Formal legal notice, access policy, and enforcement notice

Confidential personal health information access notice

This page is intended to provide a detailed legal and operational notice regarding restricted access, confidentiality, monitoring, audit logging, enforcement, incident response, and possible reporting in relation to a system that may contain confidential personal health information and related medical information under Ontario and Canadian law. It is written to be more detailed than a standard splash warning and to tie its terms directly to applicable statutory and regulatory sources. [page:1][page:2]

Return to login Jump to sources
System
Matthew's Medical Records Portal
Primary law
Personal Health Information Protection Act, 2004 (Ontario)
Updated
June 10, 2026

1. Legal status of this document

This document is intended to function as a formal legal notice, restricted access notice, privacy warning, logging and monitoring notice, and enforcement notice for this system. It is not represented as a substitute for legislation itself, and it is not intended to override any statutory obligation, professional duty, agency relationship, custodial obligation, employment term, or contract that may already apply to a person accessing or attempting to access this system. [page:1][page:2]

The purpose of this document is to communicate clearly that the information and records available through this system may be subject to Ontario’s Personal Health Information Protection Act, 2004 (“PHIPA”), related Ontario privacy expectations, and potentially additional Canadian privacy obligations depending on the organization, activity, and context. PHIPA expressly states that one purpose of the Act is to establish rules for the collection, use, and disclosure of personal health information that protect confidentiality and privacy, and to provide effective remedies for contraventions. PHIPA, s. 1(a), (e). [page:1]

This notice should be read as a formal warning and compliance statement. It should not be treated as limiting any right, remedy, or reporting obligation otherwise available in law.

2. Information covered by this notice

If this system contains identifying information relating to an individual’s physical or mental health, the provision of health care, payments or eligibility for health care, health numbers, substitute decision-makers, or similar medical-related information, that information may qualify as “personal health information” within the meaning of PHIPA. PHIPA defines personal health information broadly in section 4(1), and defines identifying information in section 4(2) as information that identifies an individual or for which it is reasonably foreseeable that it could be used, alone or with other information, to identify an individual. PHIPA, s. 4(1), (2). [page:1]

PHIPA also sets out who may be a “health information custodian” in section 3. Whether the operator of this site is itself a health information custodian, an agent, a service provider, or another related actor is a fact-specific legal question, but the confidentiality and restricted-access posture of this system is based on the possibility that the information handled here falls within PHIPA’s protected scope. PHIPA, s. 3, 4. [page:1]

3. Access restriction and authorization rule

Access to this system is strictly limited to persons who have been expressly authorized for a legitimate, necessary, and lawful purpose. No person may access, attempt to access, test, probe, scrape, enumerate, bypass, collect from, or otherwise interact with this system unless they are authorized to do so by the operator or another person legally entitled to grant such authorization. [page:2]

Ontario IPC guidance on unauthorized access makes clear that unauthorized collection, use, or disclosure of personal health information without consent and for purposes not permitted or required by PHIPA must be taken seriously, regardless of motive. The IPC further states that privacy protection should be integral to health care delivery and embedded into the culture of every health care organization. [page:2]

This means that curiosity, convenience, personal interest, informal review, “testing,” or unauthorized troubleshooting are not valid justifications for access. The need-to-know principle applies, and access should be limited through technical, administrative, and policy controls. The IPC expressly recommends measures such as password controls, search controls, and access limitation based on need-to-know. [page:2]

4. Security obligations under Ontario law

PHIPA requires that reasonable steps be taken to protect personal health information against theft, loss, and unauthorized use or disclosure, and to protect records containing the information against unauthorized copying, modification, or disposal. PHIPA, s. 12(1). [page:1]

PHIPA also includes provisions dealing with information practices and electronic audit logs. In particular, section 10 addresses information practices, and section 10.1 addresses electronic audit logs. These provisions support the use of documented privacy practices and technical audit records in electronic systems containing personal health information. PHIPA, s. 10, 10.1. [page:1]

IPC guidance recommends that organizations develop privacy policies and procedures, require privacy training, use warning flags and privacy notices in electronic systems, require confidentiality agreements and end-user agreements, and develop comprehensive privacy breach management policies and procedures. These measures support a defensible compliance posture and help demonstrate that the operator took privacy and security seriously. [page:2]

5. Logging, audit, and monitoring notice

This system may log, monitor, correlate, review, preserve, and analyze access attempts, authentication events, security events, and related technical metadata for the purposes of access control, intrusion detection, fraud prevention, audit, breach assessment, incident investigation, remediation, evidence preservation, legal advice, regulatory compliance, and dispute resolution. This may include IP address, forwarded IP information, reverse DNS, browser user agent, request metadata, timestamps, success and failure events, temporary bans, and other reasonably necessary technical records. PHIPA supports electronic audit logs, and IPC guidance specifically recommends that all accesses to personal health information in electronic systems be logged, audited, and monitored on an ongoing, targeted, and random basis. PHIPA, s. 10.1; IPC Unauthorized Access guidance. [page:1][page:2]

Logged information may be retained as evidence where necessary to identify unauthorized access, investigate privacy incidents, support internal review, support legal or regulatory reporting, respond to law enforcement requests, or preserve proof relevant to civil or regulatory proceedings. Retention should remain tied to legitimate protective and compliance purposes and should not be indefinite without reason. [page:1][page:2]

Where additional client-side signals are collected, such as browser-posted identifiers or optional network-related information, those signals are collected only to the extent reasonably necessary for security analysis, fraud prevention, audit, and incident response. The collection of such data should remain proportionate and should be disclosed clearly to users. [page:2]

