Information, Privacy and Access

Ontario’s health care system operates within a legal framework that balances patient privacy, data protection, and access to information. This framework also regulates hospital electronic communications with the public. Some of the Acts in this section require certain records to be maintained. Please refer to the OHA's Records Retention Toolkit: A Guide to the Maintenance and Disposal of Hospital Records for specific details on these compliance requirements.

The following Acts are covered in this section:

  • Canada’s Anti-Spam Legislation (CASL) [federal]

  • Freedom of Information and Protection of Privacy Act (FIPPA)

  • Personal Health Information Protection Act, 2004 (PHIPA)

  • Quality of Care Information Protection Act, 2016 (QCIPA)

Note: Another piece of legislation that would fall into this category is the Enhancing Digital Security and Trust Act, 2024. It currently does not have any compliance requirements; however, once regulations are made or directives are issued under the Act, it will be added to this page.

Canada’s Anti-Spam Legislation (CASL)

Overview

CASL sets out rules with respect to the sending of “commercial electronic messages”, as defined in the Act, which includes emails, text messages, and messages to social networking accounts. These rules relate to what consent is required to send commercial electronic messages and the contents of such messages.

Who does CASL apply to?  

CASL applies to any hospital that sends “commercial electronic messages”. Electronic messages that are not commercial in nature or fall within one of the exclusions set out in the Act or its regulations are not subject to CASL.  

What are the key requirements for hospitals under CASL? 

Hospitals must not send, or permit to be sent, commercial electronic messages (subject to certain exceptions) without a recipient’s consent. Additionally, the contents of the message must comply with CASL, which includes the requirement for an unsubscribe mechanism. (ss 6, 10-11; SOR/2013-221; SOR/2012-36)  

Compliance Deadlines 

The Act does not contain any compliance deadlines. 

Director Liability 

Any person who contravenes the consent and content requirements set out in CASL commits a violation and is liable to an administrative monetary penalty (AMP). (s 20(1)) Any officer, director, agent or mandatary of a corporation that directed, authorized, assented to, acquiesced in or participated in the commission of the violation is also liable for the violation, whether or not the corporation is proceeded against. (s 31) The Act also provides a due diligence defence. (s 33)

The Canadian Radio-television and Telecommunications Commission (CRTC) is responsible for the enforcement of CASL and will determine the amount of an AMP based on a series of factors set out in the Act. The maximum AMP for an individual is $1 million. (s 20) 

Additional Resources 

For more information about CASL, please refer to the following resources: 

Freedom of Information and Protection of Privacy Act (FIPPA)

Overview

FIPPA establishes a framework for the protection of individuals’ “personal information”, as defined in the Act, held by certain institutions. It sets out rules for the collection, retention, use, disclosure, and disposal of personal information, and provides an individual right to access personal information and an individual right to request correction of personal information. 

FIPPA also provides all members of the public with a right of access to records in the custody or control of certain institutions.  It sets out the process for making and fulfilling such requests as well as the circumstances where the public does not have a right of access. 

Finally, FIPPA establishes the Ontario Information and Privacy Commissioner (IPC) and sets out its responsibilities and powers to oversee the administration and enforcement of the Act. 

Who does FIPPA apply to?  

FIPPA applies to “institutions”, which is defined in the Act to include all public hospitals. Certain provisions apply to the “head” of an institution, which is the chair of the board of directors of the hospital. A head may, however, delegate in writing any power or duty of the head to an officer of the hospital. 

Although FIPPA applies to hospitals, it excludes employment-related records, and the Personal Health Information Protection Act, 2004 (PHIPA) stipulates that FIPPA does not apply to personal health information in the custody or control of hospitals. Practically, then, FIPPA is most relevant in its application to hospital administrative records and records containing personal information that are neither clinical records nor employment-related records. 

What are the key requirements for hospitals under FIPPA? 

  • Upon receiving a request from an individual for access to a record, the head of a hospital must respond to the request in accordance with the Act, including by giving written notice to the person making the request indicating whether or not access to all or part of the record will be given. (ss 24-30) Unless one of the circumstances set out in the Act provides that the head of a hospital can or must refuse to disclose a record, the request must be granted. (ss 10, 12-23)

  • Every head of a hospital must ensure that reasonable measures respecting the records in the custody of, or under the control of, the hospital are developed, documented and put into place. (s 10.1)  

  • The head of a hospital must disclose a record to the public or affected persons if the head has reasonable and probable grounds to believe that it is in the public interest to do so and the record reveals a grave environmental, health or safety hazard to the public. Notice of the disclosure shall be given to any person to whom the information in the record relates. (s 11)  

  • The head of a hospital must make available, on the internet or in print in the designated reading room, library or office, any manuals, directives or guidelines (and associated instructions or guidance) that relate to an enactment conferring rights, privileges or benefits (including whether to suspend or revoke them) or to an enactment imposing obligations or liabilities. (ss 33, 35)

  • The head of a hospital must make an annual report to the IPC that sets out, with respect to both FIPPA and PHIPA, the number of requests for access, number of refusals to disclose, the uses or purposes for which personal information is disclosed, the fees collected, and any other practice put into place. (s 34) The annual report shall be made available on the internet or in print in the designated reading room, library or office. (s 35) As of July 1, 2025, the annual report will also be required to include the number of thefts, losses or unauthorized uses or disclosures of personal information.

