Canadian Institute For Health Information - Privacy and Security

Privacy and Security

CIHI ensures the confidentiality, integrity and availability of its health information through a comprehensive and integrated privacy and security program. Its Privacy and Security Framework outlines how the organization approaches data governance, and maintains privacy and security protection. CIHI enacts numerous policies and practices to prohibit personal identification, one key policy being strict levels of data suppression.

In the past, some news media outlets have raised concerns about the safety of personal health records in large medical/science databases like CIHI. In 2001, a Toronto Star article expressed fears that large health information vendors like CIHI could potentially leak the private health information of Canadians. The article suggested that the identities of individuals who had abortions and profiles of the mentally ill could potentially be leaked from CIHI’s databases if proper security practices were not in place. The article also surmised that the greatest danger to patient and research subject privacy was the possibility of CIHI’s health information being compromised through involvement with commercial entities. However, the findings of a three year review by the Information and Privacy Commissioner of Ontario (IPC) published in a 2008 report allayed some of these concerns and largely supported CIHI’s assertion that the organization's security policies, procedures and protocols ensure high standards of privacy protection. According to the report, the "IPC is satisfied that CIHI continues to have in place practices and procedures that sufficiently protect the privacy of individuals whose personal health information it receives and that sufficiently maintain the confidentiality of that information," and that as of October 31, 2008, the IPC was satisfied that CIHI met the requirements of the Personal Health Information Protection Act.

Since 2005, CIHI has maintained prescribed entity status under the Personal Health Information Protection Act (PHIPA). Prescribed entity status gives an organization access to personal health data from government health information custodians, without patient consent.