Personal Health Information Protection Act

by Leanne E. Standryk

Leanne E. Standryk provides a comprehensive look at the Personal Health Information Protection Act (PHIPA).

The Personal Health Information Protection Act (“PHIPA” or the “Act”) sets out to establish a regulatory regime governing the collection, use and disclosure of personal health information and to promote the confidentiality and privacy of individuals. It establishes the right of access to personal health information and to amendments of such information, identifies who may access such information on another person’s behalf, and provides avenues for the resolution of complaints and possible compensation for infringement of individual privacy rights.

Application of PHIPA

The Act applies to the collection of personal health information by “health information custodians” defined as a health care practitioner, long-term care service provider, operator of a hospital, nursing home, pharmacy, laboratory or specimen collection centre, home for special care, medical officer of health or a board of health, ambulance service, the Minister of Health or “any other person prescribed as a health information custodian” if the person has custody or control of personal health information as a result of or in connection with performing prescribed powers.

The Act is binding on “agents” of a health information custodian who act on behalf of the custodian. Agents must also not exceed the authority given to them by the custodian.

The Act applies to the use and disclosure of personal health information, after the Act comes into force, by a person who is not a health information custodian and to whom a health information custodian disclosed the information. The Act also applies to the collection, use and disclosure of health numbers by any person after the Act comes into force.

General Principle

A custodian may not collect, use or disclose personal health information of an individual without the individual’s consent.

Personal Health Information

Personal health information refers to identifying information, whether in oral or recorded form, that relates to:

  1. physical or mental health of the individual including information that consists of the medical history of the individual’s family;
  2. the provision of health care to the individual;
  3. a plan of service within the meaning of the Long-Term Care Act, 1994 for the individual;
  4. payments or eligibility for health care in respect of the individual;
  5. the donation of a body part or bodily substance of the individual, or information derived from the testing or examination of any such body part or bodily substance;
  6. the individual’s health care number;
  7. identifying a provider of health care to the individual or a substitute decision-maker of the individual.

Personal health information does not include identifying information held by health information custodians as employers, i.e. personal health information relating to an employee maintained primarily for a purpose other than the provision of health care to the employee.


A person’s consent is required under the Act for collecting, using or disclosing personal health information by health information custodians in circumstances where it is not explicitly needed to provide them with immediate health care. Disclosure of personal health information about an individual by a health information custodian to another person who is not a health information custodian must always be express. This consent can be withdrawn by the individual at any time by providing notice to the health information custodian.

Even if consent is given, custodians may exercise their discretion and are not mandated to disclose personal health information except where legally required.

PHIPA sanctions the use of notices to bring the purposes of collection, use and disclosure to the attention of patients. It is reasonable to believe that a patient knows the purposes of collection, use or disclosure if the custodian posts a notice describing the purposes where it is likely to come to the attention of patients or if the custodian provides the individual patient with notice.

A patient may withdraw consent, whether the consent is express or implied, by providing notice to the health information custodian.

Capacity and Substitute Decisions

PHIPA presumes that all individuals are capable of consenting to the collection, use or disclosure of personal health information. A custodian may rely on this presumption unless s/he has reasonable grounds to believe that the individual is incapable of consenting. In the case of incapacity, PHIPA provides for decisions to be made by substitute decision makers. The scheme adopted is modelled on the Health Care Consent Act.

So as not to have different substitute decision makers for treatment and for personal health information, PHIPA provides that a substitute decision maker for the purpose of treatment under the Health Care Consent Act is deemed to be the substitute decision maker with respect to personal health information if the purpose of the collection, use or disclosure is necessary or ancillary to a decision about the treatment under the Health Care Consent Act. PHIPA contains mirror provisions with respect to substitute decision makers for admission to long-term care facilities and for personal assistance services.

Permitted Collections

PHIPA sets out exceptions to the principle that a patient’s consent is required for the collection of personal health information. One such exception is where the information is reasonably necessary for the provision of health care, or for assisting in the provision of health care, and it is not reasonably possible to collect, directly from the patient, information that is timely or that can reasonably be relied on as accurate.

Accuracy and Permitted Uses

A custodian must take reasonable steps to ensure that the information is as “accurate, complete and up-to-date” as is necessary for the purpose for which it uses the information.

