What privacy laws govern my practice?

OTs and other regulated health professionals in Ontario need to comply with the Personal Health Information Protection Act, 2004 (PHIPA).

If you engage in commercial activities involving the collection, use or disclosure of personal information outside of Ontario, then you will also need to comply with the federal Personal Information Protection and Electronic Documents Act (PIPEDA). PIPEDA may also apply if you collect, use or disclose information that is personal, but not health information, in the course of commercial activities in Ontario (for example if you collect a home address and credit card number to process a sale that is unrelated to your duties as a health professional).

Health professionals also need to comply with Canada’s anti-spam legislation, which requires consent to send electronic messages of a commercial nature.

What is a privacy breach?

Under PHIPA, a privacy breach is the unauthorized use, disclosure, loss, or theft of personal health information. This includes the viewing of health records by someone who is not allowed to view those records (known as “snooping”). Other examples include the loss of a USB key containing health information or a briefcase with patient files stolen from someone’s car.

Reporting Privacy Breaches

OTs in Ontario need to be aware of reporting obligations under the Personal Health Information Protection Act, 2004 (PHIPA).

There are new privacy breach reporting requirements in effect as of October 1, 2017. These new requirements are in addition to the June 2016 requirements. View the legislation and related College news item.

Who needs to be notified?

If a breach occurs, the health information custodian (the person responsible for custody and control of the records) needs to notify the affected individual(s) at the first reasonable opportunity. In addition, the law now requires the health information custodian to also notify the individual that they can make a complaint about the breach to the Information and Privacy Commissioner of Ontario.

If you are an agent of a health information custodian (for example, if you are a regulated health professional who works for a group practice, a hospital or for another regulated health professional) you need to tell the responsible custodian about the breach at the first reasonable opportunity.

Reporting to the Information and Privacy Commissioner

Commencing October 1, 2017, health information custodians will also have to report certain privacy breaches directly to the Information and Privacy Commissioner. Until this time, reporting to the Commissioner is not mandatory, but may be done voluntarily.

The full list of reportable breaches can be found in s. 6.3 of Ontario Regulation 224/17 made under PHIPA.

Reporting to Regulatory Colleges

PHIPA also requires health information custodians to report certain actions taken in response to privacy breaches to the appropriate regulatory College.

This means that if a health information custodian takes any disciplinary action against an OT or other member of a College regulated under the Regulated Health Professions Act, 1991, or of the Ontario College of Social Workers and Social Service Workers, because of that professional’s unauthorized collection, use, disclosure, retention or disposal of personal health information, the custodian must report that fact to the professional’s regulatory College. This includes situations where a custodian suspends or terminates an OT’s or other regulated health professional’s employment, or revokes or restricts their privileges or business affiliation. It also includes situations where the member resigns in the face of such action.

This notice must be given within 30 days of the disciplinary action or resignation occurring and it must be in writing. Additional requirements or exceptions may be set out in a future regulation.

This notice requirement under PHIPA overlaps with the mandatory reporting provisions of the Regulated Health Professions Act, 1991, which require employers to report when a member has been terminated or had their privileges or partnership revoked or restricted for reasons of professional misconduct, incompetence or incapacity. Given that each College defines professional misconduct differently, the purpose of the amendments to PHIPA is to make it clear that action taken in response to privacy breaches must be reported to the appropriate College.

Coming March 1, 2019

As of March 1, 2019, health information custodians will also be required to provide an annual report to the Information and Privacy Commissioner setting out the number of times in the preceding calendar year that personal health information in the health information custodian’s custody or control was stolen, lost, used without authority, or disclosed without authority.

For custodians to prepare for this reporting requirement, they must start tracking their privacy breach statistics as of January 1, 2018.

This new reporting requirement is separate and distinct from the requirement noted above to report individual privacy breaches to the Commissioner as of October 1, 2017.

Please contact Practice with any questions at 416.214.1177/1.800.890.6570 x240.

Other Notes

  • The maximum fines for privacy offences have doubled from $50,000 to $100,000 for individuals and from $250,000 to $500,000 for organizations. The limitation period for prosecutions of privacy offences has been removed.
  • A framework for a province-wide system of electronic health records has been introduced, but is not yet in force.
  • Health information custodians will also be required to provide annual reports to the Information and Privacy Commissioner, starting in March 2019.

Additional Privacy Law Information and Resources

Personal Health Information Protection Act, 2004 (PHIPA)

PHIPA was further enhanced by the introduction of Ontario Regulation 224/17, which amends Ontario Regulation 229/04.

What You Need to Know About Privacy Law: An Overview of PHIPA, 2004

The Personal Health Information Protection Act, 2004: A Guide for Regulated Health Professionals, published June 28, 2016

Reporting a Privacy Breach to the Commissioner: Guidelines for the Health Sector, September 2017