Patient Privacy in Ontario
Reviewed by the Commoner Law Editorial Team. Sourced from Canadian federal statutes and official sources. Provincial information reflects each province's own legislation and court rulings. Written in plain language for general understanding — this is educational content, not legal advice.
What is this right?
Your health information is protected at both the federal level (PIPEDA) and by provincial health privacy laws. Most provinces have dedicated health privacy statutes, such as Ontario's PHIPA, Alberta's HIA, and Saskatchewan's HIPA.
The key principles are:
- Only collect, use, and disclose what is necessary
- Require your knowledge and consent (with limited exceptions like public health reporting)
- Keep your data secure
- Retain records only as long as needed
You have the right to access your own medical records — providers must typically respond within 30 days. You can also request corrections to errors in your file and file complaints with the privacy commissioner if your information is improperly disclosed.
When does it apply?
- Every patient whose health information is collected by healthcare providers, hospitals, pharmacies, or labs.
What to Do If Your Medical Information Is Shared Without Your Consent in Canada
- Request your medical records in writing — the provider must respond within approximately 30 days.
- Ask who has access to your health information and why.
- Request corrections if you find errors in your medical records.
- File a complaint with the provincial privacy commissioner if your health information is disclosed without your consent.
- Use patient portals where available to monitor who is accessing your records.
What should you NOT do?
- Don't assume providers automatically share records — there is no single national electronic health record system in Canada.
- Don't ignore breach notifications — if a provider tells you your data was compromised, take it seriously and follow up.
- Don't share your health card number casually — it can be used for identity fraud.
- Don't assume your employer can access your full medical details — they are only entitled to fit-for-duty information, not your diagnosis or treatment specifics.
How Ontario differs from federal law
Ontario has dedicated health privacy legislation — the Personal Health Information Protection Act, 2004 (PHIPA) — that specifically protects your medical records and health information.
- PHIPA governs how health information custodians (doctors, hospitals, pharmacies, labs, long-term care homes, etc.) collect, use, and disclose your personal health information.
- Your health information can generally only be used for the purpose for which it was collected (usually providing you with care). Sharing it with others — including family members — requires your consent, except in limited circumstances (e.g., mandatory public health reporting).
- You have the right to access your own health records by making a request to your health care provider. They must respond within 30 days. They can charge a reasonable fee for copies.
- You have the right to request corrections to your health records if you believe they contain errors.
- The Information and Privacy Commissioner of Ontario (IPC) oversees PHIPA. If you believe your health information was improperly collected, used, or disclosed, you can file a complaint or review request with the IPC.
- Health information breaches must be reported to the IPC if they meet certain thresholds (e.g., unauthorized access to large numbers of records, or theft/loss of records).
Additional Steps in Ontario
Request your records in writing from your health care provider. If they deny access or you believe your privacy has been violated, contact the Information and Privacy Commissioner of Ontario at 1-800-387-0073 or ipc.on.ca. The IPC can investigate, order access, and impose penalties for violations. You may also be able to bring a civil lawsuit for damages if someone willfully violates PHIPA (section 65).
Relevant Law: Personal Health Information Protection Act, 2004, S.O. 2004, c. 3, Sched. A; Freedom of Information and Protection of Privacy Act, R.S.O. 1990, c. F.31
Common Questions
When does patient privacy apply?
Every patient whose health information is collected by healthcare providers, hospitals, pharmacies, or labs.
What should I do if my health information in Canada was disclosed without my permission?
- Request your medical records in writing — the provider must respond within approximately 30 days.
- Ask who has access to your health information and why.
- Request corrections if you find errors in your medical records.
- File a complaint with the provincial privacy commissioner if your health information is disclosed without your consent.
- Use patient portals where available to monitor who is accessing your records.
What mistakes should I avoid with patient privacy?
- Don't assume providers automatically share records — there is no single national electronic health record system in Canada.
- Don't ignore breach notifications — if a provider tells you your data was compromised, take it seriously and follow up.
- Don't share your health card number casually — it can be used for identity fraud.
- Don't assume your employer can access your full medical details — they are only entitled to fit-for-duty information, not your diagnosis or treatment specifics.