If you’re a healthcare provider in Ontario—whether you’re a sole practitioner, part of a small clinic, or operating a healthcare corporation—you are legally required to protect your patients’ personal health information (PHI). The Personal Health Information Protection Act, 2004 (PHIPA) is Ontario’s comprehensive health privacy law that governs how PHI must be collected, used, stored, and disclosed.
PHIPA is designed to protect patient privacy while still allowing the appropriate flow of information needed to deliver safe, effective care. It applies not only to healthcare providers themselves, but also to staff, contractors, and third-party service providers who handle health information on a provider’s behalf.
PHIPA exists to ensure that personal health information is handled responsibly and respectfully. It requires consent for the collection, use, and disclosure of PHI, subject to limited legal exceptions. It also ensures that healthcare providers treat PHI as confidential and secure, grants individuals the right to access and correct their health records, and allows patients to withdraw consent for how their information is handled.
In addition, PHIPA sets specific rules for fundraising, marketing, and research activities that involve personal health information, and it establishes a formal complaint and enforcement process through the Information and Privacy Commissioner of Ontario (IPC).
PHIPA gives patients meaningful control over their health information. Individuals have the right to know why and how their information is being collected, used, or shared. They must be notified if their PHI is lost, stolen, or accessed without authorization. Patients can refuse or withdraw consent for the collection, use, or disclosure of their information in many circumstances, access their health records, and request corrections if information is inaccurate or incomplete.
If patients believe their rights have been violated, they have the right to file a complaint with the IPC.
PHIPA applies broadly across Ontario’s healthcare system. It covers health information custodians, including healthcare practitioners, clinics, hospitals, long-term care homes, pharmacies, laboratories, and community care agencies. It also applies to agents, such as employees, contractors, and volunteers who are authorized to handle PHI on behalf of a custodian.
In addition, PHIPA applies to electronic service providers that store, transmit, or process PHI for healthcare organizations, as well as health information network providers that facilitate the secure electronic exchange of PHI between custodians.
Personal health information includes any identifying information related to an individual’s physical or mental health, healthcare history, treatments received, or eligibility for healthcare services. This can include payment or billing information, Ontario health card numbers, organ or tissue donation details, and information about substitute decision-makers.
PHIPA generally does not apply to identifying information about employees unless that information is directly related to healthcare delivery.
Consent is a cornerstone of PHIPA. Express consent, given clearly either orally or in writing, is required for activities such as marketing, most fundraising communications, and sharing PHI with non-custodians. Implied consent may be relied upon in certain healthcare situations, particularly within the “circle of care,” where information is shared among providers directly involved in a patient’s treatment.
PHIPA also includes a lock-box provision, allowing patients to restrict the sharing of specific pieces of their health information unless they give express consent.
Healthcare providers must collect only the minimum amount of personal health information necessary to achieve the intended purpose. Information should be collected directly from the patient unless an exception applies, such as an emergency or a situation in which collection from another source is permitted by law.
Use and disclosure of PHI must be limited to authorized purposes, including healthcare delivery, meeting legal obligations, quality improvement initiatives, and approved research activities.
PHIPA allows fundraising activities under specific conditions, typically with implied consent, provided patients are informed and given a clear opportunity to opt out. Marketing activities always require express consent.
Research involving personal health information is subject to strict requirements. Most research must be approved by a research ethics board and include strong privacy safeguards. In limited cases, PHI may be used without consent if the research is in the public interest and meets defined legal criteria.
If personal health information is lost, stolen, or accessed without authorization, immediate action is required. Agents must notify the custodian as soon as possible. Custodians must then notify affected individuals and, in certain cases, report the breach to the Information and Privacy Commissioner of Ontario.
Timely notification and proper documentation are critical to meeting PHIPA obligations and reducing risk.
Failing to comply with PHIPA can have serious consequences. Individuals may face fines of up to $50,000, while organizations can be fined up to $250,000. Beyond financial penalties, non-compliance can result in reputational damage, loss of patient trust, and increased scrutiny from regulators.
For Ontario healthcare providers, PHIPA compliance is not just a regulatory obligation—it’s a core part of delivering ethical, trustworthy care in an increasingly digital healthcare environment.