Freedom of Information and Protection of Privacy Act

The Freedom of Information and Protection of Privacy Act (FIPPA) is provincial legislation that applies to all Ontario hospitals effective January 1, 2012.

FIPPA is intended to help to increase the transparency of the hospital system and is retroactive to January 1, 2007; as a result, records that came into a hospital‘s custody and/or control on or after January 1, 2007, are subject to the act. 

Hospitals were made subject to the FIPPA through the Broader Public Sector Accountability Act, 2010 (BPSAA)  This amendment does not change rules applicable to personal health information. The Personal Health Information Protection Act, 2004 will continue to apply to hospitals‘ collection, use and disclosure of personal health information.

Certain types of hospital records are excluded from the application of the FIPPA. Some examples include:

  • Records that relate to the operations of a hospital foundation
  • The administrative records of a health professional in relation to their personal practice
  • Records that relate to charitable donations made to a hospital

Read more about the Freedom of Information and Protection of Privacy Act or view SAH’s Frequently Asked Questions (FAQ).

SAH’s Freedom of Information (FAQ)

The Freedom of Information and Protection of Privacy Act (FIPPA or Freedom of Information – FOI) is provincial government legislation that provides the right of access to records under the custody and/or control of an organization.

The purpose of FIPPA is two-fold:

  1.  To provide a right of access to information under the control of institutions (freedom of information)
  2.  To protect the privacy of individuals with respect to personal information about themselves in the custody or the control of institutions (protection of privacy)

All records under the control or custody of the hospital, whether they are written, images, audio recordings or other information stored electronically or in hard copy are covered under FIPPA.

Hospitals will be designated as institutions under FIPPA as of January 1, 2012. After that date, any member of the public will have the right to make a request for access to a range of recorded information, including records of personal information that came into the custody or under the control of a hospital on or after January 1, 2007. Access to one’s own records of personal health information, however, will continue to be governed by the Personal Health Information Protection Act (PHIPA).

In December 2010, the Ontario government passed the Broader Public Sector Accountability Act (BPSAA). The legislation enforces new standards for reporting and accountability for hospitals, local health integration networks, school boards, colleges, universities, and other broader public sector organizations. A key element of the BPSAA is that it extends the Freedom of Information and Protection of Privacy Act (FIPPA) to public hospitals. The intent of this legislation is that public organizations spending taxpayer dollars must be transparent and open to scrutiny – a belief that is endorsed by SAH, our management team and the Board of Directors. This legislation also addresses the anomaly of Ontario being the only Canadian province in which hospitals were not covered by Freedom of Information legislation.

Yes, hospitals have been covered under the Personal Health Information Protection Act (PHIPA) since 2004. However, PHIPA only governs the collection, use and disclosure of personal health information and not other types of information. With the introduction of FIPPA, requestors have a much broader right of access to records held by hospitals. For example, requests may be made to access records under a hospital’s custody or control relating to administrative and operational functions, financial considerations and some personal information, such as salaries of employees earning more than $100,000.

Every hospital will appoint a designated Freedom of Information and Privacy Coordinator (or similar title) in order to administer the requests received under FIPPA. Ultimate responsibility for FIPPA rests with the SAH Board Chair (the Head). The administrative lead for FIPPA is the Chief Information/Chief Privacy Officer. SAH is in the process of recruiting a FIPPA Coordinator who will lead the hospital’s efforts.

Any person can make a request for access to records under FIPPA. A “person” includes individuals and organizations such as corporations, partnerships and sole proprietorships. The right of access is not limited by citizenship or place of residence. It is important to note that there may be situations where one person represents another individual (e.g., substitute decision-maker). The rights and powers which an individual may exercise on behalf of another include the right to make access requests.

As of January 1, 2012, you can write a letter or complete a Request Form and send it to the Freedom of Information and Privacy Coordinator at the hospital. You would need to include an application fee of $5.00 (a cheque or money order payable to the hospital).

