The Personal Health Information Protection Act, 2004 (PHIPA) is Ontario’s privacy law that governs how personal health information (PHI) is collected, used, and disclosed. For healthcare providers—whether you’re a sole practitioner, part of a small clinic, or operating a healthcare corporation—PHIPA compliance is not optional. It’s a legal requirement.
PHIPA was created with a dual purpose: to protect the confidentiality of patient health information while still allowing the appropriate flow of information needed to deliver safe, effective, and timely care. The law gives patients clear rights, places defined responsibilities on healthcare providers, and establishes enforcement authority through the Information and Privacy Commissioner of Ontario (IPC).
PHIPA is designed to establish clear rules for how personal health information is handled in Ontario’s healthcare system. Its goals include protecting patient privacy and confidentiality, giving individuals the right to access and correct their health records, providing an independent process for complaints through the IPC, and offering remedies when violations occur—including fines and compliance orders.
A Health Information Custodian (HIC) is any individual or organization that has custody or control of personal health information. This includes physicians, nurse practitioners, clinics, hospitals, pharmacies, laboratories, and other health service providers.
Personal Health Information refers to identifying information about an individual that relates to their physical or mental health, healthcare history, care received, or eligibility for health services.
A Substitute Decision-Maker is a person legally authorized to make decisions about another individual’s health information when that individual is incapable of doing so themselves.
Under PHIPA, custodians are responsible for maintaining control over personal health information until it is lawfully transferred. They must ensure information is accurate, complete, and up to date, and protect it against theft, loss, or unauthorized access.
Custodians are also required to notify individuals promptly if a privacy breach occurs, securely retain records for required retention periods, and dispose of records safely when no longer needed. In addition, every organization must designate a contact person responsible for PHIPA compliance and responding to public inquiries.
Consent must be knowledgeable and voluntary, meaning the patient understands what information is being collected or shared and agrees freely.
Express consent is required when disclosing personal health information to non-custodians or for purposes unrelated to healthcare, such as marketing.
Implied consent may be used in certain healthcare situations, particularly within the “circle of care,” where information is shared among providers directly involved in a patient’s treatment.
PHIPA also includes a lock-box provision, which allows patients to restrict the use or disclosure of specific health information unless they provide express permission.
PHIPA limits the collection, use, and disclosure of personal health information to what is reasonably necessary for the intended purpose. Permitted uses include planning, delivering, and evaluating healthcare services, quality improvement and risk management, payment processing and fraud prevention, approved research, legal proceedings, public health reporting, and situations involving a risk of serious harm.
Fundraising activities are permitted under limited conditions, provided patients are informed and given clear opt-out options. Marketing activities always require express consent. Research involving personal health information must receive approval from a Research Ethics Board and follow strict privacy safeguards.
Healthcare providers using electronic systems must take additional precautions. These include maintaining audit logs that track who accesses or modifies personal health information, implementing secure digital health identifier systems with proper consent, and ensuring that any electronic service providers or vendors also comply with PHIPA requirements.
The Information and Privacy Commissioner of Ontario has broad enforcement powers. The IPC can investigate complaints, conduct reviews, issue binding orders, impose administrative penalties, and refer serious offences for prosecution.
Penalties can be significant—up to $200,000 for individuals and $1,000,000 for corporations.
Non-compliance with PHIPA can lead to costly fines, mandatory changes to your information practices, reputational damage, and loss of patient trust. In a healthcare environment that increasingly relies on digital records and electronic communication, understanding and meeting PHIPA obligations is essential to protecting both your patients and your practice.
