Personal Health Information Protection Act of Ontario, Canada (PHIPA)

Modern healthcare includes many cutting-edge therapies, treatments, diagnostics, and tools that utilize technology to provide care. Doing so means processing data concerning an individual’s health, arguably the most sensitive and private information relating to a person, in more ways than ever before. The unfortunate reality is that personal health information ("PHI") can be a high value target for threat actors, so protecting PHI is critical. Proofpoint products and services can be a key part of an organization’s data security and protection plan.

Many of Proofpoint’s customers in Ontario working in healthcare may be considered to be health information custodians ("HICs") subject to the Personal Health Information Protection Act ("PHIPA"). PHIPA is a series of rules governing the collection, use, and disclosure of PHI in the course of providing or facilitating healthcare services in Ontario. Health information custodians and their agents are subject to PHIPA any time PHI is being used, shared, or processed. Part IV of PHIPA, "Collection, Use and Disclosure of Personal Health Information", requires that HICs take "reasonable steps" to protect personal health information against theft, loss, unauthorized use and disclosure, and unauthorized copying, modification, or disposal. Proofpoint products can be an effective component of our customers’ data protection strategies as required by Part IV.

As custodians of PHI, our customers take their due diligence relating to partners like Proofpoint very seriously. To assist in that process, the Proofpoint Trust site provides the details of how Proofpoint uses data and complies with laws while providing products and services to our customers. It is important to note that for the majority of Proofpoint products, only the minimum amount of data required is used. The exceptions to this are products in the archive line due to the nature of archiving.

PHIPA does not require PHI to remain in Ontario. Proofpoint is unable to keep data solely in Ontario. You can find more details about our subprocessors on the Proofpoint Trust Site. All subprocessors are subject to written agreements that address duties of confidentiality and secure data handling practices.

Proofpoint is not a Managed Service Provider as defined under PHIPA. Proofpoint only provides cybersecurity software and related services that do not include managing our customers’ IT infrastructure.

It may be helpful to know that Proofpoint does not require PHI to provide our products and services. While it is possible that PHI could pass through the products and services, it is unlikely that such information would ever be accessed by a person or retained, as Proofpoint’s focus is on information relating to threats. For certain customers, Proofpoint may be considered to be an agent under PHIPA. We are happy to discuss that possibility with you.

Please note that in the event of a known unauthorized use, disclosure or acquisition by a third party of personal data that compromises the security, confidentiality, or integrity of such data maintained by Proofpoint, Proofpoint will notify the applicable customers in writing within 48 hours of discovery. This is reflected in Proofpoint’s Data Security Policy. Furthermore, Proofpoint only uses the data that passes from our customers through our products and services for providing and improving the products and services. We do not sell customer data.

As reflected in the Data Security Policy, many of our products are certified under our SOC 2 Type II Report ("SOC 2").

© 2022. All rights reserved. The content on this site is intended for informational purposes only.
Last updated April 27, 2022.