The Personal Health Information Protection Act, 2004 (PHIPA) is Ontario’s cornerstone law for safeguarding patient privacy. It sets out clear rules for how personal health information can be collected, used, and shared — while guaranteeing individuals specific rights over their own health data. From defining what counts as personal health information to outlining the responsibilities of healthcare providers, PHIPA strikes a balance between protecting confidentiality and enabling the flow of information needed to deliver quality care.
Purposes of the Personal Health Information Protection Act
The Act aims to protect personal health information while ensuring individuals' rights regarding their health data.
- Establishes rules for the collection, use, and disclosure of personal health information.
- Protects confidentiality and privacy of individuals.
- Grants individuals the right to access and correct their personal health information.
- Provides for independent review and resolution of complaints.
- Offers effective remedies for violations of the Act.
Definitions Relevant to Personal Health Information
The Act includes specific definitions that clarify key terms related to personal health information.
- "Account management services" refers to services maintaining the confidentiality and integrity of digital health identifiers.
- "Health information custodian" includes various healthcare providers and organizations with custody of personal health information.
- "Personal health information" encompasses identifying information related to an individual's health, care, and eligibility for services.
- "Substitute decision-maker" is authorized to consent on behalf of individuals regarding their health information.
Health Information Custodian Responsibilities
The Act outlines who qualifies as a health information custodian and their responsibilities regarding personal health information.
- Custodians include healthcare practitioners, hospitals, and health service providers.
- Specific exceptions exist for certain individuals and organizations not classified as custodians.
- Custodians must maintain custody and control of personal health information until legally transferred.
Personal Health Information Definition and Scope
The Act defines personal health information and its components, establishing the scope of what is protected.
- Personal health information includes data related to an individual's physical or mental health, care, and health number.
- Identifying information is defined as data that can identify an individual or could reasonably be used to do so.
- Exceptions exist for information primarily related to employees of the custodian.
Substitute Decision-Maker Provisions
The Act specifies the role and authority of substitute decision-makers in relation to personal health information.
- Substitute decision-makers can consent to the collection, use, or disclosure of personal health information.
- Their authority extends to decisions about treatment and admission to care facilities.
- Specific provisions are in place for personal assistance services and confinement decisions.
Application and Conflict Resolution of the Act
The Act applies to the collection, use, and disclosure of personal health information and outlines conflict resolution.
- The Act applies to all personal health information collected or disclosed after its enactment.
- In case of conflict with other legislation, this Act prevails unless specified otherwise.
- The Act binds the Crown, including all ministries and agencies.
Non-Application of Freedom of Information Acts
The Freedom of Information and Protection of Privacy Act does not apply to personal health information held by health information custodians unless specified otherwise.
- Personal health information is exempt from the Freedom of Information and Protection of Privacy Act and the Municipal Freedom of Information and Protection of Privacy Act.
- Exceptions include specific sections of both Acts that apply to records of personal health information in the custody of health information custodians acting as institutions.
- Records prepared by institutions are deemed to be subject to certain clauses of the Freedom of Information Acts.
- Individuals retain the right to access personal health information if certain information can be severed from the record.
Prescribed Organization Exemption
The Act specifies that personal health information in the custody of a prescribed organization is not subject to the Freedom of Information and Protection of Privacy Act.
- The Act does not apply to personal health information held by prescribed organizations unless stated otherwise.
- This exemption will take effect on a date determined by the Lieutenant Governor in Council.
Transition Provisions for Previous Requests
The Act does not apply to access requests made before it came into force; those requests continue to be governed by the laws that applied at the time.
- Any collection, use, or disclosure of personal health information that took place before the Act came into force likewise remains governed by the laws that applied at the time.
Duration of Personal Health Information Protection
Personal health information is protected for a specific duration after which it is no longer covered by the Act.
- The Act ceases to apply to personal health information 120 years after the record containing it was created, or 50 years after the individual's death.
Rights and Legal Privileges
The Act does not interfere with various legal rights and privileges related to personal health information.
- It does not affect subrogated claims, legal privileges, or the law of evidence.
- Courts retain the power to compel testimony or document production.
Information Practices for Health Custodians
Health information custodians must implement information practices to protect personal health information.
- Custodians are required to have information practices that comply with the Act and its regulations.
- They must ensure compliance with these practices and take reasonable steps to protect personal health information.
Electronic Audit Log Requirements
Health information custodians using electronic means must maintain an electronic audit log.
