Protecting personal health information is not just good business practice for Ontario’s health and wellness providers; it’s a legal obligation. Whether you operate a medical clinic, dental office, physiotherapy clinic, massage therapy practice, or any other wellness-related business, you are subject to provincial and federal privacy laws. Understanding your responsibilities is essential for legal compliance and building patient trust.
This blog post outlines the key legal requirements around patient privacy in Ontario, common pitfalls, and practical tips for health and wellness businesses to stay compliant.
Understanding PHIPA: Ontario’s Health Privacy Legislation
Ontario’s primary legislation governing personal health information is the Personal Health Information Protection Act (PHIPA). PHIPA sets out rules about how personal health information (PHI) must be collected, used, and disclosed by health information custodians (HICs).
A health information custodian under PHIPA includes:
- Regulated health professionals (e.g., physicians, dentists, physiotherapists, chiropractors)
- Hospitals, pharmacies, laboratories
- Community care access centres
- Long-term care homes and retirement homes
If your business delivers health care services and handles personal health information, you are likely considered a HIC under PHIPA.
What Is Personal Health Information (PHI)?
Personal health information (PHI) under PHIPA refers to any identifying information about an individual that relates to their physical or mental health, including:
- Medical history, test results, diagnosis, or treatment
- Health insurance information
- Information collected in the course of providing health services
- Any identifying information about the individual that is collected during the delivery of health care services
This means even administrative data, like an appointment record with a name and time, may qualify as PHI.
Consent: The Cornerstone of Patient Privacy
Under PHIPA, consent is required to collect, use, or disclose PHI. There are two types of consent: express and implied.
- Express consent is a direct verbal or written agreement from the individual. It is typically required when disclosing information outside the circle of care to third parties such as insurance companies, lawyers, or employers.
- Implied consent exists when it is reasonable to believe the patient is aware of how their information will be used and has not objected. This is common within the circle of care, that is, the broader community of providers involved in an individual's care.
Health care providers must also inform patients how their information will be used, with whom it may be shared, and the safeguards to protect it.
Obligations of Health Information Custodians
Health information custodians (HICs) must ensure that personal health information is kept secure and confidential and that only authorized staff can access it. Records must be stored and disposed of securely, and there must be policies and procedures for handling PHI.
In addition, HICs must designate a contact person responsible for privacy compliance and handling patient complaints. They must also report any privacy breaches to the Information and Privacy Commissioner of Ontario in accordance with mandatory reporting requirements.
Electronic Health Records and Digital Privacy
As more health businesses adopt electronic medical records, data security becomes increasingly complex. PHIPA does not prohibit digital records but does require that health information be adequately protected from unauthorized access, loss, or theft.
Best practices include:
- Encrypting stored and transmitted data
- Using strong passwords and two-factor authentication
- Regularly updating software
- Limiting access to those who need it
Businesses must also have agreements with third-party vendors (like cloud storage providers) to ensure they meet PHIPA requirements.
Third-Party Service Providers and Privacy Risk
If your business outsources billing, information technology (IT), marketing, or transcription services, those service providers may have access to PHI. Under PHIPA, you remain responsible for how your patients’ information is handled.
It’s critical to carefully vet third-party providers and sign written agreements outlining their privacy obligations. Information shared with external contractors must be limited to what is necessary for the service, and the business should conduct ongoing monitoring and compliance checks.
Dealing with Privacy Breaches
A privacy breach occurs when PHI is stolen, lost, or accessed without authorization. PHIPA requires HICs to notify affected individuals as soon as possible and to inform the Information and Privacy Commissioner of certain breach types (e.g., deliberate snooping, large-scale breaches, or recurring issues). Businesses must keep records of all privacy breaches for at least one year.
Failing to report or respond appropriately can lead to significant fines and reputational damage. The Information and Privacy Commissioner has the authority to investigate complaints and issue orders, including administrative penalties.
Employee Training and Internal Policies
Employee negligence is one of the leading causes of privacy breaches. Every health and wellness business should implement privacy training and internal policies covering confidentiality obligations, appropriate access to patient records, secure record handling and disposal, and reporting suspected breaches.
Training should be repeated regularly and documented.
Balancing Marketing and Privacy
Many health and wellness businesses use email marketing or social media. PHIPA and Canada’s Anti-Spam Legislation (CASL) both apply.
Key considerations:
- Do not use patient personal health information for marketing without express consent
- Maintain separate records for marketing contacts
- Ensure marketing messages comply with CASL (e.g., consent, unsubscribe mechanisms)
Even testimonials or photos used in promotional materials require written consent.
Practical Tips for Remaining Compliant
Here are steps your business can take to remain compliant:
- Conduct a privacy audit to identify risks.
- Develop a clear, written privacy policy and share it with patients.
- Appoint a Privacy Officer to oversee compliance.
- Implement secure data handling procedures.
- Ensure contracts with third-party providers include privacy clauses.
- Train staff and update training annually.
- Stay current on legislation changes and Information and Privacy Commissioner guidance.
The Benefit of Experienced Legal Advice
While many privacy practices can be implemented internally, consulting a business lawyer experienced in privacy law is essential for mitigating risk. Your privacy lawyer can assist in drafting or reviewing service provider agreements and in responding to privacy complaints or investigations by the Information and Privacy Commissioner. They can also develop privacy policies for new technologies or services and help manage complex or large-scale breaches.
Bader Law: Oakville Business Lawyers Advising Ontario Businesses on Client Privacy
Protecting patient privacy isn’t just a legal requirement; it’s part of ethical health care and a foundation for patient trust. Bader Law helps Ontario health and wellness businesses understand their obligations under PHIPA and related legislation. Our business lawyers have extensive experience with privacy matters and help clients implement effective policies and procedures. We also ensure all staff and third-party providers align with privacy best practices. To discuss your privacy-related business law matter with our team, please call (289) 652-9092 or contact us online.