PHIPA sets out several exceptions to the principle that information may not be used without a patient’s consent.

Some of the purposes for which a custodian may use personal health information without a patient’s consent include:

  1. the planning or delivering of programs or services;
  2. the allocation of resources to any program or service;
  3. the evaluation or monitoring of any of the programs and services;
  4. risk management, error management, or activities to improve the quality of care or the quality of any related program or services of the custodian;
  5. for processing, monitoring, verifying or reimbursing claims for payment under any Act or program administered by the Ministry; and
  6. for research conducted by the custodian, provided that the requirements specific to research under PHIPA, 2003 are met.

Use of Personal Health Information

A person who is not a health information custodian and who received personal health information from a custodian cannot use or disclose the information for any purpose other than the purpose for which the custodian disclosed the information under the Act.

Permitted Disclosures

A custodian must clearly describe to the person to whom it discloses personal health information the limitations, if any, on the accuracy, completeness or up-to-date character of the information. Alternatively, the custodian must take reasonable steps to ensure that the information is as accurate, complete and up-to-date as is necessary for the purposes of the disclosure that are known to the custodian at the time of disclosure.

At common law and under the current Public Hospitals Act regulation, in some instances, health information may be disclosed without seeking the patient’s consent. PHIPA has similar exceptions. Examples include the following:

  1. Disclosure for the provision of health care: A custodian may disclose information to specifically listed health care providers (i.e. practitioners, community access centers, etc.) if disclosure is necessary for the provision of health care and it is not reasonably possible to obtain consent in a timely manner.
  2. Contacting a relative or friend of a patient: A custodian may disclose personal health information for the purpose of contacting a relative or friend if the patient is injured, incapacitated, or ill and unable to give consent personally.
  3. Confirming patient is in the facility: Unless there is an express request from the patient to the contrary, a custodian may confirm that the person is a patient or resident in the facility, the location of the individual in the facility and the general health status of the patient described as “critical, poor, fair, stable or satisfactory”.
  4. Disclosure when the patient is deceased: Disclosure may be made for the purpose of identifying the individual whom it believes to be deceased and informing any person whom it is reasonable to inform that the patient is deceased or believed to be deceased.
  5. Significant risk to bodily harm: Disclosure is required to eliminate or reduce a significant risk of bodily harm to a person or group of persons.
  6. Audits and Accreditation: Disclosure to a person conducting an audit or reviewing an accreditation or application for same, if the audit or review relates to services provided by the custodian. The person conducting the audit or review must not remove records of personal health information from the custodian’s premises.
  7. Disclosure to law enforcement authorities: Disclosure to a person conducting an investigation or similar procedure authorized by warrant or under an Act of Ontario or Canada for the purposes of complying with the warrant or the Act.
  8. Disclosure to Colleges and other Regulatory bodies.
  9. Disclosure to the PGT, CAS and the Children’s Lawyer to enable them to carry out their statutory functions.
  10. Research: A custodian may disclose information to a researcher provided that the requirements of s. 43 of the PHIPA are met. The Act sets out the matters which the Research Ethics Board must consider in deciding whether to approve a research plan. Before disclosure, the researcher must enter into an agreement with the custodian regarding the use, security, disclosure, return and disposal of personal health information.

Access to Records of Personal Health Information and Correction

Individuals may access their record of personal health information, except in limited circumstances, by written request. They may also request that a custodian correct personal health information which they believe to be inaccurate; however, where the custodian believes the information to be correct, the correction is at the custodian’s discretion. An individual has the right to complain to the Information and Privacy Commissioner about a health information custodian’s refusal to correct the record.

The provisions of the Act provide that the custodian may charge a fee for making a record available or providing a copy of the record provided that it first gives the patient an estimate of that fee. The fee should be no more than a maximum fee to be set out in the regulations of the Act. If no fee is set in the regulations, the fee should be no more than a reasonable cost recovery.

Administration and Enforcement

The Act will be overseen by the Information and Privacy Commissioner. An individual can make a complaint in writing to the Commissioner where s/he feels that another person has contravened a provision of the Act. Upon receiving the complaint, the Commissioner may authorize a mediator to review the complaint and try to resolve any dispute. Once the Commissioner makes an order, the individual affected by the order may bring an action in the Superior Court of Justice for compensation or damages.

