Your Privacy Rights and Choices
Privacy is a fundamental right of every Ontarian. In order to protect that right, Ontario Health atHome is required by law to protect your personal information and to follow strict rules when collecting, using and disclosing it. These laws also give you certain rights and choices about how we use and share your personal information.
Learn more by contacting your local privacy office.
Definitions of personal information and personal health information
“Personal information” means recorded information about you as an individual. It may include your name, address, sex, age, education and employment history. It can also include identifying numbers such as a Social Insurance Number and your personal views or opinions.
“Personal health information” is a specific type of personal information. It includes any verbal, written or electronic information about you which relates to your physical or mental health (including family medical history), health care services provided to you (including a plan of service), the identity of persons who provided you with health care services and the identity of your substitute decision maker(s). It also includes your Ontario health card number and information related to payment or eligibility for health care.
Ontario’s access and privacy legislation
Our practices are governed by two privacy laws:
- Personal Health Information Protection Act (PHIPA)
  - Applies to personal health information
  - Access can only be provided with patient/SDM authorization (with VERY few exceptions)
- Freedom of Information and Protection of Privacy Act (FIPPA)
  - Applies to all records held by a publicly-funded organization (except personal health information)
  - Anyone can request a copy of any record and copies must be provided (with very few exceptions)
Both laws outline:
- How and when we can collect information from people;
- How we can use the personal information we collect;
- That we must protect the personal information we collect; and
- How, when and to whom we can disclose personal information we have collected.
Compliance with both Acts is overseen by the Information and Privacy Commissioner of Ontario.
Why we collect and use your information
We only collect your information for specific purposes. Collection of your information is limited to only what is necessary for the specified purpose.
Some of the most common reasons we collect and use your information include:
- To coordinate and/or deliver the in-home support services you need
- To assist you with the application process for placement in a long-term care home
- To coordinate and/or deliver school health services you need
- To monitor and evaluate the quality of our programs and services
- To support our internal educational activities
- To conduct research
- To receive payment for providing health care through government programs
- To meet legal and regulatory requirements
In the event we wish to collect your information for other purposes, we will explain the reason for the collection and give you an opportunity to ask us any questions before we collect it. This may happen during a verbal conversation or the explanation might be provided within a written document such as a handout or form.
In the event we wish to use or disclose your information for other purposes, we will explain the reason and obtain your consent.
How we collect and use your information
We collect your information directly from you or from your substitute decision-maker (i.e. a person legally permitted to act on your behalf should you become incapable of making your own decisions).
With your consent, or if the law permits, we may also collect personal health information about you from other sources including:
- Other health care providers involved in your care (now and in the past)
- Community support service agencies providing you with care and/or support
- Caregivers, which may include family members, friends, neighbours, etc.
- Local, regional and provincial systems which contain your personal health information, including third-party electronic medical records, the Integrated Assessment Record, ConnectingOntario Clinical Viewer or ClinicalConnect and the Electronic Child Health Network.
Who can see and use your personal health information
Implied consent to collect, use and share your information to provide health care
When you seek health care from us and unless you tell us otherwise, we assume that we have your permission to collect, use and share your health information among the health care providers at our organization who “need to know” it to provide you with exceptional care. This may include nurses, social workers, therapists and other professionals or their support staff who provide or assist in providing health care to you.
Unless you tell us otherwise, we also assume that we have your permission to collect and use health information from and share information with health care providers outside our organization who provide or assist in providing health care to you. This might include your family doctor or specialists, pharmacists, staff at a hospital, long-term care home or retirement home, nurses and personal support workers, community support service workers, ambulance services, vendors who provide you with equipment and supplies and other regulated health professionals involved with your care now or in the future.
In an effort to facilitate and coordinate your health care, we share your health information with other care providers using regional and provincial systems. More specifically, we make information related to the services you receive from us and/or your assessment information available to others involved in your care through:
- Ontario Health’s Home and Community Care provincial electronic medical record
- Ontario Health’s provincial electronic health record – ConnectingOntario Clinical Viewer or ClinicalConnect
- Ontario Health’s Integrated Assessment Record
- Ontario’s pediatric digital health record – Electronic Child Health Network
We also use regional and provincial systems to send referrals to other health care providers. For example:
If you have any questions or concerns about information sharing through regional and provincial systems, please call your local privacy officer.
