When sending a referral for a patient, it is important to understand if the site receiving the referral is a Health Information Custodian (HIC), under the Personal Health Information Protection Act (PHIPA), or not.
PHIPA law applies to HICs, who are responsible for the Personal Health Information (PHI) in its custody or control, and must take certain steps to fulfill that responsibility.
If sending a referral to a site that is clearly labeled as a non-HIC, referring providers must ensure they have express consent from the patient and must be careful not to disclose of any unnecessary PHI.
Who is a Health Information Custodian?
As defined in PHIPA, a HIC is responsible for collecting, using and disclosing personal health information on behalf of clients.
Examples of custodians include:
- health care practitioners and clinics (including doctors, nurses, speech-language pathologists, chiropractors, dental professionals, dietitians, medical laboratory technologists, massage therapists, midwives, occupational therapists, opticians and physiotherapists)
- community care access corporations
- hospitals
- psychiatric facilities
- long-term care homes
- pharmacies
- laboratories
- ambulance services
- retirement homes and homes for special care
- medical officers of health of boards of health
- the Minister of Health and Long-Term Care
- Canadian Blood Services,
- the Ontario Air Ambulance Services Corporation
- a person who, as a result of the bankruptcy or insolvency of a health information custodian, obtains complete custody or control of records of personal health information held by the health information custodian
- every local health integration network
Who is Not a Health Information Custodian?
Individuals or organizations must be specifically named in PHIPA s. 3 or O.Reg 329/04 s. 3 in order to be considered HICs. However, PHIPA also sets out some specific examples of persons not considered HICs for the purposes of the act:
- faith healers or traditional aboriginal healers or midwives
- a person who would otherwise be a health information custodian who is an agent/employee of another health information custodian. For example, a physician with privileges in a hospital acts as the hospital’s agent when entering information into hospital records
- a person who would otherwise be a health information custodian who is an agent/employee of an organization that is not a health information custodian, but this exception applies only where the agent/employee is not providing health care. If the agent/employee is providing health care (e.g. a nurse employed by a school board to provide health care to students, or a physician retained by a private company to provide health care to company employees) then the agent/employee is a health information custodian
- a person providing fitness or weight-management services
- a person who the regulations say is not a health information custodian
Persons who are not health information custodians should consider the application of the Act to
them in a few contexts. Generally, except as permitted or required by law, such persons cannot use or disclose that information for any purpose other than the purpose for which the custodian disclosed the information to them under the Act, or for the purpose of carrying out a statutory or legal duty.
Note: This document is provided for general information purposes only and does not constitute legal advice. Additional information is available in the document Frequently Asked Questions - Personal Health Information Protection Act published by the Information Privacy Commissioner of Ontario.