Your Privacy – Personal Health Information Protection Act (PHIPA) – Frequently Asked Questions
What is Privacy?
The Privacy Commissioner of Canada has defined privacy as an individual’s right to maintain control over the uses and circulation of his or her personal information.
Perth and Smiths Falls District Hospital is committed to protecting the confidentiality and security of our patients’ personal information. This remains an integral part of our values.
Perth and Smiths Falls District Hospital has adopted the Ten Privacy Principles established by the Canadian Standards Association’s Model Code for the Protection of Personal Information. These principles form part of the Personal Information Protection and Electronic Documents Act (PIPEDA) and establish rules governing the collection, use and disclosure of personal information.
What is Personal Information?
This is defined, in broad terms, as information, whether oral, written or electronic, about an identifiable individual. Personal information includes, but is not limited to:
- Name, address and telephone number
- Age, gender, family and marital status
- ID numbers (SIN numbers, etc.)
- Financial and employment information
- Medical and health information
What is NOT Personal Information?
Any data that has been collected in which all personal identifiers have been removed (making determination of identity impossible) is not considered personal information, nor is the name, title, business address or business telephone number of an employee of an organization.
Why are we Asking for your Personal Information?
We require this information to provide appropriate health care services to you, our patient. The type of information we ask for will depend on the type of services you are presenting to us for.
What does Perth & Smiths Falls District Hospital use my health information for?
Perth & Smiths Falls District Hospital uses your information for the delivery of direct patient care, administration of the health care system, research, teaching, statistics, fundraising, and to meet legal and regulatory requirements.
Examples of potential uses include:
- To identify your record quickly and accurately each time you visit the hospital.
- To provide the most appropriate treatment. Your visit to the hospital may include a number of assessments and treatments. All of this information is recorded in your chart and made available to those involved in your care. The Hospital keeps a history of your health information for your future care.
- To comply with legal and regulatory requirements. For example, we collect your health information because it is required to fund health care services.
- To improve the quality and efficiency with which we provide health care services.
- To support Perth & Smiths Falls District Hospital’s educational activities. Health information is available for teaching purposes with measures taken to protect privacy and confidentiality.
Can I request that Perth & Smiths Falls District Hospital not collect or use my health information for any of the following purposes: the delivery of direct patient care, the administration of the health care system, to conduct research, teaching, statistics, meeting legal and regulatory requirements, or fundraising?
The Hospital may use health information for the purposes of research and teaching. Hospital personnel may only collect and use the minimum amount of information necessary to fulfill the requirements for an approved study or purpose. Before researchers may access this information, the Hospital removes as much identifying information as possible. For example, you would always be asked if you want to be in a clinical trial, or any other research that may have a direct impact on your care.
Perth & Smiths Falls District Hospital is required to report certain pieces of information to the Provincial Ministry of Health (billing information), the Canadian Institute for Health Information (coded discharge abstracts), Health Canada (public health surveillance), and Cancer Care Ontario (pathology reports). This is done to ensure the health care system is running optimally, and to conduct statistical comparisons of population health characteristics over a broad geographical range.
The collection, uses, disclosures, and retentions described above are required as an ongoing component of the Hospital’s ability to provide health care to the population it serves, while working to enhance the health status of Canadians.
Who does Perth & Smiths Falls District Hospital give my health information to?
The Hospital is required to disclose patient information to several other organizations. This includes the Ministry of Health, The Canadian Institute for Health Information, Public Health, and Cancer Care Ontario. Information may also be disclosed to other physicians directly involved in the administering of care to our patients. The Hospital places appropriate safeguards on the transmission of all information disclosed to other organizations and seeks to ensure that health information protection measures are in place and in accordance with the Personal Health Information Protection Act.
Does Perth & Smiths Falls District Hospital ever sell patient information to drug companies, or anyone else?
Perth & Smiths Falls District Hospital does not sell patient information to drug companies or to anyone else.
Will Perth & Smiths Falls District Hospital disclose my health information to any outside company or my employer?
Perth & Smiths Falls District Hospital requires patient consent or a court order to disclose health information to any organization or person not directly involved with the provision of patient care. The Hospital will ensure that proper controls are in place to disclose only what is required.
Can I access my health information?
You have a right to access your personal health information, and the Hospital has an obligation to make it available to you, with limited exceptions. Exceptions are made if releasing your information would put you or a third party at risk; in that case, the Hospital may choose not to disclose some or all of that information.
Where do I go to access my health information?
When you are a patient at Perth & Smiths Falls District Hospital, you should ask your healthcare provider for information that you want to know. Once you have left the Hospital, you will need to contact the Health Records Department to view or request a copy of your health records. Please allow a reasonable amount of time for the Hospital to process your request and note that you may be charged an administrative fee.
