Part 1 – PHIPA Fundamentals

All Ontario Health Information Custodians and their health care providers are responsible for fulfilling the requirements of the Personal Health Information Protection Act (PHIPA for short).

PHIPA Fundamentals:

PHIPA establishes rules for the collection, use and disclosure of personal health information and includes provisions that:

  • Protect an individual’s personal health information (PHI) from unauthorized access.
  • Provide an individual with the right to control how their information is used and shared.

Who is a Health Information Custodian at Brock?

PHIPA only applies to Brock University units that provide health care services. Brock University has 3 health care providers who act as Health Information Custodians within the context of PHIPA:

  • Student Health Services
  • Personal Counselling Services
  • Brock Sports Medicine Clinic


Who are agents under PHIPA?

Those who act for or on behalf of Health Information Custodians (HICs) are known as agents under PHIPA.

This includes:

  • Regulated health professionals (e.g. Nurses, Psychologists, Kinesiologists, Chiropractors)
  • Administrative staff

An agent is a “person that, with the authorization of the custodian, acts for or on behalf of the custodian in respect of personal health information for the purposes of the custodian, and not the agent’s own purposes…”  – PHIPA section 2

What are the responsibilities of a HIC and agent?

Under PHIPA, a HIC is responsible for protecting the PHI in its custody or control. This includes establishing and implementing information practices that comply with PHIPA, implementing technical, physical and administrative safeguards to protect PHI, designating a contact person for PHIPA matters, providing a written statement that is readily available to the public that describes the HIC’s information practices, notifying individuals if their PHI is breached, and ensuring that all agents are properly informed of their duties under PHIPA.

By contrast, the role of an agent is to follow the HIC’s policies and procedures, adhere to the technical, physical and administrative safeguards in place, and inform the HIC, as soon as possible, of any privacy breaches.

When and how can Agents collect, use or disclose PHI at Brock?

How is the role of an agent different from a HIC?

HIC’s Role

  • Policies & Procedures
  • Access Policy & Procedure
  • Breach Procedure
  • Confidentiality Pledges
  • Contact Person
  • Written statement (Poster)
  • Use of Electronic means
  • Accuracy
  • Security
  • Handling of Records

Agent’s Role

  • Collect, use, disclose, retain, or dispose of PHI as permitted by the HIC
  • If another law permits or requires the agent to collect, use, disclose, retain, or dispose of PHI as the case may be, the agent does not need authorization of the custodian to comply with the law (e.g. Child & Family Services Act)
  • Notify HIC if PHI is breached
  • Comply with PHIPA and College Regulations

What is Personal Health Information (PHI)?

PHI is any “identifying information” about an individual’s health care or health status, including information about:

  • A patient’s physical or mental health (including family medical history)
  • The provision of health care to a patient
  • A plan of service for a patient
  • A patient’s payments or eligibility for health care
  • A patient’s substitute decision-maker

Examples of PHI

  • Health history
  • Individual’s health card number and other personal identification numbers
  • The identification of persons providing care
  • Substitute decision-maker’s name
  • Lab requisitions

What about non-PHI?

PHI is protected under PHIPA. Brock employees and contractors also have a responsibility under the Freedom of Information and Protection of Privacy Act (FIPPA) to protect all Personal Information (PI).

PI, as defined by FIPPA, means recorded information about an identifiable individual, including:

  • information relating to the race, national or ethnic origin, colour, religion, age, sex, sexual orientation or marital or family status of the individual,
  • information relating to the education or the medical, psychiatric, psychological, criminal or employment history of the individual or information relating to financial transactions in which the individual has been involved,
  • any identifying number, symbol or other particular assigned to the individual,
  • the address, telephone number, fingerprints or blood type of the individual,
  • the personal opinions or views of the individual except where they relate to another individual,
  • correspondence sent to an institution by the individual that is implicitly or explicitly of a private or confidential nature, and replies to that correspondence that would reveal the contents of the original correspondence,
  • the views or opinions of another individual about the individual, and
  • the individual’s name where it appears with other personal information relating to the individual or where the disclosure of the name would reveal other personal information about the individual.

Examples of PI

  • Grades
  • Student status (e.g. registered)
  • Accommodations provided (e.g. by Student Accessibility Services)
  • Employment history (e.g. student or agent)
  • OSAP eligibility or OSAP provided

 

Key Points

What is the Purpose of PHIPA?

PHIPA establishes rules for the collection, use and disclosure of personal health information (PHI) and:

  • requires consent for the collection, use and disclosure of PHI, with necessary but limited exceptions,
  • requires that custodians treat all PHI as confidential and keep it secure,
  • provides individuals with a right of access to their PHI, as well as the right to correct errors,
  • gives individuals the right to withhold or withdraw consent to the collection, use or disclosure of personal health information or to expressly instruct custodians not to use or disclose their PHI for health care purposes,
  • establishes clear rules for the collection, use and disclosure of PHI for fundraising and marketing purposes,
  • sets guidelines for the collection, use and disclosure of PHI for research purposes,
  • grants individuals the right to complain to the Information and Privacy Commissioner of Ontario about the practices of custodians and
  • establishes remedies for breaches of the legislation.


License

Part 1 - PHIPA Fundamentals Copyright © by Marion Hansen, Manager, Privacy & Records Management is licensed under a Creative Commons Attribution 4.0 International License, except where otherwise noted.
