Privacy & Security

Personal Health Information Protection Act (PHIPA)

The Personal Health Information Protection Act (PHIPA) is Ontario’s health specific privacy legislation which came into force on November 1, 2004. PHIPA governs the manner in which personal health information may be collected, used and disclosed within the health sector. It regulates health information custodians (such as hospitals; independent health facilities and family physicians), as well as individuals and organizations that receive personal health information from custodians.  The hospitals and Independent Health Facilities (IHFs) who participate in the shared electronic systems such as The Southwestern Ontario Diagnostic Imaging Network (SWODIN) is considered health information custodians under PHIPA. The staff and affiliates who work in those organizations are referred to in PHIPA as ‘agents’. Agents are permitted by health information custodians to collect, use and disclose personal health information on behalf of the custodian.

What is Personal Health Information?

Personal health information is “identifying information” about an individual, whether oral or recorded if the information:

  • relates to the individual’s physical or mental condition, including family medical history,
  • relates to the provision of health care to the individual,
  • is a plan of service for the individual,
  • relates to payments, or eligibility for health care or for coverage for health care,
  • relates to the donation of any body part or bodily substance or is derived from the testing or examination of any such body part or bodily substance,
  • is the individual’s health number or,
  • identifies a health care provider or a substitute decision-maker for the individual.

The information contained by SWODIN, relating to the patients who have received care at any of our participating hospitals and IHFs is considered personal health information (PHI) under PHIPA.

Patient rights under PHIPA?

PHIPA gives individuals the right to:

  • be informed of the purposes for the collection, use and disclosure of personal health information,
  • be notified by a custodian if personal health information has been stolen, lost or accessed by unauthorized persons,
  • refuse or withdraw their consent to the use and disclosure of their personal health information,
  • request access to their personal health information,
  • request corrections to be made to their personal health information,
  • complain to the Information and Privacy Commissioner if they feel that any of their rights under PHIPA have been violated.

The development and use of shared electronic systems within SWODIN do not amend or alter your rights under PHIPA.

What is a Health Information Network Provider?

PHIPA contains requirements that apply to a specific type of electronic service provider, referred to as a health information network provider. A health information network provider is a person or organization who provides services to two or more custodians, to enable the custodians to use electronic means to disclose personal health information to one another.

London Health Sciences Centre (LHSC) and St. Joseph’s Health Care London (St. Joseph’s) share the responsibility of health information network provider for SWODIN; Picture Archive and Communication System (PACS) and Emergency Neuro Image Transfer System (ENITS). LHSC and St. Joseph’s also function as health information custodians in all 3 systems.

*Adapted from ‘Frequently Asked Questions: Personal Health Information Protection Act’ 2015. Published by the Office of the Information and Privacy Commissioner of Ontario.

If you have any additional questions about PHIPA or would like to contact the Information and Privacy Commissioners Office please go to or call 1-800-387-0073

Who can view, use or disclose/share personal health information in these shared electronic solutions?

Each health information custodian participating in the shared electronic systems identifies agents in their organizations who may need access to the shared electronic systems.

Examples of agents who may require access to the shared electronic systems include:

  • Care providers such as physicians and nurses – to provide health care
  • Diagnostic Imaging technologists – to perform quality checks on the personal health information in the electronic shared systems
  • Support staff at local hospitals and independent health facilities – to assist with booking appointments and supporting the clinical staff
  • Staff in local Health Records departments – to assist with access and disclosure requests
  • Privacy Officers or designated staff – to investigate privacy concerns or complaints from patients or their families
  • IT (Information Technology) staff – to ensure the electronic shared systems are secure and working correctly

Agents must be staff or affiliates of the health information custodian organizations.

Agents are provided with their own unique username and password, and their activities in the shared electronic systems are audited to ensure appropriate use.

Accessing; Correcting and Withdrawing Consent to Personal Health Information in the Electronic Shared Systems

Patients or their substitute decision makers should contact their local hospital (see a listing of our partner organizations below) to request access, correction, or to place any restrictions to personal health information in the electronic shared systems.

View a table that shows the electronic solution that is shared by the participating organizations. This document is listed below.

Related Documents:

Privacy Framework 2021 

Contributing Organizations