Rules for Recipients of Personal Health Information from Health Information Custodians

AuthorHalyna N. Perun; Michael Orr; Fannie Dimitriadis
Pages487-507
A. GENERALLY
As we have seen thus far, the Personal Health Information Protection Act, 20041
primarily regulates the collection, use, and disclosure of personal health infor-
mation by health information custodians — a defined group of persons, large-
ly within the health care sector, known to collect, use, and disclose personal
health information regularly. Unlike one of Ontario’s earlier attempts to devel-
op privacy legislation, PHIPA does not attempt to regulate actions with respect
to personal health information in every context.2However, the Act’s reach
extends beyond health information custodians to regulate the activities of other
persons as well. These persons include a person who is not a health informa-
tion custodian to whom a health information custodian discloses personal
health information, commonly referred to as a “recipient.”3The examples of
487
1 S.O. 2004, c. 3, Sch. A [PHIPA].
2 Compare this approach to the approach reflected in the draft Privacy of Personal Infor-
mation Act, 2002. The draft Act was developed to regulate personal information,
including personal health information, across the entire private sector and the health
sector. See Ontario, A Consultation on the Draft Privacy of Personal Information Act,
2002 (Toronto: Ministry of Consumer and Business Services, 2002) [POPIA], online:
.on.ca/mcbs/english/pdf/56XSMB>. See Chapter 1, Section (B)(5)(d) for
a discussion of POPIA.
3PHIPA uses the term “recipient” in the heading for s. 49(1) to refer to such persons.
12 Rules for Recipients of
Personal Health
Information from Health
Information Custodians
recipients that most readily come to mind include employers, insurers, and
researchers. The Act’s recipient rules apply to a recipient’s use and disclosure
of personal health information, even if the recipient received the information
before 1 November 2004, the day on which the Act came into force.4
B. IDENTIFYING RECIPIENTS
1) Who Is a Recipient?
A person is subject to the recipient rules only for personal health information
that a health information custodian disclosed directly to the person. The term
“disclose” is defined in PHIPA to mean to make the information available or
release it to another person.5There are many obvious examples of such disclo-
sures. A dental surgeon discloses personal health information about a patient
to an insurer in the course of seeking payment from the insurer for treatment
provided to the patient. A physiotherapist discloses personal health informa-
tion about an athlete to the athlete’s coaches and trainer. A nurse practitioner
discloses personal health information about a child to a children’s aid society
in the course of fulfilling reporting requirements concerning children in need
of protection under the Child and Family Services Act.6Health information cus-
todians disclose personal health information to recipients everyday, whether
with consent or, as permitted by PHIPA, without consent.
2) Who Is Not a Recipient?
a) Agent
An agent of a health information custodian is not considered a “recipient” of a
disclosure of personal health information from the health information custo-
dian, as the provision of personal health information by a custodian to its agent
488
4PHIPA, s. 7(1)(b)(ii). See also General, O. Reg. 329/04, s. 20 [PHIPA Regulation].
5PHIPA, s. 2. See Chapter 2, Section E(4), for a discussion of the term “disclose.” The
rules imposed by PHIPA, s. 49 on recipients obviously apply only where the recipient
has actually received the information in question. Where the custodian has merely
made the information available to the recipient, which falls within the definition of
“disclose” for the purposes of the rules relating to collection, use, and disclosure, but
the “recipient” has not received the information in some form, then the restrictions
set by s. 49 on subsequent uses and disclosures of the information by the recipient do
not apply, because the information never actually reached the hands of the “recipient.”
6Child and Family Services Act, R.S.O. 1990, c. C.11, s. 72 [CFSA].

To continue reading

Request your trial

VLEX uses login cookies to provide you with a better browsing experience. If you click on 'Accept' or continue browsing this site we consider that you accept our cookie policy. ACCEPT