
What is PHIPA?

How Do I Know My Personal Health Information is Safe?

When sensitive personal data falls into the wrong hands, a lot can go wrong. Imagine a hacker or other unauthorized party having access to your full name, addresses, health insurance details, and financial information. As more private information is transferred online (e.g., through electronic health record systems), security and privacy matter more now than ever before. Many of our clients transfer highly confidential information that must adhere to strict privacy standards.

What is HIPAA?

In the United States, the data privacy and security provisions for safeguarding personal health information are set out in HIPAA (Health Insurance Portability and Accountability Act), which was enacted in 1996. Certification for HIPAA compliance is done through private companies. When a company is HIPAA compliant, it means the company has put all the required physical, network, and process security measures in place to protect the personal health information of individuals.

What is PHIPA?

In Canada, we have the Personal Health Information Protection Act, also known as PHIPA, which was established in 2004 to govern personal health information. Specifically, PHIPA establishes the rules for the collection, use, and disclosure of personal health information about individuals.

Personal health information comes in oral and written forms and either identifies an individual or could be used together with other information to identify an individual. It covers matters such as the individual’s physical or mental health, the provision of health care to the individual, payments or eligibility for the individual’s health care, the donation of a body part or bodily substance by the individual, or even the individual’s health number. Reasonable steps must be taken to protect this information against theft, loss, unauthorized use and disclosure, and unauthorized copying, modification, or disposal.

PHIPA applies to “health information custodians,” which includes healthcare providers (e.g., doctors and nurses), hospitals, care homes, pharmacies, and so on. Health information custodians are responsible for collecting, using, and disclosing personal health information on behalf of clients. “Agents” are persons authorized by a health information custodian to collect, use, or disclose personal health information on their behalf.

Under PHIPA, an individual has the right to ask how their personal health information is collected, used, and disclosed, as well as the right to gain access to their personal health information and to correct any errors if needed.

Canadian Web Hosting is 100% PHIPA Compliant

Customers should understand that, under PHIPA, stored information and user consent are held by the healthcare provider that obtains and maintains the personal health information, not by the hosting provider. In accordance with the guidance of the Information and Privacy Commissioner of Ontario, all Canadian Web Hosting servers and infrastructure are located in Canada. Canadian Web Hosting ensures that a notification of any privacy breach is sent to the custodian immediately, that a plain language description of our services is provided, that an audit trail feature is available to track the use of our database, and that a written risk assessment of the system is prepared.

Canadian Web Hosting fulfills the requirements indicated by the Information and Privacy Commissioner of Ontario (www.ipc.on.ca).

See our compliance programs and certifications here.

6 Comments

  1. Sophia

    Thank you for this informative article.
    I had a few questions with regard to PHIPA compliance:
    – What does PHIPA compliance involve from the perspective of the agent? I.e., is it similar to HIPAA (US): the implementation of administrative and technical safeguards, privacy requirements, etc.?
    – Do other certifications or self-assessments such as ISO 27001 support PHIPA compliance?
    – What is the process for compliance with PHIPA and what is the approximate time frame for this? Is it a self-assessment? Does it involve independent 3rd party audits?

    • Hi Sophia, thanks for reading our blog!

      Yes, PHIPA is comparable with HIPAA but only applies in Ontario, where many of our public sector customers reside. As part of PHIPA compliance, information stored and user consent is given to the healthcare provider that obtains and maintains the data, not the hosting provider. Canadian Web Hosting is 100% Canadian owned and operated and all servers and infrastructure are located in Canada. As the IT service/hosting provider, Canadian Web Hosting fulfills the requirements indicated by the Information and Privacy Commissioner of Ontario (www.ipc.on.ca). We ensure the following:
      – Send a notification of any privacy breach to the custodian as soon as possible
      – Provide a plain language description of our services
      – Prepare an audit trail feature to track the use of our database
      – Have a written risk assessment of the system
      – Have our own written privacy policies

      For more information on the process of PHIPA, you can refer to their website here: https://www.ipc.on.ca/

      We are also PIPEDA compliant and AT 101 SOC 2 Type 2 certified (formerly SSAE 16 SOC 2 Type 2 and SAS 70 with CSAE 3416). Our company has also implemented ISO 27002 established guidelines and principles for security management in our organization, which is separate from PHIPA. For more details, please refer to our website: https://www.canadianwebhosting.com/company/sas70_certificates.

      Let us know if you have any further questions and how we can help you get started with choosing a hosting service!

      – Canadian Web Hosting

  2. Amber

    Hi,

    PHIPA only applies in Ontario. Other provinces have their own health privacy laws. There also are several other levels of federal privacy laws, such as PIPEDA and others that businesses and health practitioners have to comply with. Are you compliant with all of these?

    • Hi Amber, great question!

      Yes, PHIPA applies in Ontario, where many of our public sector customers reside. We are also PIPEDA compliant and AT 101 SOC 2 Type 2 certified (formerly SSAE 16 SOC 2 Type 2 and SAS 70 with CSAE 3416). Our company has also implemented ISO 27002 established guidelines and principles for security management in our organization. For more details, please refer to our website: https://www.canadianwebhosting.com/company/sas70_certificates.

      Let us know if you have any further questions and how we can help you get started with choosing a hosting service!

      – Canadian Web Hosting

  3. Vin

    Hi,
    We have two questions:

    1. In order to be PHIPA compliant in Ontario, you need to have servers physically located in Ontario. Are your servers located in Toronto?

    2. Our current solution is running in the AWS cloud. If we were to move it to your Cloud, how seamless would it be? Do your Cloud servers provide similar services to AWS?

    • Nayaz Gill

      Hi Vin,
      Yes, our servers are located in Vancouver and Toronto. For more information on our data centers, please visit https://www.canadianwebhosting.com/company/datacentres. Additionally, for more information about Canadian Web Hosting’s certifications and compliance, you can visit: https://www.canadianwebhosting.com/company/sas70_certificates

      To answer your second question, the actual migration should be quite seamless, as it is conducted offline. Following this, the name server update that has to be done from your side will cause a DNS propagation, but you can always choose to do this overnight or at a time that is otherwise outside of business hours to reduce impact.

      For any more questions and clarifications, feel free to contact us here or email sales@canadianwebhosting.ca
