FAQ - The Ottawa Hospital


What is Privacy?

Privacy is a person’s claim to determine for him/herself/them when, how and to what extent information about him/her/them is communicated. Simply put, it is the right for an individual to determine who knows what about him/her/them, and what they do with the knowledge.

What is the Personal Health Information Protection Act?

The Personal Health Information Protection Act, 2004 (PHIPA) is Ontario’s new health-specific privacy legislation which applies to health information custodians such as hospitals. PHIPA governs the way personal health information may be collected, used and disclosed within the health-care system. PHIPA also confirms a patient’s right to access one’s own personal health information.

What is Personal Health Information?

Personal Health Information is “identifying information” collected about an individual. It includes information about an individual’s health or health-care history in relation to:

  • The individual’s physical or mental health, including family history
  • The provision of health care to the individual
  • Long-term care services
  • The individual’s health-care number
  • Blood or body-part donations
  • Payment or eligibility for health care; and
  • The identity of a health-care provider or a substitute decision maker for the individual.

What is Synthetic Data?

The Ottawa Hospital uses a tool called MDClone that allows us to create “synthetic data.” Synthetic data is made-up data about made-up people.  MDClone analyzes real patient data and makes up new patients with new data.  The synthetic data is very realistic and can be used for some analysis such as research.  Because it is made-up, it protects the privacy of the patients we serve.

What is de-identified patient information?

Many times, we can use patient information without knowing who the patient is.  We will “de-identify” it which means that we will remove information such as name or address that identifies the patient.  When we de-identify the information, we can no longer tell who the patient is.

When we de-identify patient information, we usually are analyzing it for research or to test new and innovative technology or processes.  We also work with outside organizations to conduct research and to test new technology or processes with de-identified information. Where possible, we try to obtain direct benefits for our patients and the hospital when working with external organizations. If we do work with outside organizations, we have contracts with them to protect the de-identified information.

What is a health information custodian?

A health information custodian is a listed individual or organization under PHIPA that, because of their power or duties, has custody or control of personal health information.

Examples of health information custodians include:

  • Health care practitioners (such as doctors, nurses, pharmacists, psychologists, spiritual care practitioners who are a part of a health care team, and dentists)
  • Hospitals
  • Psychiatric facilities
  • Pharmacies
  • Laboratories
  • Nursing homes and long-term care facilities
  • Retirement homes and homes for special care
  • Community Access Centres
  • Ambulance services
  • Minister (and the Ministry) of Health and Long-Term Care.

What is the “circle of care”?

The “circle of care” is not a defined term under PHIPA. It is a term of reference used to describe health information custodians and their authorized agents who are permitted to rely on an individual’s implied consent when collecting, using, disclosing, or handling personal health information for the purpose of providing direct health care.

In a physician’s office, the circle of care includes:

  • Physicians
  • Nurses
  • Specialists or other health-care providers referred by the physician
  • Health care professionals selected by the patient, such as a Pharmacist or Physiotherapist

In a hospital, the circle of care includes:

  • Attending physician
  • Health-care team (i.e., residents, nurses, technicians, clinical clerks, spiritual care practitioners, and employees assigned to the patient) who have direct responsibilities of providing care to the individual.

In practice, the hospital is not required to obtain an individual’s written or verbal consent every time personal health information is collected, used, or disclosed. PHIPA permits the hospital to assume implied consent where information is exchanged between custodians within the circle of care for the purpose of providing direct health care – unless a custodian is aware that an individual has expressly withheld or withdrawn his/her consent.

Consent may never be implied for an individual who specifies that his/her/their personal health information may not be collected, used or disclosed.

Implied consent is also permitted if a health information custodian, such as The Ottawa Hospital, collects, uses, or discloses names or addresses for the purposes of fundraising.

Express consent to the collection, use or disclosure of personal health information by a health information custodian is explicit and direct. It may be given verbally, in writing or by electronic means.

Implied consent permits a health-care custodian to infer from the surrounding circumstances that an individual would reasonably agree to the collection, use or disclosure of his/her/their personal health information.

In certain circumstances, express consent will always be required:

  1. For disclosure of personal health information to an individual or organization that is not a health information custodian and is outside the circle of care. For example, a physician is not able to reasonably infer that an individual would consent to have his/her/their personal health information disclosed to a third party, such as an insurance provider, who is considered to be outside the circle of care. The physician would be required to obtain the express consent of the individual to disclose personal health information to the insurance provider.
  2. Express consent is required where information is disclosed by one custodian to another for a purpose other than providing or assisting in providing health care.
  3. Express consent is also required where a custodian:
    • Collects, uses, or discloses personal health information other than an individual’s name and mailing address for fundraising purposes
    • Collects personal information for marketing research and activities
    • Collects, uses, or discloses personal information for research purposes, unless certain conditions and restrictions are met

Does TOH share patient information electronically?

