What to do if a client requests record access (PHIPA s.52-54 walkthrough)

A client emails you on a Tuesday afternoon: “I’d like a copy of my file.” You know you have obligations. You know there’s a process. But the specifics are hazy, the timelines feel urgent, and you’re not sure what you can withhold or how to explain a refusal without damaging the therapeutic relationship.

This is one of the most common compliance moments in private practice, and one of the least rehearsed. PHIPA gives individuals a clear right to access their personal health information. It also gives custodians specific, bounded exceptions. The problem isn’t that the law is unclear. The problem is that most therapists have never walked through the process end to end before a request lands in their inbox.

This guide covers the access request process under Ontario’s PHIPA. Alberta (HIA), British Columbia (PIPA), and other provinces have comparable access rights provisions with different timelines and processes.

Specifically, we’ll walk through PHIPA s.52 (the right of access), the exceptions within s.52, the response process under s.54, and template letters you can adapt. The goal: a repeatable workflow so the next access request feels routine, not alarming.

PHIPA s.52: the right of access

Section 52(1) establishes the individual’s right to access their personal health information. If you are a health information custodian and you hold a record of someone’s PHI, that person has a right to see it.

Who can make the request?

Three categories of people can submit an access request under s.52:

1. The individual themselves.
2. A substitute decision maker. If the individual is incapable of managing their own health information (as determined under Ontario’s health consent legislation), their substitute decision maker can request access.
3. An authorized representative. Any person with written authorization from the individual.

Most requests come directly from the client. When they come from a third party, your first step is confirming the authorization is valid and current.

What can they access?

The individual can access their “record of personal health information” held by the custodian. This includes clinical notes, intake forms, assessment results, treatment plans, correspondence, billing records tied to their health services, and any other documentation that constitutes their health record. The scope is broad: if it’s about them and you hold it, it’s generally accessible under s.52.

Format of access

The individual can request copies or the opportunity to examine the original. Under s.54(1), if they request a copy, you must provide one. Section 52(1.1) further provides a right to access records in electronic format where prescribed. You can’t force a client to visit your office to read paper files if they’ve asked for a PDF and your records are digital.

Timeline

You have 30 days from the date you receive the request under s.54(2). This is a hard deadline, not a suggestion.

If you need more time, s.54(3) allows an extension of up to 30 additional days, but only if meeting the original deadline would “unreasonably interfere” with your operations or if you need time to consult before responding. The extension requires written notice to the individual explaining the reason for the delay and the new expected date. You can’t just let the deadline pass quietly.

Fees

Sections 54(10) and 54(11) permit a “reasonable cost recovery” fee for copies (printing, postage, preparation time), provided the custodian first gives the individual a fee estimate. The fee cannot be a barrier to access. The Information and Privacy Commissioner of Ontario (IPC) has been clear that fees must be modest and justified.

Most solo therapists don’t charge. The goodwill cost of invoicing a client for their own records usually outweighs the few dollars recovered. For a large file spanning years of treatment, a reasonable fee is defensible.

Exceptions to access under s.52

Section 52(1) establishes the right of access, subject to specific exceptions listed in its paragraphs (a) through (f). These are not broad discretionary powers. Each exception is narrow, and using one requires written justification.

Risk to life or safety: s.52(1)(e)

You can refuse access if providing the information “could reasonably be expected to result in a risk of serious harm to the treatment or recovery of the individual or a risk of serious bodily harm to the individual or another person.”

This is a high bar. You’re not refusing because the records contain difficult content or because the client might be upset. You’re refusing because disclosure would create a concrete risk of serious harm. If a client’s file contains a safety assessment noting active suicidal ideation and you believe providing certain details could trigger a crisis, this exception may apply. Discomfort, disagreement, or emotional difficulty don’t meet the threshold.

Document your reasoning. If the refusal is ever challenged at the IPC, you’ll need to show why you believed the risk was real and serious at the time of the decision.

Third party information: s.52(2)

If the record contains personal information about another individual that cannot be severed, you can refuse access to that portion.

In therapy, this comes up when session notes reference a client’s partner, parent, or child in ways that reveal that third party’s own private details. If you can sever (redact) the third party information and still provide the rest of the record, you must do that rather than refusing access entirely. Refusal is only justified when severing would render the record meaningless.

Psychotherapy notes

This is the section that matters most to therapists.

PHIPA distinguishes between the clinical record and raw psychotherapy notes. Your clinical record includes intake assessments, treatment plans, progress summaries, correspondence, and formal documentation. Psychotherapy notes are different: your personal clinical impressions, hypotheses, and process notes recorded during or after a session, written for your own clinical use rather than as part of the official health record.

Under s.52(1)(e), you can refuse access to psychotherapy notes if you have reasonable grounds to believe that providing access “is likely to result in a risk of serious harm to the treatment or recovery of the individual.” The threshold here is specifically about harm to treatment or recovery, not physical harm. PHIPA has no blanket psychotherapy notes exemption like US HIPAA. Instead, the general s.52(1)(e) “serious harm to treatment or recovery” exception is the mechanism therapists rely on for these records.

