The Personal Health Information Protection Act, 2004 (PHIPA) is Ontario’s cornerstone legislation for protecting patient privacy. It sets clear, legally binding rules for how personal health information can be collected, used, and disclosed, while also guaranteeing individuals specific rights over their own health data. For healthcare providers, PHIPA is designed to strike a careful balance: protecting confidentiality without disrupting the flow of information needed to deliver safe, effective care.
From defining what qualifies as personal health information to outlining the responsibilities of healthcare providers and enforcement powers of regulators, PHIPA forms the foundation of privacy compliance in Ontario’s health system.
At its core, PHIPA exists to protect personal health information while empowering individuals with control over their data. The Act establishes clear rules governing how health information is collected, used, and shared, ensures confidentiality and privacy, and grants individuals the right to access and request corrections to their records. It also provides an independent complaint and review process through the Information and Privacy Commissioner of Ontario (IPC) and creates enforcement mechanisms, including fines and compliance orders, when violations occur.
PHIPA contains specific definitions that clarify who is responsible for health information and what data is protected. A health information custodian includes healthcare practitioners, clinics, hospitals, pharmacies, laboratories, and other organizations that have custody or control of personal health information. Personal health information refers to identifying information related to an individual’s physical or mental health, healthcare history, care received, or eligibility for services. A substitute decision-maker is someone legally authorized to make decisions about personal health information on behalf of an individual who is incapable of doing so themselves. The Act also addresses account management services, which relate to maintaining the security and integrity of digital health identifiers.
Health information custodians have significant obligations under PHIPA. They must maintain custody and control of personal health information until it is lawfully transferred, ensure information is accurate and up to date, and protect it against theft, loss, and unauthorized access. Custodians are also required to notify affected individuals at the first reasonable opportunity if their information is stolen, lost, or improperly accessed or disclosed, and, in the circumstances set out in the regulations, to notify the IPC as well.
Records must be retained securely for as long as necessary to allow individuals to exercise their rights under the Act, and disposed of in a secure manner when no longer required. Each custodian must designate a contact person responsible for PHIPA compliance and for responding to public inquiries, and must make a written public statement explaining their information practices.
PHIPA broadly defines personal health information to include data relating to an individual’s physical or mental health, healthcare history, care received, and Ontario health number. Identifying information includes anything that can directly identify an individual or could reasonably be used to do so. There are limited exceptions, such as certain information primarily related to employees of a custodian rather than patients.
Consent is central to PHIPA. In most cases, personal health information can only be collected, used, or disclosed with consent or where the law specifically permits it. Consent must be knowledgeable, relate to the information in question, and not be obtained through deception or coercion.
Implied consent may be relied upon in certain healthcare settings, particularly within the “circle of care,” where information is shared among providers directly involved in treatment. However, express consent is required for disclosures to non-custodians or for non-healthcare purposes such as marketing.
PHIPA also recognizes that not all individuals are capable of making decisions at all times. Individuals are presumed capable unless there are reasonable grounds to believe otherwise. When a person is incapable, a substitute decision-maker may consent on their behalf to the collection, use, or disclosure of their personal health information. Where that information relates to treatment or admission to a care facility, the substitute is generally the person authorized to make that underlying decision.
PHIPA requires custodians to limit the collection, use, and disclosure of personal health information to what is reasonably necessary for the intended purpose. Information may be used for planning, delivering, and evaluating healthcare services, quality improvement, risk management, fraud prevention, educating agents who provide health care, obtaining consent, and processing payments.
Disclosure is permitted in specific circumstances, including for legal proceedings, public health reporting, research approved by a research ethics board, and situations involving a risk of serious bodily harm. Custodians may also disclose information to other healthcare providers when care is required and consent cannot be obtained in a timely manner, unless the individual has expressly instructed the custodian not to make that disclosure.
The Act allows personal health information to be used for research, but only under strict conditions. Research must be approved by a research ethics board, supported by a detailed research plan, and conducted with safeguards to prevent the publication of identifiable information. PHIPA also supports the use of health information for quality improvement and risk management, recognizing the importance of data in improving patient safety and care outcomes.
Individuals have the right to access their personal health information, subject to limited exceptions such as legal privilege. Requests must be made in writing and include enough detail to identify the records. Custodians generally have 30 days to respond, with extensions allowed in specific circumstances.
If an individual believes their information is inaccurate or incomplete, they can request a correction. Custodians must either make the correction or explain why the request is refused. If a correction is refused, individuals may submit a statement of disagreement to be attached to their record and may file a complaint with the IPC.
For custodians using electronic systems, PHIPA imposes additional obligations. Electronic audit logs must be maintained to track access to and modification of personal health information. These logs must record details such as the type of information accessed, the date and time, and the identity of the person who accessed it. A log that is written but never reviewed detects nothing; its value lies in monitoring it for access that has no care-related justification and in protecting the log itself from alteration. Custodians must also ensure that electronic service providers comply with PHIPA's privacy and security requirements.
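The following is an added illustration, not code from the original page or from any PHIPA guidance, of what a custodian's audit-log checks can look like in practice. It parses a small constructed audit log, rejects records that lack the fields the Act requires, hash-chains the records so that later tampering is detectable, and flags accesses by staff who are not on the patient's care team. The JSON-lines format, the field names, the care-team table and the sample log lines are all assumptions made for this example.

```python
"""PHIPA-style electronic audit log checker (added example, not the page's own code).

Assumptions, labelled here: the JSON-lines record format, the field names,
the CARE_TEAM assignment table and the SAMPLE_LOG lines are all constructed
for this illustration. PHIPA says what a log must capture, not how to store it.
"""
import hashlib
import json
from collections import defaultdict

# Fields the Act requires (type of information, date/time, identity of the
# person accessing it) plus the record subject and the action, which are
# assumed here because a useful log cannot do without them.
REQUIRED_FIELDS = ("ts", "actor", "patient", "info_type", "action")

# Constructed sample log, one JSON object per line. The last line is
# deliberately missing "info_type" to show how incomplete records are handled.
SAMPLE_LOG = """\
{"ts": "2024-03-01T09:02:11Z", "actor": "dr.ahmed", "patient": "P-1001", "info_type": "lab_result", "action": "view"}
{"ts": "2024-03-01T09:05:40Z", "actor": "dr.ahmed", "patient": "P-1001", "info_type": "clinical_note", "action": "modify"}
{"ts": "2024-03-01T11:17:03Z", "actor": "rn.lee", "patient": "P-1002", "info_type": "medication", "action": "view"}
{"ts": "2024-03-01T13:44:58Z", "actor": "clerk.wong", "patient": "P-1001", "info_type": "clinical_note", "action": "view"}
{"ts": "2024-03-01T13:45:10Z", "actor": "clerk.wong", "patient": "P-1003", "action": "view"}
"""

# Constructed care-team table: which staff are involved in each patient's care.
CARE_TEAM = {
    "P-1001": {"dr.ahmed", "rn.lee"},
    "P-1002": {"rn.lee"},
    "P-1003": {"dr.ahmed"},
}


def parse_log(text):
    """Parse JSON-lines audit records; return (complete_records, incomplete_records)."""
    complete, incomplete = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if all(field in rec for field in REQUIRED_FIELDS):
            complete.append(rec)
        else:
            incomplete.append(rec)
    return complete, incomplete


def chain_hashes(records):
    """Tamper-evident hash chain: each hash covers the record and the previous hash,
    so editing or deleting an earlier record invalidates every later hash."""
    prev = "0" * 64
    hashes = []
    for rec in records:
        payload = prev + json.dumps(rec, sort_keys=True)
        prev = hashlib.sha256(payload.encode()).hexdigest()
        hashes.append(prev)
    return hashes


def verify_chain(records, hashes):
    """True if recomputing the chain over the records reproduces the stored hashes."""
    return chain_hashes(records) == hashes


def flag_out_of_team_access(records, care_team):
    """Return records whose actor is not on the patient's care team (candidate snooping)."""
    return [r for r in records if r["actor"] not in care_team.get(r["patient"], set())]


def patients_touched_per_actor(records):
    """Count distinct patients each actor accessed; a useful second signal for review."""
    seen = defaultdict(set)
    for r in records:
        seen[r["actor"]].add(r["patient"])
    return {actor: len(patients) for actor, patients in seen.items()}


if __name__ == "__main__":
    complete, incomplete = parse_log(SAMPLE_LOG)
    print(f"{len(complete)} complete records, {len(incomplete)} incomplete")
    for r in flag_out_of_team_access(complete, CARE_TEAM):
        print("review:", r["ts"], r["actor"], "accessed", r["patient"], r["info_type"])
    print("chain intact:", verify_chain(complete, chain_hashes(complete)))
```

Storing the chain hashes somewhere the application that writes the log cannot modify (a separate log host, or a periodically signed checkpoint) is what turns the chain into a real control; in the same database as the records it only detects accidental corruption.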
The Information and Privacy Commissioner of Ontario has broad powers to enforce PHIPA. The Commissioner can investigate complaints, inspect records, compel the production of documents, and issue binding orders. Administrative penalties may be imposed to encourage compliance and eliminate any economic benefit gained from violations.
Serious offences, such as wilfully collecting, using, or disclosing personal health information in contravention of the Act, can result in significant penalties. Individuals may face fines of up to $200,000 or imprisonment, while corporations can be fined up to $1,000,000. Prosecutions require the consent of the Attorney General.
PHIPA compliance is not just a regulatory requirement—it’s fundamental to maintaining patient trust. Non-compliance can lead to financial penalties, forced changes to information practices, reputational damage, and loss of confidence from patients and partners. As healthcare becomes increasingly digital, understanding and implementing PHIPA’s requirements is essential for protecting both patients and the long-term stability of a healthcare practice.