Rivet is your agent (PHIPA s.2)
PHIPA s.2 defines an “agent” as a person who, with a custodian’s authorization, acts for or on behalf of the custodian in respect of PHI. That’s the receptionist analogy made formal. A receptionist who handles patient messages is an agent of the custodian under PHIPA — and a service that transcribes voicemails, surfaces them in an inbox, and sends auto-replies on your behalf falls in the same category. Rivet acts as your agent. That means:- Rivet handles PHI on your behalf and at your direction — never for its own purposes.
- The PHIPA accountability for that PHI stays with you. Rivet is bound to protect it; you are accountable for it.
- A written agreement between you and Rivet captures the boundaries of that agency. That’s the Data Processing Agreement you accept when you sign up.
Rivet is a provider of electronic services (O. Reg. 329/04 s.6(3))
Ontario Regulation 329/04 s.6(3) addresses a person who supplies services that enable a custodian to use electronic means to collect, use, retain, disclose, or dispose of PHI. That’s Rivet’s product description in legal language. Under s.6(3), Rivet:- Uses PHI only as necessary to provide the service.
- Doesn’t disclose PHI except to deliver the service or as required by law.
- Notifies you of any unauthorized handling at the first reasonable opportunity.
- On request, provides a plain-language description of the service and its safeguards.
Rivet is not a custodian
Rivet doesn’t provide health care, and Rivet isn’t on the list of custodian classes in PHIPA s.3. The client information Rivet handles belongs — in the PHIPA sense — to you. If a client asks you for a copy of their records, that’s your obligation to fulfil under PHIPA s.52. Rivet’s job is to give you the facts you need to answer that request.Rivet is not a Health Information Network Provider
A HINP (O. Reg. 329/04 s.6(2)) is a service whose primary purpose is to enable two or more custodians to disclose PHI to one another by electronic means. Rivet enables communication between you and your clients — not custodian-to-custodian disclosure. Different role, different obligations.What this means for you
You don’t have to read the statute to use Rivet — but you should know the shape of it, because regulators, insurers, and compliance officers will ask. The short version:- You’re the custodian. The PHI is yours.
- Rivet is your agent. The DPA captures Rivet’s duties to you.
- Rivet uses client information only to deliver the service you subscribed to — never for its own purposes, never for marketing, never to train any AI system.
- If a client asks for access, correction, or deletion of their information, you handle that request as the custodian — and Rivet helps you do it.
Outside Ontario
PHIPA is Ontario-specific. If you practice in another province, the federal PIPEDA baseline applies, plus your provincial health-privacy statute (Alberta’s HIA, B.C.’s PIPA, Quebec’s Law 25, etc.). The Rivet posture — agent of the custodian, electronic-service provider, no secondary use, minimum necessary handling — translates cleanly to those regimes. If your College or your insurer wants the equivalent local characterization in writing, emailhello@getrivet.ca.
Related articles
Your role as custodian
What being a PHIPA custodian means day-to-day, and what Rivet handles on
your behalf.
The Data Processing Agreement
The agreement that papers the agency relationship.
Measurement vs. clinical content
Why Rivet stays a communication tool, not a clinical record system.