This exception exists because raw session notes often contain unfinished clinical thinking and provisional formulations that could be harmful if read without therapeutic context. A note like “client appears to be minimizing substance use, consider motivational interviewing approach” reads differently to a therapist than to a client.

Two important caveats. First, this exception applies to psychotherapy notes, not to the entire clinical record. You cannot use it to withhold treatment plans, progress notes, or discharge summaries. Second, if you refuse access to psychotherapy notes, you still need to provide everything else. The refusal is partial, not total.

What a refusal requires

Any refusal, whether full or partial, triggers two obligations under s.54:

1. Written reasons. You must explain to the individual why access is being refused and cite the specific section of PHIPA you’re relying on.
2. Complaint information. You must inform the individual of their right to file a complaint with the IPC and provide the IPC’s contact information.

Skipping either of these turns a defensible refusal into a procedural violation.

Step by step process for handling an access request

Print this, bookmark it, put it somewhere you can find it when the request arrives.

Step 1: acknowledge the request in writing (within 5 business days, recommended, not statutory)

Acknowledge receipt and set expectations about the timeline. This doesn’t mean you’ve completed the review or prepared the records.

Five business days isn’t a statutory requirement for the acknowledgment, but it’s a reasonable professional standard and shows the IPC (if the process is ever reviewed) that you took the request seriously from the start.

Step 2: verify the requester’s identity

If the request comes from a known client at their usual email address, verification is straightforward. If the request comes from a third party, ask for the written authorization and verify it. If it arrives by mail or from an unfamiliar address, take reasonable steps to confirm the person’s identity. You don’t need forensic level verification, just enough to satisfy yourself you’re not handing records to the wrong person.

Step 3: determine the scope

What records are they asking for? Everything? A specific time period? Only correspondence? Only assessment results?

If the request is vague (“I want my file”), respond with a clarifying question. This helps you prepare the right records and avoids disputes later about whether you provided everything.

Step 4: review records for s.52 exceptions

Go through the records with three questions:

• Does any portion contain third party information that can’t be severed? (s.52(2))
• Would disclosing any portion create a risk of serious harm to the individual or another person? (s.52(1)(e))
• Do any records qualify as psychotherapy notes where disclosure could harm treatment or recovery?

If the answer to all three is no, proceed to full disclosure. If any exception applies, document your reasoning in detail before proceeding.

Step 5: prepare the records

Make copies of everything within scope. If you need to sever third party information, redact it clearly (black out the text, don’t just highlight it). Organize chronologically and prepare an index if the file is large.

Match the format the client requested where reasonably possible: PDFs for electronic requests, printouts for paper requests.

Step 6: provide records within 30 days with a cover letter

Send the records with a cover letter that identifies what’s included, the time period covered, and the format. If nothing was withheld, say so explicitly. This prevents follow up questions about whether something was missed.

Step 7: if refusing any part, provide written reasons and IPC complaint information

If you’re withholding any records under s.52’s exceptions, the cover letter must include: which records are withheld, the specific PHIPA section you’re relying on, a general explanation of why the exception applies, and the IPC’s contact information for complaints.

If you need guidance on maintaining a proper record of this process for your audit trail, see our guide on how to create a manual audit log for client records in Google Workspace.

Template letters

These templates are starting points. Adjust them for your practice and the specifics of each request. They’re written so a client can read them without legal training.

Template 1: acknowledgment of access request

Dear [Client Name],

Thank you for your request to access your personal health information, received on [date]. I want to confirm that I’ve received your request and will begin reviewing your records.

Under the Personal Health Information Protection Act (PHIPA), I have 30 days from receipt of your request to provide access. I expect to have your records ready by [date, 30 days from receipt].

If I need to clarify the scope of your request or if any circumstances require additional time, I’ll contact you in writing.

If you have questions in the meantime, please don’t hesitate to reach out.

Sincerely, [Your Name] [Your Professional Designation] [Contact Information]

Template 2: providing full access

Dear [Client Name],

Further to your access request dated [date], please find enclosed a complete copy of your personal health information record held by this practice.

The enclosed records cover the period from [start date] to [end date] and include: [list record types, e.g., intake assessment, treatment plans, progress notes, correspondence].

No portions of your record have been withheld.

If you have questions about any of the enclosed records, I’m happy to discuss them with you. You may contact me at [phone/email].

Sincerely, [Your Name] [Your Professional Designation] [Contact Information]

Template 3: partial access with some records withheld

Dear [Client Name],

Further to your access request dated [date], please find enclosed your personal health information records for the period [start date] to [end date].

The following records have been provided in full: [list record types included].

The following records have been withheld [or partially redacted]: [describe what was withheld in general terms, e.g., “clinical process notes from sessions dated [dates]”].

This decision was made under section 52 of the Personal Health Information Protection Act (PHIPA). [Brief, non revealing explanation, e.g., “I have determined that disclosure of these particular records could reasonably be expected to result in a risk of serious harm to your treatment or recovery.”]

