The Personal Health Information Protection Act, 2004 (PHIPA); Updates and Resources

The Personal Health Information Protection Act, 2004 (PHIPA) recently has been amended with some key changes.  This include requirements to:

  • establish and monitor an audit log for any electronic health records to record who accesses which parts of which client’s records and when, so as to prevent snooping or other privacy breaches;
  • provide client access to an electronic version of their record to facilitate portability of those records; and
  • become familiar with the rules about sharing, or managing requests to disclose, information with consumer electronic service providers who operate apps and on-line portals through which clients can access and store their personal information.

The amendments also provide new powers to the Privacy Commissioner of Ontario to access information from custodians (e.g., access to the electronic health record audit log), impose administrative monetary penalties for non-compliance with PHIPA, and a doubling of the fines for offences under PHIPA.

Some recent documents provided by the Health Professions Regulators of Ontario, an umbrella group of Ontario Health Regulatory Colleges, contains information about PHIPA which will be useful for College members to review. The information was provided by Steinecke Maciura LeBlanc, a leading law firm with a focus on professional regulation.  It was written as a general overview of the Personal Health Information Protection Act, 2004 for regulated health professionals in Ontario. It is not intended to provide legal advice. 

The document, What You Need to Know About Privacy Law is an excellent and relatively short summary of commonly discussed aspects of PHIPA.

A document entitled The Personal Health Information Protection Act, 2004: A Guide for Regulated Health Professionals, originally prepared by Richard Steinecke in 2004 and most recently updated in 2020, is a more detailed guide.  This guide contains important information about, among other things, creating policies, procedures and practices relevant to the collection, use and disclosure of  personal health information; responding to requests for access and correction of information; and what to do in the event of a privacy breach. It also contains a number of sample documents, including a sample consent form which members may find useful.

This information was not prepared by the College and is intended only as general guidance to members. It may not be applicable to all situations. Where legislative interpretation in a particular situation is necessary, it should be sought from a lawyer authorized and qualified in this area.

For members who wish to find out more about any of the recent amendments to PHIPA, the website of the Office of the Privacy Commissioner of Ontario is a good source of additional information.