The Health Records Department will ask you to present the proper form of identification in order for you to access your health records.
How do I get a copy of my health records?
To get a copy of your health records, you can:
- Submit your request, in writing, to the Hospital CEO. Your written request for a copy of your health records should include:
  - your name, address and date of birth;
  - your signature or the signature of a legal representative (if applicable);
  - the date and the signature of a witness*
  * Please note the Hospital will only accept original letters. Faxes are not acceptable.
- Go to the Hospital’s Health Records Department and request an Authorization of Release of Information Form.
Please allow a reasonable amount of time for the Hospital to process your request. Should you wish to receive photocopies of your health records, a reasonable fee is charged.
Can my family see my health information?
Although you have the right to access your charts, this right does not automatically extend to family members and/or friends. If you consent to let a friend or family member see your chart, then the friend/family member may access the part(s) that you have consented to let them see.
What if I am unable to give consent?
If you are unable to give consent for a friend or family member to access your health records due to reasons of competency or consciousness, the consent decision falls to the appointed substitute decision maker, such as a parent or guardian. This person is bound by law to act on your behalf and must make decisions based on their belief of what you would wish done if you were able to decide.
Can all Hospital staff access my health records?
Only Hospital staff involved in your care may access your patient record. All Hospital staff are bound by a strict confidentiality agreement, which is signed as a condition of employment. This agreement seeks to ensure staff only access information on a need-to-know basis.
Can my family physician access my Hospital health information?
Perth & Smiths Falls District Hospital does release copies of your Emergency record to your family physician. Other records may also be sent at the request of the physician caring for you while you are in hospital.
Can I find out who has viewed my Hospital health records?
Yes. If you have concerns about unauthorized personnel accessing your information, you can make a request to the Privacy Officer or Health Records to view all accesses to your health records. The Privacy Officer will provide this information to you in a timely manner. If you have further concerns upon receipt of your audit report, you may make a complaint to the Hospital’s Privacy Officer, who will pursue the issue on your behalf.
What happens if I want my health records released to another individual?
Whether you want your health records released to a relative, friend, family doctor or another institution, you must submit a signed consent giving the hospital authorization to release your information. The consent is valid for six months and it must be dated and witnessed.
Do I need parental consent if I am a youth?
Yes. If you want your health records released and you are not at least 16 years old, you must have a parent or legal guardian submit the request on your behalf.
What happens if I am inquiring about the health records for a deceased patient?
To obtain health records for individuals who are deceased or incapable of signing a consent form, proof of executorship or legal signing authority must be submitted along with your written request.
Can I copy the health records myself?
Health records are considered to be the Hospital’s property and cannot be removed from the Hospital. Only the Hospital’s Health Records personnel can photocopy your records.
How is my health information protected?
There are three components to protecting patient information at Perth & Smiths Falls District Hospital:
- Physical Safeguards: Perth & Smiths Falls District Hospital has a number of physical safeguards which range from locked doors to staff wearing photo identification to identify themselves as Perth & Smiths Falls District Hospital employees.
- Technical Safeguards: Perth & Smiths Falls District Hospital’s technical department upgrades the security capabilities of the patient information system on an ongoing basis. We have implemented role-based access controls to ensure staff may access electronic information only on a need-to-know basis. The Perth & Smiths Falls District Hospital patient information system also uses passwords to protect the system from inappropriate access from within and a firewall to protect our system from users on the Internet.
When I called the hospital to see how my family member was doing, the Hospital staff would not describe what the problem with my family member was or their condition. Why is that?
When you call Perth & Smiths Falls District Hospital, staff has no way to verify that you are who you say you are. Therefore, in order to protect patient privacy, only a minimal amount of information is given out over the phone.
I have noticed that many areas of the hospital are open and I can sometimes overhear staff talking to patients or family about health information. Is this not a breach of patient privacy?
Despite the pressures of an acute care hospital setting, staff makes every effort to discuss health information confidentially.
What is the Personal Health Information Protection Act (PHIPA)?
The Personal Health Information Protection Act, 2004 (PHIPA) is Ontario’s new health-specific privacy legislation. PHIPA will govern the manner in which personal health information may be collected, used and disclosed within the health care system. It will also regulate individuals and organizations that receive personal information from health care professionals.
PHIPA creates a consistent approach to protecting personal health information across the health care system. By providing a level playing field for all health care professions, PHIPA builds upon and codifies many of the existing high standards and protections enshrined in the common law, various professional codes, policies and guidelines.
