Ontario privacy commissioner publishes privacy handbook for small health care organizations

By Jaime Cardy
May 23, 2025
  • Health privacy
  • Ontario PHIPA

Ontario’s Personal Health Information Protection Act (PHIPA) is widely recognized as a complex statute. With lengthy definitions and numerous, layered obligations, it can be particularly difficult for solo practitioners and small health care organizations to understand and fulfill their privacy compliance obligations.

Recognizing these challenges, the Office of the Information and Privacy Commissioner of Ontario (IPC) recently released the Privacy Management Handbook for Small Health Care Organizations (the “Handbook”). This resource is specifically designed to help health information custodians with limited privacy infrastructure build tailored privacy management programs that suit the size and nature of their operations.

Who Is the Handbook For?

The Handbook is aimed at solo practitioners – such as physicians, nurses, massage therapists, dentists, pharmacists, opticians, psychologists, and other regulated health professionals – as well as small health care providers like walk-in clinics, specialist practices, family health teams, and community health centres (collectively referred to as “small health information custodians”).

What Does the Handbook Cover?

The Handbook begins by clarifying key PHIPA terms, including “health information custodian,” “agent,” and “personal health information.” It explains the rights of patients and the corresponding obligations of custodians regarding the collection, use, and disclosure of personal health information. It also emphasizes the need for a “right-sized” privacy management program – one that is proportionate to the organization’s scale and operations.

Building a Privacy Management Program: Key Elements

The Handbook outlines the following core components of an effective privacy management program:

1. Establishing Governance and Accountability

This foundational step includes:

  • Embedding privacy into the organization’s culture through employee training and confidentiality agreements;
  • Clearly assigning privacy roles and responsibilities;
  • Conducting data inventories and privacy impact assessments to understand data holdings, data flows, and potential vulnerabilities;
  • Evaluating third-party vendors and ensuring privacy-protective contractual terms are in place; and
  • Planning for contingencies, including disaster recovery and privacy breaches.

2. Creating and Documenting Privacy Policies

Organizations are required to:

  • Develop written policies outlining rules for the collection, use, disclosure, and protection of personal health information, among other things; and
  • Prepare a public-facing privacy statement that describes information-handling practices, identifies a designated contact person, and explains how individuals can access or correct their information or submit complaints under PHIPA.

3. Implementing Privacy Safeguards

Organizations must implement appropriate administrative, technical, and physical safeguards to protect personal health information. The IPC advises particular caution when:

  • Transmitting health information via email;
  • Using artificial intelligence in the delivery of health services; and
  • Continuing to use outdated technologies like fax machines (practice tip: avoid faxes!).

4. Operationalizing Privacy Policies

This involves putting privacy rules into day-to-day practice by:

  • Developing staff training programs, record retention and secure destruction plans, breach response protocols, and procedures for responding to patient questions or concerns;
  • Regularly reviewing access controls; and
  • Establishing business continuity and succession plans.

5. Ongoing Monitoring and Review

Organizations should regularly assess the effectiveness of their privacy management programs to ensure ongoing compliance with PHIPA and to identify areas for improvement.

Additional Tools and Resources

The Handbook includes several helpful appendices, such as:

  • A sample job description for a privacy officer;
  • A sample privacy policy;
  • Guidelines for drafting breach notification communications; and
  • A curated list of related IPC resources.

Final Notes

The Handbook is a practical tool intended to guide small health information custodians in developing or improving their privacy management programs. However, it does not constitute legal advice and is not binding on the IPC’s tribunal. Health information custodians of all sizes should seek legal advice specific to their circumstances when building out their privacy management programs.

For more information on this topic, please contact Jaime Cardy or other members of the Dentons Privacy and Cybersecurity group.


About Jaime Cardy

Jaime Cardy is a senior associate in the Privacy and Cybersecurity group in Dentons’ Toronto office. She has particular expertise in providing risk management and compliance advice under various legislative privacy regimes, including in both the public and healthcare sectors.
