Privacy and security

CIHI is committed to protecting the privacy of Canadians and ensuring the security of their personal health information. The personal health information collected by CIHI is governed by CIHI’s Privacy Policy on the Collection, Use, Disclosure and Retention of Personal Health Information and De-Identified Data, 2010 (PDF).

Find out more about our Terms of Use, including the Website Privacy Notice.

Collection, use and disclosure

CIHI is a secondary data collector of health information. Data obtained from hospitals and other health care facilities, long-term care homes, regional health authorities, medical practitioners and governments is disclosed to CIHI under the authority of jurisdictional privacy or health information legislation and is subject to related data-sharing agreements.

CIHI uses health information to conduct analyses on Canada’s health systems and the health of Canadians in a manner consistent with its mandate and core functions, specifically to deliver comparable and actionable information to accelerate improvements in health care, health system performance and population health across the continuum of care. Generally, CIHI uses de-identified record-level data for analytical purposes. Data sets used for internal CIHI analysis purposes do not contain names or direct identifiers, such as health care numbers, dates of birth and full postal codes.

CIHI’s disclosures of health information are made at the highest degree of anonymity possible while still meeting the research and/or analytical purposes. CIHI publicly releases aggregated data in a manner designed to minimize any risk of re-identification and residual disclosure.

Generally, data disclosed to third parties for research purposes is in the form of de-identified record-level data or aggregate data. Data requestors are required to enter into a non-disclosure/confidentiality agreement with CIHI. The agreement establishes privacy and security controls that must be met by the recipient organization.

CIHI does not disclose personal health information except under the following limited circumstances and where the recipients have entered into a data protection agreement or other legally binding instrument(s) with CIHI:

  • The recipient has obtained the consent of the individuals concerned; or
  • The recipient is a prescribed entity under Section 45 of Ontario’s Personal Health Information Protection Act, 2004 (PHIPA) for the purpose of analysis or compiling statistical information with respect to the management of, evaluation or monitoring of, allocation of resources to or planning for all or part of the health system, including the delivery of services, provided the requirements of PHIPA and CIHI’s internal requirements are met; or
  • The recipient is a prescribed person under Subsection 13(1) O.Reg.329/04 of Ontario’s PHIPA for the purposes of facilitating or improving the provision of health care, provided the requirements of PHIPA and CIHI’s internal requirements are met; or
  • The disclosure is otherwise authorized by law; or
  • The disclosure is required by law.

Find out more about CIHI, our data holdings and the reports we publish.

Privacy questions, concerns or complaints

Chief Privacy Officer
Canadian Institute for Health Information
495 Richmond Road, Suite 600
Ottawa, Ontario  K2A 4H6

613-694-6526
privacy@cihi.ca
Fax: 613-241-8120

An individual may also direct complaints to the privacy commissioner of the jurisdiction in which they reside.

Individuals may also direct complaints regarding CIHI’s compliance with Ontario’s PHIPA and its regulation to the Information and Privacy Commissioner of Ontario:

Information and Privacy Commissioner of Ontario
2 Bloor Street East, Suite 1400
Toronto, Ontario  M4W 1A8

416-326-3333
Toll-free (in Ontario): 1-800-387-0073
Fax: 416-325-9195
info@ipc.on.ca
www.ipc.on.ca

CIHI’s Privacy Program

Our comprehensive Privacy Program ensures the confidentiality and security of our Canadian health care data holdings. Part of this program is a set of governing privacy and security policies. These policies set out how we collect, store, analyze and disseminate data on Canada’s health care systems. Our program also includes

  • A Privacy and Legal Services department committed to developing a culture of privacy at CIHI
  • An active Privacy, Confidentiality and Security Committee that includes representation from across the organization
  • A chief privacy advisor, who provides advice and counsel on privacy matters
  • A Governance and Privacy Committee of the Board of Directors
  • Mandatory privacy and security training to keep Canadian health care information protection matters front and centre

CIHI adheres to all applicable privacy legislation, including Ontario’s PHIPA. We are a prescribed entity for the purposes of Section 45(1) of the act, which also applies to health information custodians in Ontario, such as the Ministry of Health, hospitals and physicians. These entities can disclose personal health information to us without patient consent for the purposes of analysis and compiling statistical information for the management of the health system. This designation and the strict responsibilities that come with it also assure our data partners across the country that

  • Our privacy policies, based on the 10 privacy principles of the Canadian Standards Association’s Model Code for the Protection of Personal Information, and security policies comply with the highest standards
  • Our overall information management practices safeguard the important and sensitive information with which we are trusted

The Information and Privacy Commissioner of Ontario (IPC/ON) reviews our practices and procedures every 3 years. Our privacy policies, practices and procedures were approved by the commissioner first in 2005 and every 3 years thereafter. Documentation related to the 2023 review and approval of CIHI is publicly available on the IPC/ON’s website.

CIHI’s Information Security Program

Our comprehensive Information Security Program is dedicated to protecting the privacy of Canadians by ensuring the confidentiality, integrity and availability of our health care information. The physical, technical and administrative safeguards implemented by CIHI follow or exceed industry standards and are designed to protect personal health information against theft, loss and unauthorized use or disclosure and to protect records of personal health information against unauthorized copying, modification or disposal.

CIHI maintains the International Organization for Standardization (ISO) 27001 certification of its Information Security Management System. This certification clearly demonstrates our commitment to protect the personal health information that we maintain, and to continuously improve our information security position. It is an important part of our overall privacy and security programs and provides both our stakeholders and the public with the assurance that we treat data protection seriously. Our program also includes the following components:

  • Information security risk management 
  • Information Security Audit Program
  • A comprehensive suite of policies, procedures and standards designed to protect the confidentiality, integrity and availability of our information 
  • Privacy and Security Incident Management Program
  • Staff training and awareness

Security questions or concerns

Chief Information Security Officer
Canadian Institute for Health Information
4110 Yonge Street, Suite 300
Toronto, Ontario  M2P 2B7

416-481-2002
security@cihi.ca
Fax: 416-481-8120

Privacy impact assessments

Privacy impact assessments (PIAs) evaluate and address the privacy impacts of programs and systems. CIHI is committed to completing PIAs on all its data holdings:
