In Ontario, the Personal Health Information Protection Act (PHIPA) governs the handling of personal health information (PHI) by health care providers and other organizations involved in the delivery of health care services.
PHIPA does not explicitly prohibit the storage of personal health information outside of Canada, including in the United States, but it does impose strict conditions and requirements on how such data can be handled.
Accountability and Compliance:
Custodians of PHI: Under PHIPA, health information custodians (HICs), such as doctors, hospitals, and clinics, are responsible for the personal health information they collect, use, and disclose, even if it is stored or processed by a third party outside of Canada.
Third-Party Agreements: If a health information custodian uses a third-party service provider (e.g., a cloud service like HighLevel) that stores data in the U.S., the custodian must ensure that the service provider complies with PHIPA. This usually involves a contractual agreement requiring the service provider to protect the data in accordance with PHIPA’s standards.
Security and Safeguards:
Adequate Security Measures: PHIPA requires that personal health information be protected with appropriate physical, administrative, and technical safeguards, regardless of where the data is stored. When storing data in the U.S., the health information custodian must ensure that the service provider employs equivalent or better security measures to protect the information.
Encryption and Access Controls: Data stored in the U.S. should be encrypted both at rest and in transit, and access controls should be in place to ensure that only authorized personnel can access the information.
Transparency and Patient Notification:
Informing Patients: Patients should be informed if their health information is being stored in the U.S., and they should be made aware of any potential implications, such as the possibility of access by U.S. authorities under U.S. law.
Cross-Border Transfers:
Assessment of Risks: While storing data in the U.S. is not prohibited, health information custodians must assess the risks associated with cross-border data transfers, particularly considering that U.S. data may be subject to access under U.S. law (e.g., the USA PATRIOT Act).
Patient Rights and Access:
Maintaining Patient Rights: Patients retain their rights under PHIPA, including the right to access their personal health information and request corrections, even if the data is stored in the U.S. Health information custodians must ensure that these rights can be upheld, regardless of the data’s storage location.
Breach Notification:
Obligations in Case of Breach: If a data breach occurs involving personal health information stored in the U.S., the health information custodian is required to notify the affected individuals and potentially the Information and Privacy Commissioner of Ontario (IPC) if the breach poses a risk of significant harm.