- What is Privacy?
- What is the Personal Health Information Protection Act?
- What is personal health information?
- What is NOT personal information?
- What does Sunnybrook use my health information for?
- Who does Sunnybrook give my health information to?
- Does Sunnybrook ever sell patient information to drug companies, or anyone else?
- Can I access my health information?
- Where do I go to access my health record?
- Can the husband/wife of a patient access their spouse's records?
- Can all Sunnybrook staff access my patient record?
- What if I am unable to give consent to release my personal health information?
- Will my family or friends be able to call the hospital to get information about me over the phone?
- What is a breach of privacy?
- What is a "lock-box"?
- What if some of the information in my health record is incorrect?
- How does an individual correct errors or omissions to their records?
- Can the hospital refuse to correct an individual's personal health information?
- How is my personal health information protected?
- How does an individual initiate a complaint?
- Where can I find out more about information privacy rights and protection at Sunnybrook?
The individual's right to retain control over the collection, use and disclosure of his/her personal information.
The Personal Health Information Protection Act, 2004 (PHIPA) is Ontario's new health-specific privacy legislation. PHIPA will govern the manner in which personal health information may be collected, used and disclosed within the health care system. It will also regulate individuals and organizations that receive personal information from health care professionals.
Personal health information is "identifying information" collected about an individual.
It is information about an individual's health or health care history in relation to:
- The providing of health care to the individual, including the identification of a person as a provider of health care to the individual;
- A plan of service within the meaning of the Long-Term Care Act, 1994 for the individual;
- Payments or eligibility for health care in respect of the individual;
- The donation by the individual of any body part or bodily substance of the individual, or information derived from the testing or examination of any such body part or bodily substance;
- The individual's health number; or
- The individual's substitute decision-maker.
Any data that has been collected in which all personal identifiers have been removed (making determination of identity impossible) is not considered personal information, nor is the name, title, business address or business telephone number of an employee of an organization.
Sunnybrook uses your information for the delivery of patient care, administration of the healthcare system, research, teaching, statistics, fundraising, and to meet legal and regulatory requirements.
The Hospital is required to disclose patient information to several other organizations. This includes the Ministry of Health, The Canadian Institute for Health Information (CIHI), Public Health, and Cancer Care Ontario. Information may also be disclosed to other physicians directly involved in the administering of care to our patients. The Hospital places appropriate safeguards on the transmission of all information disclosed to other organizations and seeks to ensure that health information protection measures are in place and in accordance with the Personal Health Information Protection Act.
Sunnybrook does not sell patient information to drug companies or to anyone else.
To get a copy of your health records, you can:
- Submit your request, in writing, to Sunnybrook's Health Data Resources Department.
Your written request for a copy of your health records should include: your name, address and date of birth; your signature or the signature of a legal representative (if applicable); and the date and the signature of a witness.
*Please note the Hospital will only accept original letters. Faxes are not acceptable.*
- Go to the Hospital's Health Records Department and request an Authorization of Release of Information Form.
Please allow a reasonable amount of time for the Hospital to process your request. Should you wish to receive photocopies of your health records, a reasonable fee is charged.
No, unless the patient's husband or wife is designated as the substitute decision maker.
Only Sunnybrook staff involved in your care may access your patient record. All Sunnybrook staff are bound by a strict confidentiality agreement, which is signed as a condition of employment. This agreement seeks to ensure staff access patient information on a need-to-know basis.
If you are unable to give consent for a friend or family member to access your health records due to reasons of competency or consciousness, the consent decision falls to the appointed substitute decision maker such as a parent or guardian. This person is bound by law to act on your behalf and must make decisions based on their belief of what you would wish done if you were able to decide.
Sunnybrook's clinical care team has no way to verify the identity of the caller. Therefore, in order to protect patient privacy, minimal information is disclosed over the phone.
Breach of privacy, confidentiality or security refers to the unauthorized access, collection, use, or disclosure of any personal information or personal health information.
The "lock-box" is a term used to describe the right of an individual to instruct a health information custodian not to disclose specified personal health information to another custodian.
How does the lock-box work?
When an individual requests a health information custodian not to disclose his/her personal health information to another custodian, the custodian is obliged to inform the recipient custodian that some personal health information is inaccessible as a result of it having been "locked" by the individual. The custodian who receives "locked" personal health information may choose to explore this matter with the individual. The custodian would need to obtain the express consent of that individual to access and use that information.
However, a custodian is permitted to disclose the information to a recipient custodian where, in his/her professional opinion, the disclosure is necessary for the purpose of eliminating or reducing a significant risk of serious bodily harm to the patient.
An individual who believes that his/her personal health information is incomplete or inaccurate may request a health information custodian to correct his/her record. It is the responsibility of the custodian to ensure that personal health information is complete and accurate.
An individual seeking to correct his/her personal health information is required to submit a written request to the health information custodian. The custodian must respond within 30 days of receiving a correction request.
PHIPA provides limited grounds for extending this 30-day time frame. For example, extensions are permitted where replying within 30 days would unreasonably interfere with the custodian's activities, or where the time necessary to undertake the consultations associated with the request would exceed 30 days.
The hospital is obligated to correct personal health information where an individual demonstrates, to the satisfaction of the hospital, that the record is in fact inaccurate or incomplete and the individual gives the custodian the necessary information to correct the record.
However, the hospital may refuse to correct personal health information that is a professional opinion or an observation of the health care provider.
- Physical Safeguards: Sunnybrook has a number of physical safeguards and measures to protect Sunnybrook's patient records including facility access controls, workstation security and mobile device security requirements.
- Technical Safeguards: Sunnybrook's Information Technology department upgrades the security capabilities of the patient information system on an ongoing basis. We have implemented role-based access controls to ensure staff may only access electronic information on a need-to-know basis. Sunnybrook's patient information system also uses passwords to protect the system from inappropriate access from within and a firewall to protect our system from users on the Internet.
An individual who feels his/her privacy rights under PHIPA have been violated has the right to submit a written complaint to Sunnybrook's Privacy Office. All privacy complaints will be treated in a confidential manner.
An individual may also submit a written complaint to the Information and Privacy Commissioner of Ontario.
Information and Privacy Commissioner / Ontario
2 Bloor Street East, Suite 1400
Canada M4W 1A8
You can get more information from the following sources:
- Email: You can email the Chief Privacy Officer at privacy[at]sunnybrook.ca
- Telephone: You can call the Office of the Chief Privacy Officer at (416) 480-6100 x 1236.