What Is PHIPA? Ontario's Health Privacy Law Explained
PHIPA — the Personal Health Information Protection Act — is Ontario's provincial law governing personal health information (PHI), which is stricter than federal PIPEDA in several key respects. PHIPA applies to "health information custodians" — physicians, hospitals, pharmacies, labs, dental offices, physiotherapy clinics, and their agents — operating in Ontario. It is administered by the Information and Privacy Commissioner of Ontario (IPC).
How PHIPA differs from PIPEDA
- 72-hour breach notification — PHIPA requires notification to the IPC within 72 hours of discovering a breach; PIPEDA has no specific timeframe ("without unreasonable delay")
- Health information custodians — PHIPA defines specific covered entities; PIPEDA applies broadly to any organization in commercial activity
- Stronger patient rights — patients can restrict access to their records even from their own health providers in certain circumstances
- Agent agreements — health information custodians must have written agreements with all "agents" (vendors, IT providers) handling PHI, specifying security requirements
- Retention — health records must be retained for a minimum of 10 years (or until age 18 for minors) vs. PIPEDA's purpose-based retention
What qualifies as personal health information under PHIPA?
Personal health information includes any information that identifies an individual and relates to:
- Physical or mental health conditions
- Health care provided (diagnosis, treatment, prescriptions)
- Payment for health care services
- Donation of body parts or substances
- Health card numbers
- Genetic information
72-hour breach notification requirement
When a health information custodian discovers a breach (unauthorized collection, use, disclosure, retention, or disposal of PHI), they must:
- Notify the IPC within 72 hours of discovering the breach
- Notify the affected individuals at the first reasonable opportunity
- Investigate, contain, and document the breach
- Take corrective action to prevent future breaches
The 72-hour clock starts when the organization discovers the breach, not when IT confirms its scope. Healthcare organizations should treat a suspected incident as a breach until the investigation determines otherwise.
PHIPA requirements for IT providers
IT providers (including MSPs like Outsource IT Canada) serving Ontario healthcare organizations must sign an "agent agreement" that specifies:
- Security controls the IT provider will implement to protect PHI
- Breach notification obligations from the IT provider to the healthcare organization
- Data handling and disposal procedures
- Subcontractor restrictions (who else the IT provider can share PHI with)
Common EMR systems and PHIPA compliance
Ontario healthcare organizations commonly use:
- OSCAR / OSCAR Pro (WELL Health) — open-source EMR; requires properly configured hosting with Canadian data residency
- Practice Fusion — US-hosted; requires careful PHIPA analysis for Ontario clinics
- Epic — enterprise EMR; used by Ontario hospital networks; Canadian data options available
- Accuro (QHR Technologies) — Canadian-built; strong PHIPA alignment
- Telus Health (Wolf, Med Access) — Canadian; PHIPA-focused feature set
Related glossary terms
- PIPEDA — Federal privacy law
- PIPA — Alberta and BC privacy laws
- BDR — Backup and Disaster Recovery
- MFA — Multi-Factor Authentication
- MDR — Managed Detection and Response
How Outsource IT Canada can help
- Managed IT Services — 24/7 monitoring and flat-rate IT support for Canadian businesses
- Cybersecurity Services — EDR, MDR, dark web monitoring, and incident response
- PIPEDA Compliance — privacy impact assessments and breach notification procedures
- Get a free assessment — call (416) 623-9677
Ready to transform your IT? Call (416) 623-9677 for a free assessment.