Ontario is unique for having passed provincial legislation specifically regarding the privacy of Personal Health Information (PHI) that has also been deemed “Substantially Similar” to federal law. There are many details clinics need to keep in mind and actions they need to take to become compliant.
Jump to a section:
- Privacy Laws for Health Records in Ontario
- Personal Health Information (PHI) in Ontario
- PHIPA’s Basic Principles of Collection, Use and Disclosure
- Action Items for Compliance with PHIPA
- Consent under PHIPA
- Who enforces privacy laws for Ontario?
- Other Privacy Laws in Ontario
Privacy Laws for Health Records in Ontario
Private-sector businesses conducting commercial transactions in Ontario - including all disciplines of allied health clinics and solo practitioners - must handle personal information in accordance with Ontario’s privacy legislation:
This is because PHIPA has been deemed “Substantially Similar” to federal privacy law:
PHIPA Ontario, therefore, can in most cases be used in place of Canada’s federal law where health records are concerned. The law applies to all “health information custodians,” including allied health clinics delivering health care services and practitioners who provide health care for payment, regardless of whether the services are publicly funded or not.
You can read more about federal privacy law in Canada and how that relates to provincial law in our Guide document: PIPEDA and Other Privacy Laws in Canada.
Personal Health Information (PHI) in Ontario
In Ontario, personal information includes any and all information related to the provision of health care for an individuals physical or mental health. This includes:
personal identification information
plans of service
eligibility for health care
information regarding body parts or substances
PHI also includes any other information not specifically listed that can identify the individual or a substitute decision maker who acts on the individual’s behalf.
PHIPA’s Basic Principles of Collection, Use and Disclosure
Under PHIPA, clinics in Ontario must follow a set of basic principles when they are collecting, using or disclosing PHI. These are:
Only collect, use or disclose PHI if the individual consents or if required by PHIPA.
Do not collect, use or disclose PHI if other information will serve the purpose.
Do not collect, use or disclose more PHI than necessary to meet the purpose.
For marketing purposes, express consent is required.
You may ask for consent to collect, use or disclose information for fundraising purposes, and if you limit information to name and mailing address and you provide an easy way to opt out, you may assume implied consent.
Limit collection of health numbers to purposes related to provincially-funded health resources, explicit disclosure by the individual, official purposes of health professionals, health administration, planning or research.
Collect PHI directly from the individual unless otherwise impossible. If you must collect PHI indirectly, consult PHIPA on acceptable reasons and parameters.
Action Items for Compliance with PHIPA
To uphold those basic principles under PHIPA, there are many tasks that clinics, practitioners, and staff need to make sure they are completing.
1) Keep up-to-date health records
Keep all PHI and information that identifies individuals, administrative and clinical, as up-to-date as possible. The law also allows for prioritization. For instance, in a clinical setting, it will often be much more important to have up-to-date clinical health records than administrative contact information. In an ideal world, all data is perfect. In practice, first choose to spend time keeping health records as accurate as possible and then work on keeping additional patient information accurate as well.
Clinics and practitioners are required to make a reasonable effort to correct any record that is inaccurate or incomplete and respond to an individual’s request to correct a record within 30 days. Clinics and practitioners should also be available, to a reasonable extent, to inform anyone to whom the information has been disclosed of changes.
2) Keep records secure
Protect PHI from theft, loss, and unauthorized use - make sure records are retained, transferred and disposed of in a secure manner.
Juvonno can help you keep PHI secure: Security FAQ
3) Store records for appropriate time frames
When a record is requested by an individual, keep records until all procedural matters involving that request have been completed. For example, until a complaint to the Privacy Commissioner has been fully resolved.
4) Create Breech Procedures
If PHI is ever disclosed in a manner not described in your information practices that you make public, you must first, inform the individual of that use or disclosure, make a note of the disclosure in your records of PHI, and keep the note as part of the individual’s record.
5) Appoint a Privacy Contact Person
Designate a contact person who is responsible for compliance, training, responding to inquiries & access to records, receiving complaints about contraventions of the Act.
6) Publish Privacy Practices
Make available to the public a written statement of your clinic/practitioner’s PHI practices, contact information for your PHI contact person, process for obtaining access to records or correcting a record, how to make a complaint to your clinic, you the practitioner or to the Privacy Commissioner directly.
