Privacy of Health Information

Effective date: September 30, 2011

Revised January 2018

Relevant Legislation:

The Health Information Protection Act, 2004 or Bill 31 has come into effect on November 1, 2004. As its title states, it is intended to protect the health information of people in Ontario. It has originated from earlier Federal privacy legislation (Personal Information Protection and Electronic Document Act, or PIPEDA) after requests were made for the passage of made in Ontario’ privacy legislation for medical providers.

The Bill consists of two parts, The Personal Health Information Protection Act, 2004 (PHIPA) and the Quality of Care Information Protection Act, 2004 (QOCIPA). The reasons for enacting the Bill are as follows:

• To establish rules for the collection, use and disclosure of personal health information about individuals that protect the confidentiality of that information in the hands of a health information custodian and the privacy of individuals while receiving health care, (for LOFT this includes all clients & residents.)

• To provide individuals with the right of access to personal health information about themselves, subject to exceptions.

• To provide individuals with the right to require the correction or amendment of personal health information about themselves, subject to exceptions.

• To provide for independent review and resolution of complaints with respect to personal health information.

•To provide remedies for contravention of the Act.


Its underlying principles are:

  • Accountability
  • Identifying Purposes
  • Consent
  • Limiting Collection
  • Limiting Use, Disclosure, Retention
  • Accuracy
  • Safeguards
  • Openness
  • Access
  • Challenging Compliance



LOFT uses PHI (Personal Health Information) to identify service users’ needs related to housing and/or support. This information must be stored in a responsible (locked cabinets/offices and password protected electronic files) way and disposed of in a timely manner when it is no longer required. Client information is never shared with anyone outside of LOFT (except the funder) without written client consent.


Privacy: The fundamental right to control information about ourselves, including its collection, use and disclosure.

Confidentiality: The obligation to protect personal information in our care, to maintain its secrecy and not misuse, or wrongfully disclose it.

Health Information Custodian:

They are defined as:

• Health care practitioners, which includes:

• A member defined under the Regulated Health Professions Act. (e.g. doctors, dentist, and nurse)

• A member of the Ontario College of Social Workers and Social Service Workers who provide “health care.”

• A drugless practitioner under the Drugless Practitioners Act. (e.g. naturopath)

• A person whose primary function is to provide health care for payment. (e.g. acupuncturist)

• Persons or organizations providing community service within the meaning of the Long Term Care Act 1994.


A person or agent who operates:

• A centre, program or service for community health or mental health whose primary purpose is the provision of health care.

• A Hospital, psychiatric facility, medical institution, independent health facility.

• A long-term care facility under the Nursing Homes Act, Charitable Institutions Act, Homes for the Aged and Rest Homes Act, ‘a care home’ under the Tenant Protection Act, 1997.

• A pharmacy.

• A laboratory.

• An ambulance service.

• A home for special care.


• The Minister and Ministry of Health and Long Term Care.

• Medical Officers of Health or boards of health.

• Any other prescribed person or class of persons.


Agent: Anyone authorized by the health information custodian to do anything on behalf of the custodian with respect to personal health information. Agents can include, for example:

• An employee.

• Persons contracted to the custodian to provide services regarding the personal health information. (e.g. copying or shredding service, records management, IT consultant)

• Volunteers and students with access to personal health information.


Health Care: any observation, examination, assessment, care, service or procedure that is done for a health related purpose and is carried out or provided:

• To treat or maintain an individual’s physical or mental health.

• To prevent disease or injury or to promote health.

• As part of palliative care.

• As a community service described in the Long Term Care Act, 1994 which includes the dispensing or selling of drugs or medical equipment.


Personal Health Information: Identifying information about an individual (oral or written) which either provides the identity of the individual, or which can be used alone or with other information to identify the individual. This includes or relates to:

• Information on the physical or mental health of the individual, including information on the individual’s family history.

• Information on the provision of health care to the individual, including identifying the person providing the care.

• The plan of service within the meaning of the Long-Term Care Act, 1994.

• The individual’s health number. (e.g. OHIP card number)

• Identifying the individual’s substitute decision maker.

• Relating to the individual’s eligibility for health care or payment for care.

• Relates to the donation of a body part or bodily substance.

It does not include the medical information of a staff member, contained within their personal file. This material would be protected by other privacy legislation.


Consent: consent regarding how personal health information is collected, used or shared must be given by a client, except in specific circumstances, e.g. such as reporting for public health safety. There are two types of consent, implied or express.


• Implied Consent is where it is assumed by the health care provider (e.g. physician, LOFT) that consent has been given for the collection, use and sharing of health information in order to treat the individual, without directly asking or for the requirement to sign a consent form. The legislation also allows for the health care provider to assume that implied consent has been given in order to use or disclose health information with other health care providers, unless expressly forbidden by the client. Implied consent is assumed within the ‘circle of care’ given to the client.

• Express Consent is where the health care provider is required to request the client’s consent, either orally, in writing or electronically, before the health information can be shared. This is required where the health care provider:

1) Shares personal health information with someone who is not a health information custodian, or not within the circle of care (e.g. employer, insurance agent, fundraiser)

2) Shares personal health information between health care providers for a purpose other than providing health care.



The elements of consent are:

• It is given by a knowledgeable or capable individual or an authorized substitute decision maker of the client.

