PHIPA Compliance Guide for Ontario Healthcare Providers

If you operate a healthcare practice in Ontario, you are almost certainly a health information custodian under the Personal Health Information Protection Act (PHIPA). This means you have specific, enforceable obligations around how you collect, use, store, and disclose your patients' personal health information.

What is PHIPA?

PHIPA is Ontario's health privacy law, governing the handling of personal health information (PHI) by health information custodians. It applies to a broad range of healthcare providers including physicians, dentists, pharmacists, nurses, chiropractors, physiotherapists, and their respective organizations.

Who is a Health Information Custodian?

A health information custodian is an entity that has custody or control of personal health information as a result of providing health care. This includes individual practitioners, hospitals, clinics, and health authorities.

Core PHIPA Obligations

As a health information custodian, your core obligations include collecting only the PHI you need, using PHI only for the purposes it was collected, obtaining consent before disclosing PHI (except in limited circumstances), implementing reasonable security measures to protect PHI, notifying individuals of privacy breaches that create a real risk of significant harm, and providing individuals access to their own health records.

Security Requirements Under PHIPA

PHIPA requires custodians to take steps that are reasonable in the circumstances to protect PHI against theft, loss, and unauthorized use, disclosure, copying, modification, or disposal. What is "reasonable" depends on the sensitivity of the information, the amount held, and the size of the organization — but electronic PHI generally requires encryption, access controls, and audit logging at minimum.

Data Residency Considerations

PHIPA requires custodians to enter into agreements with any agents who handle PHI on their behalf, and those agreements must ensure the same level of protection as PHIPA requires. Storing patient records on US cloud services without appropriate agreements — and without ensuring Canadian law governs the data — creates significant compliance risk.

Breach Notification Under PHIPA

Amendments to PHIPA that came into force in 2017 require custodians to notify the Information and Privacy Commissioner of Ontario and affected individuals of privacy breaches at the first reasonable opportunity. Breaches must be documented and records maintained.

Penalties for PHIPA Violations

PHIPA provides for administrative penalties and fines up to $100,000 for individuals and $500,000 for organizations. Serious violations can also result in professional discipline proceedings with your regulatory college.

SecureVault's Canadian-hosted, encrypted document platform helps Ontario healthcare providers meet their PHIPA obligations — with audit trails, access controls, breach notification procedures, and a Data Processing Agreement covering your compliance requirements.