Frequently Asked Questions
Personal health information refers to identifying information about an individual in oral or recorded form, if the information:
- relates to the physical or mental health of the individual, including information that consists of the health history of the individual’s family
- relates to the providing of health care to the individual, including the identification of a person as a provider of health care to the individual
- is a plan of service for the individual
- relates to payments or eligibility for health care, or eligibility for coverage for health care, in respect of the individual
- relates to the donation by the individual of any body part or bodily substance of the individual or is derived from the testing or examination of any such body part or bodily substance
- is the individual’s health number, or
- identifies an individual’s substitute decision-maker
Identifying information means information that identifies an individual or for which there is a reasonable basis to believe that the information could be used, either alone or along with other information, to identify an individual.
The Personal Health Information Protection Act (PHIPA) is Ontario’s health-specific privacy legislation, which came into force on November 1, 2004. PHIPA governs the way personal health information may be collected, used and disclosed within the health sector. It regulates health information custodians, as well as individuals and organizations that receive personal health information from custodians.
PHIPA creates a consistent approach to protecting personal health information across the health sector. The legislation was designed to give individuals greater control over how their personal health information is collected, used or disclosed. PHIPA balances the privacy rights of individuals with the legitimate need of custodians to collect, use and disclose personal health information in order to deliver effective and timely health care and to plan and manage our publicly funded health system.
If you want to access your personal health information, you should speak with your service provider about any information that you want to know, and they can assist you with getting access to your health information.
If you want to get a copy of your health records, you will be referred to VHA’s Health Records department to view or obtain copies of your health record. The Health Records department will ask you to provide certain information and/or complete certain forms in order for you to access your chart(s). There is no fee to access your health records through the Health Records department.
VHA has a privacy breach protocol to follow in the event of an actual or suspected breach.
VHA staff are responsible for promptly reporting suspected or actual privacy breaches to the Privacy Officer so that the situation can be appropriately investigated, addressed and handled in accordance with the breach protocol.
VHA takes every report seriously and will investigate each report to identify the facts and, where necessary, effect improvements to its practices and procedures.
VHA’s privacy breach protocol includes:
- reporting actual or suspected breach
- identifying scope of breach
- containment of breach
- notification to affected individuals and applicable regulatory bodies
There are 3 components to protecting personal health information at VHA:
- Physical Safeguards: VHA has a number of physical safeguards to ensure protection of personal health information, which range from locked filing cabinets to staff wearing photo identification to identify themselves as VHA employees.
- Technical Safeguards: VHA’s IT department upgrades the security capabilities of the information system on an ongoing basis. All system access requires passwords and authentication to protect against inappropriate or improper access and to maintain a record of who has accessed the information. Access rights to VHA staff are given based on their role and their need to access information to complete the functions of their role.
If you believe that your privacy rights have been violated, you have the right to submit a written complaint to VHA’s Privacy Office. All privacy complaints will be treated in a confidential manner.
You may also submit a written complaint to the Information and Privacy Commissioner of Ontario at:
Information and Privacy Commissioner of Ontario
2 Bloor Street East, Suite 1400
Canada M4W 1A8
VHA’s Privacy Officer may be reached
by email: firstname.lastname@example.org
by phone: 416-489-2500 ext. 8782
by fax: 416-644-1829
in person: 30 Soudan Ave, Suite 600, Toronto, ON M4S 1V6
Express consent to the collection, use or disclosure of personal health information is consent that has been clearly and unmistakably given. Express consent may be explicitly provided, either orally or in writing.
Implied consent to the collection, use or disclosure of personal health information is consent that can be concluded based on an individual’s action or inaction in the circumstances. For example, when an individual discloses their personal health information for the purpose of receiving care, the service provider can reasonably infer the individual has given consent to the collection of that information.
Under PHIPA, individuals are deemed capable of consent if they are able to understand information relevant to deciding whether to consent to the collection, use or disclosure of their personal health information, and to appreciate the reasonably foreseeable consequences of giving, not giving, withholding or withdrawing their consent.
If it is believed that an individual is incapable of providing consent, PHIPA permits a substitute decision-maker, such as a relative, spouse, child’s parent, or the Public Guardian and Trustee, to make a decision on an individual’s behalf.