
PHIPA Requirements

Personal Health Information Protection Act (Ontario)


Overview

PHIPA governs the collection, use, and disclosure of personal health information (PHI) by health information custodians (HICs) in Ontario.

Note: VitaraVox acts as an agent of the health information custodian (the clinic), not as a custodian itself.


Key Definitions

| Term | Definition |
|---|---|
| Health Information Custodian (HIC) | Healthcare provider who has custody/control of PHI |
| Agent | Person who acts for a custodian and has access to PHI |
| Personal Health Information (PHI) | Identifying health information about an individual |

VitaraVox as Agent

Under PHIPA s. 17, agents must:

| Requirement | VitaraVox Implementation | Status |
|---|---|---|
| Act in accordance with the custodian's instructions | Clinic configuration controls behavior | |
| Not collect, use, or disclose PHI beyond what is permitted | Scheduling only, no medical records | |
| Notify custodian of breach | Breach notification procedure | ⚠️ Document |
| Keep information secure | TLS, encryption, access controls | |

PHIPA s. 20 permits implied consent for healthcare purposes within the circle of care.

Applies to:

- Patient identification
- Appointment scheduling
- Appointment reminders

VitaraVox Implementation: ✅ Valid basis for scheduling

Explicit consent is required when:

- Collecting PHI from the individual
- Using or disclosing PHI for purposes outside the circle of care

VitaraVox Implementation:

- New patient registration requires explicit verbal consent ✅
- Voice script: "Do you consent to proceed?" ✅


Information Practices

Collection

| PHIPA Requirement | VitaraVox Implementation |
|---|---|
| Collect directly from the individual when possible | Voice calls direct from patient ✅ |
| Collect only necessary information | BC Health minimum fields ✅ |
| Inform of purpose at collection | Voice agent states purpose ✅ |

Use

| PHIPA Requirement | VitaraVox Implementation |
|---|---|
| Use only for the purpose collected | Scheduling only ✅ |
| No secondary use without consent | Not applicable ✅ |

Disclosure

| PHIPA Requirement | VitaraVox Implementation |
|---|---|
| Disclose to EMR (same custodian) | Patient data to OSCAR ✅ |
| No disclosure to third parties | Never implemented ✅ |

Retention

| PHIPA Requirement | VitaraVox Implementation |
|---|---|
| Retain for regulatory period | Call logs: 1 year (metadata only) |
| Secure destruction after retention | Automated purge planned |

Security Requirements

PHIPA s. 12 requires reasonable safeguards.

| Safeguard | VitaraVox Implementation | Status |
|---|---|---|
| Physical | Cloud infrastructure (OCI) | |
| Technical | TLS 1.2+, AES-256 | |
| Administrative | RBAC, audit logs | |
| Access controls | Role-based, per-clinic | |
| Audit trail | All admin actions logged | |

Breach Notification

PHIPA s. 12(2) requires notification of theft, loss, or unauthorized access.

| Requirement | Timeline | Recipient |
|---|---|---|
| Notify IPC | At first reasonable opportunity | Information and Privacy Commissioner |
| Notify individuals | At first reasonable opportunity | Affected patients |
| Notify custodian | Immediately | Clinic (for agent breaches) |

Breach Response Procedure

  1. Contain - Stop ongoing breach
  2. Assess - Determine scope and risk
  3. Notify - IPC, individuals, custodians
  4. Remediate - Fix root cause
  5. Document - Retain records

Agent Agreement

PHIPA requires written agreements between custodians and agents.

Agreement Must Include:

| Element | Status |
|---|---|
| Permitted uses and disclosures | ⚠️ Template needed |
| Security safeguards | ⚠️ Template needed |
| Notification obligations | ⚠️ Template needed |
| Return/destruction of PHI | ⚠️ Template needed |

IPC Guidance Documents

Relevant guidance from the Information and Privacy Commissioner of Ontario:

| Document | Relevance |
|---|---|
| Health Agents | Agent responsibilities |
| Privacy Breach Protocol | Breach notification |
| AI in Healthcare | Voice AI considerations |

Action Items

| Priority | Action | Owner |
|---|---|---|
| High | Create agent agreement template | Legal |
| High | Document breach notification procedure | Security |
| Medium | Review IPC AI guidance | Privacy Officer |
| Low | Annual PHIPA training for staff | Privacy Officer |

Next Steps