These legislated rules were designed to give individuals greater control over how their personal health information is collected, used or disclosed. They provide health care professionals with a flexible framework to access and use health information as necessary in order to deliver adequate and timely health care.
In addition, PHIPA confirms a patient’s existing right to access one’s own personal health information and provides a means for redress through the Office of the Information and Privacy Commissioner/Ontario (IPC) when privacy rights relating to personal health information have been violated.
The IPC has been designated as the oversight body responsible for administering and enforcing these new health sector privacy rules.
Does the Act apply to me?
The Act will have an impact on every individual residing in the province of Ontario. In general, the Act will provide individuals with more control over how their personal health information is collected, used and disclosed by health information custodians. With some exceptions, individuals will be able to access and request correction of their own personal health information.
The Act does not apply to all personal health information, but only that which is collected, used and disclosed by health information custodians. The Act also applies to the use and disclosure of personal health information by those persons who receive personal health information from health information custodians. For example, recipients may include insurance companies, employers, researchers, and others. Those who perform services on behalf of a health information custodian are defined as agents. Agents of health information custodians are also required to follow the rules set out in the Act.
What is the purpose of PHIPA?
PHIPA establishes a set of uniform rules about the manner in which personal health information may be collected, used or disclosed, and includes provisions that:
- Require patient consent for the collection, use and disclosure of personal health information, with necessary but limited exceptions that would allow health care providers to provide efficient care;
- Require that health information custodians treat all personal health information as confidential and keep it secure;
- Strengthen an individual’s right to access his/her personal health records, as well as the right to correct errors;
- Give a patient the right to instruct health information custodians not to share any part of his/her personal health information with other health care providers;
- Establish clear rules for the use of personal health information for fundraising or marketing purposes;
- Set guidelines for the use and disclosure of personal health information for research purposes;
- Ensure accountability by granting an individual the right to complain to the IPC about the practices of a health care organization; and
- Establish remedies for breaches of the legislation.
Why do we need a health privacy law in Ontario?
Personal health information is among the most sensitive of personal information. People are understandably protective about sharing personal details relating to their medical conditions. At the same time, personal health information must flow freely between health care professionals in order to ensure the best treatment for patients.
The nature of our health care system requires that health information may pass through many links in the health care chain: from a doctor’s office, to a referral to a specialist, to a medical lab, to a hospital or to an insurance company for reimbursement of claims. There are also circumstances in which personal health information must be readily shared, such as in the case of a medical emergency. Beyond patient care, personal health information is needed for important activities such as health research vital to develop new treatments and cures. The increasing use of technology to transfer and store medical data instantaneously has also increased the need for legislated rules to assure Ontarians that their personal health information will be strongly protected.
What is a health information custodian?
A health information custodian is an individual or organization listed under PHIPA that, as a result of its powers or duties, has custody or control of personal health information. Examples of health information custodians include:
- Health care practitioners, including doctors, nurses, pharmacists, psychologists and dentists;
- Psychiatric facilities;
- Nursing homes and long-term care facilities;
- Retirement homes and homes for special care;
- Community care access centers;
- Ambulance services;
- Boards of health;
- The Minister of Health and Long-Term Care; and
- Entities prescribed by regulations that are not defined as health information custodians but are permitted to collect personal health information from health information custodians for the purpose of health planning and management.
What is an agent?
PHIPA defines an agent to include any person who is authorized by a health information custodian to perform services or activities on the custodian’s behalf and for the purposes of the custodian.
An agent may include an individual or company that contracts with, is employed by or volunteers for a health information custodian and, as a result, may have access to personal health information. PHIPA permits custodians to provide personal health information to their agents only if the custodian is permitted to collect, use, disclose, retain or dispose of the information.
For example, an agency relationship under PHIPA includes a nurse who is employed by, or a medical student who volunteers at, a hospital. An agency relationship may also include a physician who is not employed by a hospital but has admitting privileges to use the hospital’s equipment.
What is personal health information?
Personal health information is “identifying information” collected about an individual. It is information about an individual’s health or health care history in relation to:
- The individual’s physical or mental condition, including family medical history;
- The provision of health care to the individual;
- Long-term health care services;
- The individual’s health card number;
- Blood or body-part donations;
- Payment or eligibility for health care; and
- The identity of a health care provider or a substitute decision maker for the individual.
Personal health information does not include identifying information about an employee or agent of the custodian that is not maintained for the provision of health care. For example, a doctor’s note to support an absence from work in the personnel file of a secretary employed by a health information custodian is not considered personal health information.
What does the “provision of health care” mean?
