[CAD] Compliance with Privacy Laws in New Brunswick (PHIPAA)

The Personal Health Information Privacy and Access Act (PHIPAA)

The Personal Health Information Privacy and Access Act is New Brunswick’s privacy law relating to health records, and has been deemed “substantially similar” to the federal private sector privacy law with respect to health information custodians. Some differences between PHIPAA and PIPEDA are:
  • PIPEDA applies to all personal information, including PHI, whereas PHIPAA applies only to PHI.
  • PHIPAA does not distinguish between commercial and non-commercial health-care activities.
  • PHIPAA provides more specificity and detailed guidance regarding the types of consent required for the collection, use and disclosure of PHI in various situations, whereas PIPEDA outlines general principles to be considered in determining what type of consent is appropriate in the circumstances.

Owl and PHIPAA

Owl helps practices comply with PHIPAA in a number of ways, as PHIPAA requires several specific procedural safeguards not required by PIPEDA:
  • PHIPAA requires custodians to keep records of any PHI about an individual which the custodian destroys: Owl offers a range of Data Export options to ensure you can export your information out of Owl for local storage should you ever decide to. We also offer a maintenance plan at a reduced monthly fee, that allows you to retain access to your account and data without the ability to create new sessions. Learn more about our maintenance plan here!
  • PHIPAA requires custodians to establish and comply with a written policy for the retention, archival storage, access and secure destruction of PHI: To help inform any clinics that are writing this policy, here is our data removal process. Data is destroyed by removing it from all of our systems. We own all hardware that stores any of our customers' data, which means we own the hard drives. Once we remove data from the hard drives, we then overwrite it with other data to ensure it is deleted.
  • There are privacy breach reporting requirements under PHIPAA that do not exist under PIPEDA. Agents and information managers of the custodian should be required to immediately notify the custodian in the event of a breach: While we take significant and extensive measures to ensure a security breach could never occur, if one were to take place, we would of course notify our customers immediately.
  • Both PHIPAA and PIPEDA provide that safeguards should be in place and should be appropriate to the sensitivity of the information to be protected: Owl helps practices achieve this security through our own security measures. At Owl, we use bank-level encryption (SSL) to encrypt all data that moves between our secure and dedicated servers and the device and browser on which a clinician accesses their Owl Practice account. The encryption of data between our secure and dedicated servers and the device and browser on which a clinician accesses their Owl account is done using SHA256 with RSA. We continuously test our systems to ensure all of our encryption layers have the most up-to-date patches for any vulnerabilities that surface over time (example: Heartbleed/CVE-2014-0160).

Other Legislation

Other acts that may be relevant to clinics in New Brunswick are:
The Office of the Integrity Commissioner for New Brunswick can be reached through the contact details on this website.