substance or is derived from the testing or examination of any such body part or bodily substance,
  • is the individual’s health number or
  • identifies a health care provider or a substitute decision-maker for the individual.


A custodian is a person or organization listed in PHIPA that, as a result of their or its power or duties or work set out in PHIPA, has custody or control of personal health information.

Protection of Personal Health Information under PHIPA

Health information custodians who have custody or control of your personal health information are required to:

  • Help the custodian to comply with their obligations under PHIPA
  • Ensure that agents of the custodian are appropriately informed of their duties
  • Respond to inquiries from the public about their information practices,
  • Respond to requests for access and corrections to information,
  • Receive complaints about alleged breaches of PHIPA;
  • Produce a written public statement that describes:
      • How an individual may obtain access to or request corrections to records of personal health information,
      • How to make a complaint to the custodian and to the Commissioner under PHIPA;
  • Obtain consent when collecting, using and disclosing personal health information, except in limited circumstances where PHIPA allows the practice without consent;
  • Take steps to ensure that the custodian only collects, uses or discloses personal health information as permitted or required by PHIPA;
  • Take precautions to safeguard against theft, loss, as well as unauthorized collection, use, disclosure, copying, modification or disposal of personal health information;
  • Notify you, at the first reasonable opportunity, of the theft or loss or of the unauthorized use or disclosure of personal health information;
  • Make note of and inform you, at the first reasonable opportunity, of any uses and disclosures of personal health information that occurred outside of their information practices and without consent;
  • Report certain privacy breaches to the Commissioner;
  • Ensure that health records are accurate, up-to-date and complete as necessary for the purposes which they are used or disclosed;
  • Ensure that your health records are retained, transferred and disposed of in a secure manner;
  • Ensure that all employees, staff and other agents are appropriately informed of their duties and obligations under PHIPA.

(Source – Information and Privacy Commissioner of Ontario)


Knowledge Management and Communication Copyright © by Trent University is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License, except where otherwise noted.