The provision of health care means any observation, examination, assessment, care, service or procedure provided for health care purposes. This includes the following:
- The treatment or maintenance of an individual’s physical or mental condition;
- The prevention of disease or injury or the promotion of health care;
- The compounding, dispensing, or selling of a drug, device or equipment pursuant to a prescription; and
- A community service that is described in the Long-Term Care Act, 1994.
How does PHIPA protect personal health information?
The ability of an individual to control how his/her own personal information is collected, used and disclosed is key to his/her privacy rights. PHIPA gives patients control over their own personal health information by requiring health information custodians to obtain consent for the collection, use or disclosure of personal health information, with limited exceptions. PHIPA establishes certain privacy rights for individuals and imposes specific obligations on health information custodians in protecting personal health information.
What rights do individuals have?
Individuals can expect to be well informed about how their personal health information will be collected, used and disclosed by health information custodians. Individuals can also expect the administrative, technical and physical safeguards relating to their personal health information to continue to be in place.
PHIPA gives individuals the right to:
- Understand the purposes for the collection, use and disclosure of personal health information;
- Refuse or give consent to the collection, use or disclosure of personal health information, except in circumstances specified in PHIPA;
- Withdraw consent by providing notice to the health information custodian;
- Request access to one’s own personal health information;
- Request corrections to be made to one’s own personal health information;
- Complain to the IPC about a custodian’s refusal to give access to all or part of a health record; and
- Complain to the IPC about any breach of PHIPA in the manner in which personal health information has been collected, used, disclosed or handled.
PHIPA establishes a formal process for individuals to access and correct their own personal health information with timeframes and rights of complaint and appeal if an access or correction request is denied.
What responsibilities do health information custodians have?
PHIPA requires health information custodians who have custody or control of personal health information to establish and implement information practices that comply with its provisions. This does not mean that custodians are expected to completely set aside their existing policies and practices. In fact, PHIPA builds upon existing policies and guidelines for health care professionals and provides enforceable rules relating to the collection, use or disclosure of personal health information.
PHIPA will require health information custodians to:
- Obtain an individual’s consent when collecting, using and disclosing personal health information, except in limited circumstances as specified under PHIPA;
- Collect personal health information appropriately (by lawful means and for lawful purposes) and no more than is reasonably necessary;
- Take reasonable precautions to safeguard personal health information, even when it is used and disclosed outside of Ontario, including:
  - Protection against theft or loss;
  - Protection against unauthorized use, disclosure, copying, modification or destruction; and
  - Notification to an individual at the first reasonable opportunity if the information is stolen, lost or accessed by an unauthorized person.
- Ensure health records are as accurate, up-to-date and complete as necessary for the purposes for which they use or disclose personal health information;
- Ensure health records are stored, transferred and disposed of in a secure manner;
- Designate or take on the role of a contact person who is responsible for:
  - Responding to access/correction requests;
  - Responding to inquiries about the custodian’s information practices;
  - Receiving complaints regarding any alleged breaches of PHIPA; and
  - Ensuring overall compliance with PHIPA.
- Provide a written statement that is readily available to the public and describes:
  - A custodian’s information practices;
  - How to reach the contact person; and
  - How an individual may obtain access, request a correction or make a complaint regarding his/her personal health information.
- Inform an individual of any uses and disclosures of personal health information without the individual’s consent that occurred outside the custodian’s information practices; and
- Ensure that all agents of the custodian are appropriately informed of their duties under PHIPA.
What is “consent” under the new Personal Health Information Protection Act?
The general rule is that health information custodians need to obtain an individual’s knowledgeable consent to collect, use and disclose personal health information. An individual’s consent may be implied or express. There are very limited circumstances where a custodian may collect, use or disclose personal health information without the consent of the individual.
What are the requirements for consent?
Under PHIPA, consent is considered to be valid if it is:
- Voluntary (not obtained through deception or coercion);
- Related to the information in question;
- Given by the individual.
Knowledgeable consent means that the individual must know why a health information custodian collects, uses or discloses their personal health information and that they may withhold or withdraw their consent.
Administratively, health information custodians may ensure that consent is knowledgeable by posting a conspicuous notice that describes the purposes for the collection, use and disclosure of personal health information.
What is the difference between express and implied consent?
Where consent is required under the new legislation, consent may be either express or implied.
Express consent is explicit and direct. It may be given verbally, in writing or by electronic means.
Implied consent permits a health care custodian to infer from the surrounding circumstances that an individual would reasonably agree to the collection, use or disclosure of his/her personal health information.
Can an individual withdraw his/her consent?