You have the right to make a complaint about this decision to the Information and Privacy Commissioner of Ontario:

Information and Privacy Commissioner of Ontario 2 Bloor Street East, Suite 1400 Toronto, ON M4W 1A8 Phone: 1-800-387-0073 Website: www.ipc.on.ca

If you would like to discuss this decision, I’m available to do so. Please contact me at [phone/email].

Sincerely, [Your Name] [Your Professional Designation] [Contact Information]

Template 4: extension notice

Dear [Client Name],

I’m writing regarding your access request dated [date]. I’ve begun reviewing your records but require additional time to complete the process.

Under section 54(3) of PHIPA, I’m extending the response period by [number] days. The reason for this extension is: [brief explanation, e.g., “the volume of records spanning [X years] of treatment requires additional time to review and prepare”].

I now expect to provide your records by [new date, no more than 60 days from original request].

I apologize for the delay and will provide your records as soon as they are ready. If you have questions, please contact me at [phone/email].

Sincerely, [Your Name] [Your Professional Designation] [Contact Information]

For more communication templates covering other PHIPA related scenarios (consent, breach notification, data handling), see our PHIPA compliant client communication templates.

Where Google Workspace fits into record access

When a client requests their records, you need to find everything. If your practice runs on Google Workspace, client information is scattered across Gmail, Drive, Calendar. Probably a few other places too.

Finding client records in Gmail

Gmail search operators make this manageable. To find all email correspondence with a specific client:

• from:client@email.com OR to:client@email.com returns every message sent to or received from that address
• "Client Name" (in quotes) catches emails where the client is mentioned but wasn’t the sender or recipient
• Add a date range: after:2024/01/01 before:2025/12/31 to match the scope of the request
• Combine them: (from:client@email.com OR to:client@email.com OR "Client Name") after:2024/01/01 before:2025/12/31

Export the results by selecting all matching messages and printing to PDF. For a deeper look at security settings affecting your email data, see our Google Workspace admin console security settings guide.

Finding client records in Drive and Calendar

Search Drive for the client’s name, case number, or shared folder names. Drive indexes document content, so a name search will surface Docs, Sheets, and PDFs that mention the client inside the file.

Calendar entries for therapy sessions contain PHI: client names, session types, sometimes brief notes. Search your calendar for the client’s name across the relevant date range. Google Calendar doesn’t have an export by search feature, so you may need to screenshot or manually document relevant entries.

For bulk export, Google Takeout downloads all your Google Workspace data (Gmail in MBOX format, Drive files, Calendar data). It exports everything, not just one client’s records, so you’ll need to filter afterward. It’s useful when the request covers a long time period.

Tracking your response

Log the access request in your audit trail: date received, scope, what you provided, what you withheld and why, and the date you responded. For guidance on setting up that log, see our guide on creating a manual audit log for client records.

What this guide doesn’t cover

This walkthrough handles the common scenario: a current or former client requests a copy of their records, you review the file, and you respond within 30 days with full or partial access.

There are situations where the process gets more complicated.

When a lawyer sends a records request (whether on behalf of the client or an opposing party), the rules around authorization, scope, and privilege get more complicated. Court orders and subpoenas are a different legal mechanism from s.52 access requests.

Child custody disputes. These raise questions about substitute decision makers, competing parental rights, and what constitutes the child’s best interests. They frequently involve competing claims from two parents, each asserting authority over the child’s records.

Couples and family therapy records add another layer. If you’ve done couples or family work, the records may contain intertwined information about multiple individuals. Each person’s s.52 right applies to their own information, but severing overlapping content can be difficult.

College complaints. If a client has filed (or is threatening to file) a complaint with the College of Registered Psychotherapists of Ontario (CRPO) or another regulatory college, the access request may be part of a broader dispute. The legal process doesn’t change, but the stakes increase.

For any of these situations, consult a health privacy lawyer before responding. The cost of a one hour consultation is small compared to the cost of an IPC complaint or college investigation triggered by a mishandled request. Since January 2024, the IPC can also impose administrative monetary penalties under PHIPA, adding financial consequences to what was previously a reputational risk.

Record keeping matters here too. You can’t provide complete access to records you can’t find. If this guide has exposed gaps in how you organize client records, addressing those gaps now will make every future request easier. Our guide on email retention policies for Ontario therapists covers the retention side, and our PHIPA email requirements guide covers the broader requirements for your email setup.

A note on the therapeutic relationship

Access requests sometimes feel adversarial. A client asking for their records can trigger anxiety about what’s in the file, whether the notes will be misunderstood, or whether the request signals a complaint is coming.

Most of the time, it’s none of those things. Clients request records because they’re switching providers, applying for disability benefits, or organizing their personal health information. The request is a right, not an accusation.

Responding promptly and without defensiveness strengthens the therapeutic relationship rather than straining it. Handle the process well and the access request becomes a non event. That’s the goal.

---

This guide is part of the Google Workspace for Canadian Therapists project. We run a private Facebook group where Canadian therapists on Google Workspace share compliance tips, templates, and admin console walkthroughs. Join the group.

---

This content is for informational purposes only and does not constitute legal advice. Privacy regulations vary by province and are subject to change. Verify current requirements with your provincial regulatory body.