The Personal Health Information Protection Act, 2004 (“PHIPA”) imposes obligations on dentists with respect to collecting, using and disclosing “personal health information”. By way of background, “personal health information” is defined in section 4 of PHIPA and includes oral or written information that:
- relates to the physical health of a patient;
- relates to the provision of health care to a patient;
- relates to payments or eligibility for health care or coverage for a patient; or
- identifies the patient’s health number.
Under PHIPA, dentists are considered to be “Health Information Custodians” (which we will refer to as “Custodians”). As such, dentists (and their agents – i.e. staff and associates) must abide by the laws concerning the collection, use, and disclosure of personal health information under PHIPA. It is essential for dentists to be aware of their obligations and make their agents aware.
Custodians must name a contact person to help them respond to inquiries about the Custodian’s information practices, respond to requests for access to or correction of a record of personal health information, and receive complaints about alleged PHIPA violations. It is generally recommended that the Custodian act as the contact person themselves to ensure all of these legal obligations are fulfilled.
Use of Personal Health Information
Dentists may use personal health information WITHOUT obtaining consent for several purposes, such as planning or delivering services, improving the quality of care, educating agents, research, and obtaining payment for health care or related goods and services.
Disclosing Personal Health Information
Dentists may disclose personal health information without consent in order to provide health care, monitor health payments, eliminate or reduce a significant risk of bodily harm, or for the purposes of a legal proceeding (among other things).
Dentists have an obligation to take “reasonable steps” to ensure that personal health information:
- is accurate, complete and up-to-date;
- is protected from theft, loss and unauthorized use or disclosure; and
- is kept in records that are protected against unauthorized copying, modification or disposal.
What if a Patient Wants to Access their Personal Health Information?
PHIPA also provides patients with a right of access to their personal health information records and outlines the conditions under which access may be denied. Those records include digital records, dental radiographs, impressions, etc. Patients can generally access records of their own personal health information (and not someone else’s). Before a dentist provides access, they must take reasonable steps to verify the patient’s identity. A written request is necessary to invoke a patient’s access rights under PHIPA. A Custodian must respond within 30 days, but may extend this by a further 30 days if it is not reasonably practical to reply within the initial period, provided the Custodian notifies the patient of the extension and the reasons for it within that initial 30-day period. A Custodian must make the record available by providing a copy and, if reasonably practical, explain any term, code or abbreviation used in the record.
Breaches and Notifications
Dentists MUST notify a patient if their personal health information has been stolen, lost or accessed by unauthorized persons. Dentists MAY also voluntarily report privacy breaches to Ontario’s Information and Privacy Commissioner.
What are the Consequences of Failing to Comply with PHIPA?
Here’s where things get scary for dentists. First, a patient who believes PHIPA has been violated may file a complaint with Ontario’s Information and Privacy Commissioner. The dentist may be liable or found guilty if they did not act in good faith, acted unreasonably, or did not comply with PHIPA. Examples of what could constitute a breach include a dental practice handing out patient contact information to private marketing companies or inappropriately providing patient information to financial services companies. If a civil action is commenced, damages are available only for actual harm. Statutory penalties under PHIPA include fines of up to $50,000 for individuals and up to $250,000 for organizations!