Express consent to share information with other people
Generally, we must get your express permission to share your health information with:
- organizations who do not provide you with health care, like insurance companies or your employer
- a health care provider for reasons other than providing you with health care
- people who are not legally allowed to make decisions for you, like family members and friends
People outside the health care system who receive your health information from us can only use it or share it for the reasons that they lawfully received it or if it is allowed or required by law.
Using your health information without your consent
Ontario’s health privacy law allows or requires us to use your health information without your consent in some situations, including:
- to educate those acting on our behalf in providing health care
- to contact you to get your consent, or the consent of someone who may consent on your behalf
- to do research with the approval of a research ethics board, who must abide by research regulations and requirements
- to receive payment for our services
- to plan or deliver our programs or services
- for risk management purposes
- in a legal proceeding (i.e. a court case) where we or someone acting on our behalf is a party or a witness
- as permitted or required by law
Sharing your health information without your consent
The law allows or requires us to share your health information with others without your consent in some situations, including:
- if sharing the information is necessary to provide you with health care and we cannot get your consent in a timely manner
- to obtain payment for providing health care through government programs, like the Ontario Health Insurance Plan (OHIP)
- to contact a relative, friend or someone who may consent on your behalf, if you are injured, incapacitated or ill and unable to give consent
- to report certain diseases to public health authorities
- when we suspect certain types of abuse
- to reduce or eliminate a risk of serious bodily harm
- to assist with a law enforcement investigation or to comply with a warrant
- in a legal proceeding where we or someone acting on our behalf is a party or witness
- as permitted or required by law
The law also allows us to share your health information with certain organizations that help improve health care delivery and/or plan and manage the health care system. These organizations are designated by law and have their practices and procedures reviewed and approved by the Information and Privacy Commissioner of Ontario. We share information with:
- Ontario Health
- Ontario’s Ministry of Health or Ministry of Long Term Care
- Canadian Institute for Health Information (CIHI)
- Canadian arm of the interRAI research consortium
Whenever possible, we share aggregate and/or anonymized/de-identified data. We also rely on data sharing agreements that require all of our partners to make your privacy a priority.
How we protect your information
We use a combination of physical, technological and administrative measures to protect your personal information from loss or theft while also protecting it from unauthorized access, use, modification, disclosure, copying and destruction.
We have developed policies and procedures which outline how we meet our legal responsibility to protect the personal information we collect.
We regularly teach our staff about your privacy rights and their legal responsibilities.
We have privacy and security requirements in place for contracted service providers and vendors.
How you can see or get a copy of the information we have about you
You have the right to request a copy of your personal information. Note: There are certain exceptions to this right and a fee may apply.
- Learn more about how you can request a copy of your personal health information.
- Learn more about how you can request a copy of other information.
What to do if you find an error in the information we have about you
If you believe your record is inaccurate or incomplete, you may write to us and ask for a correction.
We will respond to your request as soon as possible. If we cannot respond to your request within 30 days, we will tell you so and give you a reason for the delay.
We are not required to correct a record that was created by someone else or if it contains a professional opinion or observation made in good faith. If we choose not to make the correction, we will tell you why and ask you if you would like to attach a statement of disagreement to your health record that will be made available to those who see the record.
What to do if you wish to limit who can collect, use or disclose your personal health information
In some cases, you can tell us not to collect, use or share some or all of your health information.
Please share your wishes with a member of your health care team (i.e. your Care Coordinator) as soon as possible. If your care provider cannot meet your needs, our Privacy Officer or Health Records Department will be asked to assist you.
If you direct us to limit who we share your health information with, we must tell other health care providers that we are unable to give them all the information we feel they will need to provide you with health care.