Yes. An individual may withdraw his/her consent by providing notice to the health information custodian. This applies to implied as well as express consent.
A withdrawal of consent is not retroactive. This means that where a disclosure has been made on the basis of a consent, the custodian is not required to retrieve the information that has already been disclosed.
Can an individual place a condition or restriction on his/her consent?
Yes. An individual may restrict a health information custodian from sharing his/her personal information with another custodian. In doing so, an individual can be said to have placed his/her personal health information into a “lock-box.”
However, an individual’s restriction may not impede the collection, use or disclosure of personal health information that is required by law, professional or institutional practice.
When is implied consent sufficient?
Health information custodians who collect, use and disclose personal health information while providing direct health care may rely on an individual’s implied consent. If a custodian can reasonably infer that an individual understands the purpose of the collection, use or disclosure of his/her personal health information, then implied consent is sufficient within the circle of care.
In practice, this means that custodians are not required to obtain an individual’s written or verbal consent every time they collect, use or disclose that information – unless a custodian is aware that an individual has expressly withheld or withdrawn his/her consent. Consent may never be implied for an individual who specifies that his/her personal health information may not be collected, used or disclosed. For example, an individual does not need to expressly consent to the collection of personal health information by a pharmacist, who is a health care custodian within the circle of care, for the purpose of filling a prescription. By virtue of the individual’s voluntary disclosure of his/her name and the content of the prescription, the pharmacist can reasonably infer that the individual has agreed to the collection.
If an individual has provided information about his/her religious affiliation to a health care facility, the facility may rely on implied consent to disclose the individual’s name and location with the facility to a person representing his/her religious organization. Before making this disclosure, the facility must provide the individual with an opportunity to withhold or withdraw the consent.
When is express consent required?
In certain circumstances express consent will always be required:
Express consent is required for disclosure of personal health information to an individual or organization outside the circle of care.
For example, a pharmacist is not able to reasonably infer that an individual would consent to have his/her personal health information disclosed to a third party, such as an insurance provider, who is considered to be outside the circle of care. The pharmacist would be required to obtain the express consent of the individual in order to disclose personal health information to the insurance provider.
Express consent is required where information is disclosed by one custodian to another for a purpose other than providing or assisting in providing health care.
Express consent is also required where a custodian:
- Collects, uses or discloses personal health information other than an individual’s name and mailing address for fundraising purposes;
- Collects personal information for marketing research or activities; and
- Collects, uses or discloses personal information for research purposes, unless certain conditions and restrictions are met.
What is a “lock-box?”
The “lock-box” is a term used to describe the right of an individual to instruct a health information custodian not to disclose specified personal health information to another custodian.
How does the lock-box work?
When an individual requests a health information custodian not to disclose his/her personal health information to another custodian, the custodian is obliged to inform the recipient custodian that some personal health information is inaccessible as a result of it having been “locked” by the individual. The custodian who receives “locked” personal health information may choose to explore this matter with the individual. The custodian would need to obtain the express consent of that individual to access and use that information.
However, a custodian is permitted to disclose the information to a recipient custodian where in his/her professional opinion, the disclosure is necessary for the purpose of eliminating or reducing a significant risk of serious bodily harm to the patient.
What happens when an individual is incapable of providing consent?
PHIPA generally presumes that individuals are capable of making their own decisions regarding the collection, use or disclosure of their personal health information if they are able to understand and appreciate the consequences of providing, withholding or withdrawing their consent.
If a health information custodian believes that an individual is incapable of providing consent, PHIPA permits a substitute decision maker (such as a relative, spouse, child’s parent, or the Public Guardian and Trustee) to make a decision on the individual’s behalf. For example, a substitute decision maker is authorized to provide personal health information on behalf of a child under the age of 16 who is unable to provide an answer to a medical question.
In cases of emergency care, must consent to the collection, use and disclosure of personal information be obtained?
No. There are exemptions to obtaining consent in certain health care emergencies. Examples of such cases are when a patient is unconscious, too sick or not lucid, or when collection is clearly in the interest of the individual and consent cannot be obtained in a timely way.
Can personal information be shared without patient consent between providers in an emergency situation?
What is the “circle of care”?
The “circle of care” is not a defined term under PHIPA. It is a term of reference used to describe the health information custodians who are permitted to rely on an individual’s implied consent when collecting, using, disclosing or handling personal health information for the purpose of providing direct health care.
What is “collection” of personal health information under PHIPA?
PHIPA defines collection as the gathering, acquiring, receiving or obtaining of personal health information. This means that personal health information can be collected by a health information custodian or an authorized agent under PHIPA in several ways, such as when a doctor makes notes about a patient in his/her medical file or when a pharmacist fills a prescription.
