PHIPA (Ontario) — Personal Health Information Protection Act, 2004 · vPHIPA — Personal Health Inf…
PHIPA (Ontario) — Personal Health Information Protection Act, 2004
PHIPA (Ontario) — Personal Health Information Protection Act, 2004 — 100% covered.
6 requirements · 6 enforced · 0 designed · 0 advisory · 0 deferred.
Source: Personal Health Information Protection Act, 2004 (Ontario), S.O. 2004, c. 3, Sched. A. Consent + lawful purpose for collection/use/disclosure of personal health information by a health-information custodian (ss.29-30, 36-38), the circle-of-care implied-consent rule, electronic-record audit-log and access-control duties (s.10.1 + s.12 + O. Reg. 329/04 s.6.3), the data-minimisation rule (s.30(2)), and breach + IPC-notification duties (s.12(2)-(3)).
By category
| Category | Reqs | Enforced | Designed | Advisory | Deferred | Coverage |
|---|---|---|---|---|---|---|
| Consent + lawful purpose (ss.29-30, 36-38) | 2 | 2 | 0 | 0 | 0 | 100% |
| Data minimisation (s.30(2)) | 1 | 1 | 0 | 0 | 0 | 100% |
| Electronic audit log + access control (s.10.1, s.12, O.Reg.329/04 s.6.3) | 1 | 1 | 0 | 0 | 0 | 100% |
| Access + correction (ss.52-55) | 1 | 1 | 0 | 0 | 0 | 100% |
| Breach + IPC notification (s.12(2)-(3)) | 1 | 1 | 0 | 0 | 0 | 100% |
Every requirement → the KYE™ artefact that enforces it
| ID | Title | Status | KYE™ enforcement |
|---|---|---|---|
phipa.s29 |
Section 29 — A health-information custodian must not collect, use or disclose personal health information unless it has the individual's consent and the activity is for a lawful purpose, or the Act permits it without consent | enforced | audit_events: kye.purpose.request.v1, kye.purpose.admissibility.v1engines: internal, internalconstitution_refs: constitution/12-PURPOSE-PERMISSION.md |
phipa.s38 |
Section 38 — Implied consent within the circle of care: a custodian may use or disclose personal health information for the provision of health care unless the individual has withheld or withdrawn consent | enforced | audit_events: kye.purpose.admissibility.v1, kye.evidence.decision_map.v1engines: internal, internalconstitution_refs: constitution/12-PURPOSE-PERMISSION.md |
phipa.s30-2 |
Section 30(2) — Data minimisation: a custodian must not collect, use or disclose more personal health information than is reasonably necessary to meet the purpose | enforced | audit_events: kye.purpose.admissibility.v1, kye.evidence.tool_call.v1engines: internalconstitution_refs: constitution/12-PURPOSE-PERMISSION.md, constitution/63-MEMORY-AUTHORITY-RAIL.md |
phipa.s10.1 |
Section 10.1 + O. Reg. 329/04 s.6.3 — Electronic audit log: a custodian using electronic means to handle personal health information must maintain an audit log recording every access and the agent responsible, and detect unauthorised use | enforced | audit_events: kye.evidence.tool_call.v1, kye.replay.proof.v1engines: internalconstitution_refs: constitution/30-AUDIT-WORM-RETENTION.md, constitution/13-RESILIENCE-LOOP.md |
phipa.s52 |
Sections 52-55 — Right of access and correction: an individual has a right of access to a record of their personal health information and may require correction of an inaccuracy | enforced | audit_events: kye.evidence.pack.v1, kye.evidence.decision_map.v1engines: internal, internalconstitution_refs: constitution/31-DATA-GOVERNANCE-PACK.md, constitution/21-DELEGATED-AUDITABILITY.md |
phipa.s12-2 |
Section 12(2)-(3) — Notice of breach: a custodian must notify an individual at the first reasonable opportunity if their personal health information is stolen, lost, or used/disclosed without authority, and notify the IPC in prescribed circumstances | enforced | audit_events: kye.signal.incident.opened.v1, kye.compliance.attestation.v1engines: internal, internalconstitution_refs: constitution/13-RESILIENCE-LOOP.md |