Skip to main content
University of Ontario Institute of Technology logo

Procedure for Release of Personal Health Information

Classification number LCG 1152.01
Parent policy Privacy Policy: Personal Health Information Collection, Use and Disclosure
Framework category Legal, Compliance and Governance
Approving authority Audit and Finance Committee
Policy owner General Counsel
Approval date February 22, 2023
Review date March 2025


The purpose of these Procedures is to outline a process for responding to requests for Personal Health Information consistent with applicable legislation.


For the purposes of these Procedures the following definitions apply:

“Health Care” means any observation, examination, assessment, care, service or procedure that is done for a health-related purpose and that:

  • is carried out or provided to diagnose, treat or maintain an individual’s physical or mental condition;
  • is carried out or provided to prevent disease or injury or to promote health; or
  • is carried out or provided as part of palliative care, and includes:
  • the compounding, dispensing or selling of a drug, a device, equipment or any other item to an individual, or for the use of an individual, pursuant to a prescription; and
  • a community service that is described in subsection 2 (3) of the Long-Term Care Act, 1994 and provided by a service provider within the meaning of that Act.

“Health Care Practitioner” or “Practitioner” means:

  • A person who is a member within the meaning of the Regulated Health Professions Act, 1991 and who provides Health Care;
  • A person who is registered as a drugless practitioner under the Drugless Practitioners Act and who provides Health Care;
  • a person who is a member of the Ontario College of Social Workers and Social Service Workers and who provides health care; or
  • any other person whose primary function is to provide health care for payment.

“Health Care Unit” means a unit or service acting for or on behalf of the University to provide Health Care or retain and protect Personal Health Information.

“Personal Heath Information” means oral or written information that is collected, used or disclosed by a Custodian, about an identifiable individual if the information:

  • Relates to the individual’s physical or mental health, including family health history
  • Relates to the provision of health care, including the identification of persons providing care;
  • Is a plan of service for individuals requiring long-term care;
  • Relates to payment or eligibility for health care;
  • Relates to the donation of body parts or bodily substances or is derived from the testing or examination of such parts or substances;
  • Is the individual’s health number; or identifies an individual’s substitute decision-maker.
  • Is included in a record containing Personal Health Information.

“Requester” means a person who makes a request for Personal Health Information from the University.

Scope and authority

These Procedures apply to all requests for Personal Health Information in the custody and control of the University.

The General Counsel, or successor thereof, is the Policy Owner and is responsible for overseeing the implementation, administration and interpretation of these Procedures.


Request for record transfer

  1. A client of a University Health Care Unit may request the transfer of some or all of their records. The intended recipient will dictate the process to be followed.
  2. Transfers to another Health Care Practitioner require the client to submit a consent form [LINK] to the Health Care Unit, requesting records be transferred to the other Health Care Practitioner. Consistent with PHIPA section 38 (1), personal health information about an individual may be disclosed when it is reasonably necessary for the provision of health care. Prior to making a disclosure, University Health Care Unit staff will ensure there is no notice of instruction in the client’s file that limits disclosure.
  3. Transfers to an internal Ontario Tech unit require the client to submit a consent form [LINK] to the Health Care Unit describing the type of record sharing allowed with the internal Ontario Tech unit.
  4. Transfers to an external entity or individual other than a Health Care Practitioner will follow the process for Formal request for access to Personal Health Information.

Formal request for access to Personal Health Information

  1. All requests for Personal Health Information in the custody and control of the University will be formal requests made in writing to the Health Care Unit or Privacy Office using the form provided and submitted by mail or in person.
    1. When submitting a formal access request, sufficient detail must be provided to enable an experienced employee, with a reasonable effort, to identify the personal information being sought.
    2. Requests for Personal Health Information must be accompanied by a $5.00 application fee. The application fee may be made by cheque or money order.
  2. Requests for Mixed Records or requests for a complete file made directly to a Health Care Unit will be forwarded to the Privacy Office for processing. Other requests may also be forwarded to the Privacy Office at the Director or Manager’s discretion.
  3. Requests will be processed in accordance with the Personal Health Information Act and/or Freedom of Information and Protection of Privacy Act, as applicable.

Request for a Record Search

  1. If the Privacy Offices receives a formal request, either directly from a requester or from a Health Care Unit, the Chief Privacy Officer or delegate will prepare and send a search memo to the applicable Health Care Unit. The original request and any signed consent forms will be included to allow the identity of the Requester to be verified.

