Privacy and access to information law is a key part of our healthcare practice. Long before there were health information protection laws, we were advising health sector clients on their obligations of confidentiality in relation to health information. We assisted our clients in the development of policies, procedures, and agreements designed to protect health information and in responding to requests for access to and the correction of health information, complaints about breach of confidentiality, records retention, staff privacy training and confidentiality agreements, background checks and discipline for the misuse of health information.

We were involved with legislative submissions on different drafts of health information protection legislation prior to 2004 and in connection with the Personal Health Information Protection Act (PHIPA), which became law in Ontario in 2004. We also contributed to the drafting of privacy legislation and amendments to access to information legislation when it became applicable to hospitals. In 2011, in the lead-up to the application of FIPPA to Ontario hospitals, we published a series of bulletins (“FOI-ables”) to assist hospitals in planning for and implementing the legislation. We are currently engaged in the same exercise with community care access centres. We assisted the Ontario Hospital Association (OHA) and HIROC with submissions during the consultation on FIPPA, including suggesting amendments that better protect quality of care information. We have drafted and edited privacy toolkits for the OHA, the Ontario Association of Community Care Access Centres (OACCAC), and health information custodians. We have developed and delivered orientations on access to information and privacy laws to directors and officers of health sector clients, and training sessions and workshops on privacy and access, as well as anti-spam law, to managers and staff.

We regularly advise health sector clients in relation to incident reports, electronic information systems and records, arrangements with IT services providers, record retention and destruction, access and the correction of records, quality of care restrictions on the use and disclosure of records and the use of records in the context of external and internal investigations including by health profession regulators, privacy regulators and the Coroner. We have significant experience in relation to the use of health information in the context of mental health, children’s health, amalgamations, restructurings and service integration including Health Links, transfer of programs and services, family health teams and clinics, and legal proceedings.  We assist clients to manage patient privacy in the context of changing technology, including with policies on photography and surveillance, social media and BYOD (bring your own device), as well as the use of cloud computing and other forms of records management.

We assist hospitals and other health care providers in responding to privacy breaches, which sometimes involve thousands of patient records.  Our services include advice on breach notification and remediation protocols.  We represent hospitals in privacy breach litigation, including class action representation.  Our lawyers have been involved in the leading court decisions involving health care privacy breaches.

We apply our expertise to the specific operations of health sector clients that include pharmacies, laboratories, ambulance services, long-term care facilities, associations, health information registries, and individual health care professionals.



  • Jennifer Fantini, “Protecting confidentiality in the health care setting: The menace of social media,” Hospital News, October 2012.
  • Sarah Stiner (formerly of Borden Ladner Gervais LLP), “Healthy disclosure: Ontario hospitals brace for requests under freedom-of-information legislation,” Hospital News, June 2012.
  • Bonnie Freedman, “Healthy disclosure: Ontario hospitals brace for requests under freedom-of-information legislation,” Canadian Lawyer, May 2012.
  • Hawkins & Pessione, “Application of Freedom of Information to Ontario Hospitals,” Hospital News, March 2011.

BLG FOI-ables and Health Law Bulletins

  • “CASL and Health Care Providers,” Health Law Bulletin, May 2014.
  • “Bill 78: Proposed New Requirements in Relation to Certain Shared Electronic Records of Personal Health Information,” August 2013.
  • FOI-ables Issue 9: Wrap-Up, December 2011.
  • FOI-ables Issue 8: QUESTION: Since credentialing records are excluded from FIPPA, does the medical staff office have to do anything to get ready for FIPPA?, September 2011.
  • FOI-ables Issue 7: QUESTION: Are there any changes to how PHI is treated as a result of FIPPA?, September 2011.
  • FOI-ables Issue 6: QUESTION: Are emails subject to access under FIPPA?, June 2011.
  • FOI-ables Issue 5: QUESTION: Are emails subject to access under FIPPA?, June 2011.
  • FOI-ables Issue 4: QUESTION: I understand that the Board chair (the head) has a number of responsibilities under FIPPA, and may delegate some or all of those responsibilities in writing. But is there a role of the hospital Board in oversight of hospital compliance with FIPPA?, May 2011.
  • FOI-ables Issue 3: QUESTION: I understand that the Board chair (the head) has a number of responsibilities under FIPPA, and may delegate some or all of those responsibilities in writing. But who should be responsible for the day-to-day administration of FIPPA within a hospital?, May 2011.
  • FOI-ables Issue 2: QUESTION: I am the chair of hospital board and I understand that I have various powers and duties under FIPPA. Can I delegate my powers and duties?, April 2011.
  • FOI-ables Issue 1: QUESTION: I heard that there was going to be an amendment to FIPPA to extend the protection of quality of care information created outside of the QCIPA process. Is this going to happen?, April 2011.


  • Patrick Hawkins, From Law to Practice: Revisiting the Quality of Care Information Protection Act, 2007, Ontario Hospital Association.
  • McIsaac et al., The Law of Privacy in Canada, 2000, Thomson Reuters Canada Limited (Loose-leaf Service).
  • Hawkins & Taylor, Quality of Care Information Protection Act Toolkit, 2004, Ontario Hospital Association.
  • John Risk (formerly of Borden Ladner Gervais LLP), Records Retention Toolkit: A Guide to Maintenance and Disposal of Hospital Records, Ontario Hospital Association.

Representative Work

  • Acted in the leading cases of Steep v. Kingston General Hospital and Hospital for Sick Children v. Leone, in which the court recognized the importance of quality assurance principles applying to documentation generated in the course of quality assurance initiatives at hospitals.
  • Advise hospitals and other healthcare institutions on health information privacy and security issues that include:
      • Policies and procedures for compliance with privacy obligations for the Pan Canadian Oncology Drug Review.
      • Data sharing and system access agreements for hospitals and other health information custodians, registries of personal health information, agencies, and Local Health Integration Networks.
      • Revision of privacy policies, to comply with PHIPA, QCIPA, FIPPA and on the introduction of new electronic health information systems.
      • Data sharing and data repository agreements.
      • Transfer of health records as part of corporate reorganisations.
      • Assisting with responding to privacy complaints, including advice with submissions to the Information & Privacy Commissioner.
      • Handling and reporting of privacy breaches, including small individual breaches and large situations involving loss or theft of data storage devices.
      • Policies and procedures relating to the conduct of meetings, delegation of authority and other governance functions for institutions under FIPPA.
      • Privacy impact assessments and audits of personal health information management practices.
      • Records retention policies.
      • Workplace privacy policies.
      • The outsourcing of operations involving access to personal health information, including the privacy dimensions of contracts with third party information technology and information management service providers.
      • The characterization of organizations collecting, using or disclosing personal health information under PHIPA and the identification of their obligations, including health information network providers.
      • The use, transfer and disclosure of personal health information by health information custodians, prescribed entities, registries and other organizations.
      • Consent requirements for the collection, use and disclosure of personal health information.
      • Documenting requirements for the security of electronic systems and personal health information.
      • The use of social media in the health care sector.