Health information data security is becoming more important as the number of patient records grows within the healthcare industry. The most common personal data collected includes age, name, address, medical history, ID numbers, income, ethnic origin, blood type, etc. To ensure that this information is protected from unauthorized use, two main pieces of legislation govern how personal data is handled: the federal PIPEDA (Personal Information Protection and Electronic Documents Act) and Ontario’s PHIPA (Personal Health Information Protection Act, 2004).
So which rule applies to dentists?
Health information custodians in Ontario are exempt from the application of PIPEDA because PHIPA has been declared substantially similar to PIPEDA. In other words, Ontario dentists only need to comply with PHIPA with respect to the collection, use, and disclosure of personal information that occurs within the Province of Ontario.
What is PHIPA?
Ontario’s PHIPA came into effect on November 1, 2004, with five main purposes:
- To set rules for collecting, using and disclosing personal health information about individuals. This protects the information’s confidentiality and the individual’s privacy, while the information is used to provide effective health care.
- To provide the right for individuals to access their personal health information (with exceptions)
- To provide the right for individuals to correct or amend their personal health information (with exceptions)
- To provide for independent review and resolution of complaints regarding personal health information
- To provide effective remedies for contraventions of this Act
PHIPA is similar to PIPEDA in that they both:
- Incorporate the ten principles in the National Standard of Canada (Model Code for the Protection of Information) with emphasis on principles of consent, access and correction rights
- Provide for independent and effective oversight and redress mechanisms with powers to investigate
- Restrict the collection, use and disclosure to appropriate and legitimate purposes only
The biggest difference from PIPEDA is that PHIPA governs health information custodians and their agents that collect, use and disclose personal health information, whether or not in the course of commercial activities. Health information custodians include dentists and other health care practitioners, whereas agents include office staff such as receptionists, office managers, and dental assistants. In some cases, agents may also include accountants, lawyers and record management services.
In accordance with PHIPA, dental offices must do their best to satisfy the ten principles to protect patient data. A failure to comply with these regulations could result in an investigation of the clinic by the Information and Privacy Commissioner and strict penalties.
Reducing Risks of Data Breach
Custodians are required to take reasonable steps to protect personal health information under their care against theft, loss and unauthorized use, disclosure, copying, modification or disposal. Adopting safeguards within your dental clinic is recommended to reduce the risks of data breaches. Here are some examples from the Royal College of Dental Surgeons of Ontario’s guide to compliance with PHIPA:
- Lock doors and/or use access cards to control and limit access to areas where personal health information is stored
- Use lockable filing cabinets to secure paper records
- Protect record storage areas from natural hazards (e.g. fire, floods, etc.)
- Create policies and procedures to address patients’ requests for access and correction to their personal health information
- Regularly review information practices with your staff
- Establish procedures that address data breaches
- Use confidentiality agreements with independent contractors and suppliers
Technical Safeguards – Cybersecurity
- Encrypt all electronic or digital records
- Implement unique user IDs for access to any electronic records
- Periodically change the passwords that protect documents and records
- Install protection software such as anti-virus, anti-malware, firewalls, etc.
- Keep all systems up-to-date with the latest security fixes
Mandatory PHIPA Breach Reporting
As of October 2017, health information custodians are required to notify the Information and Privacy Commissioner of Ontario (IPC) of privacy breaches if they fall into the following categories:
- Use or disclosure without authorization
- Stolen information
- Further use/disclosure without authority following a breach
- Pattern of similar breaches
- Breaches related to disciplinary action
- Significant breaches
However, even if a breach doesn’t fall into these categories, individuals whose privacy has been breached should still be notified. Every breach incident, whether or not it is reported to the IPC, must be counted in the dental office’s annual statistics report to the IPC.
A report should be submitted as soon as possible, by mail or at www.ipc.on.ca with the following information:
- The circumstances of the breach (e.g. how the information got stolen, lost, or disclosed without authority, number of individuals affected, how the breach was discovered, etc.)
- Whether and how you notified the individuals who were affected
- The nature of the health information that was stolen, lost, or used or disclosed without authority
- The steps taken to contain, investigate, and remediate the breach and prevent future breaches, including work that’s still ongoing
The IPC will review the information you submit and may request additional information. In some cases, an investigation may be conducted by the IPC, while in other cases no further action will be taken.
For further information on reporting a breach, you can refer to the guidelines for the health sector.
Personal information has become more vulnerable than ever to data breaches as more records are digitized. As a result, PHIPA was put in place to govern how data is handled by health information custodians. Custodians must also implement physical, administrative and technical safeguards to adequately protect these records from unauthorized access.
If you’re interested in stepping up your cybersecurity, check out our other blog post to learn more.
Please note that the above information is intended for reference only and should not replace the advice you should be seeking from any formal legal counsel.