Privacy and Health Regulations: Need-to-Knows for Ontario Companies

Authors: Thassiane Gossler and Moushmi Mehta

Start-ups are leading the charge in driving innovations poised to revolutionize the healthcare sector. These companies are assuming a central role in reshaping healthcare through developments in medical diagnostics and patient care. A notable trend is the emergence of technology start-ups offering a spectrum of products, including AI-driven tools for virtual health support, electronic health record management, and solutions for early detection of bodily and dermatological conditions.

Nevertheless, these ventures must grapple with the complexities of regulatory frameworks, particularly when it comes to the handling of personal health information (PHI). In the province of Ontario, the Personal Health Information Protection Act (PHIPA) assumes a critical role as the legislative cornerstone governing the management of health data.[1]

This article will delve into essential factors that companies should consider before introducing AI products in the healthcare sector. Within this context, we will follow the fictional journey of a company to provide insights into understanding the specific roles and requirements outlined by PHIPA.

💡 Case Study: MediCareAI aims to utilize deep learning algorithms for the analysis of medical imaging data, including X-rays, MRIs, and CT scans. This innovative technology promises rapid and accurate detection of abnormalities, offering invaluable support to radiologists and physicians in enhancing the precision of their diagnoses.

Understanding PHIPA

💡 Phase I: MediCareAI opts to establish its start-up in Ontario. During this pre-launch phase, the company is exclusively collecting images from specific target users to gather feedback. No specific medical data is being acquired from users; individuals are only required to sign up for platform access by providing their email addresses.

In Ontario, the PHIPA governs the collection, use, and disclosure of PHI about individuals. This legislation applies to organizations and persons that. (a) facilitate the provision of healthcare; and (b) receive PHI.[2] More specifically, PHIPA applies to persons and organizations defined as Custodians, Agents (who are authorized to act for or on behalf of Custodians) and Service Providers.[3]

During this pre-launch stage, if MediCareAI intends to introduce a beta version of its product primarily to gather feedback, it’s crucial to consider the potential applicability of PHIPA. To begin, it’s important to define the scope of the PHI.

PHI covers information that can identify an individual, whether it is spoken or recorded, and relates to various aspects of their health and healthcare. This includes details about their physical and mental health, including family health history, as well as information associated with the provision of healthcare to the individual, such as identifying their healthcare providers. It also extends to plans outlining home and community care services, information about payments or eligibility for healthcare, details about the donation of body parts or bodily substances, the individual’s health number, and the identification of their substitute decision-maker.[4]

In the specific situation, if MediCareAI had intended to request any such information from users and facilitate the sharing of users’ PHI, it would have been imperative to recognize the pertinent PHIPA regulations. However, since MediCareAI simply invites users to sign up and explore their product through pre-determined case studies without actively soliciting PHI, PHIPA would not be a relevant factor.

Responsibilities Defined by PHIPA

💡 Phase II: With the foundational work complete, MediCareAI is now prepared to advance to the product launch phase, which entails the responsible collection of the users’ health information.

PHIPA defines various roles, each with distinct responsibilities:

