PHIPA (the Personal Health Information Protection Act of 2004) is Canadian legislation that sets forth rules regarding health information security. In many ways, it corresponds with the U.S. Health Insurance Portability and Accountability Act of 1996 (HIPAA). Both improve healthcare standards and safeguard the use and disclosure of health information.
But they don’t do so in the same way, so companies that want to work across the border must demonstrate the necessary compliance. Paubox, Inc. is a software company that provides HIPAA compliant communication solutions and solid email security for healthcare organizations.
Today we are asking: Is Paubox PHIPA compliant or not?
What is PHIPA?
PHIPA establishes rules regarding healthcare privacy in Canada. It oversees regulations regarding the collection, use and disclosure of health information.
PHIPA is part of Canadian legislation PIPEDA, the Personal Information Protection and Electronic Documents Act. PIPEDA covers a wide range of industries throughout Canada, while PHIPA focuses on healthcare in Ontario. PHIPA legislation applies to:
- The collection of personal health information by a health information custodian (HIC)
- The use or disclosure of personal health information by an HIC or a person who receives information from an HIC
- The collection, use or disclosure of a health number by any individual
The legislation also provides individuals with the right to access their personal health information from HICs. Part II of PHIPA requires HICs to take reasonable steps to protect personal health information against:
- Theft and/or loss
- Unauthorized use and disclosure
- Unauthorized copying, modification or disposal
Once an HIC becomes aware of any of these circumstances, the custodian must provide proper notification as specified by PHIPA.
HICs and personal health information
An HIC operates an organization that provides healthcare and has custody or control of personal health information. There are several types of HICs:
- Healthcare practitioners
- The operator of a hospital
- Laboratories or specimen collection centers
- A person who operates a group practice
- A service provider under the Long-Term Care Act
- A community care access corporation
- Nursing homes
- Independent health facilities
- Pharmacies
- Ambulance services
- Centers, programs or services for community or mental health
- The Minister of Health and Long-Term Care
Personal health information includes any identifying information, whether oral or recorded, that:
- Relates to a physical or mental condition, including family medical history
- Relates to the provision of healthcare
- Is a plan of service for an individual
- Relates to payments or eligibility/coverage for healthcare
- Relates to the donation of any body part or the testing/examination of any such part
- Is the individual’s health number
- Identifies a healthcare provider or substitute decision-maker for the individual
A HIPAA refresher
The U.S. Department of Health and Human Services (HHS) created HIPAA to improve healthcare standards and combat protected health information (PHI) abuse. Just like the Canadian provinces, each state also has its own rules to follow regarding PHI protection. HIPAA consists of five sections (or titles), and the most referenced is Title II. This section sets the policies and procedures for safeguarding PHI, whether in paper or electronic (ePHI) form.
HIPAA refers to those who must comply as covered entities, which can be institutions, organizations or individuals. Covered entities fall under three general categories: health plans, healthcare clearinghouses and certain healthcare providers. Common examples of healthcare providers are doctors, clinics, psychologists, dentists, chiropractors, nursing homes and pharmacies.
When covered entities use or disclose PHI, they must make sure that they have patient consent.
Moreover, they must make sure that the PHI remains protected, no matter if in storage or transit. Healthcare organizations must always make a concerted effort to prevent data breaches.
PHIPA versus HIPAA
Both PHIPA and HIPAA intend to hold organizations accountable and establish rules for patient privacy and security, all while ensuring strong patient care. This means that organizations that work with health information must:
- Respect individual privacy
- Protect confidentiality
- Limit disclosure without consent
- Provide patients access to their records
- Ensure patients’ right to investigate privacy concerns
PHI and personal health information generally encompass the same type of data. And both PHIPA and HIPAA insist on strong cybersecurity measures to protect that data.
Those measures should be present when organizations collect, discuss/analyze, disseminate and store health information. And, of course, organizations that violate either PHIPA or HIPAA face similar fines depending on the offense.
Indeed, PHIPA and HIPAA are alike in many ways, but we’re here to examine the differences to answer the following question: is Paubox, as a provider of HIPAA compliant solutions, also PHIPA compliant? PHIPA has several requirements that HIPAA does not, and some of these variations impact organizations like Paubox.
Business associates and business associate agreements
Covered entities often use the services of other organizations (or people) called business associates, who must also demonstrate HIPAA compliance. As stated within the HIPAA Privacy Rule, these entities must sign a business associate agreement. The agreement ensures that the business associate understands and follows HIPAA rules when dealing with PHI.
PHIPA calls these entities agents. Agents are authorized by a custodian to perform services or activities that include personal health information. And in this case, the custodian remains accountable if there is a breach through the agent.
There is no business associate agreement equivalent in Ontario. HICs only sign an agreement with certain service providers, depending on their classification.
Managed service providers versus electronic service providers
Under HIPAA, managed service providers (MSPs) are entities that manage a company’s IT infrastructure. They can count as business associates but could also be subcontractors governed by HIPAA. MSPs are liable if any data they work with is PHI.
In Canada, these companies are called electronic service providers (ESPs). Just like MSPs, ESPs supply services for custodians and are therefore bound by health rules.
There is a special type of ESP called an HINP, or health information network provider. These organizations facilitate the exchange of personal health information between HICs. This classification of ESP must enter into a signed agreement with the custodians it works with.
Furthermore, PHIPA requires HINPs to make certain information publicly available. This includes information provided to the custodian, any directives, guidelines and policies of the provider that apply to its services and a general description of the safeguards that the ESP implements. HIPAA does not impose the same requirement.
Breach reporting requirements and HIPAA
According to the Breach Notification Rule, covered entities must report all breaches of unsecured PHI. "Unsecured" means that the data has not been rendered unusable or unreadable to unauthorized people. Breaches that affect 500 individuals or more must be reported to HHS, affected individuals and media outlets. HHS' Office for Civil Rights then adds them to its Breach Notification Portal, which includes all reported breaches from the last 24 months.
Healthcare organizations must report breaches affecting fewer than 500 people only to the HHS Secretary. This is done no later than 60 days after the end of the calendar year. Under PHIPA, breach reporting requirements are more stringent.
If an agent suffers a breach, it must notify the HIC at the first reasonable opportunity. The HIC is then responsible for notifying affected individuals. The Information and Privacy Commissioner must be notified if the HIC has reasonable grounds to believe health information:
- Was used or disclosed without authority
- Was further used or disclosed without authority after initial loss
- Was part of a pattern of similar breaches
The HIC may also need to give notice to a regulated health professional's governing body or college, where applicable.
Is Paubox PHIPA compliant?
Canadian healthcare organizations doing business in America must be HIPAA compliant, and vice versa. The health industry is vast, and it is important to provide strong patient care while remaining compliant with the applicable health laws. So is Paubox, with its HIPAA compliant email solution, PHIPA compliant?
Given the stringent control of data that Paubox utilizes, the PHIPA rules are no problem. However, Paubox does not have data storage facilities in Canada, which is a requirement for PHIPA compliance.
In the U.S., we provide a safe space for organizations to trust patient communication and deliver effective patient care. We only use strong cybersecurity controls and sign an agreement to demonstrate our measures even when not required.
Because PHIPA has data sovereignty requirements, and Paubox focuses solely on U.S. healthcare and does not retain any data storage in Canada, Paubox is not PHIPA compliant.
Conclusion: Paubox is not PHIPA compliant.