Skip links

Your Privacy: Personal Health Information Protection Act (PHIPA)

Hands Holding a Piece of Paper Called Privacy

Your Privacy: Personal Health Information Privacy Act (PHIPA)

The Personal Health Information Protection Act, 2004 is a provincial law that governs the collection, use and disclosure of personal health information within the health sector. The object is to keep personal health information confidential and secure, while allowing for the effective delivery of health care.

Under this legislation, persons and organizations that provide health care are collectively known as health information “custodians.”

Frequently Asked Questions (FAQs)

The following are answers to questions most frequently asked about The Personal Health Information Protection Act.

What is personal health information?

Personal health information includes any identifying information about an individual’s health or health history, health care, payments or eligibility for health care, eligibility for coverage for health care or Ontario health card number.

Do health information custodians need my permission to access my personal health information?

Custodians are permitted to collect, use and disclose your personal health information, on the basis of implied consent, for the purpose of providing your health care.

An example where implied consent would be sufficient is if a family physician refers you to a medical specialist for consultation or to a laboratory for testing and discloses your  personal health information for that purpose.

They are also permitted to collect, use and disclose your personal health information where permitted or required by law.

Can I prevent health information custodians from collecting, using or disclosing my personal health information?

Yes. You have the right to withdraw your consent at any time.

In addition, custodians must respond to inquiries and complaints about the personal health information they hold about you.

The information practices of custodians must be available in written form, as well as information on how to contact them.

As a patient, do I have the right to see my personal health information?

Yes. You have a right to access your records of personal health under the law. You may be asked to make the request in writing, and custodians are allowed, depending on the circumstances, 30 to 60 days to respond to your request. You may be charged a reasonable fee to cover the costs.

Certain limited exceptions to access exist, but where custodians deny access to your records, they must explain the grounds for doing so, and you have the right to complain about denials or other access decisions to the Office of the Information and Privacy
Commissioner, Ontario (IPC) within six months of the decision.

What if my record of personal health information is inaccurate or incomplete?

You can request that your health information be corrected. However, health information custodians may require that you make the request in writing and, depending on the circumstances, they are given 30 to 60 days to respond.

Custodians are not required to correct your records in all circumstances. For example, custodians do not have to correct professional opinions. However, you may require that a statement of disagreement be attached to your records, and that your
disagreement be communicated to others involved in your treatment and care.

Where a correction is refused, a custodian must give a reason. You can then complain to the IPC (within six months of the decision).

What do I do if I have a complaint?

Complaints about the actions of custodians in their handling of your personal health information can be made to the IPC. These include the improper collection, use or disclosure of your personal health information. Complaints should be made within one year of you becoming aware of a problem.

View PDF and Printable Version
Return to top of page