I. Introduction
Data has long been a highly valued asset for organizations, and with it have come strict regulatory mandates and social expectations about the processes used to protect it. These expectations are especially heightened where sensitive data is involved, such as personal identification information (PII) or personal health information (PHI).
In Ontario, Canada, the Personal Health Information Protection Act, 2004 (PHIPA) is the primary regulation governing how PHI is to be processed, used, shared, and protected. It aims to protect Ontario residents’ privacy while ensuring healthcare providers, institutions, and supporting organizations can continue to access the PHI when necessary to deliver safe and effective care.
PHIPA applies not only to healthcare professionals, hospitals, pharmacies, laboratories, and any other “health information custodians” (HICs), but also to any agents and service providers acting on their behalf, so that residents’ personal health information is protected wherever and however it is processed.
This guide covers the key elements of PHIPA, including who must comply, what obligations it creates, the rights it grants individuals, the powers of the regulatory body responsible for enforcing it, the financial penalties for non-compliance, and, most importantly, how organizations can best comply with their obligations under the Act. Read on to learn more.
II. Who Needs to Comply With PHIPA
This Act is applicable to:
- The collection of PHI by a health information custodian on and after the day the Act came into effect;
- The use and disclosure of PHI on and after the day the Act came into effect by:
  - A health information custodian;
  - A person who is not a custodian but to whom the custodian has disclosed the information.
- The collection, use, and disclosure of a health number by any person on and after the day the Act came into effect.
In case of any conflicts with another regulation, this Act will prevail unless there are provisions within this Act that provide otherwise.
However, PHIPA will not prevail in case of a conflict with a provision of the Quality of Care Information Protection Act, 2004.
III. Definitions of Key Terms
A. Commissioner
The Information & Privacy Commissioner appointed per the Freedom of Information & Protection of Privacy Act.
B. Digital Health Identifier
The unique identifier created by the prescribed organization for an individual through validation and verification services that confirm the identity of the individual.
C. Health Care
Any observation, examination, assessment, care, service, or procedure that is done for a health‑related purpose and that:
- is carried out or provided to diagnose, treat, or maintain an individual’s physical or mental condition,
- is carried out or provided to prevent disease or injury or to promote health, or
- is carried out or provided as part of palliative care,
and includes:
- the compounding, dispensing, or selling of a drug, a device, equipment, or any other item to an individual, or for the use of an individual, pursuant to a prescription, and
- a home and community care service that is funded under section 21 of the Connecting Care Act, 2019.
D. Healthcare practitioner
Health care practitioner means:
- a person who is a member within the meaning of the Regulated Health Professions Act, 1991, and who provides health care,
- a person who is a member of the Ontario College of Social Workers and Social Service Workers and who provides health care, or
- any other person whose primary function is to provide health care for payment.
E. Information Practices
Information practices, in relation to a health information custodian, means the custodian’s policy for actions in relation to personal health information, including:
- when, how, and the purposes for which the custodian routinely collects, uses, modifies, discloses, retains, or disposes of personal health information, and
- the administrative, technical, and physical safeguards and practices that the custodian maintains with respect to the information.
F. Health Information Custodian
Health information custodian means a person or organization described in one of the following paragraphs who has custody or control of personal health information as a result of or in connection with performing the person’s or organization’s powers or duties or the work described in the paragraph, if any:
- A health care practitioner or a person who operates a group practice of health care practitioners.
- A health service provider or person or entity that is part of an Ontario Health Team and that provides a home and community care service pursuant to funding under section 21 of the Connecting Care Act, 2019, including a person or entity from whom the provider or Team has purchased the home and community care service.
- A person who operates one of the following facilities, programs, or services:
  - A hospital within the meaning of the Public Hospitals Act, a private hospital within the meaning of the Private Hospitals Act, a psychiatric facility within the meaning of the Mental Health Act, or an integrated community health services centre within the meaning of the Integrated Community Health Services Centres Act, 2023.
  - A long-term care home within the meaning of the Fixing Long-Term Care Act, 2021, a placement co-ordinator described in subsection 47 (1) of that Act, or a care home within the meaning of the Residential Tenancies Act, 2006.
  - A retirement home within the meaning of the Retirement Homes Act, 2010.
