- Report a Privacy Breach
- Collection, Use and Disclosure of Personal Health Information
- Responding to a Privacy Breach
- Unauthorized Access
- Access and Correction
- PHIPA Complaint Process
- Safeguarding Personal Health Information
WHAT IS A DISCLOSURE OF PERSONAL HEALTH INFORMATION UNDER PHIPA?
The term “disclose” means to make the personal health information available or to release it to another health information custodian or person. It does not include using the personal health information or providing it back to the person who provided it or disclosed it in the first place, whether or not it has been manipulated or altered, as long as it does not include additional identifying information.
WHAT ARE THE RULES REGARDING THE DISCLOSURE OF PERSONAL HEALTH INFORMATION?
As a general rule, you need consent to disclose an individual’s personal health information, unless PHIPA allows the disclosure without consent. You must not disclose personal health information if other information will suffice, and you can only disclose as much personal health information as is necessary to meet the purpose of the disclosure.
For more information about the requirements for a valid consent to disclose personal health information, please see our section on Consent and Your Personal Health Information and our guidance document, Frequently Asked Questions: Personal Health Information Protection Act.
When disclosing personal health information, you need to take reasonable steps to ensure that no information is inadvertently disclosed to unintended recipients. You also need to take reasonable steps to ensure that the information is as accurate, complete and current as is necessary for the purposes of the disclosure or clearly set out the limitations, if any, on the accuracy, completeness or currency of the information.
WHEN CAN PERSONAL HEALTH INFORMATION BE DISCLOSED WITHOUT CONSENT?
You may disclose personal health information without an individual’s consent in certain circumstances. However, simply because a disclosure is permitted does not mean it is mandatory, unless it is necessary to carry out a statutory or legal duty.
Here are some examples of permitted disclosures of personal health information without consent:
- In order for the Ministry of Health and Long-Term Care to provide funding to a custodian for the provision of health care;
- You need to contact a relative or friend or other potential substitute decision-maker of an individual who is injured, incapacitated or ill and unable to give consent personally;
- To disclose that an individual is a patient or resident in a facility, the individual’s general health status and the location of the individual in the facility, but only if the custodian offers the individual the option, at the first reasonable opportunity after admission to the facility, to object to such disclosures and the individual has not objected;
- To disclose personal health information about a deceased individual:
- for the purpose of identifying the individual;
- for the purpose of informing any person whom it is reasonable to inform of the fact that the individual is deceased and the circumstances of death, where appropriate; or
- to the spouse, partner, sibling or child of the deceased individual if the recipients of the information reasonably require the information to make decisions about their own health care or their children’s health care;
- To eliminate or reduce a significant risk of serious bodily harm to a person or group of persons;
- When transferring records to the archives for conservation;
- To a person carrying out an inspection, investigation or similar procedure that is authorized by a warrant or PHIPA or another Act, for the purpose of complying with the warrant or for the purpose of facilitating the inspection, investigation or similar procedure;
- To determine or verify someone’s eligibility for publicly funded health care or related goods, services or benefits;
- For the purpose of administration and enforcement of the law by specific professional regulatory colleges and other regulatory bodies;
- To a prescribed person, listed in the regulations, who compiles and maintains a registry of personal health information for the purposes of facilitating or improving the provision of health care or the storage or donation of body parts or bodily substances;
- To a prescribed entity, listed in the regulations, for the purpose of analysis or compiling statistical information with respect to the management, evaluation or monitoring of the health system;
- To the Public Guardian and Trustee, a children’s aid society and the Children’s Lawyer for the purpose of carrying out their statutory functions;
- To a person conducting an audit or reviewing an accreditation or application for accreditation related to the services of a custodian;
- For the purpose of legal proceedings, or contemplated legal proceedings, in which the custodian or the agent or former agent of the custodian is, or is expected to be, a party or witness, if the information relates to or is a matter in issue in the proceeding or contemplated proceeding;
- For the purpose of research, subject to restrictions and conditions;
- For any purpose as required or permitted by law; and
- To a custodian (provided that custodian falls within the categories of custodians who can rely on assumed implied consent) if the disclosure is reasonably necessary for providing health care and consent cannot be obtained in a timely manner, unless there is an express request from the individual instructing otherwise.
This post is also available in: French