Healthcare entities have an ethical responsibility to protect the personal health information (PHI) of their patients by upholding patient privacy and confidentiality. They also have a legal responsibility. In Canada, healthcare organizations must comply with the federal Personal Information Protection and Electronic Documents Act (PIPEDA), as well as any applicable provincial or local laws, such as Ontario's Personal Health Information Protection Act (PHIPA), which govern the collection, use, and disclosure of PHI.
PHI typically refers to any identifying information about a patient, in oral, written, or other recorded form, relating to:
- Physical or mental health
- Health history
- Healthcare services
- Healthcare plan
- Payments
- Eligibility for healthcare
As custodians of PHI, healthcare entities must adopt appropriate measures to maintain patient privacy and confidentiality whenever they collect, use, or disclose identifying information. This requires considering the full range of risks that exist in a healthcare environment and identifying opportunities to prevent, mitigate, or transfer them through a comprehensive risk management plan.
Actions may include strengthening internal control systems, as well as building awareness of PHI best practices through improved talent acquisition, training, and continuing education strategies. Undertaking these measures helps ensure compliance with laws and regulations and prevents unauthorized access to, use of, or disclosure of PHI.
The following guidance highlights key risk controls healthcare entities may implement to create a consistent standard for PHI privacy and security across their organization. It is not an exhaustive list and should be used in conjunction with internal policies and procedures, and in compliance with local laws and regulations.