What are the general rules covering the collection of personal health information?
PHIPA permits custodians within the circle of care to rely on an individual’s implied consent in order to collect personal health information for the purpose of health care services. Health information custodians must collect personal health information directly from the individual involved and may only collect as much information as is necessary to meet the purpose of the collection.
When collecting personal health information, custodians must have a policy in place readily available to the public about their information practices and how individuals may exercise their rights under PHIPA. Some suggested methods include the use of visible brochures, posters, notices posted on walls and verbal explanations.
What are the exceptions to the general rules for the collection of personal information?
As a general rule, custodians should collect personal health information directly from individuals. PHIPA permits health information custodians to collect personal health information about an individual indirectly in limited circumstances where:
- The individual consents;
- The collection is necessary for providing health care and it is not possible to obtain the information from the individual in a timely manner, or collecting it from the individual would result in inaccurate information, such as in emergency cases;
- The custodian collects personal health information for the purposes of research from a person who is not a health information custodian, provided that certain conditions are met;
- The custodian is required or permitted by law to collect the information indirectly;
- The collection is for the purposes of conducting proceedings or investigations under provincial or federal laws;
- The custodian is a prescribed entity that collects personal health information from a person who is not a health information custodian for the purpose of health planning or management; or
- The IPC authorizes another manner of collection.
What is “use” of personal health information under PHIPA?
Use of personal health information under PHIPA is defined as handling or dealing with personal health information that is in the custody or control of a health information custodian. This includes accessing or reproducing health information as required by the custodian or his/her authorized agent in performing their duties.
What are the general rules covering the use of personal health information?
As a general rule, consent is required to use an individual’s personal health information unless PHIPA allows the use without consent.
However, a health information custodian and its authorized agents who need to access and share personal health information in providing health care are permitted to rely on an individual’s implied consent if it is reasonable to do so in the circumstances, and so long as the individual has not expressly stated otherwise.
It is the custodian’s responsibility to exercise the highest level of care when using personal health information. In addition, the custodian must take reasonable steps to ensure that the individual’s personal health information is accurate, complete and up-to-date when using the information.
Where a custodian is authorized to use the information, the custodian may provide the information to an agent of the custodian to use it for that purpose on behalf of the custodian. The transfer of information between a custodian and its agent is considered to be a use, and not a disclosure, for the purposes of PHIPA.
What are the exceptions to the general rules for the use of personal health information?
PHIPA sets out a limited set of acceptable uses of personal health information by health information custodians without an individual’s consent, including for the following purposes:
Risk management, error management, or activities to improve or maintain the quality of care or any related program or service;
Educating agents to provide health care;
The planning or delivering of programs or services;
The allocation of resources to any program or service provided or funded by the custodian;
Obtaining payment, processing, monitoring, verifying or reimbursing health care claims; and
For research, provided that specific requirements and conditions are met.
A custodian may provide personal health information to an agent of the custodian to use for any of the above-noted purposes.
What is “disclosure” of personal health information under PHIPA?
The term “disclose” under PHIPA means to release or make available personal health information that is under the custody or control of a health information custodian (or its authorized agent) to a person other than that custodian, whether another custodian within the circle of care or an organization outside it.
What are the general rules for the disclosure of personal health information?
As a general rule, consent is required to disclose an individual’s personal health information unless PHIPA allows disclosure without consent.
However, PHIPA permits a health information custodian and its authorized agents to rely on implied consent for the disclosure of personal health information within the circle of care while providing health care services. A custodian may disclose personal health information to health care practitioners; long-term care service providers; and persons who operate health care facilities, programs and services, if the disclosure is reasonably necessary for the provision of health care, it is not reasonably possible to obtain consent in a timely way, and the individual has not instructed the custodian not to make the disclosure.
Although PHIPA permits custodians to disclose personal health information in certain limited situations, disclosure is not required, unless it is necessary to carry out a statutory or legal duty.
Unless one of the exceptions listed below applies, express consent from the individual to whom the personal health information relates is required when it is disclosed outside the circle of care.
It is the custodian’s responsibility to exercise the highest level of care when disclosing personal health information. In addition, the custodian must take reasonable steps to ensure that the individual’s personal health information is accurate, complete and up-to-date when disclosing the information.
What are the exceptions to the general rules for the disclosure of personal health information?
