Personal Health Information Protection Act: What Dentists Need to Know NOW!
What is PHIPA?
The Personal Health Information Protection Act, 2004 (“PHIPA”) imposes obligations on dentists with respect to collecting, using and disclosing “personal health information”. By way of background, “personal health information” is defined in section 4 of PHIPA and includes oral or written information that:
- relates to the physical health of a patient;
- relates to the provision of health care to a patient;
- relates to payments or eligibility for health care or coverage for a patient; or
- identifies the patient’s health number.
Under PHIPA, dentists are considered to be “Health Information Custodians” (which we will refer to as “Custodians”). As such, dentists (and their agents, i.e. staff and associates) must abide by the laws concerning the collection, use, and disclosure of personal health information under PHIPA. It is very important for dentists to be aware of their obligations and to make their agents aware of them as well.
Custodians must have a contact person to help them and their agents comply with PHIPA, respond to inquiries about the custodian’s information practices, respond to requests for access to or correction of a record of personal health information, and receive complaints about alleged PHIPA violations. It is generally recommended that the Custodian also be the contact person to fulfil these legal obligations.
Use of Personal Health Information
Dentists may use personal health information WITHOUT the need to obtain any consent for a number of reasons, such as: planning or delivering services, improving the quality of care, educating agents, research purposes, and obtaining payment for health care or related goods and services.
Disclosing Personal Health Information
Dentists may disclose personal health information without consent where the disclosure relates to providing health care, monitoring health payments, eliminating or reducing a significant risk of bodily harm, or a legal proceeding (among other things).
Dentists have an obligation to take “reasonable steps” to ensure that:
- personal health information is accurate, complete and up-to-date;
- personal health information is protected from theft, loss and unauthorized use or disclosure; and
- records are protected against unauthorized copying, modification or disposal.
What if a Patient Wants to Access their Personal Health Information?
PHIPA also provides patients with an entitlement to access their personal health information records and outlines conditions under which access may be denied. Those records include digital records, dental radiographs, impressions, etc. Patients can generally access records of their own personal health information (and not someone else’s). Before a dentist provides access, they must take reasonable steps to determine the patient’s identity. A written request is necessary to invoke a patient’s rights under PHIPA, and a Custodian must respond within 30 days. The Custodian can extend this by an additional 30 days if it is not reasonably practical to reply within that time frame, provided it notifies the patient of the delay and the reasons why within the initial 30-day time frame. A Custodian must make the record available by providing a copy and, if reasonably practical, provide an explanation of any term, code or abbreviation used in the record.
Breaches and Notifications
Dentists MUST notify a patient if their personal health information has been stolen, lost or accessed by unauthorized persons. Dentists MAY also voluntarily report privacy breaches to Ontario’s Information and Privacy Commissioner.
What are the Consequences of Failing to Comply with PHIPA?
Here’s where things get scary for dentists. To begin, a patient who believes PHIPA has been violated may file a complaint with Ontario’s Information and Privacy Commissioner. The dentist may be liable or found guilty if they did not act in good faith, acted unreasonably, or did not comply with PHIPA. Examples of what could constitute a breach include dental practices handing out patient contact information to private marketing companies or inappropriately providing patient information to financial services companies. When an action is commenced, there must be actual harm. Statutory penalties under PHIPA range from $50,000 fines for individuals to $250,000 fines for organizations!
Please note that the information provided herein is not legal advice and is provided for informational and educational purposes only. If you need legal advice, contact me (Ljubica Durlovska), David Mayzel or Michael Carabash. We are your legal dental team.