How to make sure your organization is PHIPA compliant

How to make sure your healthcare organization is PHIPA compliant

Virtual care has seen a complete transformation as a result of the pandemic and now more than ever, patients and providers are turning to telemedicine to connect remotely and seamlessly using technology. But one of the more important components surrounding virtual care is PHIPA compliance – a must for Ontario healthcare organizations and a sure-fire way for your company to reach a broader customer base. The Personal Health Information Protection Act (PHIPA) is a set of rules for the collection, use, and disclosure of personal health information in Ontario. 

As someone involved in the delivery of healthcare services in Ontario, it is a direct responsibility of the healthcare organization to ensure that appropriate digital and physical security measures are adopted within your telehealth organization.

  • Consent is required for the collection, use and disclosure of personal data.
  • Health information custodians need to treat all personal data as confidential and maintain its security.
  • Individuals have a right to access, correct, and ask not to share their personal data.
  • Guidelines are set for the use and disclosure of personal health information for research purposes.
  • An individual has the right to complain if they find error in their personal health information.
  • Remedies are established for breaches of the legislation.
How can I ensure my organization is PHIPA compliant?

Your telehealth organization, startup or clinic are considered to be health information custodians by having custody or control of personal health information. To ensure PHIPA compliance, here are the action items your organization needs to enforce:

  • Keep up-to-date health records: Telehealth organizations are required to correct any inaccurate or incomplete record and respond to an individual’s request for correction within 30 days. This also means ensuring that all applications and systems used within your organization are up to date. OnCall’s OTN verification ensures that our telehealth software is constantly updating and secure.
  • Keep records secure: Protect information from theft, loss, and unauthorized use and make sure records are retained, transferred, and disposed of in a secure manner. This includes correctly configured firewalls and installing security software that fits your company’s size and needs. OnCall’s software is PHIPA compliant, with security features such as  end-to-end 256-bit encryption using native apps with regular audits by a third party to ensure OnCall’s privacy obligations are always met.
  • Consider the optimal security software for your organization: Implementing a new security system means working with a vendor to select the right product for your needs.
  • Backup your data: Make sure that the backup of your records is stored off-site, guaranteeing security in case of a ransomware attack
  • Appoint a privacy contact person: Designate a contact person who is responsible for compliance, training, responding to inquiries and access to records, receiving complaints about contraventions of PHIPA
  • Publish privacy practices: Create and publish a statement of your company’s personal health information practices, contact information for your records contact person, process for obtaining access to records or correcting a record, and how to make a complaint to your organization
  • Always obtain consent: Obtain express or implied consent, where appropriate, for the collection, use and disclosure of personal data. With OnCall’s digital intake and informed consent feature, providers ensure they receive informed consent prior to any appointment with a patient. 

Here are a few questions to consider asking your telemedicine vendor:

  • How and where is information stored, encrypted and protected
  • How does the vendor manage remote access to information?
  • How are authorized users and confidential information managed?

Learn more about OnCall’s privacy and security policies here.