Practices to protect personal health information under PHIPA-Ontario, Part-4

Security is one of the most important parameters when dealing with privacy laws. In our last article (link here: https://worldprivacylaw.com/?p=520) we discussed the five types of practices explicitly mentioned under the Personal Health Information Protection Act (PHIPA), and briefly covered the practice of security. All of them are important, but security is the one where a breach can attract huge penalties, including monetary penalties as well as imprisonment. Here we deal with the practice of security in detail and try to unfold some of its other aspects.

The practice of security is provided under section 12 of PHIPA-Ontario. Section 12 mandates that custodians take all reasonable steps in the circumstances to ensure that personal health information in the custodian’s custody or control is protected against theft, loss and unauthorized use or disclosure, and to ensure that the records containing the information are protected against unauthorized copying, modification or disposal.

Notice of theft, loss, etc. to Individual- 

Section 12 provides that the custodian must serve a notice on the individual to whom the personal health information belongs if that information is stolen or lost, or used or disclosed without authority.

The custodian shall notify the individual at the first reasonable opportunity of the theft or loss or of the unauthorised use or disclosure, and the notice shall include a statement that the individual is entitled to make a complaint to the Commissioner under Part VI of PHIPA. It is pertinent to note that this provision makes custodians liable for many things and even imposes a duty upon custodians to inform the individual about their entitlement.

However, this rule has some exceptions as well, which are precisely and clearly mentioned under section 12 (4). They are:

Where a custodian is a researcher who has received the personal health information from another health information custodian under subsection 44 (1), the researcher must notify the individual if the information is stolen, lost, used or disclosed without authority, unless the health information custodian that disclosed the personal health information under subsection 44 (1):

  1. first obtains the individual’s consent to having the researcher contact the individual; and
  2. informs the researcher that the individual has given the consent.

(Section 44 basically deals with disclosure of an individual’s personal health information for the purpose of research; such disclosure can be made upon receiving an application.)

Note: this is basically an agreement respecting disclosure, which the researcher enters into with the custodian and in which the researcher agrees to comply with the conditions and restrictions.