Unauthorized access continues to be a growing problem in the health sector in Ontario. The province’s Personal Health Information Protection Act, (PHIPA), permits health information custodians (HIC) to collect, use and disclose personal health information for the purposes of providing or assisting in the provision of health care based on implied or assumed implied consent but prohibits the collection, use and disclosure of personal health information for any other purpose without the express consent of the individual, unless permitted or required by PHIPA.

It is important that HICs and their agents recognize that the issue of unauthorized access to personal health information, regardless of motive, is significant and is taken seriously. The protection of privacy should be integral to the delivery of health care and embedded into the culture of health care organizations. Developing and implementing a comprehensive approach, incorporating a variety of measures and ensuring agents are aware of the relevant privacy policies and procedures can go a long way toward preventing unauthorized access.

The purpose of this paper is to shed light on the extent of the problem and the potential consequences for individuals, custodians and their agents, and the entire health sector, and to provide guidance to custodians on minimizing the risk of unauthorized access.