Yes, under the Act a formal access request must be made in writing. Only a formal request provides the requester with the opportunity to appeal the hospital’s decision to the IPC at a later date.

FIPPA utilizes a “user pay” principle whereby the requester must bear some of the costs incurred by the hospital in processing the request. This includes a nominal initial application fee of $5.00 and a number of specified processing fees. For example, the fee for record searching is $7.50 per 15 minutes. There are also a number of other fees related to processing a FIPPA request, such as photocopying or the production of computer discs. Hospitals are required to provide a fee estimate for requests where processing costs are expected to be greater than $25. For fee estimates of over $100, hospitals may request a deposit of 50% of the fee estimate before taking any further steps to process the request.

FIPPA will apply to “records” that have been in the “custody or control” of a hospital since January 1, 2007, unless the record is subject to an express exclusion under the Act. “Record” means any record of information however recorded, whether in printed form, on film, by electronic means or otherwise. A hospital does not have the duty to create a record, but it does have a duty to provide an electronic record in a requested format if producing it does not unreasonably interfere with the operations of the hospital. Costs related to the fulfillment request may be passed along to the requester.

There are a number of exemptions and exclusions from the right of access. For example, where the disclosure of a record could reasonably be expected to interfere with a law enforcement matter, it may be exempt from disclosure. As another example, records that relate to the operations of a hospital foundation are excluded from the right of access. There are many types of exemptions or exclusions – far too many to list. Each Freedom of Information (FOI) request will be dealt with on a case by case basis and any exemptions or exclusions will be identified and noted to the requestor.

Records that are subject to express exclusions under the Act are not covered by the Act. For example, records that relate to employment, labour relations, the appointments or privileges of health professionals, regulated health professionals’ private practice records, as well as research and teaching records, hospital foundation and charitable donation records, and records relating to the provision of abortion services are excluded from the Act. It is also important to note that FIPPA does not apply to “personal health information” that is subject to the Personal Health Information Protection Act (PHIPA). As a result of an amendment to the Quality of Care Information Protection Act (QCIPA), FIPPA also does not apply to “quality of care information” prepared by or for a designated quality of care committee under QCIPA.

In general, custody means the keeping, care, watch, preservation or security of the record for a legitimate business purpose. While physical possession of a record may not be sufficient to constitute custody, it is the best evidence of custody. In general, control of a record does not mean having actual physical possession of the record, but rather the power or authority to make a decision about the use or disclosure of the record.

The Act requires the institution to respond to access requests within 30 calendar days from the date a request is received. The 30-day time period starts to run the day the institution receives a complete request. A complete request is one that has been clarified or one which provides sufficient detail to allow the institution to understand what information is being requested. The $5.00 application fee must also have been received. The institution may extend the 30-day time limit in two situations:

  1. The request is for a large number of records or necessitates a search through a large number of records and meeting the time limit would unreasonably interfere with the operations of the institution.
  2. Consultations with a person outside the institution are necessary to comply with the request and cannot reasonably be completed within the time limit.

If you do not receive the hospital’s response within the 30-day time frame, you can appeal to the IPC office on the basis of a “deemed refusal.” The hospital may decide not to release all of the information that you request, in which case it would have to cite the sections of FIPPA it is using to withhold the information from you. If you disagree, you can then ask the IPC to review the decision by making an “appeal.” You can do this by writing a letter or using the IPC Appeal Form and enclosing an appeal fee.

Yes, under FIPPA there are mandatory fees for a requester appealing a decision to the IPC. A $10.00 fee applies to personal information request appeals and a $25.00 fee applies for general records request appeals. There is no fee for a third party to appeal an institution’s decision to disclose information.

Generally speaking, FIPPA does not currently apply to the long-term care (LTC) sector. As such, on an individual FIPPA request basis, the hospital would need to determine if it has “custody or control” of the LTC home record to determine whether the record is responsive to the specific FIPPA request. For greater clarity, if a hospital has custody or control of a LTC home record, then that record is subject to FOI even though generally the LTC sector is not.

