Personal Health Information & Privacy

Privacy is a sensitive, complex area in health care. As the volume and types of data being collected, used and disclosed have grown, regulatory and legal requirements have expanded. It’s key to have practical, industry-savvy advice to help your organization protect the privacy of patient and client information and comply with legal obligations.

Our health care practice is at the forefront of privacy and access to information law. Long before there were health information protection laws, we were advising health sector clients on health information confidentiality.

We have proven expertise with the privacy, information security, and access to information laws governing health information across the health care sector.

Our services include:

  • advising on the purchase, implementation and use of electronic health information systems and on data-sharing agreements between and among health care institutions
  • expertise in the procurement and integration of health information systems
  • developing policies, procedures and agreements designed to protect health information and comply with legal obligations
  • handling privacy, security, and access to information-related patient and client complaints and regulatory investigations
  • understanding and implementing best practices in order to help prevent privacy incidents from occurring
  • navigating often complex U.S.-Canada cross-border regulatory landscapes, including data transfers and multi-jurisdictional breaches
  • advising on the unique issues relating to the privacy of mental health information and the health information of children and adolescents
  • counseling on privacy issues in the clinical research context
  • crafting staff privacy training programs
  • drafting confidentiality agreements
  • understanding the privacy implications of corporate amalgamations, restructurings and service integration
  • responding to requests for access to and the correction of personal health information
  • assisting with privacy incidents, including cybersecurity breaches and ransomware
  • assisting with regulatory inquiries and investigations

Our diverse range of health sector clients includes:

  • hospitals, clinics and health systems
  • pharmacies
  • laboratories
  • ambulance services
  • long-term care facilities
  • associations
  • health information registries
  • individual health care professionals
  • retirement homes
  • community-based health organizations
  • technology companies developing health-related services and products

We have helped clients, including the Ontario Hospital Association (OHA) and Healthcare Insurance Reciprocal of Canada (HIROC), with submissions on new legislation including the Personal Health Information Protection Act and Freedom of Information and Protection of Privacy Act. We assist hospitals, community-based health organizations and other health care providers in responding to potential privacy and cybersecurity breaches, including advising on incident investigation, breach notification to applicable regulators and affected individuals, and incident remediation.

In the event of a privacy breach, our lawyers—who have argued the leading privacy decisions—represent hospitals in litigation, including class action defence.


  • Drafted guides to Freedom of Information legislation (FIPPA) and health information privacy law (PHIPA) for different classes of health services providers.
  • Regularly assist health information custodians to understand their obligations under provincial health information privacy laws and to respond to inquiries and investigations by the applicable Commissioner.
  • Analyze and advise on privacy models for regional and provincial shared records and other electronic health information systems, services and repositories (authentication/identification, e-referral, e-notification, clinical collaboration, integrated decision support).

Key Contacts

Stay Up to Date

Subscribe to receive our insights and perspectives on the latest legal developments that will affect you.