Updated Privacy Expectations

Changes were made to the Personal Health Information Protection Act (PHIPA) in 2020 and health professionals should be familiar with them.

Read the Updated 2020: Guide to PHIPA

Key changes include:

  • Health Information Custodians will be required to establish and monitor an audit log for any electronic health records. The log must keep track of who accesses which parts of a patient’s records and when, to prevent snooping or other privacy breaches.
  • Health Information Custodians using electronic health records will have to provide patients access to an electronic version of their records to allow for patient portability of their records. New rules are coming for consumer electronic service providers (e.g., apps and online portals where patients can access and store personal information about themselves). Even PTs who do not use those apps or portals will need to become familiar with the rules about sharing, or managing requests to disclose, information with the consumer electronic service providers.
  • The Information and Privacy Commissioner (IPC) has been given significant additional powers, including increased access to information from Health Information Custodians (e.g., access to the electronic health record audit log), the ability to impose administrative financial penalties for non-compliance with PHIPA and doubling of fines for offences under PHIPA.
  • Do not forget that you must notify the Information and Privacy Commissioner immediately of any significant privacy breaches. You are required to file an annual statistical report with the IPC outlining all privacy breaches.


Ontarians have the right to privacy. Health care professionals must follow the rules of the Personal Health Information Protection Act (PHIPA).

PHIPA governs the collection, use and disclosure of ‘personal health information’ (such as identifying information about an individual that relates to their physical or mental health) by Health Information Custodians (HICs). Healthcare practitioners, hospitals and pharmacies are all defined as HICs. Agents of HICs (for example, employees of a physiotherapy clinic) hold the same duties and responsibilities as HICs under the Act.

As of January 1, 2018, changes were made to Ontario’s Personal Health Information Protection Act (PHIPA). If you are a Health Information Custodian (HIC) working in a hospital or a clinic owner it is important to understand how the rules will affect your organization. One of the most critical changes requires health organizations document privacy and data breaches.

As of March 1, 2019 you could be asked by the Information and Privacy Commissioner to show a record of your breaches from the past year. 

What You Need To Know About Privacy Breaches

  • Health Information Custodians (HICs) must determine that the loss or unauthorized use or disclosure of personal health information is significant after considering all relevant circumstances, including whether the personal health information is sensitive, whether the loss or unauthorized use or disclosure involved a large volume of personal health information or involved many individuals’ personal health information and whether more than one health information custodian or agent was responsible for the loss or unauthorized use or disclosure.

  • Health Information Custodians must notify the affected person at the first reasonable opportunity, mentioning that a complaint may be made to the Information and Privacy Commissioner of Ontario. Examples might include stolen or lost charts, or if health information about patients erroneously included in a distribution email sent to individuals not involved in the care of the patient. 

  • Agents of Health Information Custodians (e.g. the PT) must let their employer know at the first reasonable opportunity and ensure that the breach is contained.

  • The HIC must notify the regulatory College if an employee or agent of the custodian was terminated, suspended or subject to disciplinary action as the result of a breach.

  • Disciplinary action can include suspension or termination of employment, revocation or restrictions on privileges or business affiliations, or situations where a member resigns before disciplinary actions are completed.

  • You must notify the College in writing within 30 days of an action or resignation.

What You Need To Do

You must notify the Information & Privacy Commissioner, if you have reasonable grounds to believe a breach has occurred.

These are the types of breaches to be aware of:

  • lost information
  • use of information without authority and becoming aware the information is used after the initial breach
  • patterns of conduct of unauthorized disclosure
  • significant breaches
  • disciplinary actions against both a PT and another non regulated professional (for example: office staff or a PTA).

When to Notify Colleges

PHIPA already requires HICs to notify a College if a member is terminated, suspended or subject to disciplinary action as the result of unauthorized collection, use, disclosure, retention or disposal of personal health information.

The new rules expand that obligation, now requiring HICs to notify a College of an event relating to a loss or unauthorized use or disclosure of personal health information. 

Information and Privacy Commissioner — Mandatory Statistics Reporting 

According to rules under the Personal Health Information Protection Act (PHIPA), health information custodians in Ontario are required to report statistics relating to health privacy breaches annually to the Information and Privacy Commissioner of Ontario. 

The report details the number of times that personal health information held by a health information custodian (HIC) was stolen, lost, used without authority and/or disclosed without authority. The other sections of the report focus on the cause of the breach and the number of individuals affected. 

Health information custodians that have experienced at least one health privacy breach during the reporting year (January to December) are required by law to complete the online questionnaire. The deadline to submit is March 1 of each year.

If you have zero privacy breaches you are not required to submit a report. 

Note that HICs that are also organizations under FIPPA/MFIPPA (including hospitals and universities) have a separate statistical reporting obligation, with an annual deadline of March 31. This is not a requirement for physiotherapy clinic owners.

IPC Statistical Reporting Guides & Workbooks

IPC Health Privacy Breach Statistical Report FAQs

Have Questions? Contact the Practice Advisor

practiceadvice@collegept.org | 647-484-8800 | 1-800-583-5885