• Provides clear identification of the information that is collected, used and disclosed and the purpose for which it is to be collected, used or disclosed.

• Not be obtained by deception or coercion.

• Provides the right and effect of withdrawal of consent. (Not retroactively)


Capable Individual:

A capable client is one who has the ability to understand the information that is relevant to deciding whether to give consent to the collection, use or sharing of information, or to appreciate the consequences of giving, not giving, withholding or withdrawing consent. A capable client can be of all ages and is entitled to make their own decisions regarding personal health information. However, clients under the age of sixteen can have their parents or guardians make decisions on their behalf, unless the client has expressly stated he/she does not want the parent or guardian to make decisions on their behalf, or the client has already made treatment decisions with regards to their care. When an individual is not capable of making decisions in respect to their personal health information, there must be a substitute decision maker over the age of sixteen, to whom LOFT can turn to for consent to be able to collect, use or disclose information on behalf of the individual. This substitute (it should only be one) can include: a court appointed guardian; an attorney for personal care; a representative appointed by the Consent and Capacity Board; spouse or partner; a child or parent; a brother or sister; any other relative; the Public Guardian or Trustee (as a last resort).



In relation to the personal health information in the custody or under the control of LOFT, to disclose means to make the information available, or to release it to another health information custodian or to another person. The Act permits LOFT (Part IV, Ss 38-50), to disclose personal health information without a client’s express consent, where the disclosure is:

• To health care practitioners within the circle of care (e.g. long-term service providers, health care facilities, other programs/services), if the disclosure is:

1) – reasonably necessary for the provision of health care

2) – not reasonably possible to obtain consent in a timely manner

3) – the client has not instructed LOFT not to make the disclosure

• To determine or verify eligibility for government programs or related benefits or services.

• In order for the Minister or other agency to determine or provide funding or payment for the provision of health care; or, in order for the Minister to monitor or verify claims for payment for health care funded by the Ministry.

• To a person conducting an audit, inspection, investigation or similar procedure that is authorized by a warrant or under an Act.

• To the Medical Officer of Health or Public Health Authority within the meaning of the Health Protection and Promotion Act if the disclosure is necessary for the purpose of eliminating or reducing a significant risk or serious bodily harm to a person or group of persons.

• For contacting a relative, friend or substitute decision maker of an individual who is incapacitated, injured or ill and is unable to give consent.

• In order to identify the individual if the individual is reasonably suspected of being deceased, or to relatives of the deceased who require the information to make decisions about their own health care.


• To a prescribed person who compiles and maintains a health information registry.

• For the purpose of a proceeding or contemplated proceeding in which LOFT or a staff member is expected to be a party or witness if the information relates to, or is a matter in issue in the proceeding.

• In order to comply with a summons, order or similar requirement issued in a proceeding by a person having jurisdiction to compel the production of the information.

• For the purposes of research if the research project is approved by an ethics board or similar body.

• To a prescribed body for the purpose of analysis or compiling statistical information with respect to the management, monitoring, evaluation of resources or for the planning of all or part of the health system.

• To a professional health or social work college for the purpose of enforcement or administration of the college’s governing Act.

• As permitted or required by law.




Privacy Officer:

The Privacy Officer is the person or persons appointed by LOFT to:

• Address privacy questions, concerns or challenges regarding personal health information.

• Ensure the improvement and security of information handling practices.

• Provide privacy training and orientation to all staff, volunteers and students.

• Update and revise program privacy policies and procedures.

• Allow and monitor individuals requesting access to their personal health information.

• Make decisions regarding the capacity or incapacity of clients.



As a result of PHIPA, LOFT is now legally responsible for the personal health information in its custody and control. It must also take certain steps to fulfill this responsibility. Clients have also been given rights under the legislation.

Employer’s Obligations:

• To put in place information practices that comply with the Act. (e.g. to take steps to ensure the records are accurate, complete and appropriately stored, transferred or disposed of)

• To collect only the personal health information needed to provide the care.

• To take steps to safeguard the personal health information in LOFT’s care and control. (e.g. protection against theft, loss, unauthorized use, disclosure, copying, modification or disposal; all records are properly transferred or disposed of after active use)

• To provide a written description of the practices in use to protect this information.

• To obtain an individual’s consent when collecting, using and disclosing personal health information, except in limited circumstances.

• To designate a contact person(s) or privacy officer(s) whom individuals can contact if they have any questions or concerns regarding their personal health information.

• To ensure that employee’s or agents are appropriately informed of their obligations regarding personal health information.

Staff Obligations:

• To comply with program operational polices/procedures and LOFT principles by keeping client information confidential at all times.

• To ensure that consent has been given by the client when collecting, using and sharing personal health information.

• To keep all client notes and files current at all times.

• To attend training or orientation regarding client privacy.

Client’s Rights:

• To understand the reason for the collection, use and disclosure of personal health information.

• To give permission or “consent” to how their personal health information is collected, used and shared.

• To withdraw their consent, or place restrictions on what, or with whom their personal health information is shared.

• To request access to their personal health information.

• To request corrections be made to their personal health records.

• To complain to the Information Privacy Commissioner about the manner, in which LOFT has collected, used, disclosed or handled their personal health information.


See program manual.