It’s a New Year – and like every New Year, it brings changes for Ontario’s healthcare industry. As of Jan. 1, Ontario’s Information and Privacy Commissioner can issue penalties of up to $50,000 for individuals and $500,000 for organizations that violate the Personal Health Information Protection Act (PHIPA). While the Act is not new, it has historically been ignored and loosely enforced by the Ontario government. That is a serious problem in today’s threat landscape, where Personal Health Information (PHI) can sell for as much as $250 per record on the dark web. The importance of PHIPA cannot be overstated: it helps ensure that personal health information is kept secure. Since PHIPA has not been overhauled and has largely been ignored, we are using this blog post as the ultimate guide to PHIPA. We intend to answer the questions businesses have – whether they store PHI directly or process it on behalf of others. We will also align individual parts of the Act with security technologies and tools your business can implement to ensure compliance and avoid hefty fines.
What is the Personal Health Information Protection Act (PHIPA)?
Personal Health Information Protection Act (PHIPA) is a health-specific privacy legislation enacted on November 1, 2004. PHIPA governs how Personal Health Information (PHI) may be collected, used, and disclosed within the health sector. Its principles set clear guidelines for healthcare providers and organizations, establishing a trust-based relationship between patients and those responsible for their care.
Who does the Personal Health Information Protection Act (PHIPA) apply to?
PHIPA applies to “Custodians” – a term intended to encompass a broad range of entities across the healthcare sector. Custodians include entities that store Personal Health Information (PHI): healthcare practitioners such as family doctors, speech-language pathologists, chiropractors, dental professionals, medical labs, massage therapists, opticians, and physiotherapists. The term also covers hospitals, psychiatric facilities, pharmacies, ambulance services, retirement/special care homes, and long-term care facilities. Custodians must meet several legal responsibilities, such as securing consent before collecting, using, or disclosing Personal Health Information (PHI). They must also safeguard PHI from loss, theft, unauthorized access, copying, alteration, or destruction. Furthermore, they must gather only the minimum information necessary, consistently grant patients access to their health care records, and accommodate requests for corrections.
The second entity defined within PHIPA is the “Agent,” a term that encapsulates any person (or business) authorized by a custodian to process PHI on the custodian’s behalf. Agents are not direct healthcare providers but support the operations and functions of custodians. By this definition, Agents can include medical technology companies that store or process PHI (e.g. a cloud-based electronic medical record solution), third-party service providers (i.e. a Managed IT provider, a Managed Security Service Provider, etc.), legal professionals, or any other entity that comes into contact with PHI.
The relationship with custodians requires agents to always follow the policies set out by the custodian, meet PHIPA’s standards, ensure that any use or disclosure of personal health information aligns with the purpose for which consent was granted, and report any security or privacy breaches to the custodian immediately. In turn, custodians must select only agents that comply with PHIPA’s standards and must monitor the agent’s handling of personal health information to prevent unauthorized use or disclosure, as they remain accountable for the actions of their agents.
Collection and Use of Personal Health Information (PHI)
PHIPA establishes specific guidelines for how information is collected and used. Data minimization is critical: only the minimum PHI required for the intended purpose should be captured. However, custodians are permitted to use PHI without consent in certain situations – such as emergencies where the patient’s consent cannot be obtained in time. Furthermore, the guidelines specifically state that PHI should be accessed only by healthcare professionals directly involved in the patient’s care, or for the purposes to which the patient has expressly consented. This requirement protects the integrity of patient data. Another tightly regulated aspect is how PHI can be disclosed. Disclosure without consent is permissible only in limited, specific circumstances, such as the emergencies mentioned earlier, situations where there is a risk of significant harm to an individual or the public, or for law enforcement purposes.
Cybersecurity & Personal Health Information Protection Act (PHIPA)
Sections 12 and 13 outline the cybersecurity measures that must be in place to ensure the continued protection of Personal Health Information (PHI). Although the sections are not extremely detailed, we can offer guidance and a number of recommendations that we have helped numerous health care companies implement.
12 (1) A health information custodian shall take steps that are reasonable in the circumstances to ensure that personal health information in the custodian’s custody or control is protected against theft, loss and unauthorized use or disclosure and to ensure that the records containing the information are protected against unauthorized copying, modification or disposal.
13 (1) A health information custodian shall ensure that the records of personal health information that it has in its custody or under its control are retained, transferred and disposed of in a secure manner and in accordance with the prescribed requirements, if any.
1. Incident Management & Response
The healthcare industry is increasingly targeted by cyberattacks. In 2022, healthcare organizations worldwide experienced an average of 1,463 cyberattacks weekly, marking a 74% increase from 2021, as reported by Check Point Research. Consequently, it’s essential to have a well-defined Incident Response plan. This plan should detail the procedures for identifying, evaluating, and responding to any security incidents, particularly those involving personal health information (PHI). A critical element of this policy is ensuring clear communication, both internally and with impacted individuals. Adhering to this control is vital for satisfying Section 12 of the relevant regulations, which emphasizes the importance of promptly responding to and reporting security breaches to uphold trust.
2. Data Integrity Measures
Personal Health Information (PHI) should be encrypted at rest and in transit. At a basic level, this means enabling disk encryption on the machines in your clinic or healthcare facility; at the other end, it can extend to Data Loss Prevention (DLP) measures that stop data from being sent or exfiltrated through unsafe channels (i.e. not allowing a message containing a Social Insurance Number to be transmitted over email). Protections such as these are critical to comply with Section 12 of PHIPA and ensure that health information remains secure against unauthorized access.
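As an added example (not code from the original post), the Python below sketches the content check behind the SIN-over-email DLP rule described above: it scans outbound message text for nine-digit numbers and keeps only those that pass the Luhn (mod 10) checksum that Social Insurance Numbers use, so that invoice or reference numbers are not blocked by mistake. The sample messages and the SIN-shaped value in them are constructed for the example.

```python
import re

# Nine digits, optionally grouped 3-3-3 with spaces or hyphens (e.g. "046 454 286").
SIN_PATTERN = re.compile(r"\b(\d{3})[ -]?(\d{3})[ -]?(\d{3})\b")

# Constructed outbound messages; no real patient or SIN data.
SAMPLE_MESSAGES = {
    "msg-1": "Hi, the referral for J.D. is attached. Her SIN is 046 454 286.",
    "msg-2": "Invoice #123456789 attached for the clinic supplies order.",
    "msg-3": "Appointment confirmed for Monday at 9:30.",
}


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check used by SINs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_sins(text: str) -> list[str]:
    """Return nine-digit candidates in text that also pass the Luhn check."""
    hits = []
    for match in SIN_PATTERN.finditer(text):
        candidate = "".join(match.groups())
        if luhn_valid(candidate):
            hits.append(candidate)
    return hits


def dlp_decision(message: str) -> str:
    """Policy outcome for one outbound message: BLOCK if a likely SIN is present."""
    return "BLOCK" if find_sins(message) else "ALLOW"


if __name__ == "__main__":
    for msg_id, body in SAMPLE_MESSAGES.items():
        print(msg_id, dlp_decision(body), find_sins(body))
```

The invoice number in msg-2 is nine digits but fails the checksum, so it is allowed through; a real deployment would also log the BLOCK decision for the incident-response process discussed in the previous section.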
3. Network Security & Access
Securing network systems against unauthorized access is a crucial aspect of protecting PHI. This involves implementing firewalls, using secure communication protocols both within and outside the healthcare network (such as HTTPS), and monitoring network traffic for threats 24/7/365. These security measures are essential to prevent unauthorized access to PHI and align with the general security requirements outlined in Section 12 of PHIPA. A common approach to meeting these requirements is the adoption of a Managed Detection & Response (MDR) platform, or a SOC as a Service (SOCaaS) platform, which offers comprehensive monitoring and response capabilities to address network security threats effectively. All access to remote systems, and to the network itself, should require complex passwords and additional security mechanisms such as multi-factor authentication (MFA). Access to network systems and PHI should be granted on the principle of least privilege, which dictates that personnel receive only the minimum access needed to perform their duties.
How to report a privacy breach to the Privacy Commissioner of Ontario (IPC)
Custodians must notify the IPC of privacy breaches at the first reasonable opportunity – if at least one of the following situations applies, you are required to report it. These categories are not mutually exclusive, and more than one can apply to a single privacy or cybersecurity breach. Even if you do not need to notify the IPC, you have a separate duty under subsection 12(2) or clause 55.5(7)(a) of the Act to notify individuals whose privacy has been breached. The following are some of the situations that require reporting the incident; more detailed information on situations that require reporting can be viewed here.
1. Use or disclosure without authority
2. Stolen information – This can include information stolen during a ransomware attack or physical theft of a device
3. Further use or disclosure without authority after a breach
Privacy breaches can be reported through this URL, and the Information and Privacy Commissioner of Ontario (IPC) will review the report.