If you’re a healthcare provider in Ontario — whether a sole proprietor, part of a small clinic, or operating a healthcare corporation — you are legally required to protect your patients’ personal health information (PHI). The Personal Health Information Protection Act, 2004 (PHIPA) is Ontario’s comprehensive privacy law that outlines how PHI must be collected, used, and disclosed.
PHIPA ensures the privacy of individuals while allowing the necessary flow of health information to provide effective care. It applies to health information custodians (HICs), their agents, and certain service providers who manage PHI on their behalf.
Purpose of PHIPA
PHIPA exists to:
- Require consent for the collection, use, and disclosure of PHI (with limited exceptions).
- Ensure custodians treat PHI as confidential and secure.
- Grant individuals the right to access and correct their health information.
- Allow individuals to withdraw consent for how their PHI is handled.
- Set rules for fundraising, marketing, and research that involve PHI.
- Provide a complaint process through Ontario’s Information and Privacy Commissioner (IPC).
Rights of Individuals Under PHIPA
Patients have the right to:
- Be informed about why and how their information is collected, used, or shared.
- Be notified if their PHI is lost, stolen, or accessed without authorization.
- Refuse or withdraw consent for the collection, use, or disclosure of PHI.
- Access their records and request corrections.
- Complain to the IPC if their rights are violated.
Who Must Comply with PHIPA
PHIPA applies to:
- Custodians: Healthcare practitioners, hospitals, long-term care homes, pharmacies, labs, community care agencies, and more.
- Agents: People authorized by custodians to handle PHI (staff, contractors, volunteers).
- Electronic Service Providers: Organizations that store or process PHI on behalf of custodians.
- Health Information Network Providers: Entities facilitating the secure electronic exchange of PHI between custodians.
What Counts as Personal Health Information
PHI includes:
- Information about physical or mental health
- Health care history and treatments
- Payments or eligibility for health care
- Ontario health card number
- Organ/tissue donations
- Substitute decision-maker details
It excludes identifying information about employees that’s not related to health care delivery.
Consent Under PHIPA
- Express Consent: Clearly given orally or in writing (required for marketing, fundraising, and sharing PHI with non-custodians).
- Implied Consent: Inferred from actions or circumstances, generally allowed within the “circle of care” for providing health services.
- Lock-Box: Patients can restrict certain PHI from being shared without their express consent.
Collection, Use, and Disclosure Rules
Custodians must:
- Collect only the minimum necessary PHI for the purpose.
- Collect directly from the patient unless exceptions apply (e.g., emergencies).
- Limit use and disclosure to authorized purposes (care delivery, legal duties, quality improvement, approved research).
Special Provisions
- Fundraising: Allowed with implied consent for charitable purposes, but patients must be informed and able to opt out.
- Marketing: Requires express consent.
- Research: Requires strict ethics review and privacy safeguards, with some cases allowing use without consent if in the public interest.
Breach Notification
If PHI is lost, stolen, or accessed without authorization:
- Agents must inform custodians immediately.
- Custodians must notify affected individuals and, in certain cases, the IPC.
Penalties for Non-Compliance
Violating PHIPA can lead to:
- Fines up to $50,000 for individuals
- Fines up to $250,000 for organizations
- Reputational damage and loss of patient trust