PHIPA for Ontario: Important Definitions & Interpretations, Part 2

Personal health information and personal health custodian: we learned these two definitions in our last article and also discussed how they are interpreted. In today’s article we will first discuss the practices PHIPA has provided to guide the custodian. Section 2 of PHIPA says that “information practices”, in relation to a health information custodian, means the policy of the custodian for actions in relation to personal health information, including:

  1. When, how and the purposes for which the custodian routinely collects, uses, modifies, discloses, retains or disposes of personal health information, and
  2. The administrative, technical and physical safeguards and practices that the custodian maintains with respect to the information (“pratiques relatives aux renseignements” is the French term for information practices)

In simple words, information practices in relation to a health information custodian means the policies the custodian has framed, which include when, how and the purposes for which the custodian obtains personal health information, and the safeguards the custodian has taken to protect the information.

Secondly, we will discuss the definition of “agent”. Section 2 of PHIPA says that an agent, in relation to a health information custodian, means a person that,

  • with the authorization of the custodian, acts for or on behalf of the custodian in respect of personal health information for the purposes of the custodian, and not the agent’s own purposes,
    • whether or not the agent has the authority to bind the custodian,
    • whether or not the agent is employed by the custodian, and
    • whether or not the agent is being remunerated

In other words, the definition means an agent has to be authorized by the custodian to act with respect to the personal health information, and it explicitly bars activities for the agent’s own purposes.

Lastly, the most important and interesting one is “de-identify”. In relation to the personal health information of an individual, it means to remove any information that identifies the individual or for which it is reasonably foreseeable in the circumstances that it could be utilized, either alone or with other information, to identify the individual.

De-identification has a corresponding meaning, which is “anonymiser”. This is also known as the right to erasure or right to be forgotten in the GDPR or the data protection Bill of India. This is one of the essential rights provided under the GDPR, and under PHIPA it is defined and guaranteed. Section 11 of PHIPA explicitly mentions that no person shall use or attempt to use information that has been de-identified to identify an individual, either alone or with other information. However, it is to be kept in mind that this de-identification of information is subject to the permission of PHIPA or another Act, or any exception as provided.

Picture credit: https://healthitsecurity.com/