Skip to primary content
Skip to main menu
Skip to section menu (if applicable)

Chapter 7 – Access to and Correction of Records of Personal Health Information

This chapter explains the process for clients to make formal written requests for access to and correction of their records of PHI. The access and correction rules under PHIPA apply to all health settings.

Key Points

Access requests can be formal or informal.

If there is a formal written request for access, it falls under PHIPA and the client has certain rights. The custodian has numerous obligations, including responding in a certain way and within certain time frames.

Subject to limited and specific exceptions, the general rule is that your clients have a right of access to the records of personal health information (PHI) you hold about them.

A client may also ask to have a record of his/her PHI corrected. If the client can demonstrate that it is inaccurate or incomplete for the purpose for which you will use it, in most cases you must correct it.

However, you have the right to refuse to correct the record if it consists of a professional opinion made in good faith (yours or someone else’s); or, if you did not create the record and lack the knowledge, expertise or authority to make the requested change.

The client has specific rights under the access and correction rules, including the ability to attach a statement of disagreement to a record you refuse to correct, and to make a complaint to the Information and Privacy Commissioner in a number of circumstances.

Most custodians will develop processes to guide staff and clients about requests for access to, or correction of, a record of PHI (such as to whom within the agency an access request made by a client should be forwarded, how to give the types of notices and responses required by the Act, and how to apply the criteria for denial of access as set out in PHIPA).

PHIPA reference

For more complete information, you should also look at the following sections of PHIPA: 51-55

Formal versus informal requests

Nothing prevents you from giving access to, or making a correction requested by, a client in an informal way. For example, during a session with your client, you may decide to show him/her something in the health record. In that situation, though, a client is not entitled to all of the protections under the PHIPA rules.

Substitute decision-maker’s right of access

A client’s substitute decision-maker has the same right of access as the client.

Background on access

In 1992, following a dispute about a client’s access to her health records held by a physician, the Supreme Court of Canada made an important decision about who owns a health record, and when people have the right to see what is in their records. Based on the facts of that case, the Supreme Court decided that the physician owned the actual record, but held it in trust for the individual whose information it contained. This case gave rise to a general right of people to access their health records, with certain exceptions. The court’s ruling on ownership is a good way to think of the way you hold information on your client’s behalf.

In keeping with that case, the starting point for the rules under PHIPA is that everyone has a right of access to his/her records of PHI, unless one of the exceptions under the Act applies. This means that a client may ask you for access to PHI that you have in your possession, including records of PHI that are held outside the traditional health record. If agency staff members have separate files or progress notes in their offices because they are working with a particular client, the client could ask to see those notes.

For example, a client may make a written request for access to a record of PHI held by a specific person, such as a drug counsellor who is working with a team to provide care to the client. A client could also ask for access to PHI held by specific individuals who work for your agency or in specific locations. You should work with the client to get a sense of what information he/she is really looking for.

PHIPA requires that if the client’s request is too broad, you must assist the client to help you narrow it.

Questions and Answers

Q: In the case of marital/family therapy, who does the record belong to?

A: Information provided by an individual during marital or family therapy is accessible by that individual only, unless that individual consents to its release to others participating in the therapy. You should ensure that the method you use to record information does not prevent you from severing that information from other parts of the record.

Records to which the access rules do not apply

PHIPA sets out situations where an individual does not have a right to ask for certain records. The exclusions that may be applicable to your agency are

  • PHI collected or created in order to comply with a health college’s quality assurance program (which monitors the practices of all regulated health professionals such as physicians, nurses and occupational therapists),
  • raw data from standardized psychological tests or assessments (most applicable to information generated by psychologists), and
  • PHI that a custodian uses solely for research approved under PHIPA.

