The Personal Health Information Protection Act (PHIPA) is Ontario's health-specific privacy legislation that sets out rules for the collection, use, and disclosure of personal health information (PHI). It applies to health information custodians and anyone who receives PHI from them. PHIPA aims to protect the confidentiality and security of individuals' health information.
Examples of PHI
Information relating to an individual's physical or mental health, healthcare history, and health card number.
Distinction Between Agents and Custodians
Health Information Custodian - A "health information custodian" is defined under PHIPA as an organization or person who has custody or control of personal health information as a result of or in connection with providing health care or certain other related services. This typically includes hospitals, doctors' offices, pharmacies, and other healthcare providers. They are responsible for complying with PHIPA.
Agents - An "agent" under PHIPA is someone who acts on behalf of a health information custodian in respect of personal health information. This could be an employee, a contractor, or another organization that performs a service for the custodian that involves handling PHI. The agent is generally required to follow the custodian's instructions regarding the handling of PHI. myLaminin would fall under this category.

Key aspects of PHIPA
Scope
Regulates the collection, use, and disclosure of PHI within Ontario. It applies to health information custodians and those who receive PHI.
Compliance
Organizations handling PHI must comply with the requirements outlined in PHIPA, including rules related to consent, access, and security.
Purpose
To protect the privacy of individuals' personal health information while facilitating the effective provision of healthcare.
Assessment
Compliance can be assessed through internal audits, investigations by the Information and Privacy Commissioner of Ontario, and potential legal proceedings.
Who needs to comply?
- Hospitals
- Doctors' offices
- Pharmacies
- Other healthcare providers
- Anyone receiving PHI from a health information custodian
Why is compliance important?
- Ensuring patient privacy - Protecting sensitive health information from unauthorized access and disclosure.
- Legal obligation - Adhering to Ontario's privacy legislation to avoid penalties and legal consequences.
- Maintaining trust - Building and maintaining trust with patients by demonstrating a commitment to privacy.
- Reducing risk - Minimizing the risk of privacy breaches and potential harm to individuals.
myLaminin’s compliance with PHIPA
myLaminin has performed a detailed assessment of our platform’s abilities to comply with PHIPA requirements in our role as an Agent of healthcare custodians. Based on this evaluation of our platform, myLaminin is over 80% compliant with PHIPA requirements.

Requirements tagged as NA (‘Not Applicable’) are predominantly related to the following:
- myLaminin is acting in the role of an Agent and not a Custodian, and therefore does not hold the same responsibilities as a health information custodian under the Act.
- If some of our clients choose our On-Premises Data Storage option, they retain responsibilities for some requirements related to data storage and ensuring the physical security of that data.
- It is the responsibility of the Custodian to ensure that consent is obtained and signed when collecting personal health information using our platform. myLaminin gives researchers complete control over the consent process, methods, and templates used.
- myLaminin does not integrate with Electronic Health Records (EHRs) or Prescribed Organisations. Our RDM platform does not extend to managing or handling EHRs.