Are you a Health Information Custodian?

February 19, 2026

Key takeaways, resources and a quiz about the definition, role and special situations of an HIC.

What is a Health Information Custodian?

A Health Information Custodian (HIC) is an individual or an organization responsible for the custody, control, and protection of personal health information (PHI). This includes collecting, using, disclosing, retaining, and securely disposing of PHI. In Ontario, this role is defined and governed by the Personal Health Information Protection Act (PHIPA).

An HIC is usually the health care provider or organization that delivers care directly to a client. For example:

  • Hospitals and Clinics.
  • Health care practitioners, including dietitians in private practice.

PHIPA defines health care broadly. It includes any assessment, care, service, or procedure that:

  • Diagnoses, treats, maintains, or promotes physical or mental health.
  • Prevents disease or injury.
  • Provides palliative care.
  • Includes services involving prescribed drugs, devices, or equipment, and certain community services.

Agents of a Health Information Custodian

Agents are individuals who act on behalf of the HIC and handle PHI for the HIC’s purposes. Agents may include:

  • Employees.
  • Health care practitioners (if they are acting on behalf of the HIC).
  • Volunteers, students, and researchers.
  • Independent contractors and third-party service providers.

Important: An HIC can only share PHI with agents if the HIC is legally permitted to collect, use, or disclose that information. 

Responsibilities of agents

  • Follow the same care and diligence as the HIC.
  • Collect only the minimum information needed.
  • Safeguard PHI from loss, theft, or unauthorized access.
  • Report any privacy breaches to the HIC immediately.
  • Comply with both PHIPA and the HIC’s privacy policies.

When dietitians work as agents for a facility, the HIC is responsible for ensuring that agents are trained and aware of their legal duties, often through training and confidentiality agreements.

If you are an independent contractor

Some dietitians work as independent contractors. For example, they may run their own private dietetic practice with two or more health professionals in a clinic setting.

Before providing dietetic care to clients, independent contractors should clarify whether they are acting as the HIC or an agent of another HIC. This distinction determines one’s legal responsibilities for handling PHI.

Personal health information and consent

HICs and their agents may rely on implied consent to collect, use, or disclose PHI for the purpose of providing direct health care, unless the individual has expressly restricted this sharing.

Agents manage PHI only on behalf of the HIC, not for their own purposes.

Sharing information: Circle of care

Under the circle of care, PHI may be shared between HICs (or their agents) for healthcare purposes without express consent. Disclosure is prohibited only if the individual (or substitute decision‑maker) has stated that their information must not be shared.

Responsibilities of HICs

HICs are responsible for:

  • Establishing privacy policies and standards.
  • Educating agents about PHIPA obligations.
  • Promoting a culture of privacy.
  • Ensuring third-party contracts include adequate PHI safeguards. 

Both HICs and agents must consistently:

  • Respect principles of consent, access, security, and privacy. 

What are the responsibilities of private practice dietitians who are HICs? 

Most dietitians in private practice are HICs. Responsibilities include:

  • Maintaining privacy and confidentiality of client health records.
  • Retaining and securely destroying records in accordance with the CDO’s Record Keeping Standard.
  • Establishing policies and plans for managing client health and financial records.
  • Including a plan in your will for who will manage client records in case of sudden incapacity or death.

Dietitians can refer to the Privacy Toolkit for a step-by-step guide to setting up privacy policies and practices. 

Special Situations

Fitness centres and grocery stores

Workplaces such as fitness centres and grocery stores are not usually HICs, as their primary purpose is not health care. While pharmacies may qualify, grocery and retail settings are generally governed by the Personal Information Protection and Electronic Documents Act (PIPEDA), the federal privacy law for commercial organizations. Dietitians working in these settings are often the HIC and may consider seeking legal advice.

Health care practitioners working for non‑HICs

A health care practitioner who has custody or control of PHI while working for a non‑HIC organization (for example, schools, sports teams, corporations) is themselves often considered a HIC and must comply with PHIPA.

Recipients vs. Agents

Recipients (for example, schools, employers, insurers, courts) are not agents because they do not manage PHI on the HIC’s behalf. Disclosure to recipients generally requires the client’s express consent unless otherwise permitted by law.

