The public has a right to access information held by a public body or a health custodian, including their personal and health information.
The information they can access depends on what the Acts allow. The Access to Information and Protection of Privacy Act (ATIPPA) applies to public bodies and the Health Information Privacy and Management Act (HIPMA) applies to health custodians. These Acts set out rules that public bodies and custodians must follow when an individual makes a request for access to information.
An individual also has the right to request a correction to their personal health information.
Access to Information and Protection of Privacy Act (ATIPPA)
An individual can request access to information held by a public body through the Access and Privacy Officer at the ATIPPA office. [link to public body list]
Certain types of information can be made available to the public without having to submit an access request form. This can be done in two ways:
- contact the public body who holds the information
- or through the Access to Information Registry.
This open registry contains previous access requests that may include the desired information. Public bodies are required to populate the registry with access requests and other information that includes their organizational structure, their responsibilities and functions, current manuals and policy statements used in carrying out a program, activity, or service.
Access and Privacy Officer (APO)
The Access and Privacy Officer (APO) is responsible for receiving, managing, and responding to requests for information held by public bodies listed under ATIPPA. The APO is designated under the Act and has a duty to assist the public. Once a request is submitted, the APO will decide whether to accept or refuse the access request and provide assistance, as necessary.
The APO does not decide what records or information will be released in response to your request. That responsibility rests with the public body from whom the records were requested. When responding to an access request, the APO will pass along the public body’s decision about whether to grant access to the records related to the request.
An individual has the right to request a correction of any personal information held by a public body, including where the information is inaccurate or if information is missing. The IPC can investigate complaints about this process, including:
• if an individual does not receive a response correction
• if the request for correction of an individual’s personal information has been denied
The purpose of ATIPPA is to make public bodies more accountable to the public and to protect personal privacy. Our office has developed resources to support public bodies on fulfilling their obligations as outlined in the Act.
Health Information Privacy and Management Act (HIPMA)
An individual has the right to view their personal health information, receive a copy of it, and see who has accessed their information (record of user activity), under the Health Information Privacy and Management Act (HIPMA).
A request can be made to the health custodian in writing, unless the custodian agrees otherwise. A custodian has 30 days, or an additional 60 days if more time is needed, to respond to a request from the date it was received. It is recommended to keep a copy of the request and the response if the individual wants to make a complaint to our office. If they do not receive a response by the deadline indicated by the custodian, they can make a complaint to our office.
Record of user activity
An individual can also ask the custodian for a record of user activity. This record will indicate who has looked at an individual's personal health information that is stored on the custodian’s electronic system.
Fees
The custodian may charge a fee as outlined in the Act, however, a record of user activity is free of charge. The custodian can't charge for transferring personal health information to a new provider if they are no longer providing care to that individual.
Individuals have the right to request a correction to their personal health information. The request should be made in writing to the custodian who has 30 days to respond upon receipt of the request. If providing a response will seriously interfere with the operations of the custodian, they can take an extra 15 days as long as they give reasons for the delay and let you know when you can expect a response.
The custodian will either make the requested correction to the record or refuse to do so. If they refuse, the individual can have a statement of disagreement added to their record and can make a complaint to our office. The statement of disagreement is a short note written by the individual that explains the requested correction and their reasons for it.
A custodian is not required to make a correction or to add a statement of disagreement to a ‘good faith’ professional opinion, or if the requested correction is deemed to be of a repetitious, frivolous, or vexatious nature.
A custodian is not allowed to charge a fee for correcting a record or adding a statement of disagreement.
If it is believed that the custodian has not followed HIPMA in managing a request for correction, a complaint can be made to our office.
The purpose of HIPMA is to establish strong and effective mechanisms to protect personal health information, rules for the collection, use, disclosure, security, and management of personal health information, and provide individuals with the right to access their personal health information or request the correction of inaccuracies.
We have created a HIPMA guide for small custodians to assist them in understanding and complying with their obligations under the Act. More information can be found under Resources.
If an individual doesn’t receive the information they requested by the deadline or is not satisfied with the information provided, they can make a complaint to the Information and Privacy Commissioner (IPC). Complaints can be made about a time extension taken by a custodian, the failure of a custodian to assist you in making your access request, or the fee charged for providing access.