When you go to another healthcare organization, TOH may provide that healthcare organization with information about you to help your care.  When you come to TOH, we may get information about you from other healthcare organizations to help your care.

We often do this electronically such as:

  • We share patient information with our Atlas Alliance healthcare partner hospitals in real time through Epic.
  • We provide patient data to regional databases in the Ottawa area and provincial databases that other healthcare organizations can access to help your care. We also view patient information about you in these databases to help your care.

We share patient information electronically because it means our doctors, nurses, and other healthcare providers have the most up-to-date information possible about you.

Why do you need my email address?

We use your email address to send you information such as appointment reminders, surveys about your experience at the hospital, educational material, requisitions, or other information related to your visit.

You do not have to agree to this.  We can contact you instead by phone, MyChart, or letter mail.

Remember emails are not protected in the same way that phone calls and letter mail are protected.  You should be aware of the risks and terms associated with using emails for care.

You can change your mind at any time and withdraw your consent to communicate via email by adjusting your preferences in MyChart.  If you do not have access to MyChart, please contact Admitting / Patient Registration Departments at one of our campuses:

  • Civic Campus – 613-798-5555 ext. 18720
  • Riverside Campus – 613-738-8400 ext. 82231
  • General Campus – 613-737-8899 ext. 78800

What are the risks of emailing your health information?

There are a few risks of you emailing your health information to us or us emailing your health information to you:

  • Email can be intercepted when it is being sent. Because it is not encrypted, it could be read.
  • Email could be sent to the wrong email address accidentally.
  • Your computer may not be secure. For example, it may not be password protected and someone could view the information in your email.
  • We could receive a court order that requires us to produce the email.

A more secure way to send information to us is to sign up for MyChart.  Visit the MyChart page to find out how.

What is a breach of Privacy?

Breach of privacy, confidentiality or security refers to the unauthorized access, collection, use, or disclosure of any personal information or personal health information.

Are individuals permitted to access their own personal health information?

With limited exceptions, PHIPA provides individuals with a general right to access their own personal health information held by a health information custodian.

How does an individual obtain access to his/her/their personal health information?

An individual may request access to his/her/their own personal health information by submitting a written request to the Health Records Department of the campus where they are receiving care.

Can the husband/wife of a patient access their spouse’s chart?

No, unless he/she/they has been designated Substitute Decision Maker and the hospital has evidence of that.

Can the hospital refuse to provide access to an individual’s personal health information?

The hospital is responsible to assist individuals by providing access to their health records. However, it may refuse access in limited situations only, where for example:

  • The information in question is subject to legal privilege
  • Its disclosure could reasonably be expected to result in a risk of serious bodily harm to a person
  • The information was collected as part of an investigation, or
  • Another law prohibits the disclosure of that information

PHIPA permits the hospital to remove some of the information to allow partial access to the individual.

Can an individual correct errors in his/her/their personal health information? How does an individual correct errors?

An individual who believes that his/her/their personal health information is incomplete or inaccurate may ask the hospital to correct his/her/their record. An individual seeking a correction to his/her/their personal health information is required to submit a written request to the hospital, which must then respond within 30 days of receiving the correction request.

Can the hospital refuse to correct an individual’s personal health information?

The hospital is obligated to correct personal health information where an individual demonstrates, to the satisfaction of the hospital, that the record is in fact inaccurate or incomplete and the individual gives the custodian the necessary information to correct the record.

However, the hospital may refuse to correct personal health information that is a professional opinion or an observation of the health-care provider.

Is it a breach of privacy if physicians send Personal Health Information to OHIP for billing?


No. Under PHIPA there are disclosures that are allowed without consent, and this is one of those disclosures.

Your health information can be sent to the specialist, who will, in turn, send a report to your referring doctor (i.e., family doctor). It is not necessary to obtain your consent. This is good clinical practice and appropriate for optimizing continuity of care.

Does any of my health information leave Canada?

While TOH takes steps to avoid processing or storage of data outside of Canada where possible, some support services are provided by vendors in the U.S. and subject to U.S. laws. In these cases, patient personal information is subject to the laws of the foreign jurisdiction which may be different, and less protective, than those of Canada.

Last updated on: November 1st, 2023