PATI EN T HEALTH INFOR MAT I ON PROT E CT I ON ACT ( PHI PA)
hiropractors interact with patient health information all day, every day.
Good information is crucial to positive patient experiences and outcomes.
How you collect, use and disclose that patient information is critical to meeting
the regulatory obligations of the College of Chiropractors of Ontario (CCO)
and a variety of laws. The Personal Health Information Protection Act (PHIPA) is
one example of Ontario legislation with which chiropractors must be compliant.
This article is designed to provide an
overview of the specific requirements
of PHIPA. CCO Standards of Practice
S-002: Record Keeping and S-022:
Ownership, Storage, Security and
Destruction of Records of Personal
Health Information identify and
explain a number of the ways that
PHIPA regulation overlaps with and
complements the requirements set out by
the CCO. Chiropractors are encouraged
to ensure that they are in compliance
with all aspects of that regulation.
Compliance with PHIPA does not
guarantee compliance with all regulations
governing patient health information.
Personal health information is broadly
defined by the act. The definition
includes all information that relates to:
• the physical or mental health of the
patient, including family medical
• the providing of health care to the
• payments or eligibility for health care,
or eligibility for coverage for health
care, in respect of the individual.
PHIPA was first enacted in 2004 with
the purpose of establishing rules for the
collection, use and disclosure of personal
health information that protect patient
confidentiality and privacy without
negatively impacting care. PHIPA also
sets out patients’ rights to access their
own personal health information and
require corrections or amendments
to that information. PHIPA applies
to health information custodians,
the definition of which includes
chiropractors and clinic staff.
Collecting Personal Health Information
Whether the information is conveyed
in oral or written form is not relevant.
All information conveyed to a health
information custodian is covered by
A health information custodian may
collect personal health information
directly (from the patient) or indirectly
(from someone else). As a general rule,
direct collection is preferred.
Consent is required for collection
of health information with a few
exceptions. When you share a patient
with another health provider, consent
to share the patient’s health information
within the “circle of care” is implied
unless it has been withdrawn by the
patient. Patients should be kept informed
Indirect collection of personal health
information requires the consent of
the patient and that the information is
reasonably necessary for providing health
care. Information may only be collected
indirectly if it is not reasonably possible
to collect the information directly from
the patient in a timely manner or when
information collected directly cannot
be reasonably relied upon to be accurate
or complete. For example, a patient
who is not fluent in English may not
be able to provide complete, accurate
personal health information in English
and may consent to have a friend or
family member answer a chiropractor’s
questions on their behalf.
While several other exemptions to
the direct collection requirement are
outlined in the statute, these are likely
to be the most relevant to chiropractors.
Keep in mind that a patient may
withdraw their consent for their personal
health information to be used by a health