Privacy FAQs

What is Information Privacy?

An individual’s right to retain control over the collection, use and disclosure of his/her personal information.

What is the Personal Health Information Protection Act?

The Personal Health Information Protection Act, 2004 (PHIPA) is Ontario's health information privacy statute and regulations. PHIPA governs the manner in which personal health information may be collected, used and disclosed within the Ontario health care system.

What is personal health information?

Personal health information is "identifying information" regarding an individual's health status or health care history as it is defined within Ontario’s Personal Health Information Protection Act.

What is NOT personal information?

Information from which all personal identifiers have been removed, making it impossible to identify the person to whom the information pertains, is not considered personal information. Neither is the name, title, business address or business telephone number of an employee of an organization.

What does Sunnybrook use my health information for?

Sunnybrook may use your information for the purposes permitted within PHIPA, including clinical services delivery, administration of the hospital and for research and teaching purposes.

Does Sunnybrook share my personal health information with anyone outside of the hospital?

Sunnybrook may be required to disclose patient information to other physicians or care providers involved in the care of our patients and to certain organizations managing care delivery within the province of Ontario. These include but are not limited to Ontario’s Ministry of Health, the Canadian Institute for Health Information (CIHI), and Public Health Ontario. Information may also be disclosed to Ontario prescribed health information registries such as Connecting Ontario, Cancer Care Ontario, the BORN neonatal registry, the Integrated Assessment record and others. The Hospital places appropriate safeguards on the transmission of all information disclosed to other organizations and seeks to ensure that the recipients have health information protection measures in place in accordance with the Personal Health Information Protection Act.

Does Sunnybrook ever sell patient information to drug companies, or anyone else?

Sunnybrook does not sell patient information.

Can I access my health information at Sunnybrook?

Yes. Information regarding how to obtain a copy of your Sunnybrook medical records can be found on our Health Records page. Patients and substitute decision makers may also apply for online access to records via the Sunnybrook MyChart Service at

Can a personal care provider access a person’s Sunnybrook records?

Yes, if that person is designated as the patient’s substitute decision maker or is otherwise permitted to access the records by law.

Can any Sunnybrook staff member access my patient record?

Only Sunnybrook staff involved in your care or administering your care record may access your record. All Sunnybrook staff are bound by a confidentiality agreement which is signed as a condition of employment. This agreement seeks to ensure staff access patient information on a need-to-know basis.

What if I am unable to give consent to have a person use or access my personal health information?

If you are unable to give consent for a friend or family member to access your health records due to reasons of competency or consciousness, the consent decision falls to the appointed substitute decision maker such as a parent or guardian. This person is bound by law to act on your behalf and must make decisions based on their belief of what you would wish done if you were able to decide.

What is a breach of privacy?

A ‘breach’ of patient privacy refers to the unauthorized access, collection, use, or disclosure of any personal information or personal health information.

What is a health record ‘lock-box’?

A health record ‘lock-box’ is a term used to describe the right of an individual under PHIPA to instruct a health care provider to not use and/or disclose specified personal health information.

How does the lock-box work?

When an individual requests Sunnybrook to not use or disclose personal health information, Sunnybrook is obligated to inform anyone using or disclosing the information that access has been restricted by the individual to whom the information pertains. The person attempting to use or receive disclosed ‘locked’ personal health information may generally seek access with the express consent of the individual or indicate a legally authorized purpose for use or disclosure without consent.

What if some of the information in my health record is incorrect?

An individual who believes that their personal health information is incomplete or inaccurate must access a copy of the record and then submit a request in writing to Sunnybrook to correct the hospital record. Corrections proceed under the provision of PHIPA.

Can the hospital refuse to correct an individual's personal health information?

Sunnybrook is obligated to correct personal health information where an individual demonstrates that the record is in fact inaccurate or incomplete and the individual provides Sunnybrook with the necessary information to correct the record.

Sunnybrook may be permitted under PHIPA to refuse to correct personal health information that is a professional opinion or an observation of the health care provider.

How is my personal health information protected?

  • Administrative Safeguards: Sunnybrook's privacy policy governs the way in which all hospital employees manage and access patient information. In addition, all hospital employees must sign a confidentiality agreement as a condition of employment.
  • Physical Safeguards: Sunnybrook has deployed physical safeguards and measures to protect Sunnybrook's patient records including facility access controls, workstation security and mobile device security requirements.
  • Technical Safeguards: Sunnybrook's Information Services department and Information Security Team actively manage the security capabilities of Sunnybrook patient information systems on an ongoing basis.

How does an individual initiate a Sunnybrook privacy complaint?

An individual who feels their privacy rights under PHIPA have been violated by Sunnybrook has the right to submit a written complaint to Sunnybrook's Privacy Office. All privacy complaints will be treated in a confidential manner. Sunnybrook is legally required to respond to privacy complaints in a timely manner.

An individual may also submit a written complaint to the Information and Privacy Commissioner of Ontario.

Information and Privacy Commissioner / Ontario

2 Bloor Street East, Suite 1400
Toronto, Ontario
Canada M4W 1A8

Where can I find out more about information privacy rights and protection at Sunnybrook?

You can get more information from the following sources:
  • Email: You may email the Sunnybrook Privacy Office at
  • Telephone: You may call the Sunnybrook Privacy Office at 416-480-6100 ext. 61236.

Privacy Downloads

  • Sunnybrook's Privacy Policy (PDF)
  • Sunnybrook's Security Policy (PDF)
  • Privacy Brochure (PDF)