PHIPA Guidelines

Personal Health Information Protection Act, 2004

Compliance Guidelines for Healthcare Data Management

Overview of PHIPA

The Personal Health Information Protection Act (PHIPA) is Ontario's health privacy law that governs the collection, use, and disclosure of personal health information (PHI) by health information custodians and their agents.

Purpose: PHIPA establishes rules for handling PHI to protect patient privacy while enabling appropriate information sharing for healthcare purposes.

Key Principles of PHIPA

1. Consent

PHI may be collected, used, or disclosed only with the patient's informed consent, except in specific circumstances permitted by law (e.g., emergency treatment, public health reporting).

2. Limited Collection

Collect only the minimum amount of PHI necessary for the intended purpose. Avoid over-collection of information not required for healthcare or administrative purposes.

3. Security Safeguards

Implement administrative, technical, and physical safeguards to protect PHI against unauthorized access, disclosure, loss, or theft.

4. Transparency

Individuals have the right to access their own PHI and request corrections. Organizations must be transparent about how PHI is collected, used, and disclosed.


PHIPA Compliance Requirements for SQL Server

Organizations using SQL Server to store PHI must implement the following controls:

1. Data Encryption
2. Access Controls
3. Audit Logging
4. Backup and Recovery
5. Network Security

Individual Rights Under PHIPA

PHIPA grants individuals the following rights regarding their personal health information:

Right                         | Description                                               | Response Time
------------------------------|-----------------------------------------------------------|--------------------------------
Right to Access               | Request access to their own PHI held by a custodian       | 30 days (extendable to 60 days)
Right to Correction           | Request correction of inaccurate or incomplete PHI        | 30 days
Right to Request Restrictions | Request limits on use or disclosure of their PHI          | 30 days
Right to Accounting           | Request a list of disclosures made in the past 3 years    | 60 days
Right to Withdraw Consent     | Withdraw previously given consent (with limitations)      | Immediate

Privacy Breach Notification

Mandatory Reporting: Health information custodians MUST report privacy breaches to the Information and Privacy Commissioner (IPC) and affected individuals if there is a risk of significant harm.

Breach Response Procedure:

1. Immediate Containment (0-2 hours)

Stop the breach, secure affected systems, preserve evidence

2. Assessment (2-24 hours)

Determine scope, assess risk of harm, document incident

3. Notification (If Required)

Notify IPC and individuals "as soon as possible" if risk of significant harm exists

4. Remediation (Ongoing)

Implement corrective measures, prevent recurrence, document lessons learned


Penalties for Non-Compliance

PHIPA violations can result in significant penalties:

Up to $500,000: maximum fine for organizations
Up to $50,000: maximum fine for individuals

Additional consequences may include IPC orders, reputational damage, loss of professional licenses, and civil lawsuits.


Additional Resources

Need Help? Contact your organization's Privacy Officer or Compliance Team for guidance on PHIPA requirements.