General
Privacy is a person’s claim to determine for themselves when, how and to what extent information about them is communicated. Simply put, it is the right of an individual to determine who knows what about them and what those people do with that knowledge.
The Personal Health Information Protection Act, 2004 (PHIPA) is Ontario’s health-specific privacy legislation which applies to health information custodians such as hospitals. PHIPA governs the way personal health information may be collected, used and disclosed within the health-care system. PHIPA also confirms a patient’s right to access their own personal health information.
Personal health information is “identifying information” collected about an individual. It includes information about an individual’s health or health-care history in relation to:
- The individual’s physical or mental health, including family history.
- The provision of health care to the individual.
- Long-term care services.
- The individual’s health care number.
- Blood or body part donations.
- Payment or eligibility for health care.
- The identity of a health-care provider or a substitute decision-maker for the individual.
The Ottawa Hospital uses a tool called MDClone that allows us to create “synthetic data.” Synthetic data is made-up data about made-up people. MDClone analyzes real patient data and makes up new patients with new data. The synthetic data is very realistic and can be used for some analysis, such as research. Because it is made-up, it protects the privacy of the patients we serve.
To “de-identify” patient information means to remove information that identifies the patient, such as their name or address. This allows us to use the information without knowing who the patient is, which helps protect the individual’s privacy. When we de-identify the information, we can no longer tell who the patient is.
When we de-identify patient information, we usually are analyzing it for research or to test new and innovative technology or processes. We also work with outside organizations to conduct research and to test new technology or processes with de-identified information. Where possible, we try to obtain direct benefits for our patients and the hospital when working with external organizations. If we do work with outside organizations, we have contracts with them to protect the de-identified information.
See our Notice to Patients for more information about how de-identified patient information is used.
The Ottawa Hospital has developed a comprehensive corporate policy on the use of artificial intelligence (AI) to ensure its responsible deployment across various operations. This policy includes a Framework for the Acceptable Use of AI at The Ottawa Hospital, which outlines guidelines and best practices for using AI technologies.
The hospital has already integrated AI into its operations, such as using an AI scribe called Microsoft DAX Copilot for ambient voice capture during patient visits and the Digital Teammate to assist patients, families, and clinical teams with education and access to the health-care system.
When we contract with third parties to use AI, we ensure their practices comply with Ontario privacy legislation. Before using an AI scribe for patient care, we will always ask for permission from the patient and explain what it means.
Additionally, the hospital conducts regular reviews and assessments of AI technologies used in research projects to ensure compliance, reliability, security, and the integrity of research data. These measures help mitigate potential risks and support responsible AI use in both clinical and research settings.
A health information custodian is a listed individual or organization under PHIPA that, because of their power or duties, has custody or control of personal health information.
Examples of health information custodians include:
- Health-care practitioners (such as doctors, nurses, pharmacists, psychologists, spiritual care practitioners who are a part of a health-care team, and dentists).
- Hospitals.
- Psychiatric facilities.
- Pharmacies.
- Laboratories.
- Nursing homes and long-term care facilities.
- Retirement homes and homes for special care.
- Community access centres.
- Ambulance services.
- Minister (and the Ministry) of Health and Long-Term Care.
The “circle of care” is not a defined term under PHIPA. It is a term of reference used to describe health information custodians and their authorized agents who are permitted to rely on an individual’s implied consent when collecting, using, disclosing or handling personal health information for the purpose of providing direct health care.
In a physician’s office, the circle of care includes:
- Physicians.
- Nurses.
- Specialists or other health-care providers referred by the physician.
- Health-care professionals selected by the patient, such as a pharmacist or physiotherapist.
In a hospital, the circle of care includes:
- Attending physician.
- Health-care team (i.e., residents, nurses, technicians, clinical clerks, spiritual care practitioners and employees assigned to the patient) who have direct responsibilities for providing care to the individual.
While The Ottawa Hospital takes steps to avoid processing or storing data outside of Canada where possible, some support services are provided by vendors in the U.S. and are subject to U.S. laws. In these cases, patient personal information is subject to the laws of the foreign jurisdiction, which may be different from, and less protective than, those of Canada.
Consent
In practice, the hospital is not required to obtain an individual’s written or verbal consent every time personal health information is collected, used, or disclosed. PHIPA permits the hospital to assume implied consent where information is exchanged between custodians within the circle of care for the purpose of providing direct health care – unless a custodian is aware that an individual has expressly withheld or withdrawn their consent.
Consent may never be implied for an individual who specifies that their personal health information may not be collected, used or disclosed.
Implied consent is also permitted if a health information custodian, such as The Ottawa Hospital, collects, uses, or discloses names or addresses for the purposes of fundraising.
Express consent to the collection, use or disclosure of personal health information by a health information custodian is explicit and direct. It may be given verbally, in writing or by electronic means.
Implied consent permits a health-care custodian to infer from the surrounding circumstances that an individual would reasonably agree to the collection, use or disclosure of their personal health information.
In certain circumstances, express consent will always be required:
- For disclosure of personal health information to an individual or organization that is not a health information custodian and is outside the circle of care. For example, a physician is not able to reasonably infer that an individual would consent to have their personal health information disclosed to a third party, such as an insurance provider, who is considered to be outside the circle of care. The physician would be required to obtain the express consent of the individual to disclose personal health information to the insurance provider.
- Express consent is required where information is disclosed by one custodian to another for a purpose other than providing or assisting in providing health care.
