Regulation Matters 2020 Issue 3, December

New Obligations for Privacy Health Information in the Amended Personal Health Information Protection Act

Accessing personal health information electronically has become more prevalent recently, especially amid the pandemic. As a result, Ontario’s Personal Health Information Protection Act, 2004 (PHIPA), was significantly amended earlier this year to address the management of electronic health information. Some of the amendments took effect upon enactment, while others will come into force on a future date. Dietitians should prepare now to comply with these legislative requirements and are encouraged to discuss changes needed to their policies and procedures with their legal counsel.

To help you with this task, we have updated the Privacy of Personal Information Dietetic Practice Toolkit for Registered Dietitians in Ontario (Privacy Toolkit) to reflect the changes in law. The updated guide includes the requirement to notify the Information and Privacy Commissioner of Ontario (the Commissioner) immediately of significant privacy breaches and to file an annual report with the Commissioner of all privacy breaches.


Access Rights for Clients

PHIPA has provisions regarding the right of clients to access their personal health information contained in electronic records. One of these provisions requires dietitians who are Health Information Custodians (HICs) and who use electronic health records to provide clients, on request, with access to their health record in an electronic format that facilitates portability of the information for the individual (provided the format meets the requirements set out in the regulations, which have not yet been made) (see Privacy Toolkit, Access Rights, page 23). Future regulations may provide additional restrictions, requirements, or exceptions.

Additional Powers of the Information and Privacy Commissioner of Ontario

The Information and Privacy Commissioner has been given significant additional powers including the ability to impose administrative monetary penalties for non-compliance with PHIPA, and a doubling of the fines for offences under PHIPA.


Principles of safeguarding personal health information require that HICs take reasonable steps to protect the information against theft, loss, unauthorized use, disclosure, copying, modification, or disposal. Some amendments regarding administrative and technical safeguards will come into force later. Dietitians who use electronic records to handle personal health information are encouraged to implement now the necessary administrative safeguards (e.g., policies, training) and technical safeguards (e.g., an audit log). You may retain an IT consultant to assist you.

Audit Log – Maintain, Monitor, and Audit

Dietitian HICs will need to have an audit log for any electronic health records that records who accesses each client’s records, in order to prevent snooping or other privacy breaches. The HIC must regularly monitor the audit log for suspicious activity. See full details of the audit log requirements in the Privacy Toolkit. The Commissioner can require Dietitian HICs to produce the audit log upon request.

Dietitians in private practice or other settings who are agents and not HICs (e.g., working in interdisciplinary teams where the employer is the HIC) should work with their employer and confirm that audit logs are a feature of the electronic health record.
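The monitoring step described above, as an added example that is not part of the Privacy Toolkit or PHIPA: it reviews a small constructed audit log against a constructed list of care relationships and flags two patterns a custodian would want to investigate, access to a client the user is not treating, and an unusually high number of distinct clients viewed by one user in a day. The log format, the assignment list and the daily threshold are all assumptions.

```python
"""Minimal audit-log review for an electronic health record (added example,
not from PHIPA or the Privacy Toolkit). Assumes each access is logged as
'timestamp|user|client_id|action' and that the custodian keeps a list of
which users have a care relationship with which clients (constructed data)."""
from collections import defaultdict
from datetime import datetime

# Constructed audit log: timestamp|user|client_id|action
AUDIT_LOG = """\
2020-12-01T09:05:00|rd_amy|C1001|view
2020-12-01T09:20:00|rd_amy|C1002|update
2020-12-01T12:40:00|rd_ben|C1001|view
2020-12-01T22:15:00|rd_ben|C1007|view
2020-12-02T08:00:00|rd_ben|C1008|view
2020-12-02T08:01:00|rd_ben|C1009|view
2020-12-02T08:02:00|rd_ben|C1010|view
"""

# Constructed care assignments: which clients each user is treating.
CARE_ASSIGNMENTS = {
    "rd_amy": {"C1001", "C1002"},
    "rd_ben": {"C1001"},
}

DAILY_DISTINCT_CLIENT_LIMIT = 2  # assumed threshold; tune to the practice

def parse_log(text):
    """Return a list of (timestamp, user, client_id, action) tuples."""
    entries = []
    for line in text.strip().splitlines():
        ts, user, client, action = line.split("|")
        entries.append((datetime.fromisoformat(ts), user, client, action))
    return entries

def review_audit_log(text, assignments, limit=DAILY_DISTINCT_CLIENT_LIMIT):
    """Flag accesses outside a care relationship and unusual daily volume."""
    findings = []
    per_user_day = defaultdict(set)
    for ts, user, client, action in parse_log(text):
        if client not in assignments.get(user, set()):
            findings.append(("no_care_relationship", user, client, ts.isoformat()))
        per_user_day[(user, ts.date())].add(client)
    for (user, day), clients in per_user_day.items():
        if len(clients) > limit:
            findings.append(("high_volume", user, day.isoformat(), len(clients)))
    return findings

if __name__ == "__main__":
    for finding in review_audit_log(AUDIT_LOG, CARE_ASSIGNMENTS):
        print(*finding)
```

On the sample data this reports four accesses by rd_ben to clients outside his assignments plus one high-volume day; in practice the assignment list would come from the scheduling or referral system rather than a hard-coded dictionary.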

Management of Apps and Online Portals

A new type of entity subject to PHIPA is the “consumer electronic service provider” (e.g., apps and online portals in which clients can access and store personal information about themselves). Developers of apps or online portals that process personal health information (PHI) previously had few obligations under PHIPA. Details will be set out in future regulations, but dietitians or their companies who access, modify, or manage PHI records electronically through an app or portal (e.g., an app or portal used for online claim submissions) will need to become familiar with the rules about sharing information with, or managing requests to disclose information to, consumer electronic service providers.

IPC Oversight of Apps and Online Portals

The amendment gives the Information and Privacy Commissioner oversight of apps that collect personal health information directly from an individual (e.g., blood sugar readings), providing increased privacy protection for consumers. The Commissioner will have the power to forbid an HIC from sharing information with apps when concerns about the service provider’s privacy policies or practices exist.

Client Rights and Consent

Clients will have the right to manage their own health records using various digital tools, apps, portals, or consumer electronic service providers. For example, they could use apps to access copies of healthcare reports, which may be stored on a smartphone. Even practitioners who do not use those apps/portals will need to be familiar with the rules about sharing information with, or managing requests to disclose information to, consumer electronic service providers.

Custodians now offering such services will need to obtain client consent when providing the information to an app or portal, follow any rules for providing that information, and be alert to any directions from the Commissioner prohibiting the provision of information to named, non-compliant apps/portals.