November 1st - 10th Anniversary of PHIPA

Of all the information that is collected about us in our increasingly data-driven lives, our health information is perhaps the most intimate and sensitive. While our financial information may say something about our tastes or socioeconomic status, our health information is exceptional because it is distinctly unique to each of us as individuals. While this information is needed by health care professionals to provide us with proper care and treatment, its unauthorized use and disclosure can have devastating consequences. For example, it can be used to discriminate based on an individual’s mental or emotional state, physical disabilities, lifestyle habits, medication, and genetic information, to name but a few. This is why protecting this information is so important.

The Personal Health Information Protection Act (PHIPA) was enacted ten years ago, on November 1, 2004, to establish rules governing the collection, use and disclosure of health information within the health sector. In order to keep this information confidential and secure, while not compromising the effective and efficient delivery of health care. PHIPA is Canada’s first consent-based health statute. It generally requires consent of individuals to be obtained before their health information can be collected, used or disclosed and provides individuals the right to prevent their information from being collected, used or disclosed for health care purposes. Further, PHIPA also provides individuals the right to access their records and to require their correction when they are inaccurate or complete in order to enable individuals to become partners in their health care.

The long road to enacting health privacy legislation in Ontario began in 1980, with the Royal Commission of Inquiry into the Confidentiality of Health Records in Ontario led by Justice Horace Krever. The result was a three-volume report containing 170 recommendations which would serve as the impetus for the enactment of PHIPA. Three decades have passed since the Krever Commission and PHIPA is now recognized as a gold standard for protecting privacy while enabling the effective provision of health care.

In fact, PHIPA has been viewed as such a success that it has served as a model both here in Canada, and in the United States. In 2007, the New Brunswick Task Force on Personal Health Information cited PHIPA “… as the gold standard among personal health information statutes …” The U.S. Institute of Medicine also recommended that PHIPA be used as a model for amending the U.S. Health Insurance Portability and Accountability Act. Having surveyed health privacy legislation around the world, PHIPA was highlighted as a potential model.

So, what does the next ten years hold for PHIPA? I think the obvious answer is that it will have to adapt to the increasingly rapid changes in information and communications technology, most notably the development of electronic health records and other shared health record systems. There is a growing need for a legislative framework to address health information in an increasingly digital and interconnected world. While PHIPA has served Ontario admirably over the last decade, it must be amended to clarify the rights individuals and the duties and obligations of health care providers in a shared electronic environment.

Modernizing PHIPA will help to facilitate the introduction of electronic health records and pave the way for a smooth and seamless transition toward 21st century health care while protecting our privacy and the confidentiality of our health information – we deserve no less.