Patient Privacy in Canada
Reviewed by the Commoner Law Editorial Team. Sourced from Canadian federal statutes and official sources. Provincial information reflects each province's own legislation and court rulings. Written in plain language for general understanding — this is educational content, not legal advice.
What is this right?
Your health data is protected on two levels — PIPEDA federally for the private sector, and dedicated provincial health privacy statutes (Ontario's PHIPA, Alberta's HIA, Saskatchewan's HIPA, and so on). Whichever applies to you, the principles converge.
The core rules:
- Collect, use, and disclose only what's necessary
- Get your knowledge and consent (narrow exceptions for things like public-health reporting)
- Keep the data secure
- Retain records only as long as needed
You have the right to access your own medical records — providers usually have to respond within 30 days. You can request corrections for errors and file complaints with the privacy commissioner if your data is disclosed improperly.
When does it apply?
- Every patient whose health information is collected by providers, hospitals, pharmacies, or labs.
What to Do If Your Medical Information Is Shared Without Your Consent in Canada
- Request records in writing — providers have around 30 days to respond.
- Ask who's accessed your information and why. Audit logs exist for a reason.
- Request corrections for any errors you find.
- File with the provincial privacy commissioner if your data was disclosed without consent.
- Use patient portals where they exist — they make access logs visible.
What should you NOT do?
- Don't assume providers share records automatically. Canada has no single national electronic health record system — your records can be in five different silos.
- Don't ignore breach notifications. Follow up; document; ask what's being done.
- Don't share your health card number casually. It's a vector for identity fraud.
- Don't assume your employer can see your medical file. They get fit-for-duty information, not your diagnosis or treatment plan.
Common Questions
When does patient privacy apply?
Every patient whose health information is collected by providers, hospitals, pharmacies, or labs.
What should I do if my health information in Canada was disclosed without my permission?
- Request records in writing — providers have around 30 days to respond.
- Ask who's accessed your information and why. Audit logs exist for a reason.
- Request corrections for any errors you find.
- File with the provincial privacy commissioner if your data was disclosed without consent.
- Use patient portals where they exist — they make access logs visible.
What mistakes should I avoid with patient privacy?
- Don't assume providers share records automatically. Canada has no single national electronic health record system — your records can be in five different silos.
- Don't ignore breach notifications. Follow up; document; ask what's being done.
- Don't share your health card number casually. It's a vector for identity fraud.
- Don't assume your employer can see your medical file. They get fit-for-duty information, not your diagnosis or treatment plan.