Skip to Content

share feedback print font size font shrink font grow youtube facebook twitter donate

Personal Health Information Protection Act frequently-asked questions
Please feel free to read our condensed PHIPA FAQs or you may download the full version by clicking here.
What is privacy? 

Privacy is a person's claim to determine for him/herself when, how and to what extent information about him/her is communicated. Simply put, it is the right for an individual to determine who knows what about him/her, and what they do with the knowledge.

What is the personal health information protection act?

The Personal Health Information Protection Act, 2004 (PHIPA) is Ontario's health-specific privacy legislation which applies to health information custodians such as hospitals. PHIPA governs the manner in which personal health information may be collected, used and disclosed within the health care system. PHIPA also confirms a patient's right to access one's own personal health information.

What is personal health information?

Personal health information is "identifying information" collected about an individual. It includes information about an individual's health or health care history in relation to:

  • The individual's physical or mental health, including family history;
  • The provision of health care to the individual;
  • Long-term care services;
  • The individual's health card number;
  • Blood or body-part donations;
  • Payment or eligibility for health care; and
  • The identity of a health care provider or a substitute decision maker for the individual.
What is the "circle of care"?

The "circle of care" is not a defined term under PHIPA. It is a term of reference used to describe health information custodians and their authorized agents who are permitted to rely on an individual's implied consent when collecting, using, disclosing or handling personal health information for the purpose of providing direct health care.

In a hospital, the circle of care includes the:
  • Attending physician
  • Health care team (i.e. residents, nurses, technicians, clinical clerks, and employees assigned to the patient) who have direct responsibilities of providing care to the individual

PHIPA requires that hospitals obtain an individual's consent to collect, use and disclose his/her personal health information. How will GRH obtain such a consent?

In practice, the hospital is not required to obtain an individual's written or verbal consent every time personal health information is collected, used or disclosed. PHIPA permits the hospital to assume implied consent where information is exchanged between custodians within the circle of care for the purpose of providing direct health care – unless a custodian is aware that an individual has expressly withheld or withdrawn his/her consent.

Consent may never be implied for an individual who specifies that his/her personal health information may not be collected, used or disclosed. Implied consent is also permitted if a health information custodian, such as GRH, collects, uses or discloses names or addresses for the purposes of fundraising.

What is the difference between express and implied consent?

Express consent to the collection, use or disclosure of personal health information by a health information custodian is explicit and direct. It may be given verbally, in writing or by electronic means.

Implied consent permits a health care custodian to infer from the surrounding circumstances that an individual would reasonably agree to the collection, use or disclosure of his/her personal health information.

What is a breach of privacy?

Breach of privacy, confidentiality or security refers to the unauthorized access, collection, use, or disclosure of any personal health information or personal information.

Are individuals permitted to access their own personal health information?

With limited exceptions, PHIPA provides individuals with a general right to access their own personal health information held by a health information custodian. For more information please visit our release of medical records page.

Can the husband/wife of a patient access their spouse's chart? 

No, unless he/she has been designated substitute decision maker and the hospital has evidence of that.

Can the hospital refuse to provide access to an individual's personal health information?

The hospital is responsible to assist individuals by providing access to their health records. However, it may refuse access in limited situations only, where for example:

  • The information in question is subject to legal privilege;
  • Its disclosure could reasonably be expected to result in a risk or serious bodily harm to a person;
  • The information was collected as part of an investigation; or
  • Another law prohibits the disclosure of that information.
PHIPA permits the hospital to remove some of the information to allow partial access to the individual.

Can an individual correct errors in his/her personal health information? How does an individual correct errors? 

An individual who believes that his/her personal health information is incomplete or inaccurate may request the hospital to correct his/her record. An individual seeking a correction to his/her personal health information is required to submit a written request to the hospital, which then must respond within 30 days of receiving a correction request.

If I am referred to a specialist, can my health information be sent to the specialist and back to my family doctor without my consent? 

Your health information can be sent to the specialist, who will, in turn, send a report to your referring doctor (i.e. family doctor). It is not necessary to obtain your consent. This is good clinical practice and appropriate for optimizing continuity of care

Copyright © 2009. Grand River Hospital. All Rights Reserved. | Privacy Policy | Sitemap

BIN # 88918 0394 RR 0001  |  Created by Blue Lemon Media