- Report a Privacy Breach
- Collection, Use and Disclosure of Personal Health Information
- Responding to a Privacy Breach
- Unauthorized Access
- Access and Correction
- PHIPA Complaint Process
- Safeguarding Personal Health Information
- Your Health Privacy Rights in Ontario
- PHIPA Code of Procedure
Access and Correction
With limited exceptions, the Personal Health Information Protection Act (PHIPA) provides individuals with a right to access their personal health information held by a health information custodian (custodian), and sets out a formal procedure for access requests to custodians. The right of access does not apply to:
- records that contain quality of care information;
- personal health information required for quality assurance programs;
- raw data from psychological tests or assessments;
- personal health information used solely for research purposes; or
- personal health information that is in the custody or control of a laboratory for a test requested by a health care practitioner, where an individual has the right to access that information from the health care practitioner and the practitioner has not directed the lab to provide the information directly to the individual.
An individual may exercise a right of access to a record of personal health information by making a written request for access to the custodian that has custody or control of the information. Nothing in PHIPA prevents a custodian from granting an individual access to a record of personal health information if the individual makes an oral request for access.
You must respond as soon as possible in the circumstances, but no later than 30 days after receiving a request for access.
Extensions of up to a maximum of 30 additional calendar days are allowed, where meeting this time frame would unreasonably interfere with your operations, or where the necessary consultations would not make it reasonably practical to reply within that time frame. In such situations, you must inform the individual in writing of the extension and set out the length of the extension and the reasons for the extension.
You should then either make the record available for examination or provide a copy of the record. Otherwise, you must give a written notice to the individual seeking access stating that, after a reasonable search, the record does not exist, cannot be found or is not a record to which access applies. If you are entitled to refuse the request, in whole or in part, then you must give a written notice stating that the request is being refused and provide reasons for the refusal. The notice must also state that the individual is entitled to make a complaint about the refusal to the IPC. If an individual decides to complain to the IPC, the complaint must be in writing.
Where you do not respond to an access request within the required timeline, you will be deemed to have refused the request.
Generally, custodians must provide individuals with access to their records of personal health information.
You may only refuse access to a record of personal health information in limited situations, including where:
- the information in question is subject to a legal privilege that restricts disclosure of the record or the information to the individual.
- access could reasonably be expected to result in a risk of serious harm to the treatment or recovery of the individual or serious bodily harm to the individual or another person.
- the information was collected in the course of an inspection, investigation or similar procedure and the resulting proceedings, appeals or processes have not yet been concluded.
- another law prohibits the disclosure of that information.
If an exception applies, an individual must still be provided with access to the part of the record that can reasonably be separated from the part of the record that the individual does not have a right of access.
If a record is not dedicated primarily to personal health information about the individual requesting access, the individual only has a right of access to the portion of personal health information about the individual in the record that can reasonably be severed from the record for the purpose of providing access.
If you deny an individual access to their personal health information, they can file a written complaint with the IPC and our office may adjudicate that complaint.
You may charge a fee not exceeding reasonably cost recovery for providing access to an individual’s record of personal health information. PHIPA also permits a custodian to waive all or part of the fee associated with an access request. Before charging a fee, PHIPA requires you to first provide the individual with a fee estimate.
There is currently no regulation that sets the fee amount for providing access to an individual’s records of personal health information. However, our Health Order HO-009 interpreted reasonable cost recovery and found that a custodian may charge a fee of $30 for photocopying or printing the first 20 pages of a record and 25 cents per page for every additional page. This $30 fee includes additional activities, for example, locating and retrieving the record, reviewing the contents of the record for not more than 15 minutes and preparing a response letter to the individual.
WHAT IF I WORK FOR A NON-CUSTODIAN THAT IS COVERED UNDER PUBLIC SECTOR ACCESS AND PRIVACY LEGISLATION, SUCH AS A SCHOOL BOARD OR MUNICIPALITY?
The provisions of PHIPA regarding access to, and correction of, personal health information do not apply to records in the custody or under the control of a health care practitioner who is employed by or acting for an institution subject to the Freedom of Information and Protection of Privacy Act (FIPPA) or the Municipal Freedom of Information and Protection of Privacy Act (MFIPPA) that is not a health information custodian if the individual has the right to request access to the record under one of those Acts. In that case, the individual would submit an access request under FIPPA or MFIPPA. For example, if an individual would like to access personal health information collected by a psychologist who works for a school board, the individual should request the information from the school board, in accordance with MFIPPA, rather than directly to the psychologist.
If you are a custodian who works for a non-custodian that is not covered under FIPPA or MFIPPA, for example a private sector organization, the provisions of PHIPA would apply. In that case, the individual would submit an access request under PHIPA directly to you.