  • The head of a hospital must conduct an annual review to ensure that information provided to the Chair of the Management Board of Cabinet (the responsible minister for FIPPA) is accurate, complete and up to date. (s 36)

  • Hospitals must comply with the various provisions of FIPPA that set out how personal information can be collected, retained, used, disclosed, and disposed of. (ss 38-43; Reg 459; Reg 460, ss 3-5, 10) Several provisions relate specifically to how hospitals may use and disclose personal information for the purpose of fundraising activities of a hospital or associated foundation.   

As of July 1, 2025, the head of a hospital must also take steps that are reasonable in the circumstances to ensure that personal information in the custody or under the control of the hospital is protected against theft, loss and unauthorized use or disclosure, and to ensure that records containing personal information are protected against unauthorized copying, modification and disposal. (s 40(5))

  • The head of a hospital must ensure all personal information under the control of the hospital is included in a personal information bank with certain records on the use or disclosure of the personal information linked or attached to the personal information bank. (ss 44, 46) 

  • Subject to certain exemptions, upon receiving a written re​​​quest, hospitals must give an individual access to their personal information that is in the custody or under the control of the hospital. Individuals who were given access to personal information are entitled to request a correction to the personal information, require a statement of disagreement be attached to the information if a requested correction was not made, and require notification be provided to those who the personal information was disclosed to within the past year with respect to the correction or statement of disagreement. (ss 47-49; Reg 460, s 11) 

  • The head of a hospital shall require a person who makes a request for access to a record to pay a prescribed fee, or shall waive all or any part of such fee. (s 57; Reg 460, ss 6-9)

As of July 1, 2025, the following requirements will be added:

  • Before a hospital collects personal information, the head of the hospital must ensure that a privacy impact assessment (PIA) is prepared and contains the information required by the Act. A PIA must also be prepared if the purpose for which personal information is used or disclosed is significantly changed. (s 38)

  • The head of a hospital must notify individuals if their personal information is lost, stolen, or used or disclosed in an unauthorized manner and there is a reason to believe there is a real risk of significant harm to the individual. A report of the breach must also be provided to the IPC and a record of the breach must be maintained by the hospital. (s 40.1) 

Compliance Deadlines 

  • If a request for information should have been made to another institution, the head of a hospital must, within 15 days after the request is received, forward the request to the other institution and provide written notice to the person who made the request that the request has been forwarded. (s 25) 

  • Subject to an extension of time, the head of a hospital must provide written notice to a person who makes a request for access to a record and, if access is to be given, give the person access to the record within 30 days after the request is received. (ss 26-27) 

  • In certain circumstances where the interest or personal privacy of another person would be affected by the disclosure of a requested record, the head of the hospital must give written notice to the affected person within 30 days after the request is received. (s 28)

  • Disclosures made in the public interest and notices with respect to such disclosures must occur as soon as practicable. (s 11)

  • An annual report to the IPC must be submitted on or before March 31 with respect to the preceding calendar year.  

As of July 1, 2025, the following compliance deadline will be added:

  • Breach notification to an individual and reporting to the IPC must occur "as soon as feasible" after the breach is identified. (s 40.1)

Director Liability 

The Act does not contain any director-specific offence provisions.

Additional Resources 

For more information about FIPPA, please refer to the following resources: 

Personal Health Information Protection Act, 2004 (PHIPA)

Overview

PHIPA is the legal framework that ensures patients’ personal health information (PHI) is protected. It sets out rules for the collection, use and disclosure of PHI, including what consent is required. The Act also outlines what measures must be taken by health information custodians (HICs) to maintain the security of PHI, what steps must be taken if a PHI breach occurs, what access rights individuals have to their PHI and the process for requesting PHI corrections. Additionally, the rules for the provincial electronic health record (EHR) are set out in the Act. Finally, PHIPA provides the Ontario Information and Privacy Commissioner (IPC) with a wide array of powers to oversee the administration and enforcement of the Act. 

Who does PHIPA apply to?  

PHIPA applies to HICs, which is defined in the Act to include all public hospitals.  

What are the key requirements for hospitals under PHIPA? 

