
Legislative update affecting MLTs in Ontario: PHIPA

All regulated health professionals in Ontario must comply with the Personal Health Information Protection Act, 2004 (PHIPA). As of June 1, 2016, new reporting obligations under PHIPA took effect.

Important legal information for MLTs

  • Employers must report any discipline imposed on an MLT for a breach of privacy to the CMLTO.
  • The maximum fines for privacy offences have doubled.
  • The limitation period for prosecutions of privacy offences has been removed.
  • The respective responsibilities of health information custodians and agents have been clarified.

PHIPA protects personal health information, which is defined as information that can identify an individual (or can be combined with other information to identify an individual) and that relates to:

  • the physical or mental health of the individual (including family health history)
  • the provision of health care to the individual (including identifying the individual’s health care provider)
  • a plan of service under the Home Care and Community Services Act, 1994
  • payments or eligibility for health care or coverage for health care
  • the donation or testing of an individual’s body part or bodily substance
  • the individual’s health number
  • the identification of the individual’s substitute decision-maker.

Who is who? Health information custodian or agent?

Health professionals have different levels of responsibility depending upon whether they are the health information custodian or an agent.

Regulated health professionals or group practice operators who have custody and control of personal health information in connection with their duties are health information custodians for purposes of PHIPA. However, even if you fall under the definition of a health information custodian, if you work for, or on behalf of, another custodian (such as another regulated health professional, a group practice or a hospital), then you are considered to be an agent of that health information custodian.

Health information custodian… is ultimately responsible for the personal health information in his or her custody or control, but may permit an agent to collect, use, disclose, retain or dispose of the information if certain requirements are met.

Health information agent… must ensure that the collection, use, disclosure, retention or disposal of the information is permitted by the custodian, is necessary for purposes of carrying out the agent’s duties, is not contrary to law and complies with any specific restrictions imposed by the custodian.


What is a privacy breach?

Under PHIPA, a privacy breach is considered to be the unauthorized use or disclosure of personal information or the loss or theft of personal health information. This includes viewing health records that you are not allowed to view (known as “snooping”). Other examples include where a USB key with health information goes missing or a briefcase with patient files is taken from someone’s car.

Who needs to be notified?

In the event of a privacy breach, the health information custodian needs to notify the affected individual at the first reasonable opportunity. The law now requires the health information custodian to also notify the individual that she or he may make a complaint about the breach to the Information and Privacy Commissioner of Ontario.

Health information agents must tell the responsible custodian at the first reasonable opportunity.

When new regulations are passed, health information custodians will also have to report certain privacy breaches to the Information and Privacy Commissioner directly. Until the regulations are passed, reporting to the Commissioner is not mandatory, but may be done voluntarily.

Reporting to CMLTO

The changes to PHIPA now also require health information custodians to report certain actions taken in response to privacy breaches to their regulatory College.

This means that if a health information custodian takes any disciplinary action against an MLT under the Regulated Health Professions Act, 1991 (RHPA), because of the MLT’s unauthorized collection, use, disclosure, retention or disposal of personal health information, the custodian must report that fact to the CMLTO. This includes situations where a custodian suspends or terminates an MLT’s employment or revokes or restricts his or her privileges or business affiliation. It also includes situations where the MLT resigns in the face of such action.

This notice must be given within 30 days of the disciplinary action or resignation occurring and it must be in writing. Additional requirements or exceptions may be set out in a future regulation.

This requirement under PHIPA overlaps with the mandatory RHPA reporting provisions, which require employers to report when an MLT has been terminated or had their privileges or partnership revoked or restricted for reasons of professional misconduct, incompetence or incapacity.

In addition to the new reporting obligations, the following changes have also been made to PHIPA:

  • The maximum fines for privacy offences have doubled from $50,000 to $100,000 for individuals and from $250,000 to $500,000 for organizations.
  • The limitation period for prosecutions of privacy offences has been removed.
  • The respective responsibilities of health information custodians and agents have been clarified.
  • A framework for a province-wide system of electronic health records has been introduced, but is not yet in force.

A new Quality of Care Information Protection Act, 2016 has also been passed, but is not yet in force.