  1. Custodian: A custodian / heath information custodian (HIC) is a person or organization that has custody or control of PHI while delivering healthcare services[5].
    • Scenario: MediCareAI collects medical images from its users and facilitates connections with healthcare practitioners for consultations.
    • Outcome: Users submit medical images for analysis on the MediCareAI platform and connect with health professionals. Here, MediCareAI is not the HIC since the practitioner is the one delivering healthcare services. Unless the user has provided express consent to MediCareAI storing their PHI, the practitioner will not be permitted to share the user’s PHI, including the users’ medical images. The practitioner, as the HIC, must ensure data security and privacy under PHIPA, maintaining access records, and responding to user requests for data access or corrections.
  2. Agent: PHIPA defines an agent to include any person who is authorized by an HIC to perform services or activities in respect of PHI on the HIC’s behalf.
    • Scenario: MediCareAI decides to collaborate with a radiology clinic for image analysis.
    • Outcome: In this case, the radiology clinic acts as an HIC of PHI. They authorize MediCareAI as their agent to perform image analysis on their behalf. MediCareAI, as the agent, must adhere to PHIPA guidelines, ensuring that they only use the data for the authorized purpose, maintain confidentiality, and report any breaches to the HIC.
  3. Service Provider: A person or organization that supplies services to assist an HIC in using electronic means to collect, use, modify, disclose, retain, or dispose of PHI, and one who is not an agent of the HIC.
    • Situation: MediCareAI hires a cloud storage provider to securely store the medical images.
    • Outcome: The cloud storage provider is a Service Provider as defined by PHIPA. MediCareAI must ensure that the cloud provider meets PHIPA’s requirements for data security and privacy. They should have a contractual agreement in place that specifies the responsibilities and obligations of the Service Provider concerning the users’ PHI stored on their platform.
  4. Health Information Network Provider (HINP): A person who provides services to two or more HICs to enable them to use electronic means to disclose PHI to one another.
    • Situation: MediCareAI develops a feature that enables radiology clinics to share their medical imaging analyses with the physicians of their patients.
    • Outcome: MediCareAI acts as HINP as defined by PHIPA. MediCareAI must comply with several PHIPA requirements, including notifying HICs of privacy breaches, providing clear descriptions of their services and safeguards, maintaining electronic records of all accesses and transfers of PHI, and establishing written agreements with HICs to uphold confidentiality and security standards.

From the above phases and scenarios, understanding the roles of an HIC, Agent, or Service Provider, is clearly crucial for companies in these sectors. By identifying their specific role, companies can determine their responsibilities and obligations regarding the handling and safeguarding of PHI.

This includes recognizing whether they have custody or control of PHI, whether they are authorized by an HIC to act on their behalf, or if they are providing services to facilitate the collection, use, modification, disclosure, retention, or disposal of PHI. By clarifying their role under PHIPA, companies can navigate the regulatory landscape effectively, implement appropriate security measures, and maintain the privacy and security of health data, thus safeguarding the interests of both – users and the organization itself.

Key Takeaways

Given that the AI-driven health technology often relies on extensive datasets for training and analysis, it is even more crucial to educate users about data collection, usage, and the AI’s intended purposes.

  1. Users must have a clear understanding of how their health data will be used within the product and provide their informed consent accordingly. Companies should seek legal assistance to establish transparent and informed consent mechanisms to comply with PHIPA.
  2. Certain considerations under PHIPA include having robust security measures to safeguard PHI against unauthorized access and cyber threats.
  3. Access control is also vital, and companies should ensure that only authorized personnel can access such data, with continuous monitoring and auditing in place to prevent unauthorized usage.
  4. Data minimization, as encouraged by PHIPA, should guide the companies in collecting only the necessary personal health data for their AI’s intended purpose, as excessive data collection can pose privacy and compliance risks.
  5. Establishing clear data retention and deletion policies is essential, adhering to PHIPA’s guideline of retaining information only for the required duration.
  6. Companies should also prepare comprehensive breach response plans and train their teams regularly to ensure awareness and compliance with privacy principles and security measures mandated by PHIPA.


Ontario’s thriving tech ecosystem presents startups with the opportunity to revolutionize healthcare through AI-driven solutions like Skin AI. However, this potential comes with the responsibility to protect personal health information and adhere to PHIPA regulations, as PHIPA violations can lead to several consequences, such as legal proceedings for damages, substantial fines for organizations and personal liability for those involved.

By proactively integrating privacy considerations into their AI product development processes and staying informed about evolving privacy laws, startups can create innovative solutions that benefit both patients and the healthcare sector while maintaining the highest standards of data protection and privacy. This careful approach not only ensures compliance but also safeguards patient trust and promotes responsible AI innovation in healthcare.

[1] Personal Health Information Protection Act, 2004, SO 2004, c 3, Sch A (“PHIPA”).

[2] O. Reg. 329/04 ss. 1; and 2.

[3] O. Reg. 329/04 s. 7.

[4] O. Reg. 329/04 s. 4.

[5] PHIPA defines health care as “any observation, examination, assessment, care, service or procedure that is done for a health-related purpose and is carried out or provided to diagnose, treat or maintain an individual’s physical or mental condition; to prevent disease or injury or to promote health; or as part of palliative care.”