Personal Health Information Protection Act, 2004

The Personal Health Information Protection Act, 2004 ( PHIPA) enacted by Ontario is the Province’s new health-specific privacy legislation. It governs the manner in which personal health information is collected, used , and disclosed within the health care system. It also regulates individuals and organizations that receive personal information from health care professionals . PHIPA came into force on November 1 2004, after which time all health information custodians must comply.

This Act is designed to give individuals greater control over how their personal health information is collected, used , or disclosed. In addition, PHIPA confirms a patient's existing right to access one's own personal health information. It provides a means for complaint and correction through the Office of the Information and Privacy Commissioner/Ontario (IPC) when privacy rights relating to personal health information have been violated. It should be noted , however , that there is no obligation for custodians to seek consent for personal health information that was collected prior to this date.

The necessity of health privacy information in Ontario is based on the fact that the nature of our health care system requires that health information may pass through many hands, i.e.; from a doctor's office, to a specialist, a medical lab, a hospital , or an insurance company for reimbursement of claims. Also, personal health information must be readily shared, such as in the case of a medical emergency. The increasing use of technology to transfer and store medical data instantaneously has also increased the need for legislated rules to assure that that personal health information will be protected.

Certain organizations including insurance companies, schools , and employers – who may have custody or control of health information, are not governed by PHIPA. They are bound by PHIPA only when they receive personal health information from a health information custodian. Under other circumstances, they are governed by PIPEDA.

Health information custodians are individuals or organizations under PHIPA that, as a result of their power or duties, have custody or control of personal health information. They include:

• Health care practitioners, including doctors, nurses, pharmacists, psychologists and dentists;
• Hospitals;
• Psychiatric facilities;
• Pharmacies;
• Laboratories;
• Nursing homes and long-term care facilities;
• Retirement homes and homes for special care;
• Community care access centres;
• Ambulance services;
• Boards of health;
• The Minister of Health and Long-Term Care; and
• Entities prescribed by regulations that are not defined as health information custodians but are permitted to collect personal health information from health information custodians for the purpose of health planning and management.

Custodians do not include :

• Aboriginal healers or midwives who provide traditional healing services to aboriginal persons or members of an aboriginal community; and
• Persons who provide health treatment by spiritual means or by prayer.

Personal Health information

The Information and Privacy Commissioner has indicated that personal health information includes:

“information about an individual's health or health care history in relation to:

• The individual's physical or mental condition, including family medical history;
• The provision of health care to the individual;
• Long-term health care services;
• The individual's health card number;
• Blood or body-part donations;
• Payment or eligibility for health care; and
• The identity of a health care provider or a substitute decision maker for the individual.”

Rights of an individual

The Act establishes the means by which an individual can gain access to, withhold , and correct their own health information and establishes the process for complaint and appeal if access to or correction of the material is not forthcoming.

Custodian Obligations

Custodians of personal health information must establish and implement information practices that relate to the collection, use , or disclosure of personal health information. This includes:

• Obtaining consent when collecting, using , and disclosing an individual’s health information,
• Collecting only the information necessary and by lawful means,
• Safeguarding the information,
• Storing, transferring and disposing of information in a secure manner,
• Appointing a person responsible for dealing with the information, its use, disclosure , and correctness.

Executive Order HO-001

The first-ever “Executive Order” ruling by Ontario’s Information and Privacy Commissioner under the authority of Ontario’s Personal Health Information Protection Act (PHIPA) was released October 31, 2005.

The ruling stems from the incident in Toronto in the fall of 2005 in which medical records were used to replicate the scene of the 9/11 terrorist attack on the World Trade Center during a movie shoot. Patient health records, most of them dating back to 1992, originated with a Toronto X-ray and ultrasound clinic. The records had been passed on to a shredding company who sent them to a recycling company that subsequently sold them intact to the film company for use in the movie.

Although the ruling was directed at a limited number of specific companies involved in the incident, it is fully expected that all healthcare organizations throughout Ontario will now incorporate the standards of this new order. It now represents the de facto precedent by which document disposal will be judged in the future. A complete copy of the order and an executive summary are avaiable on the download section of this website or from the IPC website at http://www.ipc.on.ca/docs/ho-001.pdf .

IPC Factsheet - Secure Destruction of Personal Information

Following on Order HO-001, the office of the IPC produced a fact sheet entitled “Secure Destruction of Personal Information”. This fact sheet provides a landmark guide for the best practices for the destruction of personal information and should be read and observed by all businesses and organizations that require document destruction services. Some key points of this fact sheet that is available on the download section of this website or from the IPC website are:

Match the destruction method to the media: any personal information permanently destroyed or erased in an irreversible manner that ensures that the record cannot be reconstructed in any way.

For paper records: destruction means cross-cut shredding, not simply continuous (single strip) shredding, which can be reconstructed

Select and engage your service provider with due diligence: If you are engaging an external business to destroy records, be selective. Look for a provider accredited by an industrial trade association, such as the National Association for Information Destruction, or willing to commit to upholding its principles, including undergoing independent audits.

Insist on a signed contract spelling out the terms of the relationship: The office of the IPC even includes a sample for suggested clauses for a contract that can be used.

Office of the Information and Privacy Commissioner/ Ontario (IPC)

The IPC is responsible for the promotion of “open government” and the protection of personal privacy.

Under its statutory mandate, the IPC is responsible for:

• Resolving appeals from refusals to provide access to information;
• Investigating privacy complaints about information held by government organizations;
• Ensuring that the government organizations comply with the access and privacy provisions of the Acts;
• Educating the public about Ontario's access and privacy laws; and
• Conducting research on access and privacy issues, and providing advice and comment on proposed government legislation and programs.

The IPC can be reached at

Information and Privacy Commissioner/Ontario 
2 Bloor Street East
Suite 1400
Toronto, Ontario
M4W 1A8

Email This e-mail address is being protected from spam bots, you need JavaScript enabled to view it

Toronto Area (416 / local 905):
(416) 326-3333 

Long Distance:
1-800-387-0073

Link to Privacy Act http://laws.justice.gc.ca/en/P-21/94799.html
Link to PIPEDA http://www.e-laws.gov.on.ca/DBLaws/Statutes/English/04p03_e.htm
Link to PHIPA http://www.e-laws.gov.on.ca/DBLaws/Statutes/English/04p03_e.htm