- Custodians must maintain an electronic audit log detailing access and modifications to personal health information.
- The log must include specific information such as the type of information accessed, date and time, and identities of individuals involved.
Accuracy and Disclosure of Personal Health Information
Custodians must ensure the accuracy of personal health information they use or disclose.
- Reasonable steps must be taken to ensure the information is accurate, complete, and up-to-date.
- Limitations on the accuracy of disclosed information must be communicated to recipients.
Security Measures for Personal Health Information
Health information custodians are responsible for protecting personal health information against unauthorized access and disclosure.
- Reasonable steps must be taken to secure personal health information from theft, loss, and unauthorized use.
- Individuals must be notified promptly in case of theft or unauthorized disclosure of their personal health information.
Record Handling and Retention Policies
Custodians must manage the retention, transfer, and disposal of personal health information securely.
- Records must be retained for as long as necessary to allow individuals to exhaust their rights under the Act.
- Custodians may keep records in reasonable locations with the individual's consent.
Accountability and Public Awareness
Health information custodians must designate a contact person for compliance and public inquiries.
- Custodians are required to provide a written public statement outlining their information practices and how individuals can access their information.
Consent Requirements for Personal Health Information
Consent is necessary for the collection, use, or disclosure of personal health information.
- Consent must be knowledgeable, relate to the information, and not be obtained through deception.
- Implied consent is allowed in certain circumstances, but explicit consent is required for disclosures to non-custodians.
Capacity and Substitute Decision-Making
The Act outlines the capacity of individuals to consent to the handling of their personal health information.
- Individuals are presumed capable of consenting unless there are reasonable grounds to believe otherwise.
- Substitute decision-makers may consent on behalf of individuals who are incapable of doing so.
Collection, Use, and Disclosure Limitations
Health information custodians must adhere to strict limitations regarding the collection, use, and disclosure of personal health information.
- Personal health information should only be collected with consent or as permitted by law.
- Custodians must not collect more information than necessary for the intended purpose.
Authorized Uses of Personal Health Information
The text outlines the various purposes for which a health information custodian may use personal health information.
- Custodians can use information for planning, delivering, and evaluating health programs and services.
- Uses include risk management, quality improvement, and fraud prevention.
- Information can be used for educating healthcare agents and obtaining consent from individuals or their decision-makers.
- Disclosure is permitted for legal proceedings, payment processing, and research with ethics board approval.
- Custodians may also disclose information as required by law or treaties.
Disclosure of Personal Health Information
The text details the circumstances under which a health information custodian may disclose personal health information.
- Disclosure to other custodians for the provision of health care is allowed when consent cannot be obtained in a timely manner.
- Information can be shared for funding determinations or contacting relatives of incapacitated individuals.
- Specific disclosures are permitted for deceased individuals regarding their identity and circumstances of death.
- Custodians may disclose information for eligibility verification for healthcare services and audits.
Research and Ethics in Health Information
The text specifies the requirements for using personal health information in research.
- Research plans must be approved by a research ethics board before using personal health information.
- The custodian must prepare a detailed research plan outlining objectives and benefits.
- Researchers must comply with conditions set by the ethics board and cannot publish identifiable information.
- The section also addresses mixed uses of personal and health information in research contexts.
Risk Management and Quality Improvement
The text emphasizes the importance of using personal health information for risk and quality management.
- Custodians can disclose information to reduce risks of serious bodily harm to individuals or groups.
- Information may be used to improve the quality of care and related services provided by custodians.
- The focus is on ensuring that health services are effective and safe for individuals receiving care.
Access and Correction of Personal Health Information
The text describes individuals' rights to access and correct their personal health information.
- Individuals have the right to access their health records unless restricted by legal privileges or other acts.
- Requests for access must be made in writing and contain sufficient detail for identification.
- Health information custodians must respond within 30 days, with possible extensions under certain conditions.
- Individuals can request corrections to their records if they believe the information is inaccurate or incomplete.
Health Information Custodian Responsibilities
Health information custodians must manage requests for corrections to personal health information in a timely and transparent manner.
- Written notice of extension must be provided, detailing the length and reason for the extension.
- Requests for corrections must be granted or refused within the extended time limit.
- A deemed refusal occurs if a request is not addressed within the required time frame.
Handling Frivolous or Vexatious Requests
Health information custodians can refuse requests deemed frivolous or vexatious, with obligations to inform the individual.