Denying the client’s request for access to a record of PHI

A client has a general right to access his/her record of PHI. However, you must deny access to any part of a record where one or more of the following applies:

    • You have reason to believe that giving the client access would interfere with any legal privilege attached to the record or information in the record
    • The disclosure is prohibited by law or court order
    • The information in the record was collected or created primarily in anticipation of, or for use in, a proceeding, and the proceeding, together with all appeals or processes resulting from it, have not been concluded
    • All of the following conditions apply:

(a) the information was collected or created in the course of an inspection, investigation or similar legally authorized procedure, or done in order to detect, monitor or prevent fraud; the inspection, investigation, or other procedure and any other appeals or processes have concluded

(b) granting the access could reasonably be expected to:

      1. result in a risk of serious harm to the treatment or recovery of the individual or a risk of serious bodily harm to any person
      2. lead to the identification of a person who was legally required to give the information to the custodian, or

(c) the person who provided information in the record to the custodian did so in confidence and the custodian believes that person’s identity should be protected

  • Specific situations under municipal or provincial freedom of information legislation apply (which are not relevant to most mental health and addictions agencies and programs)

You must remember to word your response very carefully, in order to meet the requirements of the Act. The following chart will guide you, and you can also refer to the four sample letters provided at the end of this chapter once you decide how you will answer your client’s request.

It may be helpful as part of your access and correction procedures to make a clinician or someone else within your agency responsible for assessing whether any of the reasons above for denying the access request apply.


You locate the record the client asked for. There is no reason to deny access to the record. Letter #1 – Make the record available to the client for examination, and if requested, provide a copy. If it is practical to do so, you should also explain any terms, codes, or abbreviations used in the record.
You look for but cannot find the record the client has asked for. Letter #2 – You must give the client written notice that, after a reasonable search, you have concluded that the record was not found or does not exist.
You locate the record the client asked for, but one of the exceptions to the right of access applies to all or part of the record. Letter #3 – You must give access to as much of the record as possible (which may include severing the part the client is not entitled to see).You must give the client written notice of the denial of access, and the reasons for the refusal. Cite the actual PHIPA provision, unless it is one of subsections 52(1)(c), (d) or (e); if it is, go to “Letter #4” below.

Check to make sure that the reason for denial is not one that requires you to respond under “Letter #4” below.

You locate the record the client asked for, but one of the exceptions to the right of access applies to all or part of the record.

You must deny access to any part or all of the record if you believe that giving it

  • would result in a risk of serious harm to the treatment or recovery of the client, or a risk of serious bodily harm to someone else,
  • would interfere with an inspection or investigation under a statute (such as theCoroners Act) and the matter is ongoing (including any appeals or other related processes)
  • would reveal the identity of someone who gave you the information in confidence, or
  • would lead to the identification of a person who was required by law to provide the information to you.

You must also deny access if the information was collected/created for use in a court or other proceeding that is not yet finished (such as a court or tribunal hearing, mediation or arbitration).

Letter #4 – You must give access to as much of the record as possible (which may include severing the part of the record the client is not entitled to see).

You must also give the client written notice that you can neither confirm nor deny the existence of the requested records based on specific sections of PHIPA.

You must not tell the client which section of PHIPA you are relying on, as this might escalate a situation that you are already concerned about (for example, harm to the client’s treatment or recovery).

When you deny an access request to part or all of a record of PHI, you must do the following things:

  • Sever the part of the record to which the client is not entitled, and provide the rest
  • Inform the client of his/her right to make a complaint to the Information and Privacy Commissioner


You must respond to the client’s request as soon as possible, and otherwise within 30 calendar days. You can only extend the time to 60 days if you need the extra time to locate the record or to consult about any reasons for denying the access request. If you extend the time beyond 30 days, you must first inform the client and give the reason for the extension.

A client can also ask that you respond to a request for access sooner than 30 days. If the client is able to demonstrate the urgency of the situation, you must fulfill the request if you are reasonably able to give the required response within that time period.


You may charge a fee for the access, but only if you first tell the client how much you think it will cost. Since there have been no guidelines or regulations from the government to tell you what you should charge, you must limit any fees to reasonable cost recovery (for example, what it cost you in staff time and photocopying costs to provide access). You should follow your agency’s policies where they exist.

Denial on the basis of harm

You may be familiar with the concept of denying the client access to his/her record on the basis of serious harm to the treatment or recovery of the client, or serious harm to another person. A similar test was found in the Mental Health Act, but now appears in PHIPA.

