PHIPA compliance for custodians and health-tech vendors.
Ontario's Personal Health Information Protection Act is one of the most prescriptive privacy regimes in Canada. We help health information custodians and the vendors that serve them build PHIPA programs that pass IPC scrutiny, without grinding clinical or product operations to a halt.
- Org fines up to: $1,000,000
- Breach reporting: Mandatory to IPC
- Scope: Custodians + agents
What PHIPA actually requires
PHIPA governs the collection, use, and disclosure of personal health information by health information custodians in Ontario. The core obligations: knowledgeable consent (express for most disclosures, implied within the circle of care), a designated contact person, written information practices, safeguards proportionate to sensitivity, individual access and correction rights, retention discipline, audit logging of all access to electronic records, and mandatory breach reporting in defined cases.
Agents, including electronic service providers and health-tech vendors, can only handle PHI on the custodian's behalf under a written agreement that flows down PHIPA-equivalent obligations. The custodian remains accountable.
Where PHIPA programs typically fall short
- Audit logs that no one reviews. PHIPA requires logging access to electronic PHI and a process to detect and address unauthorized access. The IPC has issued orders specifically on this.
- Agent agreements missing PHIPA flow-downs. Vendor contracts that protect IP but not PHI, with no breach notification clause.
- Lock-box requests handled ad hoc. Individuals can restrict disclosure; the technical and procedural response needs to be designed in advance.
- Breach response without IPC criteria. Custodians unsure when reporting is mandatory versus discretionary.
- Health-tech products designed without PHIPA in mind. Data flows, retention defaults, and analytics features that create custodian liability after deployment.
How we work with health-tech vendors
For vendors building products used by Ontario custodians, PHIPA compliance is a sales requirement. Hospital procurement asks specific questions: data residency, encryption standards, audit logging, breach notification SLAs, sub-processor controls, agent agreement terms, and proof of staff training.
We help vendors prepare a PHIPA-ready posture: privacy and security documentation, a defensible agent agreement template, technical controls mapped to IPC expectations, and the artefacts custodian procurement teams ask for.
PHIPA and AI in healthcare
AI tools (clinical decision support, ambient scribes, triage chatbots) touch PHI by design. We pair PHIPA reviews with AI governance work (ISO/IEC 42001, NIST AI RMF) so model documentation, bias monitoring, and human-oversight controls are built into the privacy program from day one.
Common questions
- Who is subject to PHIPA?
- Ontario's Personal Health Information Protection Act applies to health information custodians (hospitals, physicians, pharmacies, long-term care homes, community care providers, labs, and most other regulated health providers) and to their agents and electronic service providers. Health-tech vendors handling PHI on behalf of a custodian inherit obligations through their contracts.
- What are the penalties under PHIPA?
- Individuals face fines up to $200,000 and/or one year imprisonment; organizations face fines up to $1,000,000. The Information and Privacy Commissioner of Ontario (IPC) investigates and orders corrective action. Mandatory breach reporting to the IPC and to affected individuals applies in defined circumstances.
- Do we need to report breaches to the IPC?
- Yes, in defined cases: theft or loss of PHI, unauthorized use or disclosure, further unauthorized use, pattern of similar breaches, disciplinary action against an agent, or a significant breach by scale or sensitivity. The IPC also requires an annual statistical report on breaches.
- How does PHIPA interact with PIPEDA?
- Ontario's PHIPA has been declared substantially similar to PIPEDA for health information handled by custodians within Ontario. PIPEDA still applies to commercial activities outside the custodian relationship and to interprovincial data flows. Most Ontario health-tech vendors design their programs to satisfy both.
- What about other provinces?
- Each province has its own health privacy law: HIA in Alberta, PHIA in Manitoba and New Brunswick, the Health Information Act in Nova Scotia, and so on. Quebec health information is governed by the Act respecting health and social services information. We tailor programs to the provinces you operate in.
Your next enterprise contract is waiting on this.
- Flat fee, total cost known up front
- Canadian data residency available on paid engagements