Practices to protect personal health information under PHIPA-Ontario, Part-1

Sections 10 to 12 in Part II of the Personal Health Information Protection Act (hereinafter PHIPA) lay down the provisions on practices to protect personal health information.

Practices to protect personal health information

Information practices are the measures that every health information custodian who has custody or control of personal health information must have in place to comply with the requirements of PHIPA.

Section 10 (2) of PHIPA imposes a duty upon a health information custodian to comply with its information practices. However, a health information custodian that uses electronic means to collect, use, modify, disclose, retain, or dispose of personal health information must comply with the regulations and requirements as provided in.

Further, a person who provides goods and services for the purpose of enabling a health information custodian to use electronic means to collect, use, modify, disclose, retain, or dispose of personal health information shall comply with the prescribed requirements, if any.

Section 10 thus covers both a health information custodian using electronic means and a person who provides goods and services to enable a health information custodian to use electronic means; both are mandated to comply with the requirements, if any. For example, those who provide computer software or hardware to the custodian, internet service providers, etc. are also mandated to adhere to the requirements, if any, provided as a practice to protect personal health information.

Important to note:

The entire PHIPA speaks of the collection, use, and disclosure of personal health information and provides the rules and regulations for the same. However, section 10 goes one step further and speaks of health information custodians using electronic means to collect, use, modify, disclose, retain, and dispose of personal health information.

Amendment to section 10

In 2020, PHIPA was amended by adding section 10.1, which provides for an electronic audit log in sections 10.1 (1) to 10.1 (4).

Electronic Audit Log:

The amendment provides that, subject to any exceptions provided for, a health information custodian who uses electronic means to collect, use, disclose, modify, retain, or dispose of personal health information is mandated to:

  1. Maintain, or require the maintenance of, an electronic audit log;
  2. Audit and monitor the electronic audit log as often as required by the regulations; and
  3. Comply with any requirements that may be prescribed.

It further provides that a health information custodian using electronic means to collect, use, modify, disclose, retain, and dispose of personal health information shall provide a copy of the electronic audit log to the Commissioner if the Commissioner requests it.