PHIPA recognizes the need for a flexible approach to regulating information exchanges between custodians in order to enable them to continue to provide timely and adequate health care. PHIPA permits custodians to disclose personal health information without an individual’s consent in the following specific situations:
- If the disclosure is reasonably necessary for providing health care and the consent cannot be obtained in a timely manner, unless there is an express request from the individual instructing otherwise;
- For the purpose of contacting a relative or friend of an individual who is injured, incapacitated, ill or unable to give consent personally;
- To confirm that an individual is a patient or resident in a facility or to confirm the status of his/her health condition, unless there is an express request from the individual instructing otherwise;
- To identify an individual who is deceased or in order to allow a spouse, partner or relative of a deceased to make decisions about their own care or the care of their children or to inform estate trustees of an individual’s death;
- To eliminate or reduce a significant risk of serious bodily harm to any person or the public, such as where a hospital determines that a disclosure to the police is necessary to prevent a life-threatening situation;
- When transferring records to a custodian’s successor or to the archives for conservation;
- For the purpose of carrying out an inspection, investigation or similar procedure that is authorized by a warrant or another Act;
- For determining or verifying eligibility for health care or related benefits;
- For the purpose of administration and enforcement of various Acts by the professional Colleges and other regulatory bodies;
- To a prescribed person listed in the regulations who compiles and maintains a registry of personal health information;
- To a health data institute for the purposes of health planning and management of the health care system;
- To the Public Guardian and Trustee, Children’s Aid Society and the Children’s Lawyer for the purpose of carrying out their statutory functions;
- To a person conducting an audit or reviewing an accreditation or application for accreditation related to the services of a custodian;
- To a medical officer or a public health authority if required under the Health Protection and Promotion Act (for example, to report a communicable disease);
- For the purpose of legal proceedings; and
- For the purpose of research.
What is a health data institute?
PHIPA permits the Minister of Health and Long-Term Care to direct a health information custodian to disclose personal health information to an approved and secure health data institute. A health data institute is an independent organization authorized to receive personal health information from the Ministry for health care management and planning purposes.
Before the Ministry releases personal health information to the health data institute, the Minister must provide a comprehensive proposal for review and comment to the IPC. The institute may then release only de-identified information to the Ministry, unless the IPC approves disclosure with minimal identifiers that is determined to be in the public interest.
PHIPA requires that the health data institute comply with safeguards to respect the confidentiality of personal health information. In order to ensure compliance, the IPC will review and approve the practices and procedures of the institute every three years.
What are the requirements for the collection, use and disclosure of personal health information for health care research?
As a general rule, a health information custodian may not collect, use or disclose personal health information for health care research purposes without the individual’s express consent. However, in recognition of the importance of health research, PHIPA permits the collection, use or disclosure of personal health information for research purposes without an individual’s consent, but only if strict conditions are met.
For example, custodians who use personal health information for research and, similarly, researchers who seek disclosure of personal health information for research, must both submit a detailed research plan to a Research Ethics Board (REB) for approval. In reviewing a research proposal involving the use and disclosure of personal health records, an REB must consider whether:
- The research cannot be reasonably accomplished without access to the information;
- There is a public interest in conducting the research;
- Obtaining consent directly is impracticable; and
- Adequate safeguards are in place to protect the privacy of individuals and the confidentiality of their information.
A researcher requesting disclosure of personal health information from a custodian must submit a written application with an approved research plan to the custodian and must enter into an agreement that may impose further restrictions on the manner in which the researcher may use and disclose the information. A researcher with an approved research plan who receives personal health information from a custodian shall:
- Comply with the conditions imposed by the REB;
- Use personal health information only for the purpose set out in the research plan;
- Not publish information in a form that could identify the individual;
- Not disclose information unless required by law or to entities prescribed by law (see the Regulations under PHIPA and the Quality of Care Information Protection Act, QCIPA);
- Not attempt to contact the individual whose personal information is the subject of the research project unless the custodian obtains the consent of that individual; and
- Notify the custodian in writing of any breaches of either the agreement or PHIPA.
Researchers who lawfully obtained personal health information from a custodian before PHIPA came into force may continue to use and disclose that information for a three-year period after PHIPA comes into force.
Ontario Health Card Numbers
Who can collect, use or disclose Ontario health card numbers and under what circumstances?
Health information custodians and those individuals or organizations designated in the Regulations are permitted to collect, use or disclose Ontario health card numbers. An individual or organization that is not a health information custodian is limited to collecting and using health card numbers for the following purposes:
- For the provision of publicly-funded health services;
- For the purposes for which a custodian disclosed the number;
- For the regulation of health professionals; or
- For health administration, planning, research or epidemiological studies.
An individual or organization that is not a health information custodian is not permitted to disclose health card numbers except where required by law.
Access to Personal Health Information
Are individuals permitted to access their own personal health information?
