What is PHIPA Legislation?

Ontario province in Canada has its own health data privacy rights legislation. This legislation is known as PHIPA legislation. PHIPA stands for the Personal Health Information Protection Act (PHIPA). PHIPA legislation establishes a set of rules regarding Ontario residents’ personal health information (PHI). PHIPA legislation is discussed in greater detail below.

What is PHIPA Legislation: Data Custodians

PHIPA legislation applies to “custodians.” A custodian is an individual or organization that collects, maintains or uses personal health information for providing or assisting in the provision of health care or treatment; in the planning and management of the health-care system; or in the delivery of a government program or service.

Examples of custodians named in the PHIPA legislation and its regulations include:

PHIPA Legislation
  • Hospitals;
  • Health-care providers (for example, physicians, dentists, nurses, pharmacists); 
  • Public bodies;
  • Ambulance operators; and 
  • Individuals or organizations known as information managers that manage personal health information on behalf of another custodian.

PHIPA applies to any personal health information (the PHIPA equivalent of HIPAA protected health information) collected, used, stored, disclosed and maintained by custodians. 

What is PHIPA Legislation: Health Information Privacy Rights

Under PHIPA legislation, Ontario residents are given a series of rights with respect to their personal health information. Some of these PHIPA legislation rights are similar to the rights granted to patients in the HIPAA Privacy Rule. PHIPA legislation rights include:

  • The right to be informed of the reasons for the collection, use and disclosure of your personal health information. Generally, under PHIPA legislation, a data custodian may only collect, use or disclose personal health information if an individual consents or the collection, use or disclosure is permitted or required by PHIPA legislation. Data custodians may not collect, use, or disclose personal health information if other information will serve the purpose. Data custodians may not collect, use or disclose more personal health information than is necessary to meet the purpose of the collection, use, or disclosure.
  • The right to consent to collection, use, or disclosure of personal health information for marketing purposes. Generally, personal health information may not be used for these purposes without express consent. (HIPAA also contains a restriction on uses of PHI for marketing.) PHIPA legislation provides for some circumstances where personal health information may be disclosed without consent. For example, if a custodian receives a subpoena to disclose personal health information to a court, consent of the individual is not required – the custodian must comply. Other instances where personal health information may be disclosed without consent include:
    • Making information available for an information network or a registry (such as a cancer registry) where the information is to be used for facilitating or improving the provision of health care or the monitoring and evaluation of a health care program or the health-care system; 
    • Obtaining payment for health care services; and
    • For public health reasons.
  • The right to refuse or give consent to the collection, use or disclosure of your personal health information, except in certain circumstances (HIPAA also allows patients the right to refuse to give consent under certain circumstances.) 
  • The right to withdraw your consent to collection, use, or disclosure of PHI, by providing written notice. (Similarly, HIPAA gives patients the right to revoke written authorization for PHI use or disclosure.)
  • The right to expressly instruct that your personal health information not be used or disclosed for healthcare purposes without consent.
  • The right to access a copy of your personal health information. (This right is the PHIPA equivalent of the HIPAA right of access.)
  • The right to request that corrections be made to your health records. (The equivalent HIPAA right is known as the right to request amendment of PHI).

What is PHIPA Legislation: Individual Rights

PHIPA legislation provides individuals with a complaint mechanism. Under PHIPA legislation, an individual may:

  • Complain to the Information and Privacy Commissioner of Ontario if he or she has been refused access to their personal health information;
  • Complain to the Information and Privacy Commissioner of Ontario if he or she has been refused a correction request;
  • Complain to the Information and Privacy Commissioner of Ontario about a privacy breach or potential breach; and
  • Begin a proceeding in court for damages for actual harm suffered after an order has been issued or a person has been convicted of an offense under PHIPA.