Your Health Privacy Rights in Ontario

Ontario’s health privacy legislation, the Personal Health Information Protection Act (PHIPA), establishes a set of rules regarding your personal health information (PHI). PHIPA gives you the right to:

  • be informed of the reasons for the collection, use and disclosure of your personal health information;
  • be notified of the theft or loss or of the unauthorized use or disclosure of your personal health information;
  • refuse or give consent to the collection, use or disclosure of your personal health information, except in certain circumstances;
  • withdraw your consent by providing notice;
  • expressly instruct that your personal health information not be used or disclosed for health care purposes without your consent;
  • access a copy of your personal health information, except in limited circumstances;
  • request corrections be made to your health records;
  • complain to our office if you are refused access to your personal health information;
  • complain to our office if you are refused a correction request;
  • complain to our office about a privacy breach or potential breach; and
  • begin a proceeding in court for damages for actual harm suffered after an order has been issued or a person has been convicted of an offence under PHIPA.


Health information custodians who have custody or control of your personal health information are required to:

  • designate or take on the role of a contact person to:
    • respond to your access/correction requests;
    • receive complaints about alleged breaches of PHIPA;
    • respond to inquiries about their information practices.
  • obtain your consent when collecting, using and disclosing your PHI, except in limited circumstances, such as a medical emergency;
  • collect PHI as permitted or required by PHIPA, but no more than is reasonably necessary;
  • take reasonable precautions to safeguard your PHI against theft and loss, as well as unauthorized use, disclosure, copying, modification or disposal;
  • notify you, at the first reasonable opportunity, of the theft or loss or of the unauthorized use or disclosure of PHI;
  • inform you of any uses and disclosures of your PHI without your consent that occurred outside of their information practices;
  • ensure that your health records are as accurate, up-to-date and complete as necessary for the purposes for which they are used or disclosed;
  • ensure that your health records are retained, transferred and disposed of in a secure manner;
  • ensure that all employees, staff and agents are appropriately informed of their duties and obligations under PHIPA.