What’s the same?

All Ontario health care professionals need to comply with the Personal Health Information Protection Act, 2004 (PHIPA). PHIPA ensures privacy, access, security and confidentiality when collecting, using, disclosing, correcting or destroying personal health information.

More about PHIPA

PHIPA establishes rules for working with patient information. As a health professional, you need to:

  • Ensure the information collected is accurate, complete and up-to-date
  • Ensure that information is protected against theft, loss and unauthorized use or disclosure (this includes not disclosing certain information to other health professionals when requested by patients by putting it into a “lock-box”  (the Office of the Information and Privacy Commissioner of Ontario (IPC) has a great resource – link provided below)
  • Ensure authorized individuals are able to access the information when required
  • Ensure records containing personal health information are protected against unauthorized copying, modification or disposal
  • Notify patients if information is stolen, lost, accessed by unauthorized persons or disclosed without authorization
  • Ensure health records are retained, transferred and disposed of in a secure manner
  • Develop privacy policies and designate a contact person
  • Inform patients/clients about information practices including how to obtain access to or request correction of a record(NOTE: When a correction is made to a record, the original content should be preserved and the person making the correction should be identified along with the reason for the correction. See also the section on correcting records).

What is a Health Information Custodian and do I need one?

Under PHIPA, a Health Information Custodian (HIC) is responsible for custody and control of a patient’s health record and for ensuring the rules of PHIPA are met.

The HIC can be an individual health care provider, a corporation, an organization or a facility (as described in PHIPA). It depends on the situation.

When health care providers work together in an inter-professional setting, there should be a single HIC or single place for patients to go to access their health information.

Be clear about who is the HIC and be certain that the HIC is willing and able to comply with the rules of PHIPA. A written agreement outlining the expectations of the HIC and anyone acting on behalf of the HIC (for example, a contact person) is recommended.

What’s different?

There are no significant differences between the Colleges. We all need to protect health information.

In Practice

Willow Pines Rehab Clinic has a number of health professionals on staff:

  • Chen, physiotherapist
  • Ingrid, occupational therapist
  • Rakesh, chiropractor
  • Sara, massage therapist
  • Fatima, kinesiologist
  • Greg, audiologist
  • Carol, speech-language pathologist

Although it is rare for a patient to seek treatment from all seven health professions, many patients do see more than one practitioner. Having multiple patient files within the same clinic made it difficult for both patients and providers. Willow Pines decided to create a single patient file in which all providers document information and have the clinic owner take on the responsibilities of the HIC. Centralizing oversight of the privacy, security and confidentiality requirements made sense for the patients (looking for a copy of their record) and made life easier for the providers.


The Personal Health Information Protection Act, 2004

Office of the Information and Privacy Commissioner of Ontario, including:
1.    Guide to PHIPA
2.    Frequently Asked Questions: PHIPA
3.    Lock-Box Fact Sheet