Law & Governance

Law & Governance 9(2)


Kathy O'Brien


The Personal Health Information Protection Act, 2004 ("PHIPA") came into force on November 1, 2004. Below are some Frequently Asked Questions regarding PHIPA.

What is the so-called "circle of care"?

PHIPA deems a person to have given implied consent to disclose their personal health information within the "circle of care" for the purpose of providing healthcare to that patient. The term isn't actually found in PHIPA, but it means the following health information custodians: healthcare practitioners, CCACs, service providers to CCACs, public hospitals, private hospitals, mental hospitals, psychiatric facilities, independent health facilities, homes for the aged, nursing homes, pharmacies, laboratories, ambulances, and community health or mental health centres.

How can we tell whether we have a patient's "implied consent"?

The elements of implied consent are two-fold:

  • The hospital must post a notice, where the patient is likely to see it, describing how it intends to collect, use and disclose the patient's personal health information; and
  • The notice must give the patient the option to withhold consent. For example, "Unless you tell us not to, we will tell anyone who calls the hospital or visits the hospital asking about you that you are in the hospital (room #, extension #). We will also share your basic health condition."

We regularly allow chart reviews (for research purposes) to be conducted by our physicians without patient consent. Will PHIPA change this?

Yes. Any research, including chart reviews, conducted without the patient's consent must follow the detailed Research Ethics Board review process outlined in PHIPA (section 44 and further elaborated upon in Regulation 329/04).

Under PHIPA, can we report gunshot wounds to the police?

No. There is other legislation that has been introduced by the Ontario government that, if and when passed, will require hospitals to report the fact of a gunshot wound victim to the local police. However, until that legislation (Bill 110) is passed, there is still a requirement to obtain patient consent to disclose a gunshot wound to police, unless disclosure is "necessary for the purpose of eliminating or reducing a significant risk of serious bodily harm to a person or group of persons" (section 40).

What happens if we find out an employee has accessed a patient's record without needing to?

Under PHIPA the hospital has a new legal duty to notify any patient whose record has been accessed by an unauthorized person, at the first reasonable opportunity. Any employee, volunteer, professional staff member or student who is aware that personal health information has been lost, stolen, or accessed by an unauthorized person is also required to report that information to the hospital. The hospital's privacy policy must have a section requiring compliance from all employees, volunteers, professional staff members, and students, and disciplinary action for breach of the privacy policy must be taken by the hospital.

How will our hospital's relationship with our foundation change?

PHIPA and its regulations dictate that only the name of the patient and the patient's mailing address (or the name and mailing address of the patient's substitute decision-maker) can be disclosed to the foundation without the patient's consent (express or implied), for fundraising purposes. Even with the patient's consent, the following conditions apply to the disclosure of personal health information to a foundation for fundraising purposes:

  • The patient must be given notice that his or her personal health information will be disclosed to the foundation for fundraising purposes and given the chance to withhold consent for 60 days;
  • All further solicitations must provide the patient with an easy way to opt out of receiving the solicitations; and
  • The communications cannot include any information about the individual's healthcare or state of health.

Hospitals should cease to provide personal health information to their parallel foundations until they have a commitment from the foundation to comply with these requirements. Hospitals should request and review the foundation's privacy policy to ensure it is in compliance with these requirements.

Our foundation regularly sends out campaign contribution requests to the community at large. Will this be a violation of PHIPA if a recipient has recently been discharged from the hospital?

No, as long as the foundation is sending a general mailing and that mailing is not based on names and contact information received from the hospital. If the mailing is based on names and contact information received from the hospital, the foundation must not target any patients who were admitted to or treated at the hospital less than 60 days ago.

We have physicians carrying on private practice from offices they rent in our hospital. Must they comply with our privacy policy?

No. Physicians carrying on a private medical practice on hospital premises are not agents of the hospital. They are responsible for their own personal health information that they collect as health information custodians. Physicians are, however, required to comply with the hospital's privacy policy and information practices where they are acting as agents of the hospital and collecting, using or disclosing the personal health information of hospital patients.

About the Author(s)

Kathy O'Brien is a partner at Cassels Brock LLP. She practises corporate and commercial law, focusing on healthcare issues for not-for-profit and charitable corporations. She can be reached at


Reprinted with permission.

