In 2004, Ontario passed legislation establishing the Personal Health Information Protection Act, or PHIPA, as a part of the Health Insurance Protection Act; the Act was most recently amended in November 2018. While this act was meant to ensure that patient data is protected while in the care of Health Information Custodians (or HICs), there are some best practices that ALL businesses can – and should – take from its implementation.
What PHIPA Says
The act is divided into seven sections, as follows:
- Interpretation and Application, which establishes the purpose of the Act and provides key definitions for terms used throughout.
- Practices to Protect Information, which defines how personal health information and records are to be handled and accountability standards.
- Consent Concerning Personal Health Information, which outlines the guidelines for permission to use, share, or disclose personal health information.
- Collection, Use, and Disclosure of Personal Health Information, which establishes the reasons that personal health information can be used, retained, and shared.
- Access to Records of Personal Health Information and Correction, which spells out an individual’s right to access their information and the process to correct any information as necessary.
- Administration and Enforcement, which defines the Commissioner’s role in enforcing the regulations the Act contains.
- General, which contains details on how the act is to be applied and other assorted considerations.
Implementing these rules and practices enables any business to better protect the personal data it holds. We propose that any business in Canada should adopt some of these rules for the benefit of its data security. Here, we’ll explore a few examples.
For our purposes, we will focus specifically on part two, which discusses the security measures that healthcare organizations must take to be compliant with the Act – and how your business can also benefit from them.
Practices to Protect Personal Information (and Not Just for Healthcare)
Security Considerations
The law states that, “A health information custodian shall take steps that are reasonable in the circumstances to ensure that personal health information in the custodian’s custody or control is protected against theft, loss and unauthorized use or disclosure and to ensure that the records containing the information are protected against unauthorized copying, modification or disposal.”
Let’s take a moment to consider this sentence and how it relates to your current security practices. These records are supposed to be “…retained, transferred and disposed of in a secure manner and in accordance with the prescribed requirements, if any.”
Do you, like many businesses, keep essential documents on unsecured devices such as removable media (USB drives, tape drives) or the ‘C’ drive of each workstation? Do you have robust security measures in place to protect your data, such as password management, content filtering, and anti-spam protection? Do you train your staff on security best practices?
What’s excellent about PHIPA’s requirements is that they effectively spell out the best practices designed not only for medical providers but for all types of businesses to protect their data. However, as is often the case, the actual stumbling block is implementation.
This, of course, is sound advice for any organization to take. Enacting it can also be relatively simple once the right solutions are implemented in an IT infrastructure. If we consider that PHIPA requires a HIC to take reasonable steps to protect data against theft, loss, and unauthorized use or disclosure, as well as against unauthorized duplication, alteration, or deletion, it becomes clear that the same guidelines should be kept in mind when adopting IT solutions in any business.
Making Your Business Processes Compliant
Compudata doesn’t just take care of your IT… we strive to get ALL of our clients PHIPA compliant. We feel that no matter what industry you are in, if you are dealing with personally identifiable information, you owe it to your customers and clients to meet or exceed these compliance standards.
By taking a page from the PHIPA playbook, Compudata can improve your security, allowing you to confidently turn your attention to your business processes, even if you’re not a medical practice. A couple of security solutions that would prove useful to implement are as follows:
- Hardware and Software solutions. While we all need the internet to communicate, it can also be one of the most significant vulnerabilities your business can face. We shore up this risk by enacting security solutions, such as next-generation hardware and software security solutions.
- Training and Policies. The most significant risk to your data comes from your staff and human error. We will assist you in introducing IT security best practices to your team so that your data security solutions and software are more effective.
From protecting your communications through email encryption to keeping data threats at bay with unified threat management solutions, we have the answer to your security concerns. Of course, if you’re a medical practice in need of PHIPA and PIPEDA compliance, we’ll ensure that your network is ready to keep your business and its data protected.
Not protecting your client data and suffering a security breach could have dire effects on your business. Downtime from crypto viruses can last 1-10 business days, bringing loss of business due to delays and a severe degradation of client trust if a breach occurs.
To learn more about our solutions, reach out to us at 1-855-405-8889.