With limited exceptions, PHIPA provides individuals with the general right to access their own personal health information held by a health information custodian and sets out a formal procedure for access requests.
How does an individual obtain access to his/her personal health information?
An individual may request access to his/her own personal health information by submitting a written request to the health information custodian (Health Records Department). The request must contain sufficient detail to allow the custodian to locate the record in question. The health information custodian should then provide either access to or a copy of the record. There will be a fee for processing and copying the record. The individual will be asked to sign a consent form that permits the release of the information.
How long does a health information custodian have to respond to an individual’s request for access to personal health information?
A health information custodian must respond no later than 30 days after the request was made.
Extensions beyond this 30-day time frame are allowed where meeting this time frame would interfere with the custodian’s operations, or where outside consultations are required in order to comply with the request. In such situations, the custodian must inform the individual in writing about the delay and the reasons for the delay.
Can a health information custodian refuse to provide access to an individual’s personal health information?
Health information custodians are responsible for assisting individuals by providing access to their health records.
Custodians may refuse access only in certain situations where, for example:
- The information in question is subject to a legal privilege;
- Its disclosure could reasonably be expected to result in a risk of serious bodily harm to a person;
- The information was collected as part of an investigation; or
- Another law prohibits the disclosure of that information.
PHIPA permits custodians to remove some of the information to allow partial access to the individual. If a health information custodian denies an individual access to his/her personal health information, the individual has the right to file a complaint with the IPC.
Is there a fee associated with an access request?
Health information custodians may charge a reasonable fee for providing access to an individual’s personal health records. PHIPA also permits custodians to waive all or part of the fee associated with an access request.
In charging a fee, PHIPA requires custodians to provide the individual with a fee estimate limited to either a prescribed amount set out in the Regulations, if there is such a fee schedule, or an amount that is reasonable for cost recovery.
Corrections to Personal Health Information
Can an individual correct an error in his/her personal health information?
An individual who believes that his/her personal health information is incomplete or inaccurate may request a health information custodian to correct his/her record. It is the responsibility of the custodian to ensure that personal health information is complete and accurate.
How does an individual correct errors or omissions?
An individual seeking to correct his/her personal health information is required to submit a written request to the health information custodian. The custodian must respond within 30 days of receiving a correction request.
PHIPA provides limited grounds for extending this 30-day time frame. For example, extensions are permitted where replying within 30 days would unreasonably interfere with the custodian’s activities, or where the time necessary to undertake the consultations associated with the request would exceed 30 days.
Can a health information custodian refuse to correct an individual’s personal health information?
A health information custodian is obligated to correct personal health information where the individual demonstrates, to the satisfaction of the custodian, that the record is in fact inaccurate or incomplete for the purposes for which the custodian used or disclosed the information, and the individual gives the custodian the necessary information to correct the record.
However, a custodian may refuse to correct personal health information relating to the professional opinion or observation of a health care provider. If a correction is refused on such a basis, the custodian is required to inform the individual of the refusal, the reasons for the refusal, the individual’s right to file a complaint regarding the refusal to the IPC and the right of the individual to attach a statement of disagreement to the record.
How will PHIPA be enforced?
The IPC has been designated as the independent oversight body responsible for ensuring that health information custodians collect, use and disclose personal health information according to the rules set out under PHIPA. The IPC will play a significant role in enforcing overall compliance.
The IPC has various powers under PHIPA, including the authority to investigate and adjudicate complaints. These include the authority to:
- Require a complainant to try to resolve the issue directly with the custodian;
- Investigate a complaint initiated by an individual or in the absence of a complaint, self-initiate reviews; and
- Appoint a mediator to resolve the complaint.
The IPC also has the authority to issue orders requiring compliance with PHIPA, including:
- The disclosure of personal health information;
- Correction of an individual’s personal health information;
- The disposal of records of personal health information; and
- The changing or ceasing of a particular information practice by a health information custodian.
How does an individual initiate a complaint?
An individual who feels that his/her privacy rights under PHIPA have been violated has the right to submit a written complaint to the IPC. For example, an individual may complain about:
- A health information custodian’s information practices;
- A refusal to grant access to his/her personal health information; or
- A refusal to correct or amend his/her personal health information.
An individual must file a complaint with the IPC within one year from when the individual became aware of the problem; PHIPA gives the IPC the discretion to extend this one-year limitation period.
For complaints that deal with access or correction, an individual must file a complaint with the IPC within six months from the time a health information custodian refuses an access or correction request by that individual.
Information and Privacy Commissioner / Ontario
2 Bloor Street East, Suite 1400
Toronto, Ontario, Canada M4W 1A8