PIPEDA & PHIPA

Last Updated: January 31, 2025

Ontario’s Personal Health Information Protection Act (“PHIPA”) requires that HICs have consent to collect, use or disclose personal health information, but there are various limited exceptions to that rule for the provision of health care. Healthcare providers would be considered a HIC under the legislation and thus governed by the PHIPA.

DemandHub does not have the same obligations as a HIC under the legislation. However, DemandHub is considered an “electronic service provider” under the PHIPA Regulations. An electronic service provider is a person who supplies services that enables a HIC to collect, use, modify, disclose, retain or dispose of personal health information electronically.

As an electronic service provider, DemandHub may not (i) use any personal health information to which it has access in the course of providing services to the HIC, except as necessary in the course of providing the service; (ii) disclose the personal health information to any third party; or (iii) permit its employees or any person acting on its behalf to be able to have access to the information unless the employee or person acting on its behalf agrees to comply with the restrictions in the legislation.

Accordingly, DemandHub will have to rely on the consent rules under the public sector privacy legislation (PIPEDA) to share any personal information with the third party. In particular, if DemandHub receives patient information from a doctor directly, it must have the individual’s express consent to disclose such information or use it for a purpose not connected to the services.