7) Consider Appointing an Agent/Handler
When preferred, a clinic/practitioner may permit an agent to handle PHI.
8) Obtain Consent
Obtain express or implied consent, where appropriate, for the collection, use and disclosure of PHI. (Scroll down to the Consent section of this document for more information on consent required in Ontario).
9) Provide Access to PHI
When requested, provide individuals access to their PHI within 30 days of a request made orally or in writing.
Right of Access Limitations under PHIPA The right of access applies only to records that are dedicated to one individual. If a record is about more than one individual, only the portion of the record about that individual may be granted. Right of access also does not apply to quality of care information, quality assurance information, raw data from psychological tests and assessments or other types of specified information. Certain legal privileges, laws, proceedings, inspections, and investigations may restrict disclosure in some cases. Right of access does not apply if disclosure would result in serious harm to any person.
Consent under PHIPA
PHIPA Ontario’s general principles state that clinics need either express or implied consent to collect, use and disclose PHI. The specifics of when you need express consent or when implied consent is OK are highly strict under PHIPA. First, let’s review the difference between the two:
Definition of Implied Consent - permission for an action can be assumed based on the circumstance and related information. When PHI disclosure is for the purpose of providing further health care - for example, in the case of disclosing PHI when referring care to another practitioner - consent can be implied.
Definition of Express Consent - the act of an individual expressly giving permission for an action. When PHI disclosure is for any other purpose not related to extending health care services, consent must be express.
Although, Consent is NOT required for collection, use and disclosure when the clinic/practitioner believes based on reasonable grounds that collection, use or disclosure is necessary to eliminate or reduce a significant risk of bodily harm to one or more persons.
There are also other very specific exceptions to consent regulations.
It’s OK to USE PHI without consent:
when you are using the information for the purpose for which it was already collected
if you are required by law to disclose it
for risk/error management or to improve the quality of care
to educate agents who provide health care
for purposes involving disposing of or modifying the information to conceal the identity of the individual
when your purpose is to obtain consent for a legal proceeding, to obtain payment for healthcare, for research (subject to certain conditions), or if permitted and/or required by law.
Please refer to PHIPA Ontario for further details if any of these situations applies to you or your clinic.
It’s OK to DISCLOSE PHI without consent:
If an individual has provided religious affiliation, consent may be implied to disclose an individual’s name and the name and location in the health care facility to a religious representative.
A pharmacist may disclose PHI to a third party who is being asked to provide payment for medication or related goods.
when disclosure is to provide further health care
when disclosure is related to a deceased individual
to mitigate risks (exercise good judgement in determining what is a significant risk)
when PHI is given to a successor
for research approved by the ethics board
to monitor health care payments
to analyze the health care system
or if disclosure has been otherwise approved by the Commissioner.
Please refer to PHIPA Ontario for further details if any of these situations applies to you or your clinic.
When is consent on behalf of another reasonable?
An individual may authorize another person to act on his or her behalf.
A parent may consent on behalf of a child who is less than 16 years of age.
A substitute decision maker may consent on behalf of an individual who is incapable of consent.
An estate trustee or administrative person may provide consent for a deceased person.
A person who is required by law to act on behalf of another person may provide consent for that individual.
Who enforces privacy laws for Ontario?
Ontario’s privacy laws are upheld and enforced by the Information and Privacy Commissioner of Ontario.
Privacy is a fundamental right for all people living in Ontario. The Commissioner is responsible for ensuring that Health information custodians follow the rules set out under the Personal Health Information Protection Act (PHIPA).
An individual found guilty of committing an offence under PHIPA can be liable for a fine of up to $100,000, while an organization or institution can be liable for a fine of up to $500,000.
Other Privacy Laws in Ontario
If you are practicing under Ontario’s government or any other public-sector entity, for example a police force, you’ll also need to make sure you comply with Ontario’s public-sector legislation:
- Freedom of Information and Protection of Privacy Act - for the general public sector
As well as Ontario’s
- Municipal Freedom of Information and Protection of Privacy Act - specifically for municipal governments and organizations.
If you think you might be practicing under provincial or municipal public-sector law in Ontario, have a look at Ontario’s resource for step-by-step advice on how to follow the law from beginning to end: Planning for Success: Privacy Impact Assessment Guide