Personal Health Information Protection Act
The Personal Health Information Protection Act, also known as PHIPA, is Ontario legislation established in November 2004. PHIPA is one of two components of the Health Information Protection Act. The Health Information Protection Act, also established in 2004, comprises two schedules: PHIPA and the Quality of Care Information Protection Act.
PHIPA provides a set of rules for the collection, use and disclosure of personal health information, and includes the following provisions:
- Consent is required for the collection, use and disclosure of personal health information, with few exceptions
- Health information custodians are required to treat all personal health information as confidential and maintain its security
- Individuals have a right to access their personal health information, as well as the right to correct errors
- Individuals have the right to instruct health information custodians not to share their personal health information with others
- Rules are provided for the use of personal health information for fundraising or marketing purposes
- Guidelines are set for the use and disclosure of personal health information for research purposes
- Accountability is ensured by granting an individual the right to complain if they have identified an error in their personal health information
- Remedies are established for breaches of the legislation
History
- December 17, 2003: The Health Information Protection Act was introduced
- January 26, 2004: Public hearing at Standing Committee on General Government held in Toronto
- February 2, 2004: Public hearing at Standing Committee on General Government held in Sault Ste. Marie, Kingston and London
- February 9, 2004: and April 28, 2004 Clause-by-clause consideration of the Bill resulting in various amendments
- May 17, 2004: Bill 31 passed third and final reading with unanimous support in the legislature
- May 20, 2004: Bill 31 received Royal Assent
- July 3 - September 3, 2004: Public consultation on regulations
- November 1, 2004: Schedules A and B of the Health Information Protection Act come into force
Application
Health information custodians
A health information custodian can be any number of individuals or organizations who have custody or control of personal health information. To elaborate, some examples of a health information custodian include:- Healthcare providers such as doctors, nurses, social workers, dentists, psychologists, paramedics, optometrists, physiotherapists, occupational therapists, chiropractors, massage therapists, dieticians, naturopaths and acupuncturists
- Hospitals
- Long-term care homes and homes for special care
- Community Care Access Centres
- Pharmacies
- Medical laboratories
- Local medical officers of health
- Ambulance services
- Community mental health programs
- Ministry of Health and Long-Term Care
Agents of health information custodians
Examples include:
- Employees of the health information custodian
- Persons contracted to provide services to the health information custodian where the person has access to personal health information
- Volunteers or students who have any access to personal health information
Role of the Information and Privacy Commissioner
| Complaint | Time to File the Complaint |
| Personal health information has been collected, used or shared contrary to PHIPA | Within 1 year |
| A request to see personal health information has been denied | Within 6 months |
| A request to have personal health information corrected has been denied | Within 6 months |
When the commissioner receives a complaint, a mediator may be appointed to try to solve the problem. The IPC has various powers to resolve complaints, including the power to order a health information custodian to:
- Change or stop the way information is collected, used or shared
- Provide access to the record of personal health information
- Correct the record of personal health information
Content
- sets out of the purpose of the Act. It defines key terms used throughout the Act, such as "health information custodian" and "health information agent".
- details the required practices for the handling of personal health information and health records. Accountability of information is also discussed.
- discusses consent for the use, collection and disclosure of personal health information. Capacity to consent and characteristics of substitute decision-making are outlined.
- outlines the situations for when personal health information can be used, collected and disclosed, and for what purposes.
- summarizes an individual's right of access to their personal health information, and the necessary steps that are taken to correct information within their record if need be.
- details the role of the Commissioner in enforcing the Act.
- explains the general applications and details of the Act, including non-retaliation, immunity, Crown liability, reliance on assertion, offences and regulations.