Privacy

Whether you’re new to Ontario, or you’ve practiced here your whole career, knowing how to manage health information is your responsibility. Physiotherapists must keep patient information private and follow the privacy laws that apply to their work.
In Ontario, all regulated health professionals including physiotherapists must follow strict rules under the Personal Health Information Protection Act (PHIPA) to keep patient information private, secure, and confidential.
PHIPA governs how personal health information is collected, used, stored, and shared by health-care professionals and organizations.
This page outlines what you need to know as a health-care provider about privacy, your responsibilities, and how to manage breaches.
Under PHIPA, every patient has the right to:
- See and request a copy of their health record.
- Request corrections if information is inaccurate or incomplete.
- Know who has accessed their record.
- File a complaint with the College or Information and Privacy Commissioner if they believe their privacy has been violated.
Your privacy responsibilities will differ depending on whether you are considered a health information custodian or an agent of the health information custodian.
Health Information Custodian
Under PHIPA, anyone who provides health-care services and has custody or control of health records is considered a health information custodian (HIC). A health information custodian may be an organization like a hospital, school board, or corporation, or an individual physiotherapist like a clinic owner or sole practitioner in their own practice.
Agent of the Health Information Custodian
If you handle personal health information on behalf of a health information custodian, then you are an agent of the HIC. Agents can be volunteers, employees, or independent contractors. This includes physiotherapists and administrative staff in hospitals or clinics. Health information custodians are responsible for personal health information and the actions of their agents.
Guidance Based on Your Practice
Responsibilities
If you are self-employed, or if you work for a small organization, you can build a privacy approach that meets PHIPA requirements, protects data and strengthens trust with every patient. It might help to think of privacy requirements in the following way:
- Responsibility: Privacy is part of your clinical duty — it protects patients and builds trust.
- Accountability: Put someone in charge of privacy — either yourself or someone else, document well, train your team.
- Procedures: Control access, secure data, plan for breaches, and respect patient rights.
- Ongoing review: Regularly monitor and improve your privacy program.
The Information and Privacy Commissioner of Ontario's Privacy Management Handbook for Small Health Care Organizations offers practical guidance to help smaller organizations understand their privacy requirements. Your specific responsibilities will depend on whether you are the health information custodian or an agent.
Responsibilities of Agents
- Follow the health information custodian’s privacy policies.
- Collect/use personal health information only for care purposes.
- Maintain confidentiality and report breaches.
- Use secure communication, such as encrypted emails.
- Complete privacy training regularly, through your organization or through the Information and Privacy Commissioner (IPC).
Tips for Agents:
- Lock your computer when stepping away.
- Share only the personal health information necessary for treatment.
- Only use clinic-approved secure email or patient portals. Do not use a personal email address unless it has been approved by the health information custodian.
- Confirm patient identity before starting a virtual care session.
- If you send an email to the wrong patient, notify the health information custodian immediately.
Responsibilities of Health Information Custodians
- Be accountable for all personal health information under your control.
- Develop and document privacy policies.
- Limit access to personal health information based on roles.
- Respond to requests for patient access or corrections.
- Set retention and secure disposal policies. Have a plan to respond to breaches.
- Make sure electronic record software is PHIPA-compliant.
- Train staff and arrange confidentiality agreements.
Tips for Health Information Custodians:
- Receptionists should be able to see appointment details but not clinical notes.
- Keep records for the required period (for example, 10 years after the patient's last visit, or 10 years after a patient who was a minor turns 18) and shred them securely when disposing of them.
- Maintain a step-by-step guide for notifying patients and the Information and Privacy Commissioner in case of a breach.
- Make sure vendor contracts include encryption and are compliant with PHIPA.
- Hold annual privacy training for all staff.
Responsibilities of Clinic Owners
- Be legally accountable for personal health information in your clinic.
- Appoint a privacy lead.
- Implement policies and procedures.
- Monitor and audit compliance.
- Manage vendor privacy obligations.
- Provide staff training.
Tips for Clinic Owners:
- Assign a manager or staff person to oversee privacy compliance and risk assessments.
- Review the access logs for your clinic’s electronic records software monthly to look for unauthorized access.
- Use a certified shredding service for paper records.
- Ask electronic records software providers for their encryption standards and breach protocols.
- Display a privacy notice in the waiting area and on your website.
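The monthly access-log review above is the one control in this list that can be partly automated, and doing so is how "looking at someone's file out of curiosity" actually gets noticed. The following is an added example, not code from the College or from any electronic records product: it reads a constructed CSV export (the column names, the role table and the care-team map are all assumptions) and flags two kinds of access that the tips describe as unauthorized, a role touching a resource it should not see (a receptionist opening clinical notes) and a user opening the record of a patient they have no treating relationship with.

```python
import csv
from collections import Counter
from dataclasses import dataclass
from io import StringIO

# Constructed sample export from a hypothetical EHR access log. The column
# names are assumptions; real products export different fields.
SAMPLE_LOG = """timestamp,user,role,patient_id,resource,action
2024-05-01T09:02:11,reception1,receptionist,P100,appointment,view
2024-05-01T09:03:40,reception1,receptionist,P100,clinical_note,view
2024-05-01T10:15:02,pt_lee,physiotherapist,P100,clinical_note,edit
2024-05-01T11:20:45,pt_lee,physiotherapist,P207,clinical_note,view
2024-05-01T11:22:08,pt_lee,physiotherapist,P310,clinical_note,view
2024-05-02T08:45:00,pt_khan,physiotherapist,P207,clinical_note,edit
2024-05-02T12:30:19,pt_khan,physiotherapist,P100,appointment,view
"""

# Role-based limits (least privilege): a receptionist sees appointments, not notes.
ROLE_PERMISSIONS = {
    "receptionist": {"appointment"},
    "physiotherapist": {"appointment", "clinical_note"},
}

# Who has a treating relationship with each patient. Constructed; in a real
# clinic this comes from scheduling or assignment data, and reception staff
# are usually on every patient's team for booking purposes.
CARE_TEAM = {
    "P100": {"pt_lee", "reception1"},
    "P207": {"pt_khan", "reception1"},
}


@dataclass(frozen=True)
class Finding:
    timestamp: str
    user: str
    patient_id: str
    reason: str


def review_access_log(log_text, role_permissions=ROLE_PERMISSIONS, care_team=CARE_TEAM):
    """Return one Finding per log row that breaks a role limit or has no treating relationship."""
    findings = []
    for row in csv.DictReader(StringIO(log_text)):
        allowed = role_permissions.get(row["role"], set())
        if row["resource"] not in allowed:
            findings.append(Finding(row["timestamp"], row["user"], row["patient_id"],
                                    f"role '{row['role']}' may not access {row['resource']}"))
        # A patient missing from the care-team map has no assigned team at all,
        # so every access to that record is flagged rather than silently passed.
        if row["user"] not in care_team.get(row["patient_id"], set()):
            findings.append(Finding(row["timestamp"], row["user"], row["patient_id"],
                                    "no treating relationship with patient"))
    return findings


def findings_by_user(findings):
    """Rank users by number of flagged accesses, most first, so follow-up starts with the worst."""
    counts = Counter(f.user for f in findings)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    fs = review_access_log(SAMPLE_LOG)
    for f in fs:
        print(f"{f.timestamp} {f.user} {f.patient_id}: {f.reason}")
    print("follow up with:", findings_by_user(fs))
```

A flagged row is a lead, not a finding of misconduct: the reviewer still has to confirm whether the access had a legitimate purpose (a covering therapist, a referral) before treating it as a breach, and a confirmed curiosity look-up falls under the "use or disclosure without authority" category that the custodian must report to the IPC.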
Privacy Breaches
What is a Privacy Breach?
A privacy breach is when personal health information is stolen, lost, released or accessed without authorization.
As an agent or health information custodian, if you suspect or confirm a breach, you should do the following:
- Contain it immediately. Shut down access or secure the record.
- Notify your organization’s privacy officer or your health information custodian right away. If you are the health information custodian, review the steps in your privacy policy.
- Investigate the cause and assess the impact.
- Document everything about the breach and how it was handled.
- Notify affected individuals as required by PHIPA.
- Report the breach to the Information and Privacy Commissioner if it falls within the seven categories listed below.
Reporting a Breach
Reporting to the Information and Privacy Commissioner (IPC)
According to PHIPA, health information custodians must report the following seven types of breaches to the Information and Privacy Commissioner of Ontario (IPC) at the earliest reasonable opportunity:
- Use or disclosure without authority — accessing or sharing personal health information without consent or legal permission. For example, looking at someone’s file out of curiosity or sending personal health information to the wrong person.
- Stolen information — loss or theft of records or devices with personal health information. For example, computers stolen from a clinic.
- Further unauthorized use or disclosure — after an initial breach.
- Pattern of similar breaches — multiple incidents indicating systemic issues.
- Disciplinary action against a college registrant — if you, as a health information custodian, take disciplinary measures due to the breach. For example, a physiotherapist is required to do additional privacy training or is suspended or terminated because they did not follow the privacy policy of your organization.
- Disciplinary action against a non-regulated health-care provider or staff — the same reporting obligations apply to other agents.
- Significant breach — incidents that are serious in scope or impact. For example, the records of many patients are affected because a clinic has been abandoned.
Reporting to the College of Physiotherapists of Ontario
The College also requires that physiotherapists and their employers report certain events within 30 days.
Reporting Summary
| Triggering Event | Report to IPC | Report to College (CPO) |
|---|---|---|
| Unauthorized use/disclosure (PHIPA category) | ✔ | ❌ unless disciplinary action is taken in the workplace (then ✔ within 30 days) |
| Theft or loss of personal health information | ✔ | ❌ unless disciplinary action is taken in the workplace (then ✔ within 30 days) |
| Repeat breaches/pattern | ✔ | ❌ unless disciplinary action is taken in the workplace (then ✔ within 30 days) |
| Significant breach | ✔ | ❌ unless disciplinary action is taken in the workplace (then ✔ within 30 days) |
| Unauthorized EHR access | ✔ | ❌ unless disciplinary action is taken in the workplace (then ✔ within 30 days) |
| Disciplinary action due to breach | ✔ | ✔ within 30 days |
| Resignation while under investigation | ❌ | ✔ within 30 days |
Communicating with Patients by Email or Text
Physiotherapists must follow the requirements in the Personal Health Information Protection Act (PHIPA) when using email or text to communicate with patients. Here’s how to keep information safe and protect privacy:
- Use Secure Methods
- Whenever possible, use encrypted email or secure messaging platforms.
- If encryption isn’t available, avoid sharing sensitive health details. Stick to simple things like appointment reminders.
- Get Patient Consent
- Before using email or text for anything beyond basic scheduling, ask for the patient’s permission.
- Explain:
- What type of messages you’ll send
- The risks of using email or text
- How their information will be stored and protected
- Keep Information Minimal
- Only share what’s necessary.
- Never include detailed health information in unencrypted messages.
- Protect Your Devices
- Use strong passwords and two-factor authentication.
- Keep software up to date.
- Lock devices when not in use.
- Have a Policy
- Create a written policy for email and text communication.
- Train staff so everyone understands privacy rules.
- Record and Retain Properly
- Add anything clinically relevant from messages and communication to the patient’s official record.
- Delete messages securely when they’re no longer needed.
- Report Breaches
- If information is lost, stolen, or sent to the wrong person, contain it and notify your health information custodian or privacy officer right away. Loss, theft and disclosure to the wrong person are reportable categories under PHIPA, so the health information custodian must report the breach to the Information and Privacy Commissioner of Ontario (IPC) at the earliest reasonable opportunity.
Privacy Considerations When Starting or Leaving a Practice
Before you start working for an organization, ask to review their privacy policy. Be sure to sign up for privacy training when it is available through the College or the Information and Privacy Commissioner.
If you are starting your own practice, as a sole practitioner or with a goal of hiring others, you are likely the health information custodian and you must develop your own privacy policy.
- Create a formal privacy policy covering personal health information collection, access, retention, disposal, breach handling, and agents’ duties.
- Write a public privacy statement for patients to review.
- Train staff on PHIPA compliance and update policies over time.
- Have administrative, technical, and physical controls (e.g., passwords, audit logs, lockable storage).
- Keep audit logs of electronic health record access as required by PHIPA.
- Have systems in place to keep personal health information for the mandatory retention period and to dispose of securely when appropriate.
- Ensure physiotherapists in your organization keep complete, timely, and dated notes as outlined in the Documentation Standard.
- Provide access to patient records within 30 days.
- Respond to patient requests to correct their records within 30 days.
If you are leaving a practice, it is important to understand your responsibilities during the transition.
- As an agent, you must follow the health information custodian’s privacy policies and procedures.
- You are responsible for protecting patient information while you have access to it. Confirm who will take over responsibility for patient records after you leave.
- Make sure patients can still access their records after you leave.
- Complete your physiotherapy charting so records are complete and accurate before you transfer them.
- Coordinate with the health information custodian to transfer active patients to another provider.
- If you can’t transfer care, provide discharge plans so patients aren’t left without support.
- Do not take any patient records or contact information with you unless authorized by the health information custodian.
- Follow the health information custodian’s instructions for secure handling and disposal of any personal health information.
Disclosure of Personal Health Information Without Consent
Under Ontario’s Personal Health Information Protection Act (PHIPA), patient consent is usually required before sharing personal health information. However, there are some situations where disclosure is allowed or required without consent. Here’s what you need to know.
Most of the time, you need consent to share health information. But PHIPA makes exceptions in certain cases:
- Sharing for Care
Health information can be shared among health professionals involved in a patient's care without asking for consent. This is called implied consent and applies when the information is needed to provide treatment, and the patient hasn't said "no."
- When the Law Requires It
Sometimes, you must share information because the law says so. Examples include court orders, subpoenas, or mandatory regulatory or public health reporting.
- Preventing Serious Harm
If you believe someone is at risk of serious bodily harm, you can share information to prevent or reduce that risk. This includes contacting 911.
- Public Health and Emergencies
Information can be shared without consent to manage urgent public health issues or respond to emergencies that threaten safety.
- Research and Health System Planning
PHIPA allows disclosure for research or health system planning, but only under strict conditions, such as getting ethics approval and with privacy safeguards.
- Legal Proceedings and Law Enforcement
Information can be shared for legal proceedings or to law enforcement if required by law, or in situations like preventing harm. Contact a lawyer if you have any questions.
In all other cases, you need the patient’s consent before sharing their health information. If you’re unsure, check PHIPA or speak with your privacy officer.
How to Use the Lock Box
Sometimes a patient shares information with their physiotherapist that they would prefer not to be shared with anyone else. If the physiotherapist determines that the information is relevant to the clinical picture (meaning that it could affect the treatment plan going forward), they must record the information in the patient’s chart. However, they can limit who can access the information through the use of the lock box. This is also known as a consent directive under PHIPA.
The lock box lets patients control who sees all or part of their health records, even when you’re providing care.
A patient can ask you not to use or share:
- A specific piece of information (like a particular diagnosis or an incident),
- Their entire record, or
- Any records with certain providers (like no access for a specific doctor or therapist).
Clinical Example: Lock Box in Home Care Physiotherapy
A physiotherapist is providing home therapy for a patient recovering from hip surgery. During the initial visit, the patient says:
“I don’t want my family doctor to know about my recent mental health diagnosis. Please keep that part of my record private.”
Under PHIPA’s lock box provision, the physiotherapist must:
- Document the patient's directive in their clinical notes and the electronic health record:
"Patient requested that mental health information not be shared with Dr. Smith (family physician)."
- Restrict access: When sending progress reports or updates to the family doctor, the physiotherapist excludes any mention of the mental health diagnosis.
- Continue care safely: The physiotherapist can still provide hip rehab without sharing the locked information. If the mental health condition becomes relevant (e.g., affects mobility or safety), the physiotherapist should:
- Explain why sharing might be necessary for safe care.
- Get the patient's consent again before disclosing.
- If the patient refuses and there's a serious risk of harm, PHIPA allows disclosure under the "risk of serious harm" exception.
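The lock box example above is, from a systems point of view, a consent directive applied at the moment information leaves the chart. The following is an added example, not code from the College or from any electronic records product, showing how a records system can enforce the three kinds of directive the page lists (one piece of information, the entire record, or everything from a named provider) when a report is assembled for a recipient. The chart entries, category names, recipient identifiers and the `Directive` model are constructed for illustration; the "risk of serious harm" override is modelled as an explicit, reasoned, audited exception rather than a silent bypass.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Entry:
    date: str
    category: str   # constructed categories, e.g. "orthopaedic", "mental_health"
    text: str


@dataclass(frozen=True)
class Directive:
    """A patient's consent directive (lock box).

    recipient=None locks the information from every recipient; category=None
    locks the whole record. Both None locks everything from everyone.
    """
    recipient: Optional[str]
    category: Optional[str]

    def covers(self, entry, recipient):
        return (self.recipient is None or self.recipient == recipient) and \
               (self.category is None or self.category == entry.category)


@dataclass
class Disclosure:
    entries: list
    withheld: bool       # True when at least one entry was held back
    audit: list          # lines to keep with the chart


def entries_for_recipient(chart, directives, recipient, override_reason=None):
    """Select what may be sent to `recipient`, honouring the patient's directives.

    Locked entries are excluded unless override_reason is given, which models
    the "risk of serious harm" exception: the override must state its reason
    and is written to the audit trail so it can be reviewed later. Whether the
    exception applies is a clinical and legal judgement; the code only makes
    sure it is explicit and recorded.
    """
    if override_reason is not None and not override_reason.strip():
        raise ValueError("an override must state the reason for disclosure")

    released, audit = [], []
    withheld = False
    for entry in chart:
        locked = any(d.covers(entry, recipient) for d in directives)
        if not locked:
            released.append(entry)
        elif override_reason is not None:
            released.append(entry)
            audit.append(f"OVERRIDE to {recipient}: {entry.date} {entry.category}: {override_reason}")
        else:
            withheld = True
            audit.append(f"WITHHELD from {recipient}: {entry.date} {entry.category} (consent directive)")
    return Disclosure(released, withheld, audit)


# Constructed chart and directives following the page's home-care example.
CHART = [
    Entry("2024-04-02", "orthopaedic", "Post-op hip assessment; ROM limited, gait aid in use."),
    Entry("2024-04-02", "mental_health", "Patient reports recent depression diagnosis; on medication."),
    Entry("2024-04-16", "orthopaedic", "Progress: walking 50 m unaided; continue strengthening."),
]

DIRECTIVES = [
    Directive(recipient="dr_smith", category="mental_health"),  # one piece of information, one recipient
    Directive(recipient="clinic_b", category=None),             # entire record locked from one provider
]

if __name__ == "__main__":
    d = entries_for_recipient(CHART, DIRECTIVES, "dr_smith")
    print(f"to dr_smith: {len(d.entries)} entries, withheld={d.withheld}")
    for line in d.audit:
        print(" ", line)
```

The `withheld` flag exists so the sender can tell the recipient that the patient has restricted some information, without saying what; PHIPA requires that notice when a custodian knowingly sends less than it considers reasonably necessary for care. The audit lines stay with the chart, which is what lets a later review distinguish a properly documented serious-harm disclosure from an unauthorized one.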
Resources and Links
Privacy Checklist — Test Your Privacy Knowledge
How to Write a Public Privacy Statement for Your Practice
Personal Health Information Protection Act (PHIPA)
Information and Privacy Commissioner of Ontario
College of Physiotherapists of Ontario – A guide to PHIPA
PHIPA 2020 Update – Summary of Key Changes (PDF)
Privacy Management Handbook for Small Health Care Organizations
Questions or Concerns?
If you have questions about your responsibilities, contact the College practice advisors, your organization’s privacy officer or the Information and Privacy Commissioner.
If you are a patient with concerns about your privacy, contact the health provider directly or make a complaint with the College and/or Information and Privacy Commissioner of Ontario.



