Our goal is to promote confidence in the digital health care system by guiding custodians to respect the privacy and access rights of Ontarians, and supporting the pioneering use of personal health information for research and analytics to the extent it serves the public good.
This fact sheet describes the risks of using email and custodians’ obligations under the Personal Health Information Protection Act. It outlines some of the technical, physical and administrative safeguards needed to protect personal health information when communicating by email and the policies, procedures and training custodians should have in place.
Submission of the Information and Privacy Commissioner of Ontario to the Standing Committee on Justice Policy on Bill 119: The Health Information Protection Act, 2015.
Being asked for identification is something just about everyone has experienced at one time or another, for example when making a large purchase or applying for a gym membership. Most of us in Ontario have also at one time or another been asked for our health card identification when visiting the doctor or the emergency room at the hospital. However, being asked for our health card outside of the health care context is something that does not occur regularly and has raised a few questions about when it is acceptable to ask for or show a health card.
In Ontario, only individuals or institutions that provide provincially-funded health care services may require you to present your health card. A doctor’s office, hospital, walk-in clinic or medical laboratory can ask to see your health card if they are providing you with health care.
Individuals and institutions that do not provide health care themselves may ask you to provide your health card or health number as long as they make it clear that it is voluntary on your part and that the information will only be used for purposes related to the provision of health care. For example, your child’s school may ask for your child’s health card number in case of an urgent medical situation. An employer may also ask for your health card number to expedite emergency medical service.
Organizations not directly involved in the delivery of provincially-funded health care are not permitted to make note of, record, collect, or use a health number for identification purposes. However, individuals are free to volunteer their health cards as a means of identification. For example, you may voluntarily decide to provide your health card to a librarian in order for them to confirm your identity for a library card. However, while the librarian may view your health card, they are not permitted to record the health number.
While you are free to show your health card to organizations outside of the health care system, it would be prudent to consider who you are showing your health card to. Identity theft is a real and growing crime as is health card fraud. If you have any concerns that your health card number has been misused, or if you have any questions about the collection, use and disclosure of health card information, you can always contact our office.
Health cards are important pieces of ID, commonly requested by a variety of individuals and organizations, not just health information custodians. However, Ontarians may not be aware of their rights and responsibilities when requiring, requesting, using and disclosing this personal information.
We’ve updated our existing frequently asked questions on health cards and health numbers in order to clarify who may collect, use or disclose health numbers for health care purposes, as well as the use of health cards as a proof of identity. The revised guidance answers these questions:
Who may require individuals to produce their health cards?
Who may collect, use or disclose health numbers and under what circumstances?
Who may ask individuals to provide their health cards or health numbers?
Can health cards serve as proof of identity?
What should you consider before asking individuals to provide a health card or health number?
Health information custodians or members of the public who have other questions or concerns related to health cards or numbers should contact our office.
This revised FAQ has a new look and feel and has been rewritten with cleaner, easy to understand, gender-neutral language. Also included are a few additions to the original publication:
Questions on assumed implied consent and consent from children under 16.
Questions regarding the relationship between PHIPA and FIPPA/MFIPPA.
Notification requirements in the event of a breach.
Responsibilities with respect to accountability and openness.
Requirements in the event of a change of practice.
Emergency disclosure.
Obtaining health records of a deceased individual.
Storing, accessing and disclosing personal health information outside of Ontario.
Fees associated with a request to access health records.
Unauthorized access continues to be a growing problem in the health sector in Ontario. The province’s Personal Health Information Protection Act, (PHIPA), permits health information custodians (HIC) to collect, use and disclose personal health information for the purposes of providing or assisting in the provision of health care based on implied or assumed implied consent but prohibits the collection, use and disclosure of personal health information for any other purpose without the express consent of the individual, unless permitted or required by PHIPA.
It is important that HICs and their agents recognize that the issue of unauthorized access to personal health information, regardless of motive, is significant and is taken seriously. The protection of privacy should be integral to the delivery of health care and embedded into the culture of health care organizations. Developing and implementing a comprehensive approach, incorporating a variety of measures and ensuring agents are aware of the relevant privacy policies and procedures can go a long way toward preventing unauthorized access.
The purpose of this paper is to shed light on the extent of the problem and the potential consequences for individuals, custodians and their agents, and the entire health sector, and to provide guidance to custodians on minimizing the risk of unauthorized access.
