Your Health Privacy Rights in Ontario

Ontario’s health privacy legislation, the Personal Health Information Protection Act (PHIPA), establishes a set of rules regarding your personal health information (PHI). PHIPA gives you the right to:

  • be informed of the reasons for the collection, use and disclosure of your personal health information;
  • be notified of the theft or loss or of the unauthorized use or disclosure of your personal health information;
  • refuse or give consent to the collection, use or disclosure of your personal health information, except in certain circumstances;
  • withdraw your consent by providing notice;
  • expressly instruct that your personal health information not be used or disclosed for health care purposes without your consent;
  • access a copy of your personal health information, except in limited circumstances;
  • request corrections be made to your health records;
  • complain to our office if you are refused access to your personal health information;
  • complain to our office if you are refused a correction request;
  • complain to our office about a privacy breach or potential breach; and
  • begin a proceeding in court for damages for actual harm suffered after an order has been issued or a person has been convicted of an offence under PHIPA.


WHAT ARE THE RESPONSIBILITIES OF HEALTH INFORMATION CUSTODIANS UNDER PHIPA?

Health information custodians who have custody or control of your personal health information are required to:

  • designate or take on the role of a contact person to:
    • respond to your access/correction requests;
    • receive complaints about alleged breaches of PHIPA;
    • respond to inquiries about their information practices.
  • obtain your consent when collecting, using and disclosing your PHI, except in limited circumstances, such as a medical emergency;
  • collect PHI as permitted or required by PHIPA, but no more than is reasonably necessary;
  • take reasonable precautions to safeguard your PHI against theft and loss, as well as unauthorized use, disclosure, copying, modification or disposal;
  • notify you, at the first reasonable opportunity, of the theft or loss or of the unauthorized use or disclosure of PHI;
  • inform you of any uses and disclosures of your PHI without your consent that occurred outside of their information practices;
  • ensure that your health records are as accurate, up-to-date and complete as necessary for the purposes for which they are used or disclosed;
  • ensure that your health records are retained, transferred and disposed of in a secure manner;
  • ensure that all employees, staff and agents are appropriately informed of their duties and obligations under PHIPA.