Practices to protect personal health information under PHIPA-Ontario, Part-3

In our last article we discussed two practices that are provided under PHIPA namely Accuracy and steps to ensure collection now the remaining practices we will discuss under this article.

3) Steps to ensure collection

PHIPA mandates a health information custodian to take steps which are reasonable in the circumstances in order to ensure that personal health information is not collected/obtained without authority. 

These steps are usually in the form of contractual obligations wherein the collection, retention, deletion of personal health information is protected by the custodians and norms are to be provided by the  custodians in order ensure the safe collection of personal health information.

4) Limits on use of de-identified information

Section 11.2 of PHIPA imposes a restriction on use of de-identified information and makes it crystal clear that no person shall use or attempt to use information that has been de-identified to identity an individual, either alone or with other information unless PHIPA or any other act has permitted the information to be used to identify the individual. 

However, it is to be noted that section 11.2 has certain limitations which forms as an exception to this rule and prescribes the names of some people who are not prevented from using information that they deidentified, either alone or with other information, to identify an individual:

  1. A health information custodian
  2. A prescribed entity mentioned in subsection 45 (1) (this is the disclosure for for planning and management of health system)      
  3. A prescribed person who complies or maintains a registry of personal health information 
  4. Any other prescribed person 

5) Security (S.12) 

This section of PHIPA mandates for custodians to take all reasonable steps in the circumstances in order to ensure that personal health information in the custodian’s custody or control is protected against theft, loss and unauthorized use or disclosure and to ensure that the record containing the information are protected against unauthorized copying, modification or disposal. 

Section 12 of PHIPA mandatorily asks for the security of personal health information, therefore it is advisable to keep the note of the following circumstances-    

  1. Protection against theft
  2. Protection in eventuality of loss 
  3. Protection against unauthorized use 
  4. Protection against unauthorized copying
  5. Protection against modification or disposal

Picture Credit-https://www.colleaga.org/