- Guidance for Organizations
-
Access to information
- Open government
- Responding to access requests
- Appeals
- Annual Statistical Reporting FAQ
- Interpretation bulletins
- Tribunal and Dispute Resolution Division policies
- Code of Procedure
- Part X of the Child, Youth and Family Services Act: A Guide to Access and Privacy for Service Providers
- CYFSA FAQ: Information for service providers
- Protection of privacy
- Health privacy
- Policy Consultations
Our PHIPA processes
TYPES OF PHIPA FILES
The IPC handles four types of files under the Personal Health Information Protection Act (PHIPA).
Access and correction complaint files
We receive and resolve complaints from individuals who have been denied access to, or the correction of, their records of personal health information.
Collection, use and disclosure complaint files
We receive and resolve complaints about PHIPA contraventions, such as unauthorized disclosures of personal health information.
Custodian-reported privacy breaches
We investigate privacy breaches that are reported to us by health information custodians (custodian) to remedy or contain the breach and prevent future occurrences.
IPC-initiated Files
We have the authority to initiate our own investigation of potential PHIPA contraventions. For example, we may initiate an investigation if we learn about a privacy breach, such as the discovery of abandoned medical records, even where we learn about it from an unaffected party. Investigations are also conducted when there are large-scale or systemic contraventions of PHIPA, and it would not be practical to address each complaint separately.
STAGES OF OUR PHIPA PROCESS
There are three stages to the IPC's PHIPA process:
Intake
The first stage of the access complaint process in which the registrar reviews complaints to determine whether further documentation is required from the parties. The registrar will frequently request documentation from the parties before streaming complaints to the appropriate stage.
After intake, a file moves on to our early resolution team or to mediation, or it is closed. If a file is closed, a letter is sent to the parties explaining our decision to close it.
On June 11, 2024, the IPC launched an expedited process to resolve access complaints that meet certain criteria quickly, so complainants can receive resolutions sooner.
Investigation/Mediation
If we receive a complaint, a mediator is assigned to the file to help resolve the issues under dispute. If we initiate our own investigation or receive a breach report from a custodian, an investigator determines whether we are satisfied with the response to the breach. In both circumstances, the investigator/mediator gathers relevant facts.
At the end of the investigation/mediation stage, a file can be:
- consensually resolved, with the terms of resolution confirmed with the parties in a letter that is not published by the IPC;
- transferred to adjudication and accompanied by a report that sets out the facts gathered and issues under dispute; or
- in the case of IPC-initiated files and custodian-reported privacy breaches, closed if we are satisfied with the response of the custodian. This decision is published but generally does not include the names of any of the parties involved.
Adjudication
At this stage, we adjudicate the issues under dispute.
During the adjudication stage:
- The adjudicator decides whether there are reasonable grounds to commence a “review” under PHIPA. If there are none, the adjudicator closes the file and prepares a decision to be published by the IPC (but generally does not name any of the parties).
- If there are reasonable grounds to start a review, the adjudicator issues a Notice of Review, seeking representations — or submissions — on the facts and issues under dispute. After reviewing this information, and any additional facts, the adjudicator decides whether or not to issue an order. The adjudicator’s decision is published and usually names the custodian and any other persons who were party to the review, but generally does not name complainants or other individuals whose personal health information was at issue.