Your health privacy rights in Ontario
Ontario’s health privacy legislation, the Personal Health Information Protection Act (PHIPA), establishes a set of rules regarding your personal health information (PHI). PHIPA gives you the right to:
- be informed of the reasons for the collection, use and disclosure of your personal health information;
- be notified of the theft or loss or of the unauthorized use or disclosure of your personal health information;
- refuse or give consent to the collection, use or disclosure of your personal health information, except in certain circumstances;
- withdraw your consent by providing notice;
- expressly instruct that your personal health information not be used or disclosed for health care purposes without your consent;
- access a copy of your personal health information, except in limited circumstances;
- request corrections be made to your health records;
- complain to our office if you are refused access to your personal health information;
- complain to our office if you are refused a correction request;
- complain to our office about a privacy breach or potential breach; and
- begin a proceeding in court for damages for actual harm suffered after an order has been issued or a person has been convicted of an offence under PHIPA.
What is a health information custodian?
A heath information custodian (“custodian”) is a person or organization described in the Personal Health Information Protection Act (PHIPA) that has custody or control of your personal health information. Health information custodians can include:
- a health care practitioner (e.g., a physician) or a person who operates a group practice of health care practitioners
- long-term care homes
- Local Health Integration Networks, including those functions previously performed by community care access centres
- hospitals, including psychiatric facilities
- specimen collection centres, laboratories, independent health facilities
- pharmacies
- ambulance services
- Ontario Agency for Health Protection and Promotion
Which health care providers are not classified as health information custodians?
Health information custodians do not include:
- health care practitioners and other persons or organizations that provide health care as agents of a custodian
- someone who evaluates or assesses capacity under the Health Care Consent Act or Substitute Decisions Act
- a health care practitioner who acts for or on behalf of a person who is not a custodian, if the scope of duties of the practitioner do not include the provision of health care (e.g., a physician examining a person for the purpose of providing a fitness report to an insurance company or employer)
- an aboriginal healer who provides traditional healing services to aboriginal persons or members of an aboriginal community
- an aboriginal midwife who provides traditional midwifery services to aboriginal persons or members of an aboriginal community
- a person who provides treatment solely by spiritual means or by prayer
What are the responsibilities of health information custodians under PHIPA?
Health information custodians who have custody or control of your personal health information are required to:
- have in place information practices that comply with PHIPA and to act in a way that complies with those information practices;
- designate or take on the role of a contact person to:
- help the custodian to comply with their obligations under PHIPA,
- ensure that agents of the custodian are appropriately informed of their duties,
- respond to inquiries from the public about their information practices,
- respond to your requests for access and corrections to your information,
- receive complaints about alleged breaches of PHIPA;
- produce a written public statement that describes:
- the information practices of the custodian,
- how to contact the custodian or their contact person,
- how an individual may obtain access to or request corrections to records of personal health information,
- how to make a complaint to the custodian and to the Commissioner under PHIPA;
- obtain your consent when collecting, using and disclosing your personal health information, except in limited circumstances where PHIPA allows the practice without consent;
- take steps to ensure that the custodian only collects, uses or discloses personal health information as permitted or required by PHIPA;
- take precautions to safeguard against theft, loss, as well as unauthorized collection, use, disclosure, copying, modification or disposal of your personal health information;
- notify you, at the first reasonable opportunity, of the theft or loss or of the unauthorized use or disclosure of personal health information;
- make note of and inform you, at the first reasonable opportunity, of any uses and disclosures of your personal health information that occurred outside of their information practices and without your consent;
- report certain privacy breaches to the Commissioner;
- ensure that your health records are accurate, up-to-date and complete as necessary for the purposes which they are used or disclosed;
- ensure that your health records are retained, transferred and disposed of in a secure manner;
- ensure that all employees, staff and other agents are appropriately informed of their duties and obligations under PHIPA.