PHIPA, Ontario's Healthcare Privacy Law, is More Than Just a HIPAA Clone

North America has two widely referenced healthcare privacy regimes: HIPAA in the USA and, in Canada's most populous province, Ontario's PHIPA (the Personal Health Information Protection Act, 2004; other provinces have their own health privacy statutes). While the two are very similar, it is important for Canadian healthcare organizations to understand the differences, and what they remain responsible for when choosing a provider that will help them communicate, collaborate, and share patient data.

Ontario health information custodians (HICs), such as hospitals, physicians, pharmacies and long-term care homes, are required to comply with PHIPA. PHIPA is a set of rules governing the collection, use, and disclosure of "personal health information" (PHI).

Under PHIPA, personal health information includes the following:

Any “identifying information” about an individual, whether oral or recorded, if the information...

  • Relates to the individual’s physical or mental condition, including family medical history; or
  • Relates to the provision of health care to the individual; or
  • Is a plan of service for the individual; or
  • Relates to payments, or eligibility for health care or for coverage for health care; or
  • Relates to the donation of any body part or bodily substance, or is derived from the testing or examination of any such body part or bodily substance; or
  • Is the individual’s health number; or
  • Identifies a health care provider or substitute decision-maker for the individual

PHIPA Part IV (section 12(1)) requires that HICs take “steps that are reasonable in the circumstances” to protect personal health information in their custody or control, and the records containing it, against the following:

  • Theft;
  • Loss;
  • Unauthorized use and disclosure; and
  • Unauthorized copying, modification, or disposal.

As a custodian, you may become aware of a privacy breach in a number of ways, including:

  • During the normal course of business.
  • Through a complaint filed by an individual.
  • Notification from the Information and Privacy Commissioner of Ontario (IPC) after it receives a complaint.

Once a custodian becomes aware that PHI has been stolen, lost, or used or disclosed without authority, the custodian must notify the affected individuals at the first reasonable opportunity, and the notice must tell them that they are entitled to make a complaint to the IPC.

Under PHIPA, the requirements for reporting a breach to the regulator are stringent. The circumstances are set out in Ontario Regulation 329/04 (section 6.3, in force since October 1, 2017). A health information custodian must notify the Information and Privacy Commissioner whenever (among other circumstances):

  1. The HIC has reasonable grounds to believe that personal health information (PHI) was used or disclosed without authority by a person who knew or ought to have known that they were using or disclosing the information without authority.
  2. The PHI was stolen.
  3. The HIC has reasonable grounds to believe that, after an initial loss or unauthorized use or disclosure of PHI in the HIC’s custody or control, the PHI was or will be further used or disclosed without authority.
  4. The loss or unauthorized use or disclosure of PHI is part of a pattern of similar losses or unauthorized uses or disclosures of PHI in the custody or control of the HIC.
  5. The HIC is required to give notice to a regulated health professional’s governing body or College, in accordance with PHIPA, as it relates to the loss or unauthorized use or disclosure of PHI.

Separately from these incident reports, since January 1, 2018 every HIC must also file an annual statistical report with the IPC of the privacy breaches that occurred in the previous calendar year.

HIPAA Breach Notification Requirements vs. PHIPA Breach Notification Requirements

Under HIPAA’s Breach Notification Rule, covered entities are required to report breaches of unsecured protected health information. A covered entity’s notification obligations differ depending on whether the breach affects 500 or more individuals, or fewer than 500 individuals.

In every case, regardless of size, affected individuals must be notified without unreasonable delay and no later than 60 calendar days after the breach is discovered. If a breach of unsecured protected health information affects 500 or more individuals, the covered entity must also, within the same 60-day window, notify the following:

  • The Secretary of Health and Human Services.
  • Prominent media outlets serving the state or jurisdiction, where more than 500 residents of that state or jurisdiction are affected.

If a breach of unsecured protected health information affects fewer than 500 individuals, the covered entity must still notify the affected individuals within 60 days of discovery, but may log the breach and report it to the Secretary no later than 60 days after the end of the calendar year in which the breach was discovered. Note that HIPAA does not use the terms “meaningful” or “non-meaningful” breach; the only distinction the rule draws is the 500-individual threshold.

The good news?

  • HighSide is built to meet HIPAA and PHIPA requirements, giving HICs and medical customers handling PHI peace of mind. Under HIPAA a collaboration vendor that handles PHI is a business associate and must sign a business associate agreement (BAA); under PHIPA it acts as the custodian’s agent or electronic service provider, so confirm those agreements are in place before PHI is shared.
  • With HighSide’s end-to-end (E2E) encrypted collaboration platform, PHI stored in and shared via the HighSide cloud is only ever held there as ciphertext, so a breach, theft, or ransomware incident affecting the cloud does not expose readable PHI. The devices that hold the decryption keys remain within the custodian’s own safeguards.
  • HighSide gives organizations complete visibility into who has access to data, who has accessed data, what device they used, and even what physical location they were at when accessing data.
  • HighSide’s centrally managed but decentralized cryptographic system ensures organizations can control which devices and which users have access to PHI.
  • Organizations can use HighSide to communicate with and about patients, share patient medical records, conduct tele-doctor sessions, schedule procedures, and store PHI all in one application.
  • Patients and external providers don’t even have to download the HighSide application: simply initiate a “call” link and they are connected via their browser.