Chapter 1 – Complying with the Personal Health Information Protection Act (PHIPA)
PHIPA came into force on November 1, 2004.
You need to be familiar with various terms and concepts in order to know what your responsibilities are under the Act. These include “personal health information” (PHI), “health information custodian,” “agent” of a custodian, “recipients” of PHI, “health care,” “collection,” “use” and “disclosure.” (These and other terms are listed in the Glossary at the end of the Toolkit.)
One of the most important considerations is whether you are a health information custodian, an agent of a custodian or a recipient of PHI. This will depend on what your primary function is, and whether it is to provide “health care” as defined in PHIPA.
You should also understand when PHIPA will not apply to you.
Background and key definitions
PHIPA became law on November 1, 2004 and does a number of things:
- It creates a common set of rules for the collection, use and disclosure of personal health information (PHI) for use by “health information custodians” (custodians).
- It requires certain practices to be in place to protect PHI.
- It describes the circumstances in which you can share PHI within your agency, and circumstances in which you can or must give it to someone outside your agency.
- It provides rules for consent, capacity and substitute decision-making in relation to PHI.
- It promotes the appropriate sharing of PHI so that clients can receive and benefit from integrated health services.
- It creates rules for access to and correction of records of PHI.
- It designates the Information and Privacy Commissioner of Ontario as the body that oversees compliance with the Act.
Personal Health Information (PHI)
PHI can be oral (spoken) or recorded (written on paper or electronically). To help you determine whether information you have is defined as PHI, you should ask yourself the following questions:
- Is it information that on its own, or if linked to other information, can be used to identify an individual?
- Does it relate to the physical or mental health of the individual, including his/her family history?
- Does it relate to the health care an individual has received, or identify the people responsible for providing health care to that individual?
- Is the information an individual’s plan of service within the meaning of the Long-Term Care Act? (A plan of service under the Long-Term Care Act refers to certain types of services that are provided in the community and coordinated through designated agencies. They include such things as meals, caregiver support and personal assistance services. This is different than a plan of treatment described in the Health Care Consent Act and Mental Health Act.)
- Does it relate to the individual’s payment or eligibility for health care or for coverage for health care (including eligibility for coverage under the Ontario Health Insurance Plan [OHIP])?
- Does it relate in any way to the individual’s donation of body parts or bodily substances (including their testing)?
- Is it the individual’s health (OHIP) number?
- Does it tell you who the individual’s substitute decision-maker is?
- Is it part of a record that contains PHI, even if it is not itself PHI? (This is called a “mixed” record, which is covered as PHI under the Act.)
If you have answered “Yes” to any of these questions, the information is PHI.
Questions and Answers
Q. Our case management programs provide services to clients in the community. We meet clients in public places (such as libraries and coffee shops) and it is possible that other members of the community may recognize us as health care professionals and conclude that the client is under our care. This could have a negative impact on the client. Does PHIPA prevent or place restrictions on this practice?
A. Technically, identifying a health care provider as giving care to the individual is PHI under the Act. You may want to notify the patient of the risks associated with meeting them in public places (of being overheard despite your best efforts to have a discreet conversation; or of someone recognizing both of you and presuming that this person is your client). You could include this in your written public statement, or state the risks verbally as part of your intake process with clients.
Are you a health information custodian or an agent?
Health information custodians
PHIPA applies primarily to “health information custodians” (custodians) who are named under the Act. These include a person who operates:
- a public hospital,
- a psychiatric facility,
- a long-term care facility, or
- a laboratory.
In these examples, the “person who operates” is typically a Board of Directors or other group with corporate responsibility for the organization.
Other custodians include:
- health care practitioners, whether they are regulated (such as occupational therapists and nurses) or unregulated (such as mental health counsellors, as long as they are providing health care for payment), and
- the Minister of Health and Long-Term Care, together with the Ministry, as they are responsible for planning and funding Ontario’s health services and, as a result, hold PHI.
A person who operates the following is also included in the definition of custodian:
- a centre, program or service for community health or mental health whose primary purpose is the provision of health care.
This means that mental health and addictions agencies, programs and services that provide health care directly to clients are custodians and need to be aware of the rules under PHIPA.
Is your primary purpose to provide health care?
If you still have questions about whether you are a custodian, consider PHIPA’s definition of “health care.” Health care is any observation, examination, assessment, care, service or procedure that is done for a health-related purpose and is carried out or provided
- to diagnose, treat or maintain an individual’s physical or mental condition,
- to prevent disease or injury or to promote health, or
- as part of palliative care.
- making, dispensing or selling drugs, devices and equipment or other items by prescription, or
- community services provided under the Long-Term Care Act (discussed above).