Lock‑box provisions

HICs must apply the lock‑box when a client restricts the collection, use, or disclosure of part or all of their PHI. Agents may also be required to apply lock‑box restrictions in accordance with organizational policy.

Privacy breaches

In the event of a breach, the HIC must notify the affected individual as soon as possible. Agents must promptly report any suspected breach to the HIC or designated privacy officer.

Virtual Care

Dietitians providing virtual care services involving PHI outside Ontario and within Canada must comply with PHIPA and any applicable provincial and federal privacy legislation (PIPEDA). For virtual care services outside of Canada, dietitians may wish to seek legal advice on their privacy obligations in another jurisdiction.

Key Takeaways

Health Information Custodian (HIC):
A HIC is responsible for the custody, control, and protection of personal health information (PHI) under Ontario’s PHIPA.

Private practice dietitians are in most cases HICs:
Dietitians who provide health care independently and directly to clients in private practice are in most cases HICs and must fully comply with PHIPA. Dietitians who are contractors or work in interdisciplinary clinic settings as sole practitioners should seek guidance on whether they are considered HICs or agents of a HIC.

Agents act on behalf of a HIC:
Employees, students, volunteers, and third‑party service providers who access PHI for a HIC are often considered agents and must follow PHIPA and organizational privacy policies.

Implied consent applies to direct care:
HICs and their agents may rely on implied consent to collect, use, and disclose PHI for direct health care—unless a client restricts sharing.

Circle of care allows information sharing:
PHI may be shared between HICs (and their agents) for health‑care purposes without express consent unless a client has invoked restrictions. Dietitians who are agents should seek the policies of their organization prior to collecting, using, disclosing, retaining, or disposing of personal health information.

Lock‑box requests must be respected:
If a client limits how their PHI is shared, HICs (and sometimes agents) must enforce these restrictions.

Different roles = different responsibilities:
Dietitians’ obligations depend on whether they are acting as a HIC or as an agent of a HIC.

Non‑HIC workplaces matter:
Dietitians working for organizations that are not HICs (for example, schools, corporations, fitness centres) are usually HICs themselves under PHIPA.

Retail settings are usually not HICs:
Grocery and most retail stores are generally governed by PIPEDA, not PHIPA, because health care is not their primary purpose. If a dietitian works in these settings, they are generally the HIC.

Privacy breaches require immediate action:
HICs must notify affected individuals as soon as possible, and agents must report breaches to the HIC right away.

Assess your knowledge: Is the dietitian the HIC or agent?

Answer the following questions to assess your knowledge. For each situation listed below, indicate whether the dietitian is most likely a HIC or an agent.

Scenario 1

A dietitian directly employed by a school board to provide nutrition education to students. Is the dietitian acting as a HIC or an agent?

Correct answer: HIC

Scenario 2

A dietitian employed by a hospital to provide outpatient nutrition counselling. Is the dietitian acting as a HIC or an agent?

Correct answer: Agent 

Scenario 3

A dietitian employed by a professional sports team to develop individualized meal plans for the players. Is the dietitian acting as a HIC or an agent?

Correct answer: HIC 

Scenario 4

A dietitian providing nutrition care services to clients of a spa or fitness center. Is the dietitian acting as a HIC or an agent?

Correct answer: HIC

Scenario 5

A dietitian providing nutrition counselling to employees of a large corporation through their employee assistance program. Is the dietitian acting as a HIC or an agent?

Correct answer: HIC 

Scenario 6 

A dietitian providing nutrition care to residents of a long-term care home. Is the dietitian acting as a HIC or an agent?

Correct answer: This may depend. In most cases, a dietitian is an agent.

Resources

Office of the Information and Privacy Commissioner of Ontario:

Circle of Care
Lock-Box Fact Sheet

College Standards, Guidelines and other articles
College of Dietitians of Ontario. (2020). Privacy Toolkit.
College of Dietitians of Ontario. (2017). Record Keeping Standards and Guidelines.
College of Dietitians of Ontario. (2020). Privacy Breaches: Obligations for Dietitians.
College of Dietitians of Ontario. (2023). Virtual Care Standards and Guidelines. 

Legislation
Personal Health Information Protection Act, 2004, S.O. 2004, c. 3, Sched.
Personal Information Protection and Electronic Documents Act (S.C. 2000, c.5)