FIPPA was amended by Bill 122, the Broader Public Sector Accountability Act, passed in December 2010 to bring hospitals under Ontario’s freedom of information and privacy regime. No other health care organizations were added at that time. However, many health-related organizations and agencies have already been made subject to the Act through designation as “institutions” under the FIPPA regulation. For example, Local Health Integration Networks (LHINs) were added as an institution in 2005, and Cancer Care Ontario was added in 2010. The Ministry of Health and Long-Term Care and other provincial and municipal institutions involved in the delivery of health care are also subject to FIPPA.

No. Hospitals may continue to respond to informal requests for information. The access to information regime established by FIPPA is only one avenue through which hospitals are able to release information. Because of the resources involved in the formal FOI process, it should be reserved for requests where information will not be released, or where there is some question as to the hospital’s ability to disclose records.

Yes, a request for a record can be refused if the record or part of the record falls within one of the exemptions or if the request is deemed to be frivolous or vexatious. Once the decision to refuse access to the record, in whole or in part, has been made, written notice of the decision (a “decision letter”) must be provided to the requester and any affected third-parties. The decision letter must be provided to the requester within the 30-day time period (or within the period of extended time, if any).

If the “third-party information” is personal health information, the request cannot be processed under FIPPA. Records sometimes contain information concerning a person other than the requester. Before granting access to a record affecting a third party, the hospital must give written notice to the third party to whom the information relates.

FIPPA provides that before access is granted to a record that might contain information referred to in the third-party exemption, that party must be notified and given the opportunity to make representations before a final access decision is made. If a third-party claims in its representations that the record is exempt, the burden of establishing that the record falls within the exemption rests with that third party. Similarly, where an institution asserts that this provision applies, the burden of proof is on the institution. It should be noted that the final decision on whether the record should be disclosed rests with the institution, not the third party.

No, a hospital is not able to publicly identify/post the names of individuals who make access requests. The costs of handling a particular request can only be published as long as the requester cannot be identified in any way.

Hospitals must provide access to only those records that are in their custody or control and not otherwise exempt or excluded either under FIPPA provisions, PHIPA or other legislation. The general right to access hospital records is limited by the retrospective application provision, such that a person’s right of access applies only to records that came into the custody or under the control of the hospital on or after January 1, 2007.

Not necessarily. Portions of the record may be severed prior to disclosing the record. When information falls within an exemption and can reasonably be severed from the record, FIPPA provides the requester with a right of access to the remainder of the record. One method of severing is to blank out the exempt information from a photocopy of the record using a black marker, and releasing a copy of the severed photocopy to the requester. Generally, the smallest unit of information to be disclosed after severing is a sentence. But even where only a sentence remains, some information, such as a name, might be removed and the remainder released. When information is severed from a record, the notification to the requester must specify the section(s) of the Act under which access to the severed information is refused. As well, where information must be severed from a record, it is not feasible to allow a requester the option of viewing the original. It is not necessary to disclose “disconnected” snippets of information. Severing does not apply where the Act specifically exempts from disclosure an entire class of records such as qualified in-camera meeting records that discuss litigation or drafts of by-laws or resolutions. In all cases, the information in a record must be assessed to determine whether portions are severable.

Exclusions provide that most employment and labour relations records collected, maintained, prepared or used by, or on behalf of a hospital are excluded from FIPPA.  

After personal health information has been deleted from the record, the rest of the record is subject to FIPPA, unless a FIPPA exclusion applies to it.

This issue has not yet been definitively decided. It may depend on whether the deleted emails have been retained by the institution on backup tapes and how difficult the retrieval process would be. Generally speaking, if providing access to requested information is so difficult that it interferes with the operations of an institution, then the requested document is not considered to be a record under the Act.

For more information about FIPPA, please call Sault Area Hospital at (705)759-3434, ext. 6866 or email