[CAD] Compliance with Privacy Laws in Ontario (PHIPA)

The Personal Health Information Protection Act (PHIPA)

The Personal Health Information Protection Act (PHIPA) is Ontario legislation established in November 2004. PHIPA has been legally deemed “substantially similar” to PIPEDA, which means that in most cases PHIPA is the relevant privacy legislation for clinics in Ontario to follow. However, clinics may need to follow PIPEDA in certain instances - see the quote below:

“The federal government has deemed PHIPA to be “substantially similar” to PIPEDA. Custodians and their agents are exempted from having to comply with the provisions of PIPEDA to the extent that they collect, use and disclose personal health information within Ontario. PIPEDA continues to apply to all commercial activities relating to the exchange of personal health information between provinces and territories and to information transfers outside of Canada.” - Information and Privacy Commissioner of Ontario - 2015 PHIPA FAQ

PHIPA provides a set of rules for the collection, use and disclosure of personal health information, and includes the following provisions:
  • Consent is required for the collection, use and disclosure of personal health information, with few exceptions
  • Health information custodians are required to treat all personal health information as confidential and maintain its security
  • Individuals have a right to access their personal health information, as well as the right to correct errors
  • Individuals have the right to instruct health information custodians not to share their personal health information with others
  • Rules are provided for the use of personal health information for fundraising or marketing purposes
  • Guidelines are set for the use and disclosure of personal health information for research purposes
  • Accountability is ensured by granting an individual the right to complain if they have identified an error in their personal health information
  • Remedies are established for breaches of the legislation

Owl and PHIPA

Under PHIPA, Owl is considered an electronic service provider. The Information and Privacy Commissioner of Ontario describes an electronic service provider as:

“...a person who supplies services that enable a custodian to collect, use, modify, disclose, retain or dispose of personal health information electronically. If the electronic service provider is not an agent of the custodian, then it shall not use any personal health information to which it has access in the course of providing services to the custodian, except as necessary in the course of providing the service and it cannot disclose the information. Electronic service providers must also ensure their employees or any other persons acting on their behalf agree to comply with these restrictions”

In this regard, Owl is fully compliant in its use of PHI in providing services. Owl employees have received comprehensive training on matters of privacy, compliance, and security. Our support staff can only view information on your account if you reach out to us to ask us for help, and then give us permission to help you by looking at your account. We will only ask to take this step when it allows for the fastest solution to your problem, or we deem it necessary to help us understand an issue.

Agents and custodians have a number of responsibilities under PHIPA, and here we’ve listed some of the ways Owl helps you meet these expected duties and responsibilities:
  • If personal health information handled by an agent on behalf of a custodian is stolen, lost or accessed by unauthorized persons, the agent must notify the custodian of the breach at the first reasonable opportunity: While we take significant and extensive measures to ensure a security breach could never occur, if one were to take place, we would of course notify our customers immediately so that you could fulfill your obligations under PHIPA.
  • A custodian must also provide a written statement that is readily available to the public and describes the custodian’s information practices: Owl has some suggested language and guidance to help clinics inform Clients about Owl over at our FAQ: https://faq.owlpractice.ca/owl-and-compliance/consent-forms
  • Upon the death of a custodian, the estate trustee or the person who assumed responsibility for the administration of the estate becomes the custodian, until custody and control passes to another person who is legally authorized to hold the records: In the event of the death of a custodian, Owl will comply with Power of Attorney (POA) document(s) sent to us - a lawyer and/or College should be able to furnish this for you. Simply email us at support@owlpractice.ca, explaining the situation, providing the POA, and requesting access to the account. This will take us roughly 24-72 hours to process (we need time to verify that the POA is valid and can be executed).
  • An individual may exercise a right of access to a record of personal health information by making a written request for access to the custodian that has custody or control of the information: Finding all the information and documents you need to supply to an individual in this situation is easy, thanks to extensive export options that make exporting Client information out of Owl simple. Notes can be exported from the Client profile, all financial and Client data can be exported and individual historical receipts and invoices can also be downloaded. Exports of secure messages are not currently possible, but Clients already have access to this information through their Client Portal.