- Express consent is also required where a custodian:
  - Collects, uses, or discloses personal health information other than an individual’s name and mailing address for fundraising purposes.
  - Collects personal information for marketing research and activities.
  - Collects, uses or discloses personal information for research purposes, unless certain conditions and restrictions are met.
No. Under PHIPA, some disclosures are allowed without consent, and this is one of them.
Your health information can be sent to the specialist, who will, in turn, send a report to your referring doctor (i.e., family doctor). It is not necessary to obtain your consent. This is good clinical practice and appropriate for optimizing continuity of care.
Sharing, accessing and correcting information
When you go to another health-care organization, The Ottawa Hospital may provide that health-care organization with information about you to help your care. When you come to The Ottawa Hospital, we may get information about you from other health-care organizations to help your care.
We often do this electronically, such as by:
- Sharing patient information with our Atlas Alliance health-care partner hospitals in real time through Epic.
- Providing patient data to regional databases in the Ottawa area and provincial databases that other health-care organizations can access to help your care. We also view patient information about you in these databases to help your care.
Sharing patient information electronically is important because it means our doctors, nurses, and other health-care providers have the most up-to-date information possible about you.
The Ottawa Hospital shares certain information with other health-care organizations through the Care Everywhere platform. Care Everywhere is a platform that allows health-care organizations to exchange electronic medical records quickly and securely. This functionality is particularly useful during emergencies, enabling providers to coordinate care effectively.
We use your email address to send you information such as appointment reminders, surveys about your experience at the hospital, educational material, requisitions, or other information related to your visit.
You do not have to agree to this. We can contact you instead by phone, MyChart, or letter mail.
Remember, emails are not protected in the same way that phone calls and letter mail are protected. You should be aware of the risks and terms associated with using emails for care.
You can change your mind at any time and withdraw your consent to communicate via email by adjusting your preferences in MyChart. If you do not have access to MyChart, please contact admitting or patient registration departments at one of our campuses:
The Ottawa Hospital – Civic Campus
613-798-5555 ext. 18720
The Ottawa Hospital – General Campus
613-798-5555 ext. 18720
The Ottawa Hospital – Riverside Campus
613-738-8400 ext. 82231
There are a few risks of you emailing your health information to us or us emailing your health information to you:
- Email can be intercepted when it is being sent. Because it is not encrypted, it could be read.
- Email could be sent to the wrong email address accidentally.
- Your computer may not be secure. For example, it may not be password protected and someone could view the information in your email.
- We could receive a court order that requires us to produce the email.
A more secure way to send information to us is to sign up for MyChart. Visit the MyChart page for more information.
With limited exceptions, PHIPA provides individuals with a general right to access their own personal health information held by a health information custodian.
An individual may request access to their own personal health information by submitting a written request to the Health Records Department of the campus where they are receiving care.
No, unless the spouse has been designated substitute decision-maker and the hospital has evidence of that.
The hospital is responsible for assisting individuals by providing access to their health records. However, it may refuse access, but only in limited situations, for example where:
- The information in question is subject to legal privilege.
- Its disclosure could reasonably be expected to result in a risk of serious bodily harm to a person.
- The information was collected as part of an investigation.
- Another law prohibits the disclosure of that information.
PHIPA permits the hospital to remove some of the information to allow partial access to the individual.
An individual who believes that their personal health information is incomplete or inaccurate may request the hospital to correct their record. An individual seeking a correction to their personal health information is required to submit a written request to the hospital. The hospital must then respond within 30 days of receiving a correction request.
The hospital is obligated to correct personal health information where an individual demonstrates, to the satisfaction of the hospital, that the record is in fact inaccurate or incomplete and the individual gives the custodian the necessary information to correct the record.
However, the hospital may refuse to correct personal health information that is a professional opinion or an observation of the health-care provider.
Breach of privacy
Breach of privacy, confidentiality or security refers to the unauthorized access, collection, use or disclosure of any personal information or personal health information.
The Ottawa Hospital has taken a variety of steps to prevent privacy breaches. They include:
- Creating and enforcing policies that clearly limit access to personal health information.
- Providing education sessions for all employees, physicians and physician residents.
- Ensuring new employees, physicians and physician residents sign a confidentiality agreement that outlines their obligations.
- Displaying an automatic notice reminding employees, physicians, and physician residents of their obligations when they log in and access personal health information.
- Performing random audits of the hospital’s database for electronic health records to ensure employees, physicians and physician residents are only accessing patient information that is necessary to do their jobs.
- Providing employees and physicians with locked offices, filing cabinets and secure methods to dispose of documents.
- Restricting access to personal health information only to those employees, physicians and physician residents who need to know.
- Ensuring all relevant computers and memory sticks are encrypted and password-protected to protect confidential information.
As soon as the hospital learns of a privacy breach, the Information and Privacy Office takes the following steps:
- Identifies the extent of the breach and takes steps to contain it.
- Investigates the cause of the breach and works to eliminate the risk of it happening again.
- Notifies the patient(s) whose privacy was breached.
Hospital staff who do not follow the hospital’s privacy policy could face disciplinary action up to and including dismissal. Physicians and physician residents who breach their duty to protect the confidentiality of patients and safeguard patients’ personal health information could have their privileges at The Ottawa Hospital suspended or taken away. In addition, privacy breaches involving regulated health professionals are reported to their respective colleges.
No.