
Many Ontarian patients assume their medical records are private, but there are multiple circumstances where this data may be shared. That said, under Ontario’s Personal Health Information Protection Act (PHIPA), patients do have rights regarding how their data is stored and shared.
PHIPA provides clear protections that allow you to give or deny consent to access your health information and request corrections to this data when necessary. This article will help patients understand who can access their medical records, what rights and control they have over how their data is shared and how PocketHealth can help.
To understand who can access your medical records and why, it is helpful to review the types of consent under PHIPA.
Personal health information, as defined by PHIPA, includes identifying information about a patient’s physical and mental health, their family medical history, plans for home and community care services and, when applicable, the identity of their substitute decision-maker.
Some medical record-specific examples of PHI include:
Implied consent in Ontario means that health care providers, or those assisting them in this capacity, may assume they have a patient’s implied consent to disclose or use their PHI to provide reasonable care. This is referred to as your “circle of care,” which includes anyone on your health team, such as pharmacists, nurses, specialists and so on.
One example of implied consent is when your doctor sends you to a lab for bloodwork. There is implied consent that you are allowing your doctor to send your PHI to the lab because it is for the purpose of providing care. This means you do not need to provide consent every time you see a new provider or facility, enabling timely, efficient and coordinated care.
That said, it is important to know your rights and the safeguards in place for your personal health information. Some guardrails for implied consent include:
Express consent refers to specific data-sharing agreements that require clear digital, verbal or written consent from the patient. Under PHIPA, it is required when PHI access isn’t already implied or granted. Just as you can withhold implied consent, you can also withhold express consent.
Examples where express consent is needed include:
Understanding the different types of consent helps you know why some providers can access your records automatically, and when this access is unavailable. It also helps you determine when to deny access to your PHI, allowing you to take charge of your own health information privacy.
Here is an overview of who can typically access your health or medical records and why.
Most importantly, as a patient, you have the legal right to request access to your own records. This includes obtaining copies for yourself or requesting corrections, if necessary.
Under PHIPA, a “health information custodian” is any person or organization that has custody or control of someone’s health data as a result of performing their work duties. Access must be for care purposes and relevant to these duties. Examples include:
These health professionals are directly involved in your care. Under PHIPA, they have implied consent to access your medical information for the purpose of providing you with health care. This means they don’t need to ask for your consent every time they access your records. This streamlines and coordinates care, avoiding delays and interruptions. However, you do have the right to withdraw this consent or control who has access to your information.
Other people who may have access to a patient’s personal health information include substitute decision-makers (SDMs), when applicable. These are legally authorized individuals who have access to the patient’s records to make medical decisions about their care. This role is intended for situations in which the patient is deemed unable to make their own decisions regarding their PHI. Examples of these substitute decision-makers include:
Certain third parties may obtain or request access to your health records. Usually, this requires your express consent and is for a specific, time-bound purpose, though there may be exceptions. Here are some common third parties for this type of access:
While these scenarios may have different requirements for implied versus express patient consent, here are some common situations where your medical information may be shared:
There are common misconceptions about who can access your records without your consent. One misconception is that implied consent means you cannot control who can see your records. In fact, under PHIPA, you do have the right to control this. Similarly, consent can often be changed at any time, whether implied or express.
Another misconception is that family members automatically have access to your PHI. This is usually only true for underage children or those who have already been granted legal authority as a POA for other matters. Typically, most family members cannot see your records without your formal permission.
Under PHIPA, patients have the right to withhold implied consent, withdraw express consent and place restrictions on the information being shared and who it is shared with.
Keep in mind, however, that restricting access to your PHI within your circle of care could affect the care you receive from these providers. For instance, prescriptions may be delayed if your pharmacist must obtain your permission to access your records every time you need medication refilled. If you decide to restrict access to your records, consider discussing possible limitations on your care with your provider in advance.
Here are the four steps you can take to manage third-party access to your personal health information:
When patients have control over sharing their own records, it puts them in the driver’s seat, allowing them to choose who receives their records on their own terms. PocketHealth is a secure, patient-centred platform that gives you control over your records.
You can easily access your imaging records from your account and upload other important health data, giving you a complete view of your health history under a single login. From there, you can decide who to share your medical records with and send this information anytime you like.
In addition to record management, PocketHealth offers features that make understanding your health data easier. Personalized insights and AI-enabled educational tools illustrate key anatomy in your medical images and provide clear summaries of your imaging reports. This empowers you to understand your health records and be more involved in your care.
Having access to consolidated records, such as with PocketHealth, puts you in control of your own information. You can easily and securely share it with whoever you choose, allowing you to manage how your data is accessed without needing to officially request it from your provider.
Here are some commonly asked questions regarding accessing your medical records.
Under PHIPA, you own the actual data that lies within these medical records and have the legal right to request access. However, the provider owns the record where the data resides and is responsible for maintaining the systems that safeguard this data.
Most health facilities offer some form of online record access. If available from your provider, you can view your records through a patient portal or you could use a health record platform, such as PocketHealth. Another option is to submit an official request to have them sent to you digitally as a PDF or equivalent format.
If you need to request a copy of your records, you will likely need to complete a form and allow time for a response. Consider asking for a fee estimate, as many clinics charge a small fee for this. In rare cases where the provider does not have digital versions of your records, you may receive a paper copy or another alternative, such as a CD.
According to the College of Physicians and Surgeons of Ontario, providers should retain medical records for up to 10 years from the last recorded entry for adult patients, or 10 years after the child’s 18th birthday. There can be exceptions to this.
Unless you specifically request that your implied consent be revoked, all providers within your circle of care have access to your medical records. You also have the right to request your own records or send them to other physicians or specialists. Third parties, such as unauthorized family members and insurance companies, must have your express consent to view your health information.
Published: December 22, 2025