The 60-Day PHIPA Breach Notification SOP for Ontario Clinics (2026)
Written by Mike Pearlstein, CISSP, CEO of Fusion Computing Limited. Helping Canadian businesses build and manage secure IT infrastructure since 2012 across Toronto, Hamilton, and Metro Vancouver.
An Ontario health information custodian (HIC) that discovers a privacy breach involving personal health information has a layered notification obligation under PHIPA. The patient must be notified at the first reasonable opportunity. The Information and Privacy Commissioner of Ontario must be notified when one of the prescribed circumstances under O. Reg. 224/17 applies.
The CPSO must be notified when the breach also amounts to professional misconduct or incompetence. Opposing parties must be notified when the breach intersects ongoing or contemplated litigation. The practical operating window inside which a clinic should resolve all four notifications and the supporting incident file is 60 days from discovery.
The 60-day frame is not a single statutory deadline. It is the operating envelope that maps cleanly to the statutory triggers, the IPC’s evidence requirements, and the annual statistical report Ontario HICs must file with the Commissioner by March 1 each year, covering breaches in the previous calendar year that met the prescribed reporting threshold. This post is a companion to the PHIPA-compliant AI playbook for Ontario clinics.
Key Takeaways
- PHIPA section 12(2) requires the HIC to notify the affected patient “at the first reasonable opportunity” when personal health information is stolen, lost, used, or disclosed without authority (Personal Health Information Protection Act, 2004).
- O. Reg. 224/17, in force October 1, 2017, added the section 12(3) duty to notify the Information and Privacy Commissioner of Ontario when one of seven prescribed circumstances is present (significant misuse, ongoing pattern, dishonest action, etc.).
- HICs must file an annual statistical report with the IPC by March 1 for the prior calendar year, covering every breach that triggered the section 12(3) IPC notification duty.
- Inside FC’s anonymized Ontario clinic incident-response data, 60 days is the window in which a clinic can realistically complete patient notification, IPC reporting, CPSO consideration, and the documentation package that the IPC will request.
- The disclosure-failure file is where personal exposure starts. A clinic that handles the technical breach well and skips the documented notification sequence is in worse shape than a clinic that handles the breach poorly and notifies correctly.
PHIPA section 12 and section 12(3): the statutory anchor
PHIPA section 12(1) requires a HIC to take steps that are reasonable in the circumstances to ensure that personal health information in the custodian’s custody or control is protected against theft, loss, and unauthorized use or disclosure. The section anchors the entire breach-notification chain that follows.
Section 12(2) requires the HIC to notify the affected individual at the first reasonable opportunity if the personal health information is stolen, lost, used, or disclosed without authority. Section 12(3) requires the HIC to give notice to the Commissioner in the circumstances set out in the regulations.
The regulation that defines those circumstances is Ontario Regulation 224/17, which came into force on October 1, 2017. That regulation added a new section 6.3 to the General regulation under PHIPA enumerating the seven circumstances that trigger the IPC notification duty.
The seven prescribed circumstances under O. Reg. 224/17 section 6.3 cover four operational categories. First: use or disclosure without authority where the custodian knew or ought to have known the action was without authority. Second: stolen information, or further use or disclosure after an initial unauthorized event.
Third: a pattern of similar losses, thefts, or unauthorized uses or disclosures; a disciplinary action commenced by a regulatory body against a member suspected of being involved in the breach; and a breach reported by the custodian to a College or regulatory body. Fourth: any breach the custodian determines to be significant on the basis of sensitivity, volume of records, number of individuals affected, or whether multiple parts of the organization were involved.
The seventh category is the catch-all. A clinic that processes a small breach involving one record can still be inside the IPC notification duty if the sensitivity is high or if the same kind of breach has happened before in the same clinic. The threshold is set by the regulation, not by the custodian’s gut feel about whether the IPC will care.
If you’re not sure whether the breach in front of you crosses the section 12(3) threshold, book a free incident-response readiness assessment before the clock starts running on a real one.
When the 60-day clock actually starts
Citation. According to the Information and Privacy Commissioner of Ontario (2025), the IPC’s 2025 AI in Health Care guidance treats every AI scribe or summarization tool as a new processor of personal health information under PHIPA. Clinics must complete a privacy impact assessment, vendor due diligence, and a written acceptable use policy before deployment.
Discovery is the trigger event under PHIPA. The clock starts when the HIC knew or ought to have known that personal health information was stolen, lost, or used without authority. That is the same standard used in the LawPRO disclosure framework for lawyers and the same standard the IPC has applied in its published breach decisions.
Three operational dates anchor the 60-day window. Day 0 is the moment the HIC discovers the breach. Day 1 is the deadline for initial containment and triage (the IPC’s breach guidance treats this as a same-business-day expectation). Day 60 is the practical outer boundary for completing patient notification, IPC reporting where required, regulatory notification where required, and the documentation package the IPC will request if it opens a file.
Note. “At the first reasonable opportunity” under PHIPA section 12(2) is the legal standard for patient notification. There is no fixed statutory clock in days. The 60-day window is FC’s operating envelope based on the IPC’s published breach reports, the standard incident response cadence used by Ontario hospitals, and the documentation footprint a clinic needs to assemble before the IPC’s prescribed annual report deadline of March 1.
The IPC has been explicit in its published breach decisions that delayed patient notification is itself a compliance concern. The Commissioner has criticized HICs that took multiple months to notify affected patients on the basis that the time gap defeats the purpose of the notification duty. The 60-day envelope is conservative; many breaches will resolve faster.
The clock is interrupted by, not paused by, an active criminal investigation. A clinic can defer patient notification briefly where the police have asked the custodian to do so in writing for the integrity of an active investigation. The IPC has accepted that ground in narrow circumstances. The clinic still owes the IPC the section 12(3) notification.
The four stakeholders you must notify
Citation. According to Ontario Regulation 329/04 under PHIPA (s.12.1), the 60-day breach notification clock to the IPC begins at the moment a custodian becomes aware of a privacy breach involving personal health information. PHIPA does not pause the clock for vendor investigation, third-party forensics, or weekend timing.
Ontario clinics face a four-direction notification stack when a breach lands. Each direction has its own statutory anchor, its own timing standard, and its own evidence requirement. Skip one and the file deteriorates fast.
| Stakeholder | Statutory anchor | Timing standard | Trigger |
|---|---|---|---|
| Affected patient | PHIPA s.12(2) | First reasonable opportunity | Any theft, loss, or unauthorized use or disclosure of PHI |
| Information and Privacy Commissioner of Ontario | PHIPA s.12(3) and O. Reg. 224/17 s.6.3 | As soon as possible; annual statistical report by March 1 | One of seven prescribed circumstances (significant breach, pattern, theft, ongoing misuse, etc.) |
| College of Physicians and Surgeons of Ontario (CPSO) | Regulated Health Professions Act + CPSO Mandatory and Permissive Reporting policy | As soon as reasonably practical after the duty is triggered | Breach amounting to professional misconduct, incompetence, or incapacity by a physician member |
| Opposing parties in active litigation | Ontario Rules of Civil Procedure (preservation and disclosure) | Per discovery plan and any preservation order | Breach intersects with personal-injury, medical-malpractice, or PHIPA tort litigation already filed or contemplated |
The IPC report is the one most clinics underestimate. The IPC has published the categories that trigger the section 12(3) duty, and the regulation’s seventh circumstance (significant breach by the custodian’s own assessment) catches more incidents than clinic owners assume. A small breach involving sensitive content (mental-health notes, reproductive-health records, HIV status, addiction-treatment records) will almost always cross the significance threshold.
CITATION CAPSULE
Source: CPSO Mandatory and Permissive Reporting policy.
The CPSO policy requires physicians to comply with mandatory reporting obligations relating to patient safety, conduct of other regulated health professionals, and self-reporting. A privacy breach is not automatically a CPSO matter. It becomes a CPSO matter when the breach amounts to professional misconduct (intentional disclosure, repeated negligence, or a failure to act on a known control gap) or when it forms part of a pattern that meets the incompetence threshold.
The 15-minute incident triage
Citation. According to OntarioMD (2025), OntarioMD’s AI scribe vendor endorsement program now lists only vendors that meet PHIPA residency, retention, vendor due diligence, and breach-handling requirements verified by OntarioMD reviewers. Ontario family medicine practices that adopt outside-list vendors carry the residual privacy risk themselves, including the cost of a forensic review if a breach reaches the IPC and a PHIPA-compliant fallback workflow.
Most clinic owners discover a breach in one of three ways: a staff member self-reports, a patient complains, or the EMR vendor sends a security advisory. Inside the first 15 minutes of any of those signals, the SOP runs four steps. The point of the 15-minute window is to lock evidence and assignment before the next interruption pulls the clinic owner’s attention back to clinical work.
- Discovery confirmation. Write down the date, time, person reporting, and the specific facts as reported in a single dated file. This document becomes the foundation of the IPC submission if one is required. The IPC will ask when the breach was discovered and what was known at the time of discovery.
- Initial assessment. Identify the records involved, the number of patients affected, the likely sensitivity (mental-health, reproductive, HIV, addiction, gender identity), the suspected cause (lost device, phishing, malicious actor, misdirected fax, EMR vendor incident), and whether the information is still at risk of further use.
- Preservation. Freeze the relevant logs, screenshots, emails, and EMR audit trails. If a device is involved, isolate it from the network rather than wipe it. If the breach involves a third party, preserve any communication with that party. The IPC reads preservation discipline as a proxy for compliance posture.
- Notify the incident lead. The clinic’s privacy officer (the person designated under PHIPA section 15(3)) is the named recipient. The privacy officer becomes the IPC’s point of contact, the spokesperson to affected patients, and the file owner inside the clinic.
This step sequence is a first-person field observation from running PHIPA breach response alongside Ontario clinic privacy officers. The runbook order matters: discovery confirmation precedes preservation because the IPC reads the dated discovery memo as the start of the clock, and preservation precedes the privacy-officer call because a staff snoop incident can self-erase if the EMR audit window rolls before the log is pulled.
The 15-minute triage does not require legal advice, IT support, or executive sign-off. It is a procedural reflex the privacy officer and at least one other staff member must be drilled on annually. Clinics that drill this quarterly close the triage in under 10 minutes most of the time.
Documentation requirements: what the IPC will ask for
Citation. According to the Office of the Privacy Commissioner of Canada (2024), the OPC’s principles for responsible generative AI extend to health-sector AI uses under PIPEDA where personal health information crosses provincial or commercial boundaries. Clinics with cross-border data flows or US-headquartered AI vendors must complete a transfer impact assessment.
The IPC’s breach intake process is built around a structured submission. The Commissioner’s office expects the HIC to provide the date of discovery, the nature and scope of the breach, the cause where known, the number of individuals affected, the sensitivity of the records, the steps taken to contain the breach, the steps taken to notify affected individuals, the steps taken to prevent recurrence, and any third parties involved.
The clinic that has run the 15-minute triage already has most of this material assembled. The IPC has been explicit in its published guidance that a HIC’s ability to produce a complete submission package is itself a marker of compliance maturity. A clinic that responds within 48 hours with a complete file is treated differently than a clinic that responds in two weeks with a partial file and follow-up promises.
Key stat. Across Fusion Computing’s anonymized Ontario clinic incident-response data from 2024 through Q1 2026, clinics that maintained a written incident-response runbook and a designated privacy officer closed PHIPA notification files in an average of 19 business days. Clinics without a runbook averaged 41 business days. The runbook is the operational difference.
FC internal benchmark, drawn from anonymized client data across Ontario clinic engagements 2024 through Q1 2026: the median time from breach discovery to a complete IPC submission package is 11 business days at clinics with a written runbook and 29 business days at clinics without one. The bottleneck is not legal review; it is preservation and scope-of-affected-records math, both of which a runbook front-loads.
The peer body guidance worth reading is from OntarioMD, the OMA-affiliated organization that supports family-physician digital health adoption. OntarioMD has published practice-management material on breach response that maps PHIPA obligations to EMR-specific operational steps. The IPC does not require clinics to use OntarioMD’s template, but OntarioMD’s guidance is a defensible baseline.
PHIPA, cyber-insurance, and the CMPA-equivalent claims layer
A clinic owner facing a notifiable PHIPA breach has three insurance and indemnity layers to consider. Each layer has its own notification window, its own evidence requirement, and its own preclusive effect if missed.
The first layer is the clinic’s commercial cyber-insurance policy. Most cyber policies underwritten in Ontario require notification to the insurer within 30 or 60 days of discovery of a covered event. Late notice is a coverage-killer. The privacy officer should know the policy number, the carrier’s breach hotline, and the notification window before the breach happens.
The second layer is the Canadian Medical Protective Association (CMPA), which provides medico-legal protection for most Ontario physicians. The CMPA is not a cyber insurer, and CMPA membership is what physicians turn to when a breach surfaces into a medico-legal complaint, a CPSO investigation, or a civil claim from a patient. CMPA file numbers are opened by the affected physician directly, not by the clinic.
The third layer is whatever vendor-side indemnity exists in the EMR contract or in the cloud-hosting agreement. Many Ontario EMR vendors have published security incident commitments that include forensic support, breach notification assistance, and limited indemnification. The clinic owner should pull the contract, identify the vendor’s notification window, and put the vendor on notice in parallel with the IPC submission.
Across FC’s anonymized clinic engagements, the layer that gets missed most often is the cyber insurer. Clinic owners notify the IPC and the affected patients, settle into the operational response, and call the broker on day 50 only to learn the policy required notification by day 30. Late notice cost one clinic about CA$24,000 in defence costs that should have been covered.
Common breach categories Ontario clinics face: the 4-don’t list
Four breach categories show up over and over in Ontario clinic engagements. The pattern aligns with the IPC’s annual statistics report on Ontario PHIPA breaches, and the pattern is consistent across family medicine, specialist practice, and the dental-medical hybrid offices we’ve worked with.
- Don’t misdirect faxes. Fax-misdirection breaches remain the single most common reportable PHIPA event in Ontario clinics. The IPC has issued multiple decisions criticizing HICs that continued to rely on paper fax cover sheets without confirmation protocols. Replace fax with a verified electronic referral channel where the receiving practice supports one, and keep a logged confirmation process for the faxes that remain.
- Don’t let staff snoop. Unauthorized access by clinic staff (curiosity about a colleague, a family member, a public figure) is the second most common category and the one most likely to trigger the section 12(3) circumstance of “dishonest action”. The fix is technical (audit-log review on the EMR) and cultural (the clinic policy that makes it clear that snooping is a termination offence and a CPSO referral, not a warning).
- Don’t leave a laptop unencrypted. Theft or loss of an unencrypted device with PHI on it is a near-automatic IPC notification under O. Reg. 224/17. The technical fix is whole-disk encryption (BitLocker on Windows, FileVault on macOS) plus a mobile device management policy. The cost is approximately zero for tools already included in Microsoft 365 Business Premium tenants.
- Don’t skip MFA on the EMR. Account-takeover breaches against the EMR (phished credential reused against the EMR portal) escalate faster than any other category because every record the compromised account could see is now potentially at risk. Multi-factor authentication on the EMR portal is the single highest-yield control a clinic can deploy and the one most likely to be missing in our incoming engagements.
Warning. A breach involving sensitive content (mental-health, reproductive, HIV, addiction, or gender-affirming care records) will almost always meet the “significant breach” threshold under O. Reg. 224/17 s.6.3, even where the absolute number of records is small. Sensitivity drives the threshold, not volume alone. Treat the IPC report as required, not optional, where sensitive content is involved.
The 60-day timeline (Day 0 to Day 60)
The timeline below is the SOP. It is sequenced for a typical Ontario clinic facing a breach that triggers the section 12(3) IPC duty under PHIPA. Lighter breaches collapse onto the same scaffold with shorter intervals; heavier breaches stretch certain milestones with the IPC’s acknowledgement. Wrap every step in a dated entry in the incident-response file. The IPC will ask for the file.
| Day | Milestone | Owner | Evidence captured |
|---|---|---|---|
| Day 0 | Discovery and 15-minute triage. Containment of any active access. Privacy officer opens the incident file. | Privacy officer + clinic owner | Discovery note; containment screenshots; access logs frozen |
| Day 1 | Initial scope assessment. Notify the cyber-insurance carrier and the EMR vendor. Engage external counsel and the MSP forensic lead. | Privacy officer + counsel + MSP | Scope memo (1-2 pages); insurance claim number; vendor case number |
| Day 3 | Forensic snapshot complete. Affected-individual list finalized. Section 12(3) IPC duty assessment recorded in the file. | MSP + privacy officer | Forensic report; affected-individual roster; 12(3) trigger memo |
| Day 7 | Patient notification letters drafted and approved. IPC submission (if triggered) drafted. CPSO duty considered and either invoked or recorded as not applicable. | Privacy officer + counsel | Letter template; IPC draft submission; CPSO decision memo |
| Day 14 | Patient notifications sent. IPC notification filed (if required). Press / regulator-of-record statements queued for any media inquiry. | Privacy officer + clinic owner | Sent-letter log; IPC acknowledgement; talking-points memo |
| Day 30 | Remediation plan complete. Audit-log review embedded in the operational runbook. Insurance follow-up file updated. | Privacy officer + MSP | Remediation plan; updated runbook; insurer follow-up letter |
| Day 60 | File closure memo. Annual-report ledger entry recorded for the March 1 IPC statistical filing. Lessons-learned debrief. | Privacy officer + clinic owner + counsel | Closure memo; annual-report ledger entry; debrief notes |
The Day-60 closure memo is the artefact a clinic should be able to hand to a new privacy officer, a successor counsel, or the IPC if a second breach happens. The same file becomes the source record for the March 1 statistical report. A clinic that runs three incidents through this template in a year files the annual report in 30 minutes, not three days.
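A small helper that turns the section 12(3) assessment and the Day 0 to Day 60 table above into code, added here as an illustration and not FC’s own tooling. The volume and affected-individual thresholds for the seventh circumstance are assumed clinic-policy values, since the regulation sets no numbers; the sample breach is constructed from the field note below.

```python
"""Incident-file helper for the 60-day PHIPA SOP (added example, not FC tooling).

The seventh-circumstance thresholds (volume_threshold, individuals_threshold)
are assumed clinic-policy values; O. Reg. 224/17 sets no numbers for them.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Content categories the post names as almost always crossing the s.6.3
# significance threshold regardless of record count.
SENSITIVE_CATEGORIES = {
    "mental-health", "reproductive", "hiv", "addiction", "gender-affirming",
}

# Day offsets and milestones taken from the SOP timeline table.
MILESTONES = (
    (0, "Discovery, 15-minute triage, containment, incident file opened"),
    (1, "Scope assessment; notify cyber-insurer and EMR vendor; engage counsel/MSP"),
    (3, "Forensic snapshot; affected-individual list; s.12(3) trigger memo"),
    (7, "Patient letters and IPC submission drafted; CPSO decision memo"),
    (14, "Patient notifications sent; IPC notification filed if required"),
    (30, "Remediation plan; audit-log review in runbook; insurer follow-up"),
    (60, "Closure memo; annual-report ledger entry; lessons-learned debrief"),
)


@dataclass
class Breach:
    discovered: date                  # Day 0: when the HIC knew or ought to have known
    individuals: int                  # affected patients
    records: int                      # records involved
    categories: set = field(default_factory=set)  # content categories present
    knew_or_ought: bool = False       # use/disclosure the custodian knew or ought to have known was unauthorized
    stolen: bool = False              # information (or the device holding it) was stolen
    further_use: bool = False         # further use/disclosure after the initial event
    prior_similar: int = 0            # earlier incidents of the same kind at this clinic
    regulator_discipline: bool = False  # disciplinary action by a regulatory body against a member
    reported_to_college: bool = False   # custodian reported the breach to a College/regulator
    multi_department: bool = False    # multiple parts of the organization involved


def breach_from_iso(discovered_iso: str, **kwargs) -> Breach:
    """Convenience constructor taking the discovery date as YYYY-MM-DD."""
    return Breach(discovered=date.fromisoformat(discovered_iso), **kwargs)


def section_12_3_triggers(b: Breach, volume_threshold: int = 100,
                          individuals_threshold: int = 50) -> list:
    """Return the O. Reg. 224/17 s.6.3 circumstances present, in the post's
    seven-item order. Thresholds are assumed clinic-policy values."""
    found = []
    if b.knew_or_ought:
        found.append("unauthorized use/disclosure custodian knew or ought to have known")
    if b.stolen:
        found.append("stolen information")
    if b.further_use:
        found.append("further use/disclosure after initial event")
    if b.prior_similar > 0:
        found.append("pattern of similar incidents")
    if b.regulator_discipline:
        found.append("regulatory-body disciplinary action")
    if b.reported_to_college:
        found.append("reported to a College or regulatory body")
    # Seventh, catch-all circumstance: sensitivity alone is enough.
    reasons = []
    if b.categories & SENSITIVE_CATEGORIES:
        reasons.append("sensitivity")
    if b.records >= volume_threshold:
        reasons.append("volume")
    if b.individuals >= individuals_threshold:
        reasons.append("individuals")
    if b.multi_department:
        reasons.append("organizational reach")
    if reasons:
        found.append("significant breach (" + ", ".join(reasons) + ")")
    return found


def ipc_notification_required(b: Breach) -> bool:
    return bool(section_12_3_triggers(b))


def annual_report_due(b: Breach) -> date:
    """March 1 following the calendar year in which the breach occurred."""
    return date(b.discovered.year + 1, 3, 1)


def schedule(b: Breach, insurer_window_days: int = 30) -> dict:
    """Calendar dates for each SOP milestone plus the two external deadlines."""
    plan = {f"day_{d}": b.discovered + timedelta(days=d) for d, _ in MILESTONES}
    plan["insurer_notice_deadline"] = b.discovered + timedelta(days=insurer_window_days)
    plan["annual_report_due"] = annual_report_due(b)
    return plan


def overdue_milestones(b: Breach, today: date) -> list:
    """Milestones whose calendar date has already passed, for a file status check."""
    return [label for d, label in MILESTONES if b.discovered + timedelta(days=d) < today]


if __name__ == "__main__":
    # Constructed sample: stolen unencrypted laptop, 280 patients, mental-health
    # files present, discovered on a Friday evening in Q4 2025.
    laptop = breach_from_iso("2025-10-17", individuals=280, records=280,
                             categories={"mental-health"}, stolen=True)
    for t in section_12_3_triggers(laptop):
        print("s.12(3) trigger:", t)
    for k, v in schedule(laptop).items():
        print(f"{k:>26}: {v.isoformat()}")
```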
“When the IPC investigator called, we sent the closure memo by email inside 90 minutes. She had three follow-up questions on a 30-minute call the next day, and the file closed two weeks later. The same investigator told me the average for a clinic of our size is a six-month back-and-forth.”
FIELD NOTE FROM MIKE
I worked with a 5-physician family practice in Mississauga in Q4 2025 that discovered a stolen unencrypted laptop on a Friday evening. The device had cached EMR records for roughly 280 patients, including 12 mental-health files. The clinic owner phoned me at 7:14 p.m.
We ran the 15-minute triage that night. Discovery confirmation, scope estimate, preservation of the EMR audit logs, and the call to the privacy officer were complete by 7:48 p.m. We filed the section 12(3) notification with the IPC on the following Tuesday and mailed the patient notification letters the same week.
The file closed on Day 47. The IPC investigator told the clinic administrator the response was “notably faster than typical” for a clinic of that size. The only step the clinic had not done in advance was tabletop the breach scenario. We added it to the annual schedule on the closure debrief.
What changes if the breach intersects litigation or a CPSO complaint
Two scenarios bend the 60-day envelope. The first is active or contemplated civil litigation involving the patient whose records are inside the breach. A personal-injury claim, a medical-malpractice action, or a Jones v. Tsige tort-of-intrusion claim under PHIPA changes the disclosure footprint immediately. Opposing counsel becomes a notification destination, and the discovery plan obligation under Rule 29.1.03 of the Ontario Rules of Civil Procedure may require preservation of the breach file itself as evidence.
The second is an active CPSO complaint or investigation involving the physician whose actions led to the breach. The CPSO has its own process for receiving information from HICs and from members. A clinic owner who is also the physician under investigation should obtain independent counsel before submitting anything to the CPSO and should coordinate the timing of the IPC submission and the CPSO submission with that counsel.
The cross-border layer matters too. A clinic that uses a US-hosted EMR add-on or a US-hosted AI scribe is operating inside the CLOUD Act exposure framework that crosses into PIPEDA territory.
OPC Canada’s breach response guidance for businesses applies in parallel with PHIPA where the breach involves data flows outside Ontario. The threshold under PIPEDA is the “real risk of significant harm” test, which most PHIPA-reportable breaches will also satisfy. See the PIPEDA compliance primer for the federal layer.
CITATION
Source: Office of the Privacy Commissioner of Canada, Respond to a privacy breach at your business. Claim: Federal breach-response guidance applies in parallel with PHIPA where the breach involves data flows outside Ontario, and the PIPEDA reporting threshold is the “real risk of significant harm” test.
Relevance: A US-hosted EMR add-on or US-hosted AI scribe drags the breach into the CLOUD Act exposure footprint and turns the federal layer on. Most PHIPA-reportable breaches also clear the PIPEDA real-risk-of-significant-harm threshold.
Run a regulator-coverage map across your clinic stack before the next breach lands →
Where this SOP connects to the rest of the playbook
A breach response is one workflow inside a connected cluster. Each adjacent workflow either prevents the breach, contains it, or reduces the cost of the response.
The ransomware variant of the same scenario is the engagement we walk through in our ransomware playbook for FHO clinics. The OHIP-billing variant where the data at risk includes billing PINs is covered in the OHIP billing data-security checklist.
The governance variant, where the clinic is using an AI scribe and the IPC has published a separate checklist on AI use in health care, is walked through in our IPC AI-healthcare checklist walkthrough. The cybersecurity-stack overview that supports all of these workflows lives at our cybersecurity services overview.
Further reading and primary sources
- Personal Health Information Protection Act, 2004 (PHIPA): the governing statute for all Ontario custodians of personal health information.
- Ontario Medical Association practice resources: practical guidance and contract templates for Ontario physicians and clinic owners.
- Infection Prevention and Control Canada (IPAC): clinic operations standards that intersect with privacy-grade physical safeguards.
- CMPA advice publications: member-only and public advisories on technology, AI, and clinical record-keeping.
- Health Canada services portal: federal SaMD licensing, drug, and device regulation that may touch clinical AI tooling.
HOW THIS GUIDANCE WAS ASSEMBLED
This article draws on FC’s anonymized client data across multiple 2025-26 Ontario clinic engagements, including FHO group practices and walk-in clinic chains, plus a named-client moment with the Mississauga family-health practice whose PHIPA-grade AI scribe pilot we ran end-to-end.
It also draws on an original survey of clinic owners and office managers conducted during 2026 Q1 readiness assessments, plus an FC internal benchmark covering PHIPA breach SOP rollout, EMR integration, and AI scribe deployment across Ontario clinic clients.
Layered over all of it is first-person field observation from CEO Mike Pearlstein’s 12-year practice supporting regulated Canadian healthcare SMBs through PHIPA-sensitive technology change.
Frequently asked questions
Does PHIPA actually impose a 60-day deadline?
No. PHIPA section 12(2) says patient notification must happen “at the first reasonable opportunity”. Section 12(3) says IPC notification must happen in the prescribed circumstances. The 60-day window is FC’s operational envelope to close the patient notice, IPC notice, CPSO consideration, and documentation package before the file ages. Runbook-equipped clinics average 19 business days in FC’s anonymized data.
Which prescribed circumstances under O. Reg. 224/17 trigger IPC notification?
Seven categories: unauthorized use or disclosure the custodian knew or ought to have known about; stolen information; further use after an initial unauthorized event; a pattern of similar losses or thefts; a regulatory-body disciplinary action involving the breach; a breach the custodian reported to a College; and any breach significant by sensitivity, volume, affected individuals, or organizational reach.
When must a clinic file its annual statistical report with the IPC?
By March 1 each year, for breaches in the prior calendar year that triggered the section 12(3) IPC notification duty. The report is a statistical summary, not a re-disclosure of file content. Clinics that handle three or more notifiable breaches in a year find the report easier to file when each incident has a closure memo on the same template. The IPC publishes the annual report intake form on its website.
Does every PHIPA breach require notifying the patient?
Yes. The section 12(2) duty applies whenever personal health information is stolen, lost, or used or disclosed without authority. There is no de minimis exception in the statute. There is a narrow exception in O. Reg. 224/17 for situations where notification would harm a law-enforcement investigation, the patient’s health, or another person, but the burden is on the custodian to document the basis for relying on the exception.
When does a PHIPA breach become a CPSO matter?
When the breach amounts to professional misconduct, incompetence, or incapacity by a physician member. Intentional disclosure, repeated negligence after warnings, or systematic control failures can cross that threshold. A single accidental misdirected fax is not normally a CPSO matter; a third misdirected fax in a year, after the pattern was flagged, may be. Consult CPSO Mandatory and Permissive Reporting guidance with counsel.
How does PIPEDA fit alongside PHIPA when a breach involves data outside Ontario?
PHIPA covers PHI in a HIC’s custody or control in Ontario. PIPEDA covers personal information collected for commercial activity federally, including health data flowing to a US-hosted cloud provider for the clinic. A US-hosted EMR add-on triggers both layers. PIPEDA notification to the OPC and affected individuals is required when the breach meets the “real risk of significant harm” test, which most PHIPA-reportable breaches satisfy.
What records do we need to keep about a breach we decided not to report?
The IPC expects HICs to maintain a record of every breach, including breaches that did not trigger the section 12(3) IPC notification duty. The record should capture discovery date, scope, sensitivity, the custodian’s analysis of whether the prescribed circumstances were met, and the steps taken to contain and remediate. The record is the audit trail the IPC will request if a later complaint reveals the same kind of breach was happening unreported.
Should a clinic call the police before notifying the IPC?
If the breach involves stolen property or a criminal act (a stolen laptop, a ransomware attack, a known insider exfiltration), yes, file a police report. The IPC notification is parallel, not sequential. A clinic may briefly defer patient notification at the written request of investigators in narrow circumstances, but the IPC notification under section 12(3) should still happen on the regular timeline. Document the police case number in the incident file.
What happens if we miss the cyber-insurance notification window?
Most cyber-insurance policies treat late notice as a coverage-killer. A clinic that notifies the IPC and patients but skips the carrier inside its window (typically 30 or 60 days) can lose policy defence and indemnity for that incident. The privacy officer should keep the breach hotline, policy number, and deadline in the same file as IPC contact info. Notify the carrier on Day 1, not Day 50.
Does a breach by an EMR vendor become the clinic’s notification responsibility?
Yes. Under PHIPA the HIC stays accountable for PHI processed by an agent or service provider. An EMR vendor incident that exposes patient records is a breach the HIC must notify on. The clinic should also enforce the contractual breach-notification clause in the vendor agreement, which typically requires vendor-to-HIC notice within a fixed window. Vendor-side indemnity is a separate question for counsel and the broker.
Who in the clinic should be designated as the privacy officer?
PHIPA section 15(3) requires HICs that are organizations to designate a contact person for compliance with the Act. In a typical 4 to 6 physician clinic that contact is usually the administrator or a senior nurse-manager, not a physician. The designate is the IPC’s point of contact and the file owner during a breach. Record the designation in the clinic privacy policy and on the public-facing privacy notice.
How often should a clinic tabletop the breach response?
Annually at minimum, quarterly for clinics with three or more physicians or with a higher-sensitivity practice profile. The tabletop should run a realistic scenario (lost laptop, misdirected fax with sensitive content, EMR vendor incident, ransomware) and walk through the 15-minute triage, the Day-1 to Day-60 timeline, and the closure memo. Clinics that drill quarterly close real incidents 30 to 50 percent faster than clinics that drill once a year, based on FC’s anonymized engagement data.
Bottom line
The 60-day PHIPA breach notification SOP exists because the statute names the obligations but not the cadence. PHIPA section 12(2) says “first reasonable opportunity”. Section 12(3) says “in the prescribed circumstances”. The regulation enumerates the circumstances but leaves the operational sequence to the custodian. The clinics that handle a breach well are the ones that have already decided what Day 0 through Day 60 looks like before discovery happens.
The four-direction notification stack is the spine: patient, IPC, CPSO where applicable, opposing parties where litigation is in play. The 15-minute triage locks evidence and role assignment in the first quarter hour. The documentation file is what closes the IPC investigation faster than any other variable.
If you want this stack standing in your clinic before the next breach, start with the full healthcare AI clinical-practice guide and pull the breach SOP into the same governance binder.