If any of the items in the list above describe your main function, you are a custodian and have all of the responsibilities of a custodian under PHIPA. There are a few exceptions, including the following:
- If you are the “agent” of a custodian (see below)
- If you are an aboriginal healer who provides aboriginal healing services to aboriginal persons or members of the aboriginal community
- If you treat another person solely by prayer or spiritual means based on your religion
- If you are acting on behalf of a person who is not a custodian, and the main purpose of your work is not health care
Are you an agent of a custodian?
PHIPA also applies to a custodian’s “agents” if they collect, use or disclose PHI on behalf of the custodian. These include
- employees and consultants,
- health-care practitioners (if they are acting on behalf of the custodian),
- students, and
- independent contractors (including physicians and third-party vendors who provide you with supplies or services).
For example, a staff member of an addictions program is an agent of the program under PHIPA. So is the shredding company you hire to dispose of files that contain client PHI. Agents must
- collect, use and disclose PHI with the same care and diligence as the custodian (given that agents
- collect, use and disclose PHI on behalf of the custodian, and not for their own purposes),
- comply with the custodian’s obligation to collect as little PHI as needed in the circumstances, and not
- collect PHI if other information would suit the purpose,
- not collect, use or disclose it when other information is available,
- protect it from being lost, stolen or inappropriately accessed, as well as from unauthorized copying, modification and disposal, and
- tell the custodian as soon as possible if the PHI that the agent possesses or handles on behalf of the
- custodian is lost or stolen, or if someone accesses it without authority.
Custodians should reinforce these expectations with all of their agents. This can be done in a variety of ways:
- Providing education on PHIPA (in person, and through notice boards, publications and other written materials)
- Reinforcing a privacy culture throughout your agency, and being clear about your expectations
- Building a privacy component into annual performance reviews
- Reviewing existing contracts with third party vendors to ensure that they have adequate safeguards for PHI
Questions and Answers
Q: Where do “non-traditional” mental health and addictions service providers such as consumer and family initiatives fit under PHIPA?
A: These providers are not custodians under PHIPA (unless they are agents of a custodian collecting, using or disclosing PHI for the custodian’s purpose and not their own).
Q: What about alternative work programs?
A: Consumer or family initiatives and alternative work programs would have to say “Yes” to all of the following criteria in order to be custodians:
- They are a program or service for community health (including addictions) or community mental health.
- They collect, use and disclose PHI.
- Their primary purpose is providing health care.
- Typically, the primary purpose of these groups is not health care under the definition of PHIPA. Instead, their primary purpose might be to support, educate and advocate on behalf of consumers or families. Or, in the case of an alternative work program, its main purpose is likely to provide job opportunities for those suffering from a mental illness; its main purpose is employment, and not health care.
Even if they are not agents of a custodian and do not fit squarely under PHIPA, these organizations could still model their privacy and information practices on the Act. The only difference would be that there would be fewer formal rights and obligations (for example, clients would not have the right to make a complaint to the Information and Privacy Commissioner).
Q: Where do housing providers fit under PHIPA?
A: There are several types of housing providers to consider. Some fall under the definition of “health information custodian,” while others do not.
For example, if the relationship between the client and the housing provider is strictly one of a private landlord and tenant, with a primary purpose of housing, the landlord is not a custodian under PHIPA. Express consent should be sought before any PHI is given to the landlord.
If a mental health agency provides housing as one of its services and acts as the landlord to its clients, there is no problem in sharing the client’s PHI with the part of the agency that is arranging the housing, since both the person giving and receiving the PHI are agents of the custodian under the Act. PHI can be shared in this way based on the client’s implied consent, if you wish to do so. You are also free to ask for the client’s express consent.
However, if the mental health agency leases housing units from a private landlord for the agency’s clients, PHI should only be provided to the landlord with the individual’s consent. For example, it could be clear to a landlord that a new tenant is a client of a mental health agency. Technically, this is a disclosure of PHI. The landlord is not a custodian under PHIPA, and express consent of the client is required.
A person who operates one of the following types of homes is named as a custodian under PHIPA (note that this is not the full list):
- An approved home under the Mental Hospitals Act
- A home for special care under the Homes for Special Care Act
- A care home under the Tenant Protection Act
When does PHIPA not apply?
PHI in employment files
PHIPA applies to your employee’s records of PHI only if they are kept mainly for the purpose of providing health care or assisting in providing health care. For example, if your employee’s file has a doctor’s note in it that explains an employee’s absence from work, that PHI is not covered under the Act, as the record is kept primarily for employment purposes, not primarily for health care purposes.
However, if an employee becomes a client of your agency, the record you keep about the care you provide to that employee would be covered under PHIPA.