What happens if your information is lost, stolen or improperly accessed, used or disclosed
Under the law, we will tell you if your personal information is lost, stolen or improperly accessed, used or shared. We will also provide you with:
- An overview of what happened including details about what exactly was lost, stolen, accessed or disclosed without authorization and with whom
- A description of what steps have been taken to ensure it doesn’t happen again, e.g. employee coaching/re-education, policy and practice review
- Information about how to protect yourself from harm (if applicable to the circumstances)
- Information about how you can exercise your right to make a complaint to the Information and Privacy Commissioner of Ontario.
Depending on the circumstances, we may also have to report what happened to the Information and Privacy Commissioner of Ontario and/or a professional college.
What to do if you have concerns about the way we handle your information
If you have concerns about the way we handle your information, please speak to your local privacy officer as soon as possible.
If we are unable to resolve your concerns, you have the right to file a complaint with Ontario’s Information and Privacy Commissioner (IPC) about any decision, action or inaction that you believe does not comply with the law, such as:
- if you are unable to resolve a complaint or concern about how your health information has been handled;
- if you are unable to see all of your health information, or want to complain about a delay in responding to your request;
- if you feel the health information in your record is incorrect and you have been unable to persuade us to correct the information to your satisfaction or to attach your statement of disagreement to your record; or,
- if you disagree with the fee that we charged for you to see or get a copy of your health record.
You can contact the IPC at:
Information and Privacy Commissioner of Ontario
2 Bloor Street East, Suite 1400
Toronto, ON, M4W 1A8
Telephone: 416-326-3333 or 1-800-387-0073
TTY: 416-325-7539
www.ipc.on.ca
Note: If you choose to ask your questions or raise concerns over email, please limit the personal health information you include in the message.
People who can make decisions for you about your health information
We presume that you are able to make your own decisions about your health information.
If you cannot make your own decisions, another person will make decisions for you. The law tells us who to turn to first on a list of “substitute decision makers.” That person can make decisions about your health information that relates to a specific treatment. Alternatively, you may decide, in advance and in writing, who can make decisions on your behalf when you are no longer capable of making them.
We may give your substitute decision maker information about you to help them make decisions on your behalf. They can also ask to see your records and our staff will give them information about your health. We will ask you, or the person who can consent on your behalf, before giving your health information to your other family members or others.
How we meet the ten internationally recognized privacy principles
- Accountability
We take responsibility for the personal information in our custody and control. We have a Privacy Officer who writes and verifies compliance with policies and procedures related to the collection, use and disclosure of personal information and who provides our staff, Board of Directors and others who do work on our behalf with education about their duty of confidentiality.
- Identifying Purposes
We ensure that individuals know the purpose for which personal information is required prior to collection, use, or disclosure of the information.
- Consent
We obtain consent for the collection, use, or disclosure of personal information unless disclosure without consent is permitted or required by law.
- Limiting Collection
The collection of personal information shall be limited to that which is necessary for our stated purposes.
- Limiting Use, Disclosure and Retention
We only use and disclose personal information if the reason to do so is consistent with the purpose for which we collected it and no other information will serve that purpose; if the law permits or requires us to do so; or if the individual provides express consent to do so. We retain records in accordance with our Record Retention Schedule.
- Accuracy
We ensure that personal information is as accurate, complete and up-to-date as is necessary for our stated purposes. We respect an individual’s right to request a correction to their personal information.
- Safeguards
We use a combination of physical, technological and administrative measures to protect your personal information from loss or theft while also protecting it from unauthorized access, use, modification, disclosure, copying and destruction.
- Openness
We document our information practices in writing and make this information available to the public. If personal information is lost, stolen or inappropriately accessed, used, or disclosed, we inform the affected individual as soon as possible.
- Individual Access
We have an established process for individuals to request and obtain access to personal information.
- Challenging Compliance
We invite individuals to make inquiries or complaints about our information practices and respond to these as soon as possible. If someone is not satisfied with how a complaint or inquiry is handled, they are informed of their right to contact the Information and Privacy Commissioner of Ontario and provided with the contact information they would require to do so.
Helpful links
Information and Privacy Commissioner of Ontario
Personal Health Information Protection Act
Freedom of Information and Protection of Privacy Act
Speak Up Ontario Resources for Individuals and Families
The Ontario Caregiver Organization – Health Privacy and Consent Resources