Personal Health Information Protection Act (Ontario)
The Personal Health Information Protection Act (PHIPA) is privacy legislation in Ontario that applies to the collection, use, and disclosure of personal health information (PHI) in the course of providing or facilitating healthcare services.
Customers are always in control of how they manage and access their content stored on AWS. AWS does not have visibility into or knowledge of what customers are uploading onto its network, including whether or not that data is deemed subject to PHIPA legislation, and customers are responsible for ensuring their own PHIPA compliance. AWS customers can design and implement an AWS environment, and use AWS services in a manner that satisfies their obligations under PHIPA.
The AWS Canada (Central) Region is currently available for multiple services, including Amazon Elastic Compute Cloud (Amazon EC2), Amazon Simple Storage Service (Amazon S3), and Amazon Relational Database Service (Amazon RDS). For a complete list of AWS Regions and services, visit the Global Infrastructure page. Canada Region pricing is available on the detail page of each service, which can be found through our products & services page.
What is PIPEDA and what is PHIPA? What is the relationship between these laws?
The Personal Information Protection and Electronic Documents Act (PIPEDA) is a Canadian federal law that applies to the collection, use, and disclosure of personal information in the course of commercial activities across Canada, except where a province has enacted legislation that has been declared substantially similar to PIPEDA. Certain Canadian provinces have adopted their own general privacy laws for the public and private sectors, as well as privacy laws specific to personal health information. The Personal Health Information Protection Act (PHIPA) is the privacy law in Ontario that applies to the collection, use, and disclosure of personal health information (PHI) in the course of providing or facilitating healthcare services; with respect to health information custodians, PHIPA has been declared substantially similar to PIPEDA.
Whether, and the extent to which, an AWS customer is subject to PIPEDA, PHIPA, or any other Canadian provincial privacy requirements may vary depending on the customer’s business. In general, health information custodians in Ontario and their agents will be subject to PHIPA where personal health information is concerned (other aspects of their business may be subject to other privacy laws). The term “health information custodian” includes healthcare providers (for example, doctors and nurses), hospitals, long-term care homes, homes for special care, community care access centres, Local Health Integration Networks (LHINs), pharmacies, medical laboratories, local medical officers of health, ambulance services, community mental health programs, and the Ministry of Health and Long-Term Care.
Other organizations may be subject to PIPEDA or provincial privacy laws as well. For more information about PIPEDA, please visit the AWS PIPEDA page.
Customers should consult their own legal advisors to understand the privacy laws to which they are subject.
Does AWS comply with PHIPA?
AWS customers can design and implement an AWS environment, and use AWS services in a manner that satisfies their obligations under PHIPA.
Customers that are subject to PHIPA bear the responsibility to comply with its requirements for the collection, use, and disclosure of PHI. AWS services are structured so that customers have control over how their content is stored or processed using AWS, including control over how that content is secured and who can access that content. AWS provides services that customers can configure and use to aid in the security of any PHI they store on AWS, and it is the responsibility of the customer to architect a solution that meets applicable privacy requirements.
Note that there is no officially recognized “certification” for PHIPA compliance in the way that an entity might hold a SOC attestation report, a PCI DSS certification, or a FedRAMP authorization. Instead, AWS offers its customers considerable information regarding the policies, processes, and controls established and operated by AWS. AWS provides workbooks, whitepapers, and best practice guides on our AWS Compliance Resources page, and customers have on-demand access to the AWS third-party audit reports in AWS Artifact. Customers can use this information to evaluate whether AWS satisfies their security requirements under PHIPA.
Is a separate contract or contract amendment needed with AWS under PHIPA, similar to the requirement for a Business Associate Agreement under HIPAA in the United States?
There is no equivalent requirement under PHIPA to have an agreement in place between a customer and AWS in the way that HIPAA requires a Business Associate Agreement in the United States. Customers should consult their account representatives with any questions about the applicability of specific AWS contract terms.
Does AWS access PHI that customers put on AWS?
Customers are always in control of how they manage and access their content stored on AWS. AWS provides an advanced set of access, encryption, and logging features to help customers manage their content and access it effectively. AWS does not access or disclose customer content unless at the direction of the customer, or if necessary to comply with the law or a valid and binding order of a governmental or regulatory body having jurisdiction. Unless AWS is legally prohibited from doing so or there is a clear indication of illegal conduct in connection with the use of AWS services, AWS notifies customers before disclosing customer content so they can seek protection from disclosure. For more information, visit our Data Privacy FAQ.
Does PHIPA prohibit an AWS customer from having data in transit or at rest outside of Ontario or outside of Canada?
Customers should consult their own legal advisors when seeking to comply with privacy laws. Generally speaking, there is no requirement in PHIPA that specifically limits the ability of a person or organization to transfer or store data outside of Ontario or Canada. PHIPA does, however, require entities to take reasonable steps to safeguard PHI. It is the responsibility of each customer to determine whether transferring and storing data outside of Canada satisfies its security obligations.
AWS customers should consider whether the laws of any other Canadian provinces apply, and review such laws for any data residency limitations. AWS customers choose the region(s) in which their content will be stored. AWS will not move or replicate customer content outside of the customer’s chosen region(s) without the customer’s consent.
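Choosing a Region is only half of a data-residency control: the customer's own principals can still create resources elsewhere unless something stops them. The service control policy (SCP) below is an added example, not text from this AWS page. It denies API calls to any Region other than ca-central-1 (Canada (Central), the Region this FAQ discusses) across an AWS Organizations organizational unit, while exempting services that have a single global endpoint. The list of exempted global services is illustrative and should be checked against the services the account actually uses.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyAllRegionsExceptCanadaCentral",
      "Effect": "Deny",
      "NotAction": [
        "iam:*",
        "sts:*",
        "organizations:*",
        "support:*",
        "cloudfront:*",
        "route53:*",
        "budgets:*",
        "health:*"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:RequestedRegion": [
            "ca-central-1"
          ]
        }
      }
    }
  ]
}
```

Two caveats a reviewer would raise: SCPs do not apply to the organization's management account, so PHI workloads should live in member accounts; and an SCP governs where API calls are accepted, not where data is copied afterwards. Features such as S3 cross-Region replication or cross-Region snapshot copies are configured by calls made against the source resource in the allowed Region, so they need to be reviewed (or denied by action) separately.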
Does PHIPA require that PHI be encrypted?
Under PHIPA there is no specific requirement to encrypt PHI. However, entities subject to PHIPA are required to take steps to safeguard PHI and it is the responsibility of each customer to determine whether encryption is appropriate to satisfy its security obligations. AWS recommends that PHI always be encrypted at rest and in transit as a best practice.
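The recommendation above can be made enforceable at the storage layer rather than left to client behaviour. The S3 bucket policy below is an added example, not text from this AWS page; the bucket name example-phi-bucket is a placeholder. It rejects any request that does not arrive over TLS 1.2 or later, and rejects object uploads that do not request server-side encryption with an AWS KMS key.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyRequestsWithoutTLS",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::example-phi-bucket",
        "arn:aws:s3:::example-phi-bucket/*"
      ],
      "Condition": {
        "Bool": { "aws:SecureTransport": "false" }
      }
    },
    {
      "Sid": "DenyLegacyTLSVersions",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::example-phi-bucket",
        "arn:aws:s3:::example-phi-bucket/*"
      ],
      "Condition": {
        "NumericLessThan": { "s3:TlsVersion": "1.2" }
      }
    },
    {
      "Sid": "DenyUploadsNotUsingSSEKMS",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::example-phi-bucket/*",
      "Condition": {
        "StringNotEquals": { "s3:x-amz-server-side-encryption": "aws:kms" }
      }
    },
    {
      "Sid": "DenyUploadsWithoutEncryptionHeader",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::example-phi-bucket/*",
      "Condition": {
        "Null": { "s3:x-amz-server-side-encryption": "true" }
      }
    }
  ]
}
```

Pair this with SSE-KMS default encryption on the bucket, so that uploads which omit the header are encrypted under the bucket's key rather than rejected, and remember that the KMS key policy, not the bucket policy, decides who can decrypt. Encryption is one safeguard; it does not by itself discharge a custodian's obligation under PHIPA to protect PHI against unauthorized access, use, and disclosure.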
How can customers get information to complete a Privacy Impact Assessment in connection with using AWS?
AWS makes available a wide range of materials to help customers understand the AWS environment and security controls. AWS provides customers with on-demand access to third-party audit reports (such as our SOC 1 and SOC 2 reports) in AWS Artifact. AWS also provides workbooks, whitepapers, and best practices on our AWS Compliance Resources page about how to run workloads on AWS in a secure manner.
How do customers implement auditing and logging in AWS?
Consistent with the Shared Responsibility Model, customers should consider implementing auditing and logging across their AWS environment in a manner sufficient to meet their compliance requirements. AWS offers services that make scalable logging and log analytics architectures simpler to implement. AWS also has a variety of partners in the AWS Marketplace that provide security logging solutions. Refer to the AWS Security-Logging Capabilities page for more information on how to implement logging on AWS.
Can you provide examples of other healthcare organizations in Canada utilizing AWS?