  • Hospitals must have policies, which are referred to as “information practices” in the Act, in place for how the hospital collects, uses, modifies, discloses, retains, and disposes of PHI, as well as the administrative, technical and physical safeguards and practices that the hospital uses for PHI. (ss 2, 10) 

  • Hospitals are required to notify individuals if their PHI is lost, stolen, or used or disclosed in an unauthorized manner. (ss 12(2), 16(2)) Hospitals must also report to the IPC if the breach meets the prescribed circumstances. (s 12(3); O Reg 329/04, s 6.3)  

  • Hospitals must designate a contact person (for example, a Privacy Officer) to facilitate the hospital’s compliance with PHIPA, ensure “agents” of the hospital are appropriately informed of their duties, respond to inquiries about the hospital’s information practices, respond to requests for access to or correction of PHI, and receive complaints about the hospital with respect to PHIPA compliance. (s 15) 

  • A written statement must be made available to the public that provides a general description of the hospital’s information practices, how to contact the hospital’s contact person, how to request access to or a correction of PHI and how to make a complaint. (s 16) 

  • Hospitals are required to give written notice to the relevant regulatory college when a regulated health professional (i) is suspended, terminated, or subject to disciplinary action, or (ii) has their privileges revoked, suspended or restricted, for committing a privacy breach. Written notice is also required when a health professional resigns due to a privacy breach. (s 17.1)  

  • Upon receiving a request from an individual for access to their PHI, a hospital must either make the record available, including providing a copy, if requested, or give written notice to the individual about why the request will not be granted. (s 54) Similarly, upon receiving a request to make a correction to an individual’s PHI record, the hospital must give notice whether the request was granted or refused. (s 55) 

  • Hospitals must provide an annual report to the IPC with privacy breach statistics. The IPC hosts an Online Statistical Reporting System to submit annual reports. (O Reg 329/04, s 6.4) 

  • Hospitals must provide certain PHI to Ontario Health for the EHR. (O Reg 329/04, s 18.1.3) 

Compliance Deadlines 

  • Breach notifications to individuals and the IPC must both occur at the “first reasonable opportunity”. (s 12(2); O Reg 329/04, s 6.3(3)) 

  • Notifications to regulatory colleges for employment or privilege changes related to PHI breaches must be made within 30 days of the event occurring. (s 17.1(2)) 

  • Annual reports to the IPC must be submitted on or before March 1 regarding the previous calendar year. (O Reg 329/04, s 6.4) 

  • Responses to PHI access requests and corrections must be given as soon as possible in the circumstances, but no later than 30 days after receiving the request (subject to certain extension rules). (ss 54(2), 55(3)) 

Director Liability 

Under PHIPA, it is an offence to willfully collect, use, disclose or destroy PHI in contravention of the Act, obstruct the IPC in the performance of its functions, or fail to comply with an order of the IPC. (s 72(1)) If a corporation, such as a hospital, commits an offence, directors can also be held liable if they authorized the offence or knowingly refrained from preventing the offence from being committed. (s 72(3)) Individuals may be fined up to a maximum of $200,000. (s 72(4)) 

The IPC may also make orders to ensure compliance with the Act and issue administrative monetary penalties (AMPs) as part of its enforcement powers for violations of the Act. (s 61.1) AMPs issued may be a maximum of $50,000 for an individual. (O Reg 329/04, s 35(1)) 

Additional Resources 

For more information about PHIPA, please refer to the following resources: 

Quality of Care Information Protection Act, 2016 (QCIPA)

Overview

The QCIPA creates a framework under which “quality of care information”, as defined in the Act, that is discussed by “quality of care committees” remains confidential, by prohibiting its disclosure. This prohibition on disclosure extends to freedom of information requests under the Freedom of Information and Protection of Privacy Act and to legal proceedings. The intent of this confidentiality is to allow for open, honest discussions about errors, system problems and opportunities for improvement that can improve the quality of health care delivered to patients.

Who does the QCIPA apply to?  

The QCIPA applies to “health facilities,” which is defined in the Act and its regulations to include all public hospitals and long-term care (LTC) homes.  

What are the key requirements for hospitals under the QCIPA? 

  • Hospitals and LTC homes must not disclose quality of care information except in limited circumstances set out in the Act. Examples of such circumstances include when disclosure is appropriate for the purpose of improving or maintaining the quality of health care provided by the facility, or when disclosure is necessary to eliminate or reduce a significant risk of serious bodily harm to a person or group of persons. (s 9) 

  • A hospital or LTC home must designate, in writing, that a quality of care committee is acting as such a committee for the purposes of the QCIPA. The terms of reference of the quality of care committee and its designation must be available on request to members of the public. (O Reg 483/16, s 2) 

Compliance Deadlines 

A quality of care committee must be designated, in writing, before beginning to act as such a committee. (O Reg 483/16, s 2) 

Director Liability 

Under the QCIPA, if a corporation commits an offence under the Act, every officer, member, employee or other agent of the corporation who authorized the offence, or who had the authority to prevent the offence from being committed but knowingly refrained from doing so, is a party to and guilty of the offence and is liable, on conviction, to the penalty for the offence, whether or not the corporation has been prosecuted or convicted. The penalty for contravening the Act is a fine of up to $50,000 for individuals. (s 12) 

Additional Resources 

For more information about the QCIPA, please refer to the following resource: 
