Application of the Legislation: Who and What Is Covered?

AuthorHalyna N. Perun; Michael Orr; Fannie Dimitriadis
2Application of the
Legislation: Who and
What Is Covered?
The Personal Health Information Protection Act, 20041primarily governs the col-
lection, use, and disclosure of personal health information by health informa-
tion custodians.2Further, the Act provides patients3with a right to request
1 S.O. 2004, c. 3, Sch. A [PHIPA].
2 Both “personal health information” and “health information custodian” are defined in
PHIPA and discussed in detail below.
3 “Patient” is used largely throughout this book as the most immediately understandable
term to refer to the person who is the subject of personal health information. PHIPA uses
the term “individual” to refer to the subject of personal health information. “Individual” is
defined to mean “the individual, whether living or deceased, with respect to whom the
information was or is being collected” (see PHIPA, s. 2). Of course, not all persons and
entities in the health sector use the word “patient” in all contexts to describe recipients of
health care services. Depending on the context, the subject of the personal health informa-
tion may more appropriately be called a “client” or “resident,” etc. or may be a patient, out-
patient, former patient, or deceased patient. Nevertheless, for consistency and ease of
reference, this Guide commonly uses the term “patient” to refer to all of these. Further-
more, when referring to a “patient” or “individual” providing a consent, making a request
(e.g., for access or correction), providing an instruction, or taking some other step, the
word “patient” or “individual” also can be read as including the patient’s “substitute deci-
sion-maker” (see PHIPA, s. 25, and Chapter 6). The Guide does not generally repeat the
phrase “patient or his or her substitute decision-maker, as the case may be,” but in gener-
al, references to “patient” include references to the patient’s substitute decision-maker.
access to and correction of their records of personal health information held by
health information custodians. PHIPA also imposes administrative require-
ments on custodians with respect to records of personal health information. In
other words, recognizing that the collection, use, and disclosure of personal
health information in the health sector requires special rules, PHIPA focuses
on personal health information in the health sector specifically.
For the most part, persons who PHIPA identifies as health information
custodians are those who would be expected to fall into that category as a result
of their role in the health care sector. They are persons who gather, create, and
hold personal health information as a fundamental aspect of their work. They
are persons who are accustomed to dealing with sensitive health information,
and most have long been subject to confidentiality requirements.4
Although it focuses on health information custodians, PHIPA also
extends its reach to apply in a narrower manner to persons who are not custo-
dians, but to whom a health information custodian disclosed personal health
information. The Act refers to these persons as “recipients.”5In addition,
PHIPA recognizes that health information custodians will often act through
agents, and creates rules governing the activities of such agents in handling
personal health information. Further, the Act governs the activities of persons
who provide services to health information custodians to enable the custodians
to use electronic means to deal with personal health information. Finally,
PHIPA governs the activities of all persons with respect to health numbers.
The scope of the Act could have been different. The Act could have been
drafted so as to apply to the collection, use, and disclosure of personal health
information by all entities, and not focus primarily on the activities of health
information custodians. Alternatively, the Act could have been drafted to address
the collection, use, and disclosure of all personal information, rather than only
personal health information.6Canada’s federal Personal Information Protection
and Electronic Documents Act establishes rules for the collection, use, and disclo-
4 Confidentiality requirements for physicians date back to ancient times and the Hippo-
cratic Oath. Legislation governing regulated health professionals and hospitals have
included confidentiality requirements for some time. See, for example, Professional
Misconduct, O. Reg. 856/93, ss. 1(1)[10] and 1(2), made under the Medicine Act, 1991,
S.O. 1991, c. 30. Professional organizations have also included confidentiality require-
ments in their codes of ethics. See Canadian Medical Association, Code of Ethics
(Update 2004), which includes provisions concerning the privacy and confidentiality
of a patient’s personal health information, online at .
5 The term “recipient” is used in the heading for PHIPA, s. 49(1).
6 As discussed in Chapter 1, in February 2002 Ontario’s Ministry of Consumer and
Business Services released A Consultation on the Privacy of Personal Information Act,
2002. The draft legislation, which was prepared in consultation with the Ministry of
sure of personal information in the course of commercial activities.7The scope
of PHIPA is not qualified in such a way. A health information custodian’s dis-
closure of personal health information is governed by PHIPA, however, regard-
less of whether the disclosure occurs in the context of a commercial activity.
This chapter discusses the application of PHIPA in four parts. First, the
chapter discusses who is covered by the Act. This discussion centres largely on
the definition of “health information custodian,” which includes an explanation
of related concepts such as “health care practitioner,” “health care,” and “cus-
tody or control,” but also includes PHIPA’s application to non-custodians,
including agents of custodians, recipients of personal health information from
custodians, and persons who provide services to custodians to enable them to
use electronic means to handle personal health information. Second, the chap-
ter discusses what is covered by PHIPA, which involves a detailed explanation
of the term “personal health information.” Third, the chapter explains the
detailed rules contained in PHIPA relating to the collection, use, and disclosure
of the health number, and the use of the health card. Finally, the chapter
describes three key terms in the Act: collect, use, and disclose. This chapter thus
discusses several key concepts and sets a foundation for understanding the Act.
1) Health Information Custodians
a) Who Is a Health Information Custodian?
i) Definition
The concept of a “health information custodian” is central to the application of
PHIPA. The term “health information custodian” is a defined term in the Act,
and thus has a more precise meaning than simply someone who has custody
of personal health information.8Only those persons captured by one of the cat-
Application of the Legislation: Who and What Is Covered? 21
Health and Long-Term Care, was drafted so as to apply to the health sector and to
business and not-for-profit sectors outside the health sector, with separate rules for
personal health information in the health sector. However, legislation of this scope
was not introduced. See Ontario, A Consultation on the Draft Privacy of Personal Infor-
mation Act, 2002 (Toronto: Ministry of Consumer and Business Services, 2002),
7 S.C. 2000, c. 5, s. 4(1)(a) [PIPEDA].
8PHIPA, s. 3. Note, however, that no person is a custodian unless it has “custody or
control of personal health information as a result of or in connection with” its role:
PHIPA, s. 3(1).

To continue reading

Request your trial

VLEX uses login cookies to provide you with a better browsing experience. If you click on 'Accept' or continue browsing this site we consider that you accept our cookie policy. ACCEPT