In Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA) is the presiding federal regulation controlling how organizations can collect, store, process, and share Canadian citizens’ data for commercial purposes. Nonetheless, it isn’t the only Canadian data privacy law businesses will need to worry about. Under Part I of PIPEDA, provinces can enact their own data collection regulations to supplant PIPEDA’s data collection rules, so long as the Canadian government determines that the proposed regulations closely align with PIPEDA’s rules. The Personal Health Information Protection Act (PHIPA), Ontario’s healthcare data collection law, is one notable example of this. PHIPA regulates what doctors, hospitals, healthcare providers, and health service providers in Canada’s largest province can do when collecting, processing, and sharing the personal and health information of Ontario residents. While PIPEDA will still apply to any international or interprovincial data collection activities performed for commercial purposes, PHIPA governs how these individuals and entities can collect and process sensitive patient information within Ontario for both commercial and non-commercial purposes.
PHIPA protects oral, written, and otherwise-recorded patient health information, including patients’ physical and mental health data, family history, treatment plans, healthcare insurance and payment information, and blood and organ donor information. It mandates that providers and organizations that hold and process this data take steps that are reasonable under the circumstances to protect it against loss, theft, unauthorized disclosure, and unauthorized copying. If such incidents do occur, healthcare organizations are required to notify affected individuals at the first reasonable opportunity, and to include a statement that affected individuals can file a complaint with Ontario’s information and security commissioner.
The law also addresses data retention practices. Under PHIPA, providers and companies must ensure that any patient personal and health information in their custody is retained, disposed of, and transferred securely. They must also keep health records that are subject to a patient’s inquiry on file for as long as is necessary to resolve the patient’s request. Agents of healthcare custodians must also follow PHIPA. They must not only stay within the scope of their custodians’ instructions, but must also collect and process data only in the manner necessary for carrying out their duties. This doesn’t mean that healthcare providers and entities are immune to their agents’ PHIPA violations.
Providers and organizations are liable for the collection and security of all data their agents collect, and must ensure their agents are following their data collection directives. Individuals and organizations that don’t comply with PHIPA could face serious sanctions. Hospitals and companies, for example, could face fines of up to $500,000 per violation, while doctors and other individuals could be liable for up to $100,000 in fines. A corporation’s officers, members, agents, and employees could also face personal liability if they either authorized the offense or were in a position to stop it and knowingly didn’t.
Moving your data into the cloud can help you quickly achieve PHIPA compliance. Our virtual cloud hosting platform, Abacus Private Cloud, allows you to leverage an ePHI-compliant hosting platform to run your software and work with your patients’ health data. This lets you keep your patients’ information secure both in transit and at rest, backed by three layers of physical, server, and data security and other top-tier protections.
Contact us to learn how Abacus Private Cloud can help you comply with PHIPA.