Safeguarding Health Information: Everything You Need to Know About PHIPA

When we seek medical care, not only do we hope that this care will be provided at the highest possible standard but we also want this part of our lives to remain private. Thus, in the realm of healthcare, a delicate balance must be struck – one where our right to confidentiality harmonizes with the need to share our medical history among healthcare providers.

To ensure this balance, countries adopt numerous standards, laws, and regulations. In a previous interview with our in-house experts, we discussed essential standards such as HIPAA, PIPEDA, HL7, and others. Today, we are going to focus on PHIPA, Ontario's health privacy law, which is designed to keep health data confidential while still allowing the sharing that effective medical treatment requires.

Brief overview: What is PHIPA about?

PHIPA, the Personal Health Information Protection Act, 2004, is Ontario legislation that governs how personal health information is collected, used and disclosed. In force since November 2004, the Act has been amended repeatedly; its consolidated text is currently in its fortieth version.

PHIPA aims to establish a balance between protecting individuals’ privacy rights and meeting the legitimate needs of healthcare authorities to handle personal medical information. This is crucial for providing effective and timely healthcare, as well as for planning and managing the healthcare system.

In terms of geographical application, PHIPA is confined to the province of Ontario in Canada. Nevertheless, the Act does not forbid transferring personal health information outside the province or outside Canada: a custodian may do so, but it remains responsible for that information and must still satisfy PHIPA's consent and safeguard requirements wherever the data ends up.

What are the functions of PHIPA?

PHIPA serves three main functions:

  1. Regulating protocols: Overseeing the correct handling of personal health information.
  2. Empowering patient rights: Providing patients with the right to access and amend their personal health records held by custodians.
  3. Setting administrative requirements: Establishing guidelines for custodians of personal health records, directly influencing software product development processes.

What falls under the category of personal health information in PHIPA?

As the name suggests, personal health information (PHI) is identifying information about an individual that relates to:

  • physical or mental health status;
  • provision of medical care to an individual;
  • payment for healthcare services or entitlement to medical services;
  • organ donation, and more.

Some examples of PHI include health history, EMR/EHR, healthcare services received, laboratory test results or analyses, information regarding payment for healthcare services, health insurance plans, and so forth.

A crucial aspect to consider is that PHIPA also covers mixed records, which encompass both PHI and other data. For example, if a record contains such details as an address, phone number, and a patient’s medical card number, it all falls under the category of personal health information.

Who qualifies as the custodian of such information?

A custodian is a person or organization that has custody or control of personal health information as a result of the health-related role it performs. It comes as no surprise that examples of custodians include healthcare professionals, hospitals, elder care facilities and specialized care homes, pharmacies, medical laboratories, and more.

Nevertheless, there are some exemptions. The regulations of PHIPA do not extend to certain categories of custodians:

  • indigenous healers and midwives offering traditional healing and midwifery services to indigenous individuals or members of the indigenous community;
  • individuals providing treatment solely through spiritual methods or prayer.

How can a provider of custom healthcare solutions meet the legal requirements?

It’s important to mention that PHIPA applies to a diverse range of individuals and organizations holding PHI. However, the law’s provisions also extend to agents and providers of electronic services.

  • An agent is any person authorized by the custodian to perform services related to PHI on behalf and in the interest of the custodian on a contractual basis.
  • A provider of electronic services is an individual or entity that provides services that enable the custodian to engage in electronic collection, utilization, modification, disclosure, storage, or disposal of PHI.

Within this paradigm, a healthcare software development company can be classified as an electronic service provider. There is an important distinction, however: a provider that is not an agent of the custodian is still bound by PHIPA's limitations. It may not use the PHI it handles except as necessary to deliver its service, may not disclose that PHI, and may not let its own employees access it unless they agree to observe the same restrictions.

What are the key provisions of PHIPA?

There are many provisions in PHIPA, but the most important include:

  • Gathering, utilizing, and disclosing PHI requires consent from individuals, with certain exceptions.
  • Custodians of PHI must treat all such information as confidential and ensure its security.
  • Individuals possess the right to access their PHI and correct any errors.
  • Individuals can instruct PHI custodians not to disclose their information to others.
  • There are specific regulations regarding the use of PHI for fundraising or marketing purposes.
  • Clear guidelines on the utilization and disclosure of PHI for research purposes are developed.
  • Individuals have the right to file a complaint with the Information and Privacy Commissioner of Ontario if they believe the Act has been contravened, for example if a custodian refuses to correct an error in their PHI.
  • Legal mechanisms must be in place to address violations of the legislation.

What happens if one fails to adhere to PHIPA regulations?

Failure to adhere to PHIPA carries substantial consequences, with different penalties for individuals and corporations. Individuals may incur fines of up to $200,000 and imprisonment of up to one year, while corporations face fines of up to $1 million.

And although health data custodians are typically the ones held responsible, there’s an important aspect to it — if a corporation violates PHIPA, all employees of that corporation who either authorized the offense or had the authority to prevent it but consciously chose not to may also face legal consequences.

Does PHIPA include a certification process?

There is no distinct certification program for assessing compliance with PHIPA requirements. However, given the high stakes related to non-compliance, how can one proactively protect oneself?

The law has one notable provision: a custodian must take steps that are reasonable in the circumstances to protect personal health information against theft, loss and unauthorized use or disclosure. However, the legislation does not specify what those steps are, leaving that to the custodian's discretion.

That said, let’s have a look at some examples showcasing how various companies practically achieve PHIPA compliance. The first set of measures are those established by the Information and Privacy Commissioner of Ontario, the designated authority responsible for ensuring compliance with the law:

  • Develop a well-rounded privacy policy and set of procedures, stating expectations and responsibilities for all agents and staff in safeguarding PHI.
  • Integrate privacy notifications and confidentiality warning indicators into electronic information systems.
  • Require all agents and staff to sign confidentiality agreements before they are given access to PHI.
  • Implement a suite of administrative, technical, and physical measures that restrict access to and use of information to what a person's job requires (the need-to-know principle).
  • Log all interactions with personal health information in electronic information systems, and audit those logs on a regular basis, in response to specific concerns (reactive audits), and by random sampling (proactive audits).

Although these measures provide a bit more context around the protection of health information, they are still rather general. Thus, let’s have a look at some of the most popular examples of what measures companies actually use to comply with PHIPA:

  • setting data retention timelines;
  • secure and irreversible data disposal;
  • regular remote data backups;
  • maintaining audit logs with notifications to the custodian about any breaches of confidentiality;
  • incorporating strong encryption for data at rest and in transit;
  • ensuring that unencrypted copies of data are not created unintentionally;
  • providing a channel through which individuals can submit complaints about the handling of their personal health information to the custodian for review.
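As an added illustration (not code from the article, from the Information and Privacy Commissioner, or from any vendor named on this page), the Python sketch below shows how four of the measures listed above fit together inside a service that handles PHI: access limited to what a role and a treating relationship require, a log entry for every interaction with PHI, a notification to the custodian's privacy officer when access is refused, and a random sample of log entries for proactive review. The audit log is HMAC-chained so that an edited, removed or reordered entry is detectable. The patients, staff, roles, policy table and signing key are all constructed for the example; the `PhiGateway` class and its method names are hypothetical.

```python
"""Need-to-know access to PHI with a tamper-evident audit trail (added example)."""
import hashlib
import hmac
import json
import random
from datetime import datetime, timezone
from typing import Dict, List, Optional

# ---- Constructed sample data: not real patients, staff or identifiers ----
RECORDS = {
    "P-1001": {
        "care_team": {"dr.lee", "rn.chen"},
        "health_number": "1234-567-890-XX",
        "diagnosis": "type 2 diabetes",
        "medications": ["metformin"],
    },
}
ROLE_OF = {"dr.lee": "physician", "dr.patel": "physician", "rn.chen": "nurse",
           "acct.singh": "billing", "it.kim": "sysadmin"}
# Least-privilege policy: fields a role may read, and whether the reader must be
# on the patient's care team (job necessity). Roles absent here get no access.
POLICY = {
    "physician": ({"diagnosis", "medications", "health_number"}, True),
    "nurse": ({"diagnosis", "medications"}, True),
    "billing": ({"health_number"}, False),
}
# Hypothetical audit signing key. In production it lives in a KMS/HSM, out of
# reach of the administrators whose actions the log records.
AUDIT_KEY = b"constructed-demo-key-do-not-reuse"


class PhiGateway:
    def __init__(self, audit_key: bytes = AUDIT_KEY):
        self._key = audit_key
        self.audit_log: List[Dict] = []
        self.alerts: List[str] = []   # notifications for the custodian's privacy officer

    def _append_audit(self, entry: Dict) -> None:
        """Append an entry whose HMAC covers its content and the previous hash."""
        prev = self.audit_log[-1]["hash"] if self.audit_log else "0" * 64
        entry = {**entry, "prev": prev}
        body = json.dumps(entry, sort_keys=True).encode()
        entry["hash"] = hmac.new(self._key, body, hashlib.sha256).hexdigest()
        self.audit_log.append(entry)

    def read(self, user: str, patient_id: str, field: str, purpose: str,
             when: Optional[datetime] = None):
        """Return the field if policy allows it; log the attempt either way."""
        role = ROLE_OF.get(user, "unknown")
        allowed_fields, needs_care_team = POLICY.get(role, (set(), True))
        record = RECORDS.get(patient_id)
        on_team = record is not None and user in record["care_team"]
        granted = (record is not None and field in allowed_fields
                   and (on_team or not needs_care_team))
        self._append_audit({
            "ts": (when or datetime.now(timezone.utc)).isoformat(),
            "user": user, "role": role, "patient": patient_id,
            "field": field, "purpose": purpose, "granted": granted,
        })
        if not granted:
            self.alerts.append(f"DENIED {user} ({role}) -> {patient_id}.{field} [{purpose}]")
            return None
        return record[field]

    def verify_audit_log(self) -> bool:
        """Recompute the chain; any edited, dropped or reordered entry breaks it."""
        prev = "0" * 64
        for entry in self.audit_log:
            if entry["prev"] != prev:
                return False
            body = {k: v for k, v in entry.items() if k != "hash"}
            expect = hmac.new(self._key, json.dumps(body, sort_keys=True).encode(),
                              hashlib.sha256).hexdigest()
            if not hmac.compare_digest(expect, entry["hash"]):
                return False
            prev = entry["hash"]
        return True

    def random_audit_sample(self, k: int, seed: Optional[int] = None) -> List[Dict]:
        """Proactive review: draw k log entries at random for a human to examine."""
        return random.Random(seed).sample(self.audit_log, min(k, len(self.audit_log)))


def demo() -> Dict:
    """Exercise the gateway: granted and denied reads, then a tampering attempt."""
    gw = PhiGateway()
    gw.read("dr.lee", "P-1001", "diagnosis", "treatment")         # on care team: granted
    gw.read("dr.patel", "P-1001", "diagnosis", "consult")         # physician, not on team: denied
    gw.read("acct.singh", "P-1001", "health_number", "billing")   # billing needs no care-team link
    gw.read("acct.singh", "P-1001", "diagnosis", "billing")       # field outside role: denied
    gw.read("it.kim", "P-1001", "medications", "maintenance")     # sysadmin: no clinical access
    intact = gw.verify_audit_log()
    gw.audit_log[1]["granted"] = True     # someone tries to hide the denied attempt
    return {"alerts": len(gw.alerts), "intact_before": intact,
            "tamper_detected": not gw.verify_audit_log()}


if __name__ == "__main__":
    print(demo())
```

Two design choices matter here. The log entry is written before the decision is returned, so a denied attempt is recorded as reliably as a granted one, and the chained HMAC means a later edit to the log (including by an administrator) is visible to whoever holds the key. In a real deployment the denial alerts would feed an incident queue rather than a list, and the random sample would be reviewed by a privacy officer on a fixed schedule.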

Finally, let's conclude today's discussion with two real-world examples of Zoom and AWS putting these security measures into practice.

Zoom

  • Signing Data Protection Agreements to establish clear contractual mechanisms for data transmission.
  • Leveraging TLS 1.2 with 256-bit AES-GCM for data encryption.
  • Employing 24/7 security and monitoring through various layers of physical security controls like perimeter fencing, CCTV cameras, motion detectors, biometric access requirements, and more.
  • Refraining from monitoring, viewing, or tracking video or audio content from video meetings or webinars.
  • Limiting the account retention period to 30 days after termination to assist in reactivation upon customer request, after which the account is permanently deleted.

AWS (Amazon Web Services)

  • In the spirit of transparency, AWS provides comprehensive information about its policies, procedures, and information management tools.
  • Upon request, customers have access to independent audit reports through AWS Artifact, allowing them to assess compliance with PHIPA requirements.
  • AWS respects customer preferences by enabling them to choose the region for storing their content. Importantly, AWS doesn’t move or copy customer content beyond the selected regions without explicit consent.
  • Encryption decisions are left to the customers. As a best practice, AWS recommends encrypting personal health information at all times during storage and transmission.

The bottom line

As data breaches become more frequent and severe, protecting sensitive health data is a top priority for patients, healthcare providers, and regulatory bodies alike. PHIPA is one of the cornerstones on which a secure healthcare system in Ontario is built. Adherence to the Act not only mitigates the risks associated with data breaches but also fosters a culture of responsibility and transparency, ensuring that personal health information remains protected in an ever-evolving digital landscape.