  - A pharmacy within the meaning of the Drug and Pharmacies Regulation Act.
  - A laboratory or a specimen collection centre as defined in section 5 of the Laboratory and Specimen Collection Centre Licensing Act.
  - An ambulance service within the meaning of the Ambulance Act.
  - A home for special care within the meaning of the Homes for Special Care Act.
  - A centre, program, or service for community health or mental health whose primary purpose is the provision of health care.
- An evaluator within the meaning of the Health Care Consent Act, 1996, or an assessor within the meaning of the Substitute Decisions Act, 1992.
- A medical officer of health of a board of health within the meaning of the Health Protection and Promotion Act.
- The Minister, together with the Ministry of the Minister, if the context so requires.
- Any other person prescribed as a health information custodian if the person has custody or control of personal health information as a result of or in connection with performing prescribed powers, duties, or work, or any prescribed class of such persons.
IV. Obligations for Organizations Under PHIPA
The following are the key obligations placed on organizations under PHIPA.
A. Consent Requirements
A health information custodian cannot collect, use, or disclose PHI about an individual unless:
- It has the individual’s consent to do so;
- The collection, use, or disclosure is reasonably necessary for a lawful purpose;
- The collection, use, or disclosure is permitted under this Act.
Elements of Consent
All consent obtained from an individual under this Act for the collection, use, and disclosure of personal health information by a health information custodian must be:
- Given by the individual;
- Knowledgeable;
- Related to the information in question;
- Obtained through honest means, not through deception or coercion.
Express or Implied Consent
Consent to the collection, use, or disclosure of PHI must be express, not implied, if:
- The custodian discloses PHI to a person who is not a health information custodian;
- The custodian discloses PHI to another health information custodian and the disclosure is not for the purpose of providing health care.
Knowledgeable Consent
A consent is considered knowledgeable if it is reasonable to believe that the individual understands the purpose of consent and is capable of granting or withholding consent.
B. Privacy Policy Requirements
A health information custodian must make a public written statement that:
- Provides a general description of its information practices;
- Describes how to contact the custodian or its contact person;
- Describes how an individual can request access to their personal health information or request a correction to it;
- Describes how an individual can make a complaint about the custodian’s alleged violations of this Act.
C. Purpose Limitation
A health information custodian must not collect, use, or disclose more PHI than is reasonably necessary to meet the purpose of the collection, use, or disclosure. This limit does not apply to information the custodian is required by law to collect, use, or disclose.
D. Data Breach Requirements
If a breach is determined to have occurred, meaning digital health identifier records have been stolen, lost, or used or disclosed without proper authority, the prescribed organization must notify the individual to whom the personal health information relates as well as the Commissioner.
E. Data Protection Officer Requirement
A health information custodian must designate a contact person. This contact person must be authorized on behalf of the custodian to:
- Facilitate the custodian’s compliance with this Act;
- Ensure all agents of the custodian are appropriately informed of their duties;
- Respond to queries from the public;
- Respond to individual requests for access to or correction of personal health information in the control of the custodian;
- Receive complaints from the public about the custodian’s violations of this Act.
F. Record of Processing Activities
A health information custodian must ensure that the records of personal health information in its custody or control are retained, transferred, and disposed of securely.
All records the custodian retains in relation to access requests must be kept for as long as necessary to allow the individual to exhaust any recourse available under this Act.
G. Cross-Border Data Transfer Requirements
A health information custodian may disclose PHI about an individual to a person outside Ontario only if:
- The individual consents to the disclosure;
- This Act permits the disclosure;
- The person receiving the information operates under requirements similar to those of this Act;
- The disclosure is reasonably necessary for the provision of health care to the individual;
- The disclosure is reasonably necessary for the administration of payments in connection with the provision of health care to the individual; or
- All of the following conditions are met:
  - The custodian is a prescribed entity under this Act;
  - The disclosure is for health planning or health administration;
  - The information relates to health care provided to a person in Ontario who is a resident of another province or territory of Canada; and
  - The disclosure is made to the government of that province or territory.
V. Data Subject Rights
Under PHIPA, individuals have the following rights:
A. Right to Access
All individuals have the right of access to all records of personal health information about them in the control of the health information custodian.
