Changes to the Personal Health Information Protection Act (PHIPA)

The Health Information Protection Act was originally established in 2004 and consisted of two important pieces of legislation: PHIPA and the Quality of Care Information Protection Act.  The intent of the PHIPA portion of the act was to safeguard the privacy of individuals by creating a set of rules for the collection, use and disclosure of personal health information.

In response to growing concern regarding privacy violations, amendments to the Health Information Protection Act (Bill 119), received Royal Assent in the Ontario legislature in May of this year.  The primary purpose of these changes was to enhance the privacy and security of personal health records and to improve transparency when a privacy breach occurs. The key PHIPA amendments contained within Bill 119 are as follows:

1. Revised Definition of “Use”

The definition of “use” has been amended by striking out “means to handle or deal with the information” and substituting “means to view, handle or otherwise deal with the information”.

2. Enhanced Reporting Requirement

  • In the event of a privacy breach, it is mandatory for health information custodians (i.e., the person or organization who has custody and control of the records) to notify the affected individual at the first reasonable opportunity.
    • The law now also requires the health information custodian to notify the affected individual of their right to make a complaint regarding the breach to the Information and Privacy Commissioner of Ontario.
    • As defined in regulation, health information custodians will also be required to report certain privacy breaches directly to the Information and Privacy Commissioner.
  • If a health information custodian takes any disciplinary action against a member of a regulated health care profession because of that member’s unauthorized collection, use, disclosure, retention or disposal of personal health information, the health information custodian must now report that fact to the member’s regulatory College.
    • This includes situations where a custodian suspends or terminates a member’s employment or revokes or restricts a member’s practice. It also includes situations where the member resigns in the face of such action. [1]
    • This notice must be given within 30 days of the disciplinary action or resignation occurring and it must be in writing. Additional requirements or exceptions may be set out in a future regulation.
  • In the event of a privacy breach, the responsible agent of a health information custodian (e.g., an RT working for a hospital or home care company) is required to inform the health care custodian at the first reasonable opportunity.

[1] Note: these requirements under PHIPA overlap with the mandatory reporting provisions already in existence in the Regulated Health Professions Act (RHPA), which require employers to report when a member has been terminated or had their practice restricted for reasons of professional misconduct, incompetence or incapacity.

3. Increased Fines for Privacy Breaches

The maximum fines for privacy breaches have been increased from $50,000 to $100,000 for individuals and from $250,000 to $500,000 for organizations.

4. Strengthened Processes for the Prosecution for Privacy Breaches

The process to prosecute offences under PHIPA has been strengthened by removing the requirement that prosecutions must be commenced within six months of when the alleged offence occurred.

For More Information

For more information on how the amendments to PHIPA impact RT practice, please contact Carole Hamp, RRT, Manager of Quality Practice, at