Contravention of various parts of the Act constitutes an offence, including: willfully collecting, using or disclosing personal health information contrary to the Act; knowingly making false statements to the Information and Privacy Commissioner; making a request for access to a record under false pretenses; willfully failing to comply with an order of the Commissioner; and disposing of a record in an attempt to avoid giving access. Offences under the Act can result in fines of up to $50,000.00 for individuals and up to $250,000.00 for corporations.

Information Practices

A custodian must have in place information practices which comply with the requirements of PHIPA and its regulations. The information practices must also be set out in a written statement available to members of the public.

If the use or disclosure of the personal health information with a patient’s consent is outside the scope of the custodian’s description of its information practices, the custodian must:

  1. inform the patient of the use and disclosure at the first reasonable opportunity unless the patient would not have a right to access the information;
  2. make note of the uses and disclosure; and
  3. keep the notes of the use and disclosure in a form that is linked to the patient’s record.

Public Statement

The custodian must make available to the public a written statement which includes:

  1. a general description of the custodian’s information practices;
  2. how to contact the contact person;
  3. how an individual may obtain access or request correction of a record; and
  4. how to make a complaint to the custodian and to the Commissioner.

Issues and Concerns for Ontario Employers

Although the Act specifically applies to health information custodians, it will likely have an impact on Ontario employers.

Express consent from each employee must be given for an employer to obtain personal health information from a health information custodian. This may have the effect of hindering an employer’s ability to manage absenteeism and employee disability, and to obtain personal health information to ensure employee health and safety while on the job.

Employees will have the right to refuse to disclose personal health information to their employer for any reason.

It is not clear whether an employer who is not a health information custodian is bound by the Act when collecting personal health information directly from the individual rather than through a health information custodian.

Since an individual may be granted full access to their record of personal health information, it may be easier for an employer to obtain the needed information through the employee directly.

Some businesses have health information custodians on staff and therefore may have an advantage in obtaining personal health information under the Act.

Mental Health Act and Public Hospitals Act: Amendments

In order to ensure consistency with PHIPA, Bill 31 repeals certain provisions of the Mental Health Act. The repealed provisions include those pertaining to a patient’s right to access and seek correction of the record. PHIPA will govern a patient’s right to access and seek corrections of his/her records in a psychiatric facility. The provisions of the Mental Health Act specific to the disclosure of records pursuant to a summons or other similar requirement as well as the disclosure of information in a proceeding will continue in place.

Patient information and records in public hospitals are governed by Regulation 965 made under the Public Hospitals Act. Bill 31, being a statute, does not amend regulations. It is anticipated, however, that the patient information provisions contained in Regulation 965 will be amended. Should amendments not be made, PHIPA provides that in the event of a conflict between provisions of PHIPA and a provision of another statute or regulation, the provisions of PHIPA prevail.

Quality of Care Protection Act, 2003 (QCPA)

QCPA and PHIPA recognize the public interest in facilities engaging in quality of care and peer review activities. Under these laws, subject to exceptions, information generated for the purposes of a quality of care committee may not be disclosed and may not be accessed by patients. This information is referred to as “quality of care information”. Quality of care information is defined as information collected by or prepared for a quality of care committee for the sole or primary purpose of assisting the committee in carrying out its functions. It also includes information which relates solely or primarily to any activity that the committee carries on as part of its functions. It does not, however, include information contained in an incident report if the facts involving the incident are not fully recorded in the patient’s record.

A quality of care committee is specifically defined as a committee designated by a health facility as a quality of care committee, whose functions are to carry out activities for the purpose of studying, assessing or evaluating the provision of health care with a view to further improving the quality of care or the level of skill, knowledge and competence of the persons involved in the delivery of care within the facility.

To ensure that they may rely on the statutory protections for information generated in the course of quality reviews, hospitals will wish to ensure that the hospital committee addressing quality reviews will be found to be a quality of care committee as defined in the QCPA. To rely on the protections set out in the Act, the information generated must be for the sole and primary purpose of assisting the committee in carrying out its functions, or relate to an activity the committee undertakes as part of its functions.