The individual is required to provide a written request for access to their information in sufficient detail to enable the custodian to identify and locate their records with reasonable effort.
Limitations of Access Rights
However, this right does not apply if:
- The record, or the information in the record, is subject to a legal privilege that restricts its disclosure;
- Another law or a court order restricts the individual’s access to the information;
- The requested information was collected or created primarily for use in an ongoing proceeding;
- Both of the following conditions are met:
  - The information was collected or created in the course of an inspection, investigation, or similar procedure authorized by law, or was collected to detect, monitor, or prevent a person from receiving a service; and
  - The inspection, investigation, or similar procedure is ongoing.
- Granting access would:
  - Result in a risk of serious harm to the individual or another person;
  - Lead to the identification of a person required by law to provide information to the custodian; or
  - Lead to the identification of a person who provided the information explicitly or implicitly on the understanding that their identity would be kept confidential.
- Both of the following conditions are met:
  - The custodian is an institution under the Freedom of Information and Protection of Privacy Act or the Municipal Freedom of Information and Protection of Privacy Act, or is acting on behalf of such an institution; and
  - The custodian has refused access to the information under the Freedom of Information and Protection of Privacy Act or the Municipal Freedom of Information and Protection of Privacy Act.
Once the custodian receives such a request, it must:
- Make the record available and, where practical, provide a copy, along with an explanation of the key terms used in it;
- Give written notice if it cannot find the requested record;
- Give written notice if it refuses the request, along with the reason for the refusal;
- Tell the individual how to contest a refusal or make a complaint to the Commissioner.
Response Period
The health information custodian must respond to the request within 30 days of receiving it. This period may be extended by a further 30 days if meeting the request within the original time limit would interfere with the custodian’s operations, or if the time required for the necessary consultations makes it impractical to comply within that period.
Fee for Access
The health information custodian may charge a fee for providing the requested information or a copy of it, provided it first gives the individual an estimate of the fee. The amount must not exceed reasonable cost recovery. The custodian may also waive the fee if, in its opinion, it is fair to do so.
B. Right to Correction
If an individual has been given access to their personal health information, they may request a correction if they believe the information is inaccurate or incomplete for the purpose for which it was initially collected.
Response Period
Once such a request is received, the health information custodian has 30 days to respond with a written notice granting or refusing the request. This period may be extended if meeting the request within the original time limit would interfere with the custodian’s operations, or if the time required for the necessary consultations makes it impractical to comply within that period.
If the individual can demonstrate the validity of their request to the custodian’s satisfaction, the health information custodian must correct the record. However, they are exempt from correcting if:
- It consists of a record not created by the custodian, and the custodian does not have the knowledge, expertise or authority to correct the record; or
- It consists of a professional opinion or observation that a custodian made in good faith about the individual.
VI. Regulatory Authority
The Information and Privacy Commissioner of Ontario has the exclusive authority to enforce the provisions of the law. The Commissioner may, on his or her own initiative, conduct a review of any matter if the Commissioner has reasonable grounds to believe that a person has contravened or is about to contravene a provision of this Act or its regulations and that the subject matter of the review relates to the contravention.
VII. Penalties for Non-compliance
Any entity found guilty of an offence under this Act is liable to:
- If the entity is a person, an administrative penalty of $200,000, a term of imprisonment of not more than 1 year, or both;
- If the entity is not a person, an administrative penalty of not more than $1,000,000.
VIII. How Securiti Can Help
Securiti is the pioneer of the DataAI Command Center, a centralized platform that enables the safe use of data+AI by providing unified data intelligence, controls, and orchestration across hybrid multicloud environments. Its effectiveness and reliability are reflected in the fact that several of the world's leading corporations rely on Securiti for their data AI security, privacy, governance, and compliance needs.
The DataAI Command Center is equipped with several individual modules and solutions that are designed to ensure compliance with all major obligations a business may be subject to under PHIPA. These include DSR automation, consent management, vendor management, and notice management, among several others.
Furthermore, the centralized dashboard allows for real-time insights into a business's obligations and compliance activities, thus enabling proactive interventions whenever necessary or convenient.
Request a demo today to learn more about how Securiti can help you comply with PHIPA, as well as some of Canada’s other major health data regulations.