As of January 1st, 2018, numerous changes have been made to Ontario's Personal Health Information Protection Act (PHIPA). If you are a health information custodian working in a hospital or medical office, it is important to understand how this new set of rules will affect your organization. One of the most critical changes requires health organizations to keep track of privacy and data breaches. While the Information and Privacy Commissioner of Ontario will be releasing tracking guidelines in March of 2019, custodians are expected to record breaches now. Here is what you need to know to uphold your reputation and ensure your patient information remains secure.
The Personal Information Protection and Electronic Documents Act (PIPEDA) governs how Canadian businesses manage the collection, use, and disclosure of personal information. It is a significant concern not only to commercial organizations but to their customers as well. This multi-part series is designed to help Canadian businesses better understand these laws and provide direction in applying them to their organizations and ensuring compliance.
British Columbia’s Personal Information Protection Act (PIPA) is similar to PIPEDA in that it protects personal data collection within the private sector. Organizations considered to be public bodies, as well as the public sector, must comply with the Freedom of Information and Protection of Privacy Act (FIPPA). FIPPA requires that public bodies store any personal information that is under their control or custody exclusively in Canada, and that it be accessed only in Canada. There are exceptions, but they are few.
The province of Alberta has a law similar to PIPEDA, called the Personal Information Protection Act (PIPA), that protects personal data collection within the private sector. The Freedom of Information and Protection of Privacy (FOIP) governs the public sector.
Ontario’s Personal Health Information Protection Act (PHIPA) works in conjunction with PIPEDA. PHIPA governs custodians of health information (hospitals, long-term care service providers, pharmacies, health care practitioners, etc.) as well as their agents (insurance companies, information processors, employees, information managers, and volunteers) regarding the disclosure and use of personal health information. It ensures that when they have personal health information in their control or custody, it is protected from loss, theft, and unauthorized disclosure or use.