Carlo Panaro explains how PHIPA shapes access to health records in Ontario malpractice claims
This article was provided by Bogoroch & Associates LLP
In Ontario, medical malpractice litigation is intricately linked to personal health information. Patient charts, physician notes, imaging reports, and other healthcare documentation form the backbone of most malpractice claims. However, the use, collection, and disclosure of these records are governed by a critical — and sometimes underappreciated — piece of legislation: the Personal Health Information Protection Act, 2004 (“PHIPA”).
So how do medical malpractice claims and PHIPA intersect? Here’s what you need to know.
PHIPA is Ontario’s cornerstone legislation for health privacy. It sets out the rules for how “health information custodians” — including hospitals, doctors, nurses, and other healthcare providers — manage personal health information. The legislation aims to protect patient confidentiality and strictly limits disclosure to specific, authorized circumstances.
Under PHIPA, individuals have the right to access their own health records, request corrections, and know who has viewed their information. Custodians must also take reasonable measures to safeguard this information from unauthorized access or disclosure.
For individuals pursuing a medical malpractice claim, gaining timely and complete access to their medical records is crucial. These records form the foundation of the case, helping to establish whether a healthcare provider failed to meet the requisite standard of care and whether that failure caused harm.
While PHIPA permits the disclosure of personal health information for the purpose of legal proceedings, this access is not guaranteed or immediate. Plaintiffs and their counsel must navigate procedural steps, such as submitting written requests to health information custodians or, if necessary, bringing motions to compel production.
Even when records are produced, they may be incomplete or contain redactions. Health information custodians often remove portions of the record they deem irrelevant or protected by privilege — sometimes improperly. It’s essential for plaintiff counsel to scrutinize these redactions and, where appropriate, challenge them to ensure that critical information isn’t being withheld under the guise of privacy.
Ultimately, while PHIPA provides the legal pathway for accessing health information, plaintiffs must still contend with institutional gatekeeping and procedural hurdles. Advocating for full and fair access to records is often one of the earliest — and most important — steps in building a strong case.
When a patient dies as a result of alleged medical malpractice, family members — such as parents, siblings, or children — may bring claims under the Family Law Act for the loss of care, guidance, and companionship. However, these claims often face privacy-related hurdles.
If the deceased died intestate (without a will), there may be no estate trustee to consent to the release of their medical records. Health information custodians will frequently request a Certificate of Appointment of Estate Trustee With or Without a Will before releasing any records. It’s important to note, however, that PHIPA does not require this.
Under section 23(1), paragraph 4 of PHIPA, if no estate trustee has been appointed, the person who has assumed responsibility for administering the deceased’s estate may consent to the release of their health information. Requiring a certificate of appointment as a condition for disclosure misrepresents the law and places unnecessary barriers in the path of bereaved families seeking justice.
Additional complexities arise when the plaintiff is incapable of consenting to the release of their health information — often due to serious conditions such as brain injury, coma, or cognitive impairment. For plaintiffs and their families, this can create significant barriers at an already overwhelming time.
Section 26(1) of PHIPA provides a hierarchy of substitute decision-makers who may consent to the collection, use, or disclosure of personal health information on behalf of an incapable person. This includes, in order: a court-appointed guardian of the person or property, an attorney for personal care or property under a valid power of attorney, a representative appointed under section 27, followed by spouses, parents, children, siblings, and other relatives. Consent may only be provided by the highest-ranking available person who meets the criteria set out in section 26(2).
From a plaintiff’s perspective, identifying and obtaining consent from the appropriate substitute decision-maker can delay the litigation process, particularly where there is family conflict, a lack of formal documentation (such as a power of attorney), or uncertainty about who qualifies under PHIPA’s hierarchy.
In these circumstances, plaintiff’s counsel must act quickly and carefully — not only to preserve evidence and meet limitation periods, but also to ensure compliance with privacy laws when seeking records from health information custodians. Where necessary, counsel may need to apply to the court for directions or to formally appoint a representative who can provide the required consent.
If the incapable person is a minor without a legal guardian or power of attorney in place, their parents are typically the most appropriate individuals to provide consent on their behalf.
For families navigating both a medical crisis and a legal claim, this added complexity can feel daunting. Compassionate, strategic legal guidance is essential to ensure that the rights of the injured party are fully protected and that the litigation is not stalled due to procedural roadblocks.
Under PHIPA, patients in Ontario have the right to access their personal health information — including audit trails, which document who has accessed or modified their records. These logs typically capture the date, time, and identity of each individual who interacted with a patient’s electronic health record.
For plaintiffs in medical malpractice cases, audit trails can be a powerful evidentiary tool. They may reveal whether specific healthcare providers reviewed the patient’s chart at critical moments, or if unauthorized individuals accessed sensitive information. Such data can help establish not only what was known and when, but also whether there were lapses in care or breaches of privacy.
To obtain an audit trail, patients (or their legal representatives) must submit a written request. Health information custodians are obligated to respond within 30 days and may only refuse access in narrowly defined circumstances.
Despite these clear obligations, a troubling trend has emerged: some custodians may redact key information — including staff names or contact details — from audit trails before releasing them. This practice was deemed non-compliant with PHIPA by the Information and Privacy Commissioner of Ontario in PHIPA Decision 152 (July 21, 2021). The Commissioner held that routine redactions, especially when made without issuing the required written notice under section 54(1)(c) or (d), violate the Act’s transparency requirements.
For plaintiffs and their counsel, it’s critical to scrutinize these disclosures closely. Improper redactions can obscure the very evidence needed to prove negligence or a breach of privacy — and challenging them may be necessary to ensure a fair and complete investigation of the claim.
In certain cases, plaintiffs may pursue not only a claim in negligence, but also allege a breach of privacy stemming from the unauthorized access or disclosure of their personal health information. Although PHIPA does not provide a private right of action for damages, Ontario courts have recognized that serious privacy breaches — particularly those involving intentional misconduct by healthcare providers — may give rise to liability under common law.
These claims remain a viable legal option and should be carefully considered where the facts support an allegation of both substandard care and a violation of patient privacy.
Medical malpractice litigation requires a delicate balance between seeking justice and protecting the privacy of those involved. PHIPA provides the legal framework necessary to maintain this balance, ensuring that personal health information is treated with the utmost confidentiality and care.
As the landscape of health law continues to evolve, privacy concerns will remain a key consideration. For plaintiffs, understanding the implications of PHIPA is crucial when pursuing legal action. Consulting with experienced counsel will ensure that both the legal and ethical obligations surrounding patient privacy are met, and that their case is handled with the attention and respect it deserves.
