How do you know your personal health information is safe?
When sensitive personal data falls into the wrong hands, a lot can go wrong. Imagine a hacker or unauthorized party having access to your full name, address, phone number, health insurance details, and financial information. As more private information is transferred online (for example, through electronic health record technology), security and privacy matter more now than ever before. Many of our clients transfer highly confidential information that must adhere to strict privacy standards.
What is HIPAA?
In the United States, personal health information is safeguarded by the data privacy and security provisions of HIPAA (the Health Insurance Portability and Accountability Act), which was established in 1996. Certification for HIPAA compliance is provided by private companies. When a company is HIPAA compliant, it means that the company has put in place all the required physical, network, and process security measures to protect the personal health information of individuals.
What is PHIPA?
In Ontario, Canada, we have the Personal Health Information Protection Act, also known as PHIPA, which was established in 2004 to govern personal health information. Specifically, PHIPA establishes the rules for the collection, use, and disclosure of personal health information of individuals.
Personal health information comes in oral and written forms; it identifies an individual, or could be combined with other information to identify an individual. It pertains to matters such as the individual’s physical or mental health, the provision of health care to the individual, payments or eligibility for the individual’s health care, the donation of a body part or bodily substance by the individual, or even the individual’s health number. Reasonable steps must be taken to ensure the information is protected against theft, loss, unauthorized use and disclosure, and unauthorized copying, modification, or disposal.
PHIPA applies to “health information custodians,” which include healthcare providers (for example, doctors and nurses), hospitals, care homes, pharmacies, and so on. Health information custodians are responsible for collecting, using, and disclosing personal health information on behalf of clients. “Agents” are persons authorized by a health information custodian to collect, use, or disclose personal health information on the custodian’s behalf.
Under PHIPA, an individual has the right to ask how their personal health information is collected, used, and disclosed, as well as the right to gain access to their personal health information and to correct any errors if needed.
Canadian Web Hosting is 100% PHIPA Compliant.
Customers should understand that, under PHIPA, the stored information and the user’s consent are given not to the hosting provider but to the healthcare provider that obtains and maintains the personal health information. In accordance with the requirements of the Information and Privacy Commissioner of Ontario, all Canadian Web Hosting servers and infrastructure are located in Canada. Canadian Web Hosting guarantees the following:
- A notification of any privacy breach will be sent to the custodian immediately
- A plain language description of our services is provided
- An audit trail feature to track the use of our database is provided
- A written risk assessment of our system is provided
Canadian Web Hosting fulfills the requirements indicated by the Information and Privacy Commissioner of Ontario (www.ipc.on.ca).
Find out more about our compliance programs and certifications here and contact us if you have any questions.
Thank you for this informative article.
I had a few questions with regard to PHIPA compliance:
– What does PHIPA compliance involve from the perspective of the agent? I.e., is it similar to HIPAA (US): the implementation of administrative and technical safeguards, privacy requirements, etc.?
– Do other certifications or self-assessments such as ISO 27001 support PHIPA compliance?
– What is the process for compliance with PHIPA, and what is the approximate time frame for this? Is it a self-assessment? Does it involve independent third-party audits?
Hi Sophia, thanks for reading our blog!
Yes, PHIPA is comparable with HIPAA but only applies in Ontario, where many of our public sector customers reside. As part of PHIPA compliance, information stored and user consent are given to the healthcare provider that obtains and maintains the data, not the hosting provider. Canadian Web Hosting is 100% Canadian owned and operated, and all servers and infrastructure are located in Canada. As the IT service/hosting provider, Canadian Web Hosting fulfills the requirements indicated by the Information and Privacy Commissioner of Ontario (www.ipc.on.ca). We ensure the following:
– Send a notification of any privacy breach to the custodian as soon as possible
– Provide a plain language description of our services
– Prepare an audit trail feature to track the use of our database
– Have a written risk assessment of the system
– Have our own written privacy policies
For more information on the process of PHIPA, you can refer to their website here: https://www.ipc.on.ca/
We are also PIPEDA compliant and AT 101 SOC 2 Type 2 certified (formerly SSAE 16 SOC 2 Type 2 and SAS 70 with CSAE 3416). Our company has also implemented ISO 27002 established guidelines and principles for security management in our organization, which is separate from PHIPA. For more details, please refer to our website: https://www.canadianwebhosting.com/company/sas70_certificates.
Let us know if you have any further questions and how we can help you get started with choosing a hosting service!
– Canadian Web Hosting
Hi,
PHIPA only applies in Ontario. Other provinces have their own health privacy laws. There are also several other levels of federal privacy laws, such as PIPEDA and others, that businesses and health practitioners have to comply with. Are you compliant with all of these?
Hi Amber, great question!
Yes, PHIPA applies in Ontario, where many of our public sector customers reside. We are also PIPEDA compliant and AT 101 SOC 2 Type 2 certified (formerly SSAE 16 SOC 2 Type 2 and SAS 70 with CSAE 3416). Our company has also implemented ISO 27002 established guidelines and principles for security management in our organization. For more details, please refer to our website: https://www.canadianwebhosting.com/company/sas70_certificates.
Let us know if you have any further questions and how we can help you get started with choosing a hosting service!
– Canadian Web Hosting
Hi,
We have two questions:
1. In order to be PHIPA compliant in Ontario, you need to have servers physically located in Ontario. Are your servers located in Toronto?
2. Our current solution is running in the AWS cloud. If we were to move it to your Cloud, how seamless would it be? Do your Cloud servers provide similar services to AWS?
Hi Vin,
Yes, our servers are located in Vancouver and Toronto. For more information on our data centers, please visit https://www.canadianwebhosting.com/company/datacentres. Additionally, for more information about Canadian Web Hosting’s certifications and compliance, you can visit: https://www.canadianwebhosting.com/company/sas70_certificates
To answer your second question, the actual migration should be quite seamless, as it is conducted offline. Following this, the name server update that has to be done from your side will cause a DNS propagation, but you can always choose to do this overnight or at a time that is otherwise outside of business hours to reduce impact.
For any more questions and clarifications, feel free to contact us here or email sales@canadianwebhosting.ca
If a data center colocation is SOC 2 Type 2 certified (formerly SSAE 16 SOC 2 Type 2 and SAS 70 with CSAE 3416), does this mean they operate in adherence to PIPEDA and PHIPA laws within Ontario, Canada?
Hi Scott – Great question. Being SOC 2 Type 2 certified and following PIPEDA and PHIPA are independent of each other. The SOC 2 Type 2 certification is provided by the Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA), whereas PIPEDA and PHIPA are governed by the government. If data is being hosted in Canada, it is subject to PIPEDA and its provisions by law. While there may be some overlap between the two, they’re independent entities. If you want to learn more about the different certifications we have at Canadian Web Hosting, you can see them here: https://www.canadianwebhosting.com/company/sas70_certificates
Does Sask. have the same laws?
PHIPA is Ontario’s provincial healthcare rules and regulations for privacy. Saskatchewan will likely have something similar.