What has been open to recent debate is the issue of records that a custodian has about the custodian’s employees that are kept for occupational health and safety reasons. For example, if the agency, as an employer, brings in a nurse to provide flu shots to all staff, the information in the nurse’s hands is PHI; the nurse brought in from the outside is providing a health care service. Once the information is disclosed (with the client’s consent) to the agency to be placed in a file to show compliance with the Occupational Health and Safety Act, it is not being kept for a health care purpose and is therefore not PHI.
Generally, anyone who holds PHI outside the health sector is not covered under PHIPA (such as insurance companies, employers, school boards and others). Only a few specific rules under PHIPA are important for these types of third parties (called “recipients”) who obtain PHI from a custodian. For example, if a client gives an addictions program consent to release PHI to an insurance company, PHIPA places limits on how the insurance company can then use or disclose that information.
Recipients are not agents of the custodian because they do not collect, use or disclose PHI on the custodian’s behalf. Typically, a recipient’s activities are very separate from the custodian’s.
Examples of recipients include
- insurance companies,
- family members (unless they have legal authority to act on behalf of the client, such as acting as the
- client’s substitute decision-maker), and
- courts or tribunals such as the Consent and Capacity Board.
In some cases, a custodian will be able to give information to a recipient without client consent, such as where PHIPA or another law allows or requires this disclosure.
Custodians are not “recipients,” even when they receive PHI from other custodians.
You should follow the rules in PHIPA unless another law specifically says that it prevails over PHIPA. For example, the rules about community treatment orders in the Mental Health Act prevail where they conflict with any of PHIPA’s rules.
It is best to stay current on any changes to the laws you rely on frequently. This is because when PHIPA came into force on November 1, 2004, it also made a number of changes to existing laws, including the Mental Health Act. Be aware that some situations may be governed by a law that takes priority over PHIPA, if there is a conflict between it and PHIPA. The other laws may also give you additional discretion about how PHI can be collected, used or disclosed.
For example, under subsection 35(2) of the Mental Health Act, an officer in charge of a psychiatric facility may now collect, use or disclose PHI about a patient, with or without the patient’s consent, for the purposes of examining, observing, assessing or detaining someone under the Mental Health Act; or to comply with the mental disorder provisions of the Criminal Code, including orders of a court or the Ontario Review Board. It will be up to these psychiatric facilities to decide when they will rely on this authority. These facilities will still have obligations under PHIPA, for example, to safeguard the PHI they hold and to provide clients with access to their records of PHI. This rule does not apply to community mental health agencies nor to addictions programs. However, the facility’s discretion to give PHI to you is worth noting.
For example, a court support worker employed by a mental health agency may need information from the psychiatric facility that performed a court-ordered assessment for a client. This section would give the officer in charge of the psychiatric facility the authority to disclose that information. Other sections of PHIPA that would apply (for example, where the facility may rely on the client’s implied consent to give you information) will be discussed further below.
Questions and Answers
Q: A number of community service agencies and our local psychiatric facility have created a database that contains client PHI. Information is accessible by each of the members of the database in order to support the client’s integrated care and to reduce duplication of services. This is done with client consent.
Is the database a custodian under PHIPA? Instead of acting as separate custodians of the PHI in the database, could several service agencies act as one custodian?
A: You should first look at the status under PHIPA of each of the community agencies and the psychiatric facility that will have access to the database:
- If each of them is a custodian under PHIPA, placing the information in a database is the same as giving it to another custodian under PHIPA.
- If someone who has access to the database is not a custodian (nor the agent of a custodian), the information is shared with him/her as a third-party “recipient.”
Getting a client’s consent to give their PHI to the person who maintains the database is always a good idea, since it is not a use or disclosure a client might think you would typically make.
The database is not a custodian under PHIPA. However, the person who operates and maintains the database may be considered a “health information network provider” under the Act. For example, a provider that hosts data for two or more custodians in an electronic format, such as a database, is doing so for the purpose of allowing custodians to give PHI to each other.
Special rules about health information network providers are provided in section 7 of the regulations to PHIPA (O. Reg. 329/04 is available online at www.e-laws.gov.on.ca).
If your agency is involved in this type of arrangement with a health information network provider and other agencies, you should review this section very carefully; it sets out multiple requirements for anyone who supplies electronic services to custodians, including health information network providers.
Two or more custodians may apply to the Ministry of Health and Long-Term Care to be named as a single custodian for the purpose of PHIPA. Doing so would cover them for all purposes of PHIPA, not just for the PHI in the shared database. See discussion of this issue in Chapter 2.
You can learn more about the single custodian application process online at: www.health.gov.on.ca.
Collection, use and disclosure
The concepts of collection, use and disclosure of PHI will be discussed in further detail in Chapters 4, 5 and 6 of this Toolkit.