Personal Health Information Protection Act

Overview

The Personal Health Information Protection Act (SO 2004, c.3, Sch. A) prohibits any retaliation against a person who has disclosed an actual or foreseen contravention to the Act to the Information and Privacy Commissioner. Any retaliation is subject to a fine.

What kind of disclosure is protected?

The Act protects any person (including a partnership, association or other entity)  who, while acting in good faith and on the basis of reasonable belief, has disclosed information to the Privacy Commissioner about a person having contravened to the Act, with respect to provisions regarding personal health information s.56(1).

Under the Act, personal health information s.4 means identifying information about an individual in oral or recorded form, if the information: 

 

  • relates to the physical or mental health of the individual, including information that consists of the health history of the individual’s family;
  • relates to the providing of health care to the individual, including the identification of a person as a provider of health care to the individual;
  • is a plan of service within the meaning of the Home Care and Community Services Act, 1994 for the individual;
  • relates to payments or eligibility for health care, or eligibility for coverage for health care, in respect of the individual;
  • relates to the donation by the individual of any body part or bodily substance of the individual or is derived from the testing or examination of any such body part or bodily substance;
  • is the individual’s health number; or
  • identifies an individual’s substitute decision-maker.

Who is eligible for protection?

In order to be protected under the Act, the individual must be a person (including a partnership, association or other entity) who acts in good faith and on the basis of reasonable belief when disclosing information to the Privacy Commissioner.

How are whistleblowers protected?

Under the Act, any person who disclosed information is protected from any action or proceeding commenced in court s.71(1).  The Act prohibits any kind of reprisal s.70 against a person who has made or has the intention to make a protected disclosure under the Act s.56(1). The Act also protects persons who refuse, or demonstrate their intention to refuse to do any acts in violation of the Act s.70 (a)-(b)

Any person who knowingly takes any kind of reprisal against a person who has disclosed information to the Privacy Commissioner is guilty of a fine s.72(1)(j) not exceeding $100,000 s. 72(a) if a natural person or not exceeding $500,000 if not a natural person s. 72(2)(b).

Similarly, any corporation (also known as not natural persons) including its officers, members, employees or other agents who knowingly take any kind of reprisal against a person who has disclosed information to the Privacy Commissioner is guilty of a fine no more than $500,000 s.72(2)(b) and s.72(3).

A person may not be found  liable under this Act if they are in compliance with the requirements by the Commissioner under this Act s.70(4).

A person who willfully makes a false statement in order to mislead the Commissioner or who fails to comply with an order made by the Commissioner is also guilty s. 72(h)-(i).

How should disclosures be made?

Be careful! Despite presenting some challenges for follow ups, one of the best protections for whistleblowers is their anonymity. Be cautious when providing any information through electronic means, especially emails! Read the security tips section.

Disclosures sent to the Privacy Commissioner must be made in writing and filed within one year after the subject-matter of the complaint first came to the attention of the complainant, or whatever longer period The Commissioner permits s. 56(2). When sending information to the Privacy Commissioner, do not send personal or sensitive information by email. Additionally, The Commissioner may decide not to review the subject-matter of the complaint for whatever reason the Commissioner considers proper s. 56(4)

Mail: 
Information and Privacy Commissioner of Ontario
2 Bloor Street East, Suite 1400
Toronto, ON M4W 1A8

Email: 
info@ipc.on.ca

Phone: 
Toronto Area: 416-326-3333
Long distance: 1-800-387-0073 
TDD/TTY: 416-325-7539
Fax: 416-325-9195

Additional contact information for the Office is available at https://www.ipc.on.ca/about-us/contact-us/.