What PHIPA Protects: Personal Health Information, Consent & Exemptions
PHIPA protects personal health information (PHI) — identifying information about a person's physical or mental health, the care they receive, their health-card number, and related payment or donation details, in any format. PHIPA requires consent (often implied within the circle of care) before PHI is collected, used, or disclosed, and gives patients the right to access and correct their records. Some information — such as de-identified data — falls outside PHIPA.
What is personal health information under PHIPA?
Personal health information is identifying information about an individual that relates to: their physical or mental health (including family history); the health care provided to them; payments or eligibility for care; the donation of body parts or substances; their health-card number; and the identity of their substitute decision-maker. It is protected whether stored on paper, in an EMR, in email, or in the cloud.
Consent under PHIPA
PHIPA is built on consent. Within the circle of care, custodians may rely on the patient's implied consent to share PHI for treatment. Outside of care — for example, disclosure to a third party for a non-care purpose — express consent is typically required. Patients can withhold or withdraw consent (a "lock-box"), and custodians must respect that.
The two exemptions to express consent
A common exam and search question is "what are the two exemptions to express consent in PHIPA?" Broadly, express consent is not required where: (1) the collection, use, or disclosure is within the circle of care for the purpose of providing health care (implied consent applies); and (2) the law permits or requires disclosure without consent — for example, mandatory reporting, court orders, or specified public-health and safety situations. Always confirm the specific provision before relying on an exemption.
Your right to access and correct your records
PHIPA gives individuals the right to access their own records of PHI and to request corrections if information is inaccurate or incomplete. Custodians must respond within set timelines and can refuse only on limited statutory grounds. Patients can view their information unless a narrow exception applies.
What is NOT covered by PHIPA?
PHIPA generally does not cover: information that has been de-identified so individuals can't be recognized; health information held by organizations that are not custodians (such as insurers or employers in those roles); and certain records subject to other regimes. De-identified, aggregate data used for analytics typically falls outside PHIPA — though re-identification risk must still be managed.
Frequently Asked Questions
What information is protected under PHIPA?
Identifying personal health information — physical and mental health details, care received, health-card number, payment/eligibility, and donation information — in any format.
What are the two exemptions to express consent in PHIPA?
Broadly: sharing within the circle of care for providing health care (implied consent), and disclosures that the law permits or requires without consent, such as mandatory reporting.
Does PHIPA allow patients to view their information?
Yes. Patients have a right to access their own records and to request corrections, subject to limited statutory exceptions.
What is not covered by PHIPA?
De-identified data, information held by non-custodians such as insurers or employers in those roles, and certain records governed by other laws.
This guide is general information from Northline Technologies, an IT solutions provider, and is not legal advice. For binding interpretation of PHIPA, consult a qualified Ontario privacy lawyer or the Information and Privacy Commissioner of Ontario.