Search for Personal Health Information

  1. Before initiating a search, the Health Care Unit will verify the signed consent of the Requester, and initiate a tracking form with the identity of the patient. If necessary, additional distinguishing identifiers will be verified, such as health card number, address, date of birth.
  2. The Health Care Unit will designate a member of staff to track and manage ongoing access request files. The designate will verify the request and consent for completeness and specific request details. Requests may be made for:
    1. a full file; or
    2. specific date range; and/or
    3. specific content.
  3. The designate will arrange to have the necessary content extracted from the file (i.e. specific date of lab reports, results or specific physician notes, or full file) and copied as necessary. Records will be provided to the Practitioner who treated the patient along with a clear statement about what release is requested.
  4. The Practitioner reviews the documents for the purpose of compliance with Section 52 of PHIPA, in context of the specific content requested for release. The Practitioner completes the tracking form and identifies any concerns with release.

Concern for Release of Personal Health Information

  1.  When a Practitioner identifies a concern with the release of the medical file during their review, the Practitioner will meet with the Director or Manager to discuss the concerns, and whether the concerns can be addressed by having the Practitioner meet with the patient to discuss the content and context of the file before direct release. The Director or Manager will review the concerns in the context of Sections 51 and 52 of PHIPA.
  2. The Director or manager will determine whether:
    • Information will be redacted as per Section 54 of PHIPA; or
    • The Practitioner will meet with the patient who has requested the file before direct release.
    • FIPPA exemptions may apply to the records.
  3. If the request was initiated by a search memo to the Health Care Unit, the Director or Manager will respond to the Chief Privacy Officer to explain the concern, and whether:
    1. Information will be redacted as per Section 54 of PHIPA; or
    2. The Practitioner will meet with the patient who has requested the file before direct release.
  4. When no concern is identified by the Practitioner, the Director or Manager will review the materials.

Review of Personal Health Information

  1. The Director or Manager reviews the materials signed off by the Practitioner(s) to:
    1. Confirm that all documents required to fulfill the request have been identified and signed off.
    2. Confirm that all files meet note-taking standards.
    3. Identify any terminology which may be unfamiliar to non-health professionals and to provide explanations for same in a covering document to be included with the file.
  2. For requests to the Campus Health Centre, where it is determined that FIPPA exemptions do not apply, the Director signs off on the request, and provides a written summary of the records provided including an explanation of any redactions according to Section 54 of PHIPA.
  3. For requests initiated by a formal search memo to the Health Care Units, or where FIPPA exemptions may apply, the Director or Manager will release the Records to the Chief Privacy Officer for a review and determination of any exemptions to be applied prior to releasing records to the Requester.

Fees for Record Search and Preparation

  1. For requests to the Campus Health Centre, the clerk completes the “Record of Requests for Access to Personal Health Information” form and invoices for the services required to release the file, as outlined in section 10.3.
  2. For requests to other Campus Health Units, Campus Health Unit staff complete the Records Search Form. Privacy Office Staff calculate the fees for the services required to release the file, as outlined in section 10.3.
  3. Charges are calculated at the current suggested Ontario Medical Association rates and include photo copying, time to complete the request, and delivery charges. The invoice will be included with the records and provided to the patient or representative who has filed the request by the Ontario Tech Chief Privacy Officer or Campus Health Centre, as applicable.

Release of Records

  1. For requests to the Campus Health Centre, the Campus Health Centre will keep a copy of all records released and notify the Chief Privacy Officer of the release of records relating to any patient who is a student of the University.
  2. For requests initiated by a search memo, or where FIPPA exemptions may apply, the Privacy Office will keep a copy of all records released.
  3. Records may be released:
    1. In person if the patient comes in to physically pick up the file. The patient will be asked to show photo identification and may be asked to meet with a health professional as per section 8.2 b).
    2. Through delivery by registered mail, courier or secure electronic means with signature or secure access code required by recipient named in the request for release.


  1. Each year, the Campus Health Centre will report to the University on all files of patients who are students of the University over the course of the year and will file statistical reporting with the Information and Privacy Commissioner on those releases of information.
  2. The Privacy Office will file statistical reporting with the Information and Privacy Commissioner on requests initiated by a search memo.

Monitoring and review

These Procedures will be reviewed as necessary and at least every three years. The Chief Privacy Officer, or successor thereof, is responsible to monitor and review these Procedures.

Relevant legislation

Freedom of Information and Protection of Privacy Act

Related policies, procedures & documents

Personal Health Information Access and Privacy Policy
Access to Information and the Protection of Privacy Policy