- Custodians must provide reasons for refusal and inform individuals of their right to complain to the Commissioner.
- Individuals can file complaints regarding refusals based on frivolous or vexatious grounds.
Duty to Correct Inaccurate Records
Custodians are required to correct personal health information if it is proven to be incomplete or inaccurate.
- Corrections must be made if the individual provides sufficient information to support the claim.
- Exceptions exist for records not created by the custodian or for professional opinions made in good faith.
Procedures Following Corrections
Upon granting a correction request, custodians must follow specific procedures to update records and notify relevant parties.
- Correct information must be recorded, and incorrect information must be struck out or labeled.
- Individuals must be notified of the actions taken, and custodians must inform others who received the incorrect information if requested.
Rights of Individuals Regarding Refusals
Individuals have specific rights if their correction requests are refused or deemed refused.
- They can prepare a statement of disagreement and require it to be attached to their records.
- Individuals can also complain to the Commissioner about the refusal.
Electronic Health Record Regulations
The prescribed organization is responsible for developing and maintaining electronic health records while ensuring privacy and security.
- The organization must manage personal health information and ensure data quality through audits and assessments.
- It must comply with regulations regarding the collection, use, and disclosure of personal health information.
Consent Directives and Their Management
Individuals can issue consent directives regarding the collection, use, and disclosure of their personal health information.
- The prescribed organization must implement these directives and assist individuals in formulating them if necessary.
- Consent directives can be modified or withdrawn by the individual at any time.
Ministerial Directives and Oversight
The Minister has the authority to issue directives to the prescribed organization regarding its operations and compliance.
- Directives must be reviewed by the Commissioner and the advisory committee before implementation.
- The Minister must ensure public consultation and transparency in the directive process.
Digital Health Identifier Activities
The prescribed organization is authorized to conduct digital health identifier activities with individual consent.
- Personal health information can be collected and disclosed for validation and verification services.
- The organization must ensure that only necessary information is collected and that privacy is maintained.
Breach Notification Requirements
In the event of a breach involving digital health identifier records, the prescribed organization must notify affected individuals.
- Notifications must include information about the individual's right to complain to the Commissioner.
- The organization must also inform the Commissioner of significant breaches as per regulations.
Powers and Responsibilities of the Commissioner
The Commissioner has extensive powers to conduct reviews and enforce compliance with health information regulations.
- The Commissioner can inspect records and demand the production of relevant documents.
- Entry to dwellings requires consent or a search warrant.
- Inspections must occur during reasonable hours and not interfere with healthcare services.
- Individuals must not obstruct the Commissioner or provide false information.
- The Commissioner can compel testimony and inspect personal health information under specific conditions.
Review Process and Orders
The Commissioner can issue orders following a review to ensure compliance with health information regulations.
- After a review, the Commissioner may direct health information custodians to grant access to records or make corrections.
- Orders can require cessation of non-compliant practices or the return of improperly handled records.
- The Commissioner can impose administrative penalties for contraventions of the Act.
- Orders may include terms deemed appropriate by the Commissioner.
Administrative Penalties and Appeals
The Act outlines the process for imposing administrative penalties and the rights to appeal such orders.
- Administrative penalties are intended to encourage compliance and to prevent a person from deriving an economic benefit from a violation.
- Penalties must be paid to the Minister of Finance and can be appealed within 30 days.
- For the appeal process, the Commissioner certifies the order together with the reasons for it.
Confidentiality and Protection of Information
The Act emphasizes the confidentiality of personal health information and the protection of individuals involved in reviews.
- Information disclosed during reviews is generally not admissible in court, except in perjury cases.
- The Commissioner and staff are not compellable witnesses regarding confidential information.
- Precautions must be taken to protect personal health information during legal proceedings.
Offences and Penalties for Violations
The Act specifies offences related to the mishandling of personal health information and outlines penalties.
- Offences include wilfully collecting or disclosing information in contravention of the Act.
- Penalties for individuals can reach up to $200,000 or one year of imprisonment.
- Corporations can face fines up to $1,000,000 for violations.
- Prosecutions require the consent of the Attorney General.
Regulatory Framework and Public Consultation
The Lieutenant Governor in Council has the authority to make regulations under the Act, with provisions for public consultation.
- Regulations can specify definitions, exemptions, and requirements for health information custodians.
- Public consultation is required before making regulations, with a minimum comment period of 60 days.
- The Minister can expedite regulations in urgent situations or for minor clarifications.