Frequently Asked Questions - Personal Health Information

What types of health care providers are required to comply with PHIPA?

  • Organizations and persons that are required to comply with PHIPA are referred to as Health Information Custodians (HICs) and are specifically listed in the legislation. 
  • Examples of HICs include:
    • a Medical Officer of Health within the meaning of the Health Protection and Promotion Act
    • an ambulance service
    • hospitals
    • regulated health care practitioners such as physicians, nurses, dentists, chiropractors, etc.
  • Refer to PHIPA, a copy of which can be viewed at Service Ontario e-laws External Link or The Information and Privacy Commissioner/Ontario External Link for a complete list of organizations and persons that are required to comply with this legislation

top of page

What types of information does PHIPA apply to?

  • Applies to personally identifiable information about the health or health care of an individual. 
  • Examples include:
    • information about one’s physical or mental condition including family health history
    • payment made for health care or eligibility for health care 
    • an individual’s health card number
    • the identity of an individual’s health care provider, etc. 
  • Health information that is non-identifying or that is maintained by a person or organization that is not a considered a HIC under PHIPA is generally not subject to PHIPA. 

top of page

What do I do if I am not sure of the staff person or program to contact for my personal health information?

  • Contact our well established customer service call centre, Access Halton, who can assist you with finding the appropriate contact for any type of inquiry. 
  • Dial 311 or call 905-825-6000 or 1-866-442-5866.

top of page

Who is entitled to act on another person’s behalf for the collection, use and disclosure of personal health information?

  • Substitute-decision makers, such as the following persons, are entitled to act on behalf of another individual:
    • a parent/legal guardian of a child under 16 years of age, with some exceptions
    • any person that has been given written authorization by an individual that is at least 16 years of age or the individual’s substitute decision-maker to consent
    • an estate trustee or person who has assumed responsibility for administration of a deceased’s estate
    • a person that has legal authority under PHIPA to consent for an incapable individual
    • a person that is entitled or required to act as a substitute decision-maker under legislation

top of page

How do I formally request access to or a correction of my personal health information?

  • Simply put your access or correction request in writing, ensuring to provide sufficient detail to enable staff to locate the records. 
  • Submit the written request to the staff person or program you believe has custody of your personal health information.
  • A response should be received within 30 days unless a notice of extension is issued under PHIPA. 
  • Prior to disclosure of information, staff may ask to verify your identity (e.g. where your mailing address information is incomplete or outdated or where you wish to access the record(s) in person and staff is not familiar with you).

top of page

As a parent, am I always entitled to access my child’s health information?

  • Parents are often entitled to access the personal health information of their children, although some limitations exist.
    Under PHIPA, HICs can disclose a child’s personal health information to a parent in the following circumstances:
    • to a custodial parent, if the information pertains to a child under 16 years of age and there is no implicit or explicit expectation of confidentiality or if no legal exception under PHIPA exists 
    • to a custodial parent of a child 16 years of age or older where the child has been deemed incapable of consenting and the custodial parent is considered the substitute decision-maker under legislation
    • to a non-custodial parent in the circumstances listed above, but only with the consent of the custodial parent or substitute decision-maker, as applicable
  • Other situations involving disclosure of a child’s personal health information may require the written authorization of the official substitute decision-maker or the child to whom the information relates.

top of page

When might I be denied access to personal health information?

  • Only in very limited circumstances.
  • Examples of where access may be denied include:
    • if the information is subject to legal privilege
    • if legislation or a court order prohibits disclosure of the information
    • if disclosure could reasonably be expected to seriously harm the treatment or recovery of an individual
    • if the disclosure could reasonably be expected to result in a risk of serious bodily harm to a person
    • if disclosure could lead to the identification of a person that was required by law to provide information in the record
    • if the information was prepared primarily for the purpose of an anticipated proceeding
    • if the information can be withheld from disclosure under freedom of information legislation; etc.
  • When a formal access request is partially or fully denied, staff must provide a written response outlining the reason(s) for denying access to the information.
  • Decisions on disclosure can be appealed to the Information and Privacy Commissioner’s office. 

top of page

What is freedom of information?

  • Freedom of Information (FOI) is legislation that gives the public a legal right to access records from government institutions, with some exceptions. 
  • Health Information Custodians that are part of a municipal or provincial government institution are subject to FOI with respect to general records.
  • Records requested under FOI that contain another individual’s personal health information must be severed prior to disclosure.
  • If a requested health record cannot reasonably be severed, it will not be disclosed.
  • Individuals that want to access their own health records must make the request under PHIPA directly to the health care provider instead of through FOI legislation.

top of page

What is implied consent?

  • It is a consent that is not expressed by an individual, but can be inferred from the surrounding circumstances. 
  • HICs often rely on implied consent for the collection, use or disclosure of personal health information, although only certain HICs may assume implied consent.
  • HICs can not rely on implied consent when disclosing personal health information to someone that is not a HIC or when disclosure is to another HIC but for a purpose not related to health care.

top of page

Does PHIPA allow me to access non-health related information that happens to be part of my health record, or do I have to request that under freedom of information?

  • PHIPA allows individual to access all information in their health records without the having to submit a separate request under freedom of information legislation.
  • In cases where a record is not dedicated primarily to the health care of an individual though (i.e. where a record contains very little personal health information about the requester), the requester may be directed to submit an FOI request.

top of page

Do I have to prove my identity if I call about my health information?

  • Callers may be asked to answer specific questions or provide documentation to prove their identity since HICs are required to take reasonable steps to ensure that personal health information is not disclosed to those not entitled to the information.

top of page

When might the Region use or disclose personal health information without consent?

  • Only in cases where use or disclosure is required or permitted by legislation
  • Examples include:
    • disclosing details to the Children’s Aid Society (CAS) under the Child and Family Services Act about children in need of protection
    • to researchers, but only in accordance with PHIPA’s stipulations
    • to those authorized to carry out certain statutory functions or law enforcement investigations, such as CAS, the Children’s Lawyer, police officers, etc. 
  • Staff will ensure to limit the disclosure to only what is needed to fulfil the request or legal requirements.

top of page

What will the Information and Privacy Commissioner’s Office do if I file a formal privacy breach complaint?

  • The IPC will conduct an investigation to gather relevant details (assuming it has jurisdiction to investigate). 
  • As part of the investigation, the IPC may:
    • review the personal health information at issue
    • ensure containment and notification steps have been taken
    • review applicable policies and procedures
    • obtain the Health Information Custodian’s position on the complaint; etc. 
  • Once the investigation is completed a report containing future-oriented recommendations or orders will be issued to help the HIC prevent similar privacy breaches from occurring in the future. 

top of page