6. Prohibited conduct

The following conduct is prohibited and may trigger containment, investigation, or reporting:

  1. Accessing or attempting to access the system without express authorization. [page:2]
  2. Using another person’s credentials, sharing credentials, or otherwise impersonating an authorized user. [page:2]
  3. Viewing, collecting, copying, downloading, screenshotting, exporting, recording, disclosing, or retaining information without lawful authority. PHIPA, s. 1(a), 12(1). [page:1]
  4. Testing passwords, brute forcing, probing, scanning, enumerating records, scraping pages, or automating requests in an effort to gain or expand access. [page:2]
  5. Using VPN chains, proxy manipulation, forged headers, or other evasive measures to conceal origin, identity, or intent. [page:2]
  6. Modifying, deleting, corrupting, suppressing, or attempting to alter records, audit trails, evidence, or technical safeguards. PHIPA, s. 12(1). [page:1]

Unauthorized access is not excused by motive. The IPC expressly says unauthorized access must be taken seriously regardless of motive. [page:2]

7. Reporting, escalation, and external channels

Suspected or confirmed unauthorized access, misuse, copying, disclosure, circumvention, or related security incidents may be investigated internally and may be escalated externally where appropriate, necessary, or required by law. IPC guidance specifically recommends policies that identify when the actions of agents may be reported to third parties, including police, health regulatory colleges, and/or the Attorney General or their agent to commence a prosecution under PHIPA. [page:2]

Depending on the facts and the role of the operator, possible reporting or escalation channels may include:

  • The Information and Privacy Commissioner of Ontario for PHIPA-related breach, complaint, review, or enforcement matters. PHIPA Part VI; IPC guidance. [page:1][page:2]
  • The affected health information custodian, principal organization, privacy officer, compliance officer, or legal counsel. [page:1][page:2]
  • Law enforcement where criminal conduct, fraud, intrusion, theft, extortion, or malicious misuse is suspected. [page:2]
  • A relevant health regulatory college where circumstances engage professional reporting expectations. IPC guidance specifically mentions reporting to a health regulatory college. [page:2]
  • The Attorney General of Ontario or their agent in relation to prosecution steps under PHIPA where appropriate. IPC guidance mentions this route, and PHIPA provides offences in section 72. [page:1][page:2]
This notice does not promise that every incident will be reported to every authority. Reporting depends on the facts, legal obligations, and professional advice available at the time.

8. Administrative, civil, and offence consequences

PHIPA includes an enforcement regime in Part VI, including administrative penalties in section 61.1, damages for breach of privacy in section 65, and offences in section 72. PHIPA Part VI; s. 61.1, 65, 72. [page:1]

The IPC explains that administrative monetary penalties under PHIPA may reach up to $50,000 for individuals and $500,000 for organizations. It also explains that a person guilty of an offence under PHIPA may face fines and, for individuals, possible imprisonment, while organizations may face substantially larger fines. The IPC further notes that persons affected by certain PHIPA contraventions may seek damages, including up to $10,000 for mental anguish in the circumstances allowed by the statute. [page:2]

In practical terms, an unauthorized user or agent may face one or more of the following: access suspension, IP bans, credential invalidation, internal investigation, termination of access, professional discipline, complaint proceedings, regulatory review, civil claims, or offence-related processes. The IPC’s unauthorized access guidance expressly refers to damage to professional reputation, termination, disciplinary action, fines, and civil lawsuits as potential consequences of snooping. [page:2]

9. Retention, evidence preservation, and review

Security logs, audit trails, incident notes, and related technical evidence may be retained for so long as reasonably necessary to protect the system, evaluate incidents, obtain legal advice, preserve evidence, comply with legal obligations, support insurance or regulatory processes, or defend or advance claims. PHIPA’s security and enforcement framework, combined with IPC guidance on breach management and audit, supports maintaining appropriate records for these purposes. PHIPA, s. 10.1, 12; IPC guidance. [page:1][page:2]

This notice and the technical safeguards associated with it may be revised from time to time in response to operational changes, legal developments, privacy assessments, incident lessons learned, or professional advice. [page:2]

10. User acknowledgment and reservation of rights

By proceeding to or beyond the login interface, submitting credentials, or attempting to access this system in any way, a user is placed on notice that the system is restricted, that confidentiality obligations apply, and that technical logging, monitoring, and evidence preservation may occur for lawful security and compliance purposes. This notice does not replace any independent contractual, professional, statutory, employment, or agency obligation that may already apply. [page:1][page:2]

The operator reserves the right to take any lawful and appropriate measure to protect the system, the confidentiality of the records it contains, any affected individuals, and any affected custodians or organizations, including technical containment, access restriction, account disablement, audit review, escalation, notification, evidence preservation, complaint, reporting, and legal action where appropriate. [page:1][page:2]

11. Sources and statutory references

  • Ontario, Personal Health Information Protection Act, 2004, S.O. 2004, c. 3, Sch. A, especially s. 1, s. 3, s. 4, s. 10, s. 10.1, s. 12, Part VI, s. 61.1, s. 65, and s. 72. [page:1]
  • Information and Privacy Commissioner of Ontario, Unauthorized access, including recommendations on privacy notices, warning flags, confidentiality agreements, need-to-know controls, password/search controls, logging, auditing, monitoring, breach management, and possible reporting to police, health regulatory colleges, and/or the Attorney General or their agent. [page:2]

For a site-specific production version, this notice should ideally be reviewed by Ontario counsel experienced in health privacy, especially if the operator is clearly functioning as a health information custodian or agent under PHIPA. [page:1][page:2]