If you're running a healthcare business in Ontario, then you must be aware of and comply with the Personal Health Information Protection Act, 2014 (PHIPA). Noncompliance can entail serious penalties, fines, and/or jail time.
Any individual found guilty of violating PHIPA could be fined up to $200,000 and/or imprisoned for a year. Meanwhile, any organization or institution that violates PHIPA can be fined up to $1,000,000. Additionally, anyone linked to a corporation that has committed an offence under PHIPA can also be held personally liable if they aided and abetted the crime or were responsible for preventing it but deliberately avoided doing so.
If you want to prevent your organization from facing PHIPA penalties, avoid the following PHIPA mistakes.
1. Failing to obtain consent
Under the law, individuals must give their express consent before their protected health information (PHI) can be collected, used, or disclosed, except in certain circumstances. This means you have to get permission, written or verbal depending on the sensitivity of the information, from every individual whose PHI you will handle.
Health information custodians like you must also obtain consent for each specific purpose for which the PHI will be used or disclosed. For example, if you're collecting PHI to make treatment decisions and to study health trends, you need to get consent for both purposes. You can't simply get blanket consent for all future uses of the individual's PHI. If you're unsure whether consent is required in a particular situation, it’s best to err on the side of caution and obtain consent.
2. Collecting more information than necessary
Another common PHIPA mistake is collecting more data about an individual than necessary. When collecting PHI, you should only collect the information that serves a specific purpose. If you're collecting PHI for medical research purposes, for instance, you don't need to collect respondents’ names, addresses, and Social Security numbers; leaving them out also helps maintain respondents’ anonymity.
3. Not keeping PHI accurate or up to date
Health information custodians have the duty to keep PHI accurate and up to date. This means, for example, that if an individual provides you with new information related to their health, you should update your records accordingly.
Individuals also have a right to request that their PHI be corrected if they believe it to be inaccurate or incomplete. If you receive such a request and agree that the PHI is inaccurate or incomplete, then you must take steps to correct the information. If you do not agree with the request, you must notify the individual that their request was denied and inform them of their right to appeal.
4. Not providing individuals access to their own PHI
Individuals should be able to request access to their own PHI, and custodians must provide them with the requested information unless there’s an acceptable reason for not doing so.
If an individual submits a written request for PHI access, then you have 30 days to comply with their request. If you cannot provide the requested information within that time frame, you must explain the reason for the delay and give a date by which the information will be provided.
5. Failing to keep PHI secure
One of the most important aspects of complying with PHIPA is ensuring that PHI is kept secure. Therefore, your organization should implement robust security measures, such as password protection, data encryption, and physical security. You must also ensure that only authorized individuals have access to PHI. One way to do this is by implementing access controls that restrict PHI access to the employees who need it to do their jobs.
In the unfortunate event that PHI is compromised, you must notify the affected parties as soon as possible and take steps to prevent further unauthorized access, use, or disclosure. Under PHIPA, you are also required to report certain privacy breaches to the Office of the Information and Privacy Commissioner of Ontario.
Should you need a hand in maintaining PHIPA compliance, partnering with XBASE Technologies is a good place to start. Our wide range of Exponentially Better™ services can help your organization protect sensitive information so you remain compliant with various privacy laws. Contact us today to learn more.