Ajax Privacy and Cybersecurity Lawyer, Rajen Akalu, of Akalu Law P.C., provides his comments on the Personal Health Information Protection Act (PHIPA), Ontario

Understanding Ontario’s Personal Health Information Protection Act (PHIPA)

The Personal Health Information Protection Act (PHIPA) is a law that governs the collection, use, and disclosure of personal health information (PHI) in Ontario. Enacted in 2004, PHIPA sets the rules for how health care providers—like doctors, hospitals, and pharmacies—handle sensitive health data.

Its primary goal is to ensure that your personal health information is kept private, confidential, and secure, while still allowing the health care system to function effectively and share information when necessary for patient care. PHIPA is administered by the Information and Privacy Commissioner of Ontario (IPC). Decisions made pursuant to PHIPA are accessible on the IPC's website. Health privacy law specialist (and really nice lawyer) Kate Dewhirst provides very useful summaries of all PHIPA decisions.

What Counts as Personal Health Information?

The controlling definition in PHIPA is personal health information (PHI). PHI under PHIPA includes any information that can identify you and relates to:

  • Your physical or mental health
  • Your health history
  • The health care you’ve received
  • Your health card number
  • Payment or eligibility for health care services

Even something as seemingly minor as a prescription refill or lab result falls under PHIPA’s protection. This is important because once data is deemed PHI, it is subject to the Act.

Who Must Follow PHIPA?

PHIPA applies to individuals and organizations known as health information custodians (HICs). These include:

  • Doctors, nurses, dentists, and other regulated health professionals
  • Hospitals, long-term care homes, and clinics
  • Pharmacies and laboratories
  • Community care access centers

It also covers agents of these custodians—such as administrative staff, students, or volunteers—who have access to personal health data.

Patient Rights Under PHIPA

PHIPA gives individuals several key rights when it comes to their health information:

  1. Access and Correction

You have the right to:

  • Access your own health records
  • Request corrections to inaccurate or incomplete information

  2. Consent and Control

In most cases, health care providers need your express or implied consent to collect, use, or share your information. You can:

  • Withhold or withdraw consent (with some exceptions)
  • Instruct providers not to share your information with specific people or organizations

  3. Privacy and Security

Health care providers must take reasonable steps to:

  • Safeguard your information
  • Prevent unauthorized access, theft, or loss

When Can Information Be Shared Without Consent?

There are specific situations where your information can be shared without your consent, such as:

  • To prevent a serious risk of harm to yourself or others
  • For law enforcement or legal proceedings
  • For public health investigations (e.g., infectious disease outbreaks)

Even in these cases, disclosures are limited to only what’s necessary.

What Happens if There’s a Breach?

If your health information is accessed or disclosed improperly, PHIPA requires that you be notified. The Information and Privacy Commissioner of Ontario (IPC) oversees compliance with PHIPA and has the authority to:

  • Investigate complaints
  • Order changes to how health organizations handle data
  • Impose penalties and fines for serious violations

Final Thoughts

PHIPA is a cornerstone of health privacy in Ontario. It strikes a balance between protecting individuals’ personal health information and enabling efficient, effective health care. Because PHIPA deals with sensitive data and potentially vulnerable populations, compliance for HICs can become complicated quite quickly.

For example, a family member may want access to the health records of a now-incapacitated parent. The access policy will need to have a robust procedure to verify the identity of the requester. Similarly, third parties such as social workers may request a child’s medical file in order to make a determination in a custody and access dispute. In cases of medical negligence, plaintiff’s counsel will want access to their client’s file, and this may expose the hospital to liability. Legal help is needed here in order to facilitate the disclosure of information while remaining in compliance with PHIPA in these circumstances.

For patients, being aware of your rights under PHIPA empowers you to take control of your own health information—and to ask the right questions when it matters most.

Rajen Akalu
647 299 5079
rajen@akalulaw.com