Skip to primary content
Skip to main menu
Skip to section menu (if applicable)

Chapter 5 – Use: Sharing PHI within Your Agency

This chapter explains what it means for you to “use” PHI, when you are allowed to use it without consent, and when you cannot use it.

Key Points

Custodians and their agents should be familiar with the difference between “using” and “disclosing” personal health information (PHI).

PHI can be used without client consent in specific circumstances that are set out in PHIPA.

If you have collected PHI about a client because you reasonably needed the information to provide health care and you could not get the information you needed from the client accurately or in a timely fashion, the client can instruct you not to use that information (sometimes referred to informally as a “lockbox” for use).

Also, if you collected the PHI about a client without consent, the capable client (or where applicable, his/her substitute decision-maker) may instruct you not to use it for the purpose for which you collected it.

PHIPA reference

For more complete information, you should also look at the following section of PHIPA: 37


What is the difference between a “use” and a “disclosure” of PHI?

PHI is “used” when it is shared between a custodian and agent, or among the agents of a custodian. For example, if a staff member of an agency shares a client’s PHI with one of the social workers who works with the agency, the information is being used. This is different than a “disclosure,” which happens when you give the PHI to someone who is not collecting, using or disclosing PHI on behalf of the agency.

As mentioned in the first part of the Toolkit, the agents of a custodian include staff, health care practitioners, volunteers, students, researchers and independent contractors.

Uses of PHI

As a custodian of PHI (or an agent of a custodian), you are allowed to use PHI for a number of purposes without having to get your client’s consent. Most of these uses relate to supporting and improving the programs and services you offer. One of the main purposes of PHIPA is to allow PHI to flow appropriately within the health system to enhance the care and services given to clients.

You can use PHI without client consent in the following situations:

  • For the purpose for which the information was created and all functions related to the purpose (but you cannot use it if the client previously consented to a collection and now withdraws the consent; or if you collected it indirectly for health care purposes, from someone other than the client, and the client tells you not to use it)
  • For risk management
  • For other activities to improve the quality of your programs or services (an example might be chart audits to ensure that staff are documenting properly)
  • In order to get consent from a client
  • For purposes of disposing of the information (such as hiring a shredding company) or in order to de-identify the information
  • To share information with staff to provide better care to clients
  • To plan or deliver programs or services that you provide to clients, or if you are funding other programs or services and need to allocate resources or monitor for fraud
  • In order to obtain payment for health care services
  • For research conducted by the custodian without consent, as long as you have followed the research rules in PHIPA (section 44, which includes getting Research Ethics Board approval)
  • If you or your agent are a party or witness in a proceeding (or anticipated proceeding) before a court or tribunal, such as a Consent and Capacity Board or the Ontario Review Board; at an inquest; or as part of a regulated college’s review of a member’s conduct, such as a physician, psychologist, nurse or social worker
  • In order to educate your agents to provide health care (for example, if you are training a new drug counsellor)
  • For any other purpose allowed under PHIPA or another law (or by a treaty, agreement or arrangement made under a law of Ontario or Canada)

In spite of all of the uses of PHI that are allowed under PHIPA without the client’s consent, you are still free to ask for consent. It is important for custodians to think about whether they will rely on all of the uses that PHIPA authorizes without having to get consent. What should be clear, though, is that if you do ask for a client’s consent, he/she may give it; not give it (which means you will not be able to use the PHI); or give it and then change his/her mind. Through your written public statement (discussed in Chapter 2) you will need to be clear about why you collect, use and disclose PHI, and when you will ask for consent.

If you use (or disclose) a client’s PHI in a way that is outside the scope of your information practices that you have already made available through your written public statement, you must

  • tell your client about the uses and disclosures (unless they relate to a record of PHI the client would not have a right to access), and
  • make a note of the uses and disclosures in the client’s record of PHI (or in a way that can be linked to the record).

If you are an agent of a custodian, you should familiarize yourself with your agency’s privacy policies and other expectations about privacy and PHIPA.


Questions and Answers

Q: Six months ago, we provided training to staff on how and what to document in the client’s health record. I want to do a random audit of client records to assess whether the training was successful and appropriate data is being captured.

Is this a use of PHI? Do I have to get the consent of clients whose charts will be reviewed?

Is this type of review “research” under PHIPA, and if so, do I have to take any special steps such as getting approval from a research ethics board?

A: This is, in fact, a use of PHI.

PHIPA allows you to use PHI without consent for the purpose of improving or maintaining the quality of care you provide, and of your programs and services. You should find out whether this is what your agency’s policy is, or whether you are expected to get your client’s express (written or oral) consent.

This is different than using PHI for “research” without consent, which requires you to comply with the detailed research rules set out in PHIPA. This would include getting approval of a research ethics board. (Most of the time, this type of research is done through teaching hospitals or other health facilities.)