Here are a few other changes you should keep in mind:

An attending physician who wished to deny access had to apply to the Consent and Capacity Board for permission. A health information custodian who wishes to deny access does not need to go to the Consent and Capacity Board, but must inform the client of his/her right to make a complaint to the Information and Privacy Commissioner.
Access rules applied only to individuals who were capable. Access rules now apply to capable and incapable individuals, and to their substitute decision-makers.
Attending physician had the clinical expertise to decide whether there was reason to limit or deny an access request; psychiatrist member of the Board was also able to consider this matter. You may consult a physician or psychologist to assist you in determining the risk of harm.
Time frame was 7 days. Time frame is as soon as possible, and no later than 30 days; you may extend to 60 days total if you give client notice and you need the time in order to locate the record or consult with others about the request.
Consent and Capacity Board made the decision. Decision to deny is the custodian’s; client can complain to the Information and Privacy Commissioner.

Correction of records

Once you have granted a client access to records of PHI, he/she may also ask that you make changes to those records. You must make the corrections if

  • your client demonstrates that the record is incomplete or inaccurate for the purposes for which you use the PHI, and
  • he/she gives you the information you need to make the correction.

However, you may choose not to make the corrections if

  • the PHI in question is a professional opinion made in good faith (either yours or someone else’s; “professional” is not defined under PHIPA but generally could mean the opinion of anyone who has the authority to be charting the client’s care — for example, a health care practitioner), or
  • you did not originally create the record and you lack the knowledge, expertise or authority to make the correction.

Method of correction

The best method of correction is to strike out the incorrect information, but under no circumstances can you obliterate it. If it is not possible to strike out the incorrect information, you should consult PHIPA for other acceptable methods. If you are a health professional or are otherwise bound by certain professional standards, you need to consider those as well.

If you refuse to make a correction, you must tell your client of the right to make a complaint to the Information and Privacy Commissioner.


The timelines for correction are the same as those for access: you must respond as soon as possible and no later than 30 calendar days. The exception is, if you require further time in order to locate the records or consult about correction, you can do so as long as you inform the client.


You cannot charge a fee for correction of a record.

Questions and Answers

Q: A client disagrees with her diagnosis, and has asked that it be removed from her health record. Am I required to make the change?

A: You can, but do not have to, change the record of PHI if the diagnosis was a professional opinion made in good faith; or if you didn’t create the record and you lack the expertise, knowledge or authority within your agency to change or remove the diagnosis.

If you do make the correction, you must

  • do it using an appropriate method (discussed above),
  • notify the client that you have done so, and
  • if the client requests it, give the corrected information to anyone to whom you previously gave the incorrect information (however, you do not have to do this if you believe that the correction would have no impact on the client’s ongoing health care or interfere with some other benefit he/she may be entitled to).

If you choose not to make the correction, you must

  • notify the client of the refusal,
  • tell the client that he/she can prepare a short written “statement of disagreement” for you to attach to the record (setting out why the client believes the PHI is incorrect), and
  • tell the client of his/her right to ask that you give the statement of disagreement to anyone to whom you had previously given the information the client is disputing.

However, even if a client asks, you do not have to give a copy of the statement of disagreement to others if you believe that there would be no impact on the client’s ongoing health care or that it would not interfere with any benefits he/she might be entitled to.

Q: We have had numerous requests for access to, and correction of, records by a particular client. We are a small agency and are spending a lot of time on responding to these requests.

We want to be fair, but is there any way to stop any future requests?

A: Clients are entitled to pursue their rights under PHIPA, and you should use reasonable efforts to make sure that this happens.

In rare situations, though, you may conclude that a client is not making requests in good faith. If you think that your client is making repeated requests just to annoy you or to overwhelm your agency’s limited resources, you can refuse to respond to his/her requests for access or correction.

For the access request, you can simply not respond, and that lack of a response will be treated as a refusal. The client is free to make a complaint to the Information and Privacy Commissioner. In the case of a request for correction, you must tell the client why you are not making the correction, and tell the client of his/her right to make a complaint to the Commissioner.

In both cases, the Commissioner will decide whether your position that the request is “frivolous,” “vexatious” or “made in bad faith” is legitimate.

You do need to be careful not to invade your client’s privacy (for example, you don’t necessarily have the right to ask specifically why the client wants access to the information).

Q: During assessments, clients provide us with information about other people (including family and friends). Do these family and friends have equal access to the client’s records?

A: No. If the client provides information about family and friends, the information becomes part of the client’s record of PHI. It is not accessible by the family or friends (unless the family member or friend is the client’s substitute decision-maker).

Related Resources

Template: Access Response – Letter 1
Template: Access Response – Letter 2
Template: Access Response – Letter 3
Template: Access Response – Letter 4