Personal Health Information Protection Act

Understanding the Personal Health Information Protection Act

The Personal Health Information Protection Act (known as PHIPA) aims to balance a patient’s right to privacy with the need to share patient information with other healthcare professionals. It establishes the rules for how, and by whom, personal healthcare information is collected, used, and disclosed.

Important Terms in PHIPA

PHIPA introduces terms to clarify what information it protects, and who is obligated to safeguard it.

Personal Health Information includes both written and oral information about an individual, including:

  • Health card number
  • Family’s medical history
  • Identity of health care providers
  • Plan of service for long term care
  • Other information included in a record that includes personal health care information

Health Care Custodians are individuals and organizations that have control of personal health care information. Examples include:

  • Healthcare providers (doctors, nurses, paramedics, psychologists, dieticians, physiotherapists, etc.)
  • Pharmacies
  • Hospitals
  • Long-term care homes
  • Medical laboratories

Agents of Health Care Custodians are individuals that act on behalf of the custodian, or work for the custodian. This can include:

  • Administrative staff
  • Employees with access to medical records
  • Volunteers or students

Create a Privacy Sensitive Culture

PHIPA was intended to instill confidence in security-conscious patients, with the hope that they will then be more forthcoming with sensitive information. This, in turn, would lead to better outcomes for patients.

In the workplace, respecting patient privacy can be seen in small actions, such as never leaving a patient’s chart unattended, or making a point of discussing personal information only in private settings, away from other patients and practitioners. In short, share information on a need-to-know basis.

Practices like these may already be in place at health information custodians, as PHIPA was designed to extend and bolster them. However, it is important to note that in other situations, PHIPA may contradict common practices. In these cases, PHIPA takes precedence, so it is important to ensure that health information custodians have the legally mandated processes in place.

Accountability and Training

Under PHIPA, health information custodians are accountable for the use of, and access to, the personal health information entrusted to them. Agents of health information custodians are also accountable, though they may be less aware of this obligation.

Training can ensure that everyone understands their responsibility to safeguard confidential patient information. Effective training helps to maintain patient-practitioner confidence and compliance with PHIPA. Without it, practitioners will also be unable to access digital health assets, such as Ontario’s Electronic Record Health Systems.

You can start building a more security-conscious work culture by contacting HR Enable today. We are happy to provide more information about PHIPA compliance, draft policies specific to your business, training, and best practices.

