Ontario's Health Privacy Legislation Comes into Force

On November 1, 2004, Ontario adopted new legal protections for health information which will have broad implications for patients, as well as for physicians, medical labs, hospitals, insurance companies and others who have custody or control of personal health information in the province. The new Personal Health Information Protection Act (Act, or PHIPA) imposes familiar "˜fair information practices' on the collection, use and disclosure of personal health information that are designed to safeguard the integrity and confidentiality of such information. Like most Canadian privacy laws, PHIPA also provides individuals a right of access and correction or amendment to personal health information, subject to limited exceptions. Unlike most privacy laws of general application, the Act is tailored to the health context and includes some unique provisions, including a "lock-box" clause which allows patients to instruct a health information custodian not to disclose specified personal health information to another custodian, subject to specific exceptions. PHIPA designates the Office of the Information and Privacy Commissioner of Ontario as the agency responsible for overseeing compliance. It also gives individuals the right to complain to the Commissioner about the privacy practices of any healthcare practitioner or organization covered by the Act. Organizations can be liable for up to $250,000 for offences under the Act, while individuals within organizations can be personally liable for fines of up to $50,000. Offences include: wilfully collecting, using or disclosing personal health information in contravention of PHIPA; obtaining or attempting to obtain health information under false pretences; knowingly disposing of health records to avoid providing access; misusing Ontario health card numbers; obstructing the Commissioner or one of its delegates in the performance of its oversight functions; disciplining or harassing an individual who has alerted the Commissioner of an alleged contravention; or failing to comply with a Commissioner's order. This is the second attempt at health privacy legislation in Ontario. An earlier health privacy bill was abandoned in 2001 by the Conservative government after several stakeholders, including the then federal Privacy Commissioner, criticized it as being insufficient. The federal Commissioner had argued it would be unlikely to meet the test for "substantial similarity" to the federal Personal Information Protection and Electronic Documents Act (PIPEDA). This would have meant that the federal statute would continue to apply to the collection, use and disclosure of health information. Even if the Act is accepted as being substantially similar by the federal government, PIPEDA will still apply to all commercial exchanges of personal health information between provinces and territories and to information transfers outside Canada. Full text of Personal Health Information Protection Act, SO 2004, c 3: http://www.e-laws.gov.on.ca/DBLaws/Statutes/English/04p03_e.htm. For frequently-asked questions on PHIPA, visit: http://makeashorterlink.com/?L2C341DB9. For the full text of PIPEDA, see: http://www.privcom.gc.ca/legislation/02_06_01_01_e.asp. Summary by: Jason Young