While there are a few minor changes in regards to PHI, for the most part, the rules will remain the same and the provisions of PHIPA continue to apply.

In this regard, section 8 of PHIPA provides:

8(1) Subject to subsection (2), [FIPPA does] not apply to personal health information in the custody or under the control of a health information custodian unless this Act specifies otherwise.  

(2) Sections 11, 12, 15, 16, 17, 33 and 34, subsection 35 (2) and sections 36 and 44 of FIPPA … apply in respect of records of personal health information in the custody or under the control of a health information custodian that is an institution within the meaning of either of those Acts, as the case may be, or that is acting as part of such an institution.  

(3) A record of personal health information prepared by or in the custody or control of an institution within the meaning of the FIPPA … shall be deemed to be a record to which clause 32 (b) of the FIPPA … applies.

(4) This Act does not limit a person’s right of access under section 10 of the FIPPA … to a record of personal health information if all the types of information referred to in subsection 4 (1) are reasonably severed from the record.

What each of these subsections means for hospitals is that:

8(1) FIPPA does not generally apply to records of personal health information (PHI). The rules of PHIPA still apply unchanged to those records.  

8(2) When FIPPA comes into force, hospitals can now apply the exemptions in sections 11, 12, 15, 16 and 17 under FIPPA as reasons why access may not be provided to PHI. In addition, under section 34, hospitals will be required to provide annual statistical reporting to the Information and Privacy Commissioner (IPC) on the number of requests and refusals for access to records of PHI, the amount of fees collected for such requests and other information. Finally, section 44 requires hospitals to include all PHI in its “personal information bank” as required under FIPPA, which requires organization of personal information by individual identifier (however, this will already be the system in place at all hospitals for health records, so this is not likely to require any changes).  

8(3) Hospitals shall include the records of PHI in the list of the general types of records maintained by the hospital which is to be provided to the minister.

8(4) This subsection allows any person (ie. someone other than the patient) to access a record that contains PHI where all types of PHI can be “reasonably severed” from the record. This will require hospitals, on an access request for a record, to determine if any PHI contained in the record can be extracted such that the record can be produced without violating the patient’s privacy and the principles of PHIPA.

From a practical perspective, subsections 8(1) to 8(3) do not require much work or change regarding how PHI is handled. The more substantial change will be subsection 8(4) and the requirement to consider extracting out the PHI from a record on an access request. The challenge will be whether this can reasonably be done while protecting the patient’s information. In general terms, access can most likely be refused where someone other than the patient requests access to the patient’s actual health record but access may be permitted to other records that contain some PHI along with other non-PHI with the PHI extracted out.


  • The rules for PHI records are largely unchanged by FIPPA. Therefore, these do not have to be a focus of FIPPA implementation efforts.
  • Hospitals will need to provide annual statistical reporting to the IPC, with the first report required as of January 1, 2013. Processes will need to be established to capture the required data commencing January 1, 2012.  
  • Health records staff will need to become involved in access requests that involve records that contain PHI, to determine if the PHI can reasonably be severed and an extracted record produced.  

For additional information, please see the publication by the IPC – Applying PHIPA and FIPPA to Personal Health Information: Guidance for Hospitals at