
How PHIPA Applies to Healthcare Providers and Payment Vendors

All Health Service Providers in Ontario, whether you operate a hospital, a dental practice, or another health service, fall under the rules and regulations set forth in PHIPA for the protection of patient information. When exploring opportunities to work with a payment processing vendor, there are many factors to consider. One key factor that is seldom discussed, PHIPA, is unique to the healthcare industry, so we felt that a discussion focused on this aspect could be helpful for many.

Disclaimer: This interpretation of the legislation should not be relied upon as a substitute for reading the legislation or seeking independent legal advice.

What Is PHIPA and Does It Apply to Payment Processing Vendors?

The Personal Health Information Protection Act (PHIPA) is Ontario’s health-information privacy legislation which came into force on November 1, 2004. The following discussion helps to interpret the legislation specifically as it applies to all third-party payment processing services being provided to Health Information Custodians.

Who Does PHIPA Cover?

The act applies to all Health Information Custodians operating within the province of Ontario and to individuals or organizations that receive Personal Health Information from Health Information Custodians.

Health Information Custodians are defined by the act as Hospitals, Pharmacies, Medical Labs, Long-Term Care providers, Medical Officers or Boards of Health, Community Care corporations, and all healthcare practitioners.

  • With limited exceptions, Health Information Custodians should only collect, use or disclose Personal Health Information with the consent of the individual, except where the Act expressly allows use without consent.
  • The Act allows custodians to use Personal Health Information without the consent of individuals for the purpose of obtaining payment for health care goods and services.

The Act also applies to the use and disclosure of Personal Health Information by Agents who receive personal health information from Health Information Custodians.

Agents are defined by the act as including insurance companies, employers, researchers, information technology service providers, or any others who perform services (including payment processing and gateway services) on behalf of a Health Information Custodian.

  • Agents who receive PHI from Health Information Custodians are also required to follow the rules set out in the Act.

Individuals also have the right to access and request the correction of their own personal health information.

Interpretation: a payment service provider that provides services to a HIC is considered an Agent under PHIPA and any PHI disclosed to them by a HIC is regulated by the act.

What Information Does PHIPA Cover?

The act does not apply to all Personal Health Information (PHI).

  • The act only applies to information that is collected, used and disclosed by Health Information Custodians (HIC).
  • The Act does not apply to information about an individual if this information could not reasonably be used to identify the individual.

The Act's definition of Personal Health Information includes all information that relates to the provision of health care services to individuals.

Personal Health Information includes both oral and written information about the individual, if this information meets any of the following conditions:

  • It relates to an individual’s physical or mental health, including family health history;
  • It relates to the provision of health care, including the identification of persons providing care;
  • It relates to any long-term care service plans for individuals;
  • It relates to payment or eligibility for health care;
  • It relates to the donation of body parts or substances or is derived from the testing or examination of such body parts or substances;
  • It is the individual’s provincial health number;
  • It identifies an individual’s substitute decision-maker;
  • It relates to any other information about an individual that is included in a record containing personal health information.

Interpretation

Out of an abundance of caution, we will interpret all information that relates to the provision of health care services to individuals and that is provided by any Health Information Custodian to an Agent as PHI that is regulated by the Act.

Under this broad interpretation, PHI would include any administrative information required for the purposes of obtaining payment for health care goods and services.

This administrative information could potentially include the payment amount to be collected, the individual’s name and phone number, and other transaction data used to facilitate the payment collection process, such as a customer number used for billing purposes.

The KEY Qualifier

The key qualifier is that this information must have been disclosed to the Agent by the Health Information Custodian in order for it to be considered PHI under the Act. Information obtained by the Agent directly from the individual would explicitly not be considered PHI.

Applying The Rules

Let’s apply these rules now to two different use cases for payment processing services typically provided by an Agent. These could apply to any self-serve automated solution such as hosted online payments, hosted IVR payments and credit/debit card terminals.

Example 1: Self Service Payments, No Patient Data is provided by HIC

A payment processing company accepts payments made by individuals who received health care services. Individuals submit all information being used in this payment processing directly to the payment processing company’s technology. No information about the individual is provided for this process to the payment processing company by the Health Information Custodian. The payment processing company maintains records of the payments and certain administrative information that they collect during the processing.

Is the payment processing company a Health Information Custodian?

No. Payment processing companies are not included in the definition of a custodian. Under the act, the payment processing company would be considered an Agent.

Is the payment processing company a recipient of PHI from a HIC?

No. All information in this process is obtained directly from the individual.

Is the information used by the Agent considered Personal Health Information?

No. The information in question is identifying information that relates to the provision of health care to the individual, and so falls within the types of information included in the definition of personal health information; however, the Act only applies to this information if it is in the custody or control of a custodian, or in the custody or control of an individual or organization that received it from a custodian.

Is the use and disclosure of this information subject to PHIPA rules?

No. The payment processing company and the information it collects or uses in this process are not subject to the PHIPA rules, since the information was not received from a custodian.

Example 2: Self Service Payments, Customer Data is provided by HIC

A payment processing company accepts payments made by individuals who received health care services. Individuals submit some information being used in this payment processing directly to the payment processing company’s technology. Information about the individual’s account balance payable is provided for this process to the payment processing company by the Health Information Custodian. The payment processing company maintains records of the payments and certain administrative information that they collect during the processing.

Is the payment processing company a Health Information Custodian?

No. Payment processing companies are not included in the definition of a custodian. Under the act, the payment processing company would be considered an Agent.

Is the payment processing company a recipient of PHI from a HIC?

Yes. Some information used in this process is obtained from the HIC.

Is the information used by the Agent considered Personal Health Information?

Yes. The information in question is identifying information that relates to the provision of health care to the individual, and so falls within the types of information included in the definition of personal health information; in addition, this information is in the custody or control of an individual or organization that received it from a custodian.

Is the use and disclosure of this information subject to PHIPA rules?

Yes. The payment processing company and the information it received from a custodian in this process are subject to the PHIPA rules.

PHIPA applies to businesses located in Ontario that handle PHI client information, and it specifies the geographical boundaries for the information it covers. This would indicate that any business currently sending PHI client information across the Canadian border to third-party vendors of any kind is in breach of the rules and regulations set forth in PHIPA. The consequences of breaching PHIPA vary and can become costly.

In the end, Healthcare and Payment Processing organizations alike are held accountable for how they use PHI-specific client information.
