Confidentiality and Privacy—Personal Health Information (PHIPA)

Vocabulary flashcards covering key terms and concepts from the Confidentiality and Privacy—Personal Health Information practice standards (PHIPA, PHI, and related governance in Ontario).

Personal health information (PHI)

Identifying information about clients in verbal, written, or electronic form collected during care; includes physical/mental health, care provided, plan of service, payments/eligibility, donations, health number, and substitute decision-maker; may appear in mixed records.

Personal Health Information Protection Act (PHIPA)

Ontario legislation governing health information privacy; sets rules for collection, use, and disclosure; balances privacy with access for care; permits sharing among the health care team and requires confidentiality and security.

Custodian

An organization that provides care or holds personal health information; responsible for information practices, policies, and ensuring agents comply with PHIPA.

Agent

A person authorized to act for or on behalf of a custodian (e.g., health care staff); cannot act independently with PHI; acts under the custodian’s authority.

Use of PHI

Sharing within the health care team to provide care is considered a use; consent for use is generally implied within the team.

Collection (PHIPA)

Gaining PHI; may collect only as much information as needed; can collect indirectly without consent (e.g., from a relative) when the client cannot provide it or to ensure timely care.

Disclosure (PHIPA)

Making PHI available or releasing it to another custodian or person; express consent is needed for disclosures outside the health care team or for uses not related to providing care.

Implied consent

Assuming consent when conditions are met, often satisfied by posting a notice describing purposes of collection, use, and disclosure; used to facilitate routine care within the team.

Express consent

Consent given verbally or in writing; required for disclosures outside the health care team or for uses beyond providing care (e.g., fundraising, marketing); form content need not be elaborate.

Substitute decision-maker

Person authorized to make decisions and provide information when the client cannot; rules similar to Ontario health care consent law; may be a spouse or parent of a dependent child.

Lockbox provision

Client right to instruct that part of PHI not be shared with other providers; if exercised, nurse must inform the receiving practitioner that some information has been withheld.

Right to access

Client’s right to obtain a copy of their PHI; client bears the burden to show the record is incomplete or inaccurate; access may be refused in certain circumstances (e.g., QA materials, raw test data, risk of harm, confidential sources).

Right to amend (corrections)

Clients may request changes to PHI they believe is inaccurate or incomplete; corrections can be added or changed; written requests trigger formal procedures; cannot override required reporting or professional opinions.

Grounds for refusing access

Access may be refused for quality assurance information, raw psychological test data, risk of serious harm to treatment or others, or disclosure of confidential sources.

Professional misconduct (Nursing Act)

Giving information about a client to a person other than the client or authorized representative without consent or as required by law.

Knowledgeable consent

Ensuring clients understand their rights regarding collection, use, and disclosure; obtain express consent for disclosures outside the health care team; involve substitute decision-makers when the client is incapable; allow withholding/withdrawal of consent.

Disclosure without consent

PHIPA permits certain disclosures without client consent, such as to provide health care when timely consent isn’t possible, to obtain consent from a relative, to confirm residence or general health status, or to prevent significant harm; check limits on disclosure with the appropriate authority.

Quality of Care Information Protection Act (QOCIPA)

2016 act protecting quality of care information produced by facilities or entities; promotes open discussion of adverse events and peer review, while protecting this information from use in litigation or by clients.

Maintaining a Quality Practice Setting

CNO guidance for organizations and nurses to support confidentiality: care delivery processes, policies, communication systems, leadership, and professional development to ensure PHI privacy and security.

Public notice of information practices

Nurse must provide a written public statement describing information practices, contact person, how to access/correct records, and the complaint process.

Breach notification

If a confidentiality breach occurs, notify the designated contact person in the practice setting and take appropriate corrective action.