PHIPA 60-Day Breach Notification SOP for Ontario Clinics: Free Download
Written by Mike Pearlstein, CISSP, CEO of Fusion Computing Limited. Helping Canadian businesses build and manage secure IT infrastructure since 2012 across Toronto, Hamilton, and Metro Vancouver.
This is the day-by-day Standard Operating Procedure that Ontario clinics use to run a PHIPA breach response on a fixed 60-day calendar instead of scrambling at day 55. PHIPA itself sets no 60-day deadline: the statutory test for notifying patients, and the IPC where the regulation requires it, is "at the first reasonable opportunity", and the 60 days is the SOP's outer bound for closing the file with evidence. It is a calendar-anchored playbook covering every required action from day zero (incident detection) to day 60 (Information and Privacy Commissioner of Ontario notification and Theft, Loss, Unauthorized Use or Disclosure report). The download is the SOP PDF, a calendar template, the patient notification letter template, and the IPC notification report template.
What’s in this download
- A day-by-day SOP covering days 0, 1, 7, 14, 30, 45, and 60 of the PHIPA breach response window, with named roles and required artifacts.
- A patient notification letter template anchored to the IPC of Ontario guidance and CPSO documentation expectations.
- The IPC of Ontario PHIPA breach notification report template, pre-filled for an Ontario family practice or specialty clinic.
- A calendar template for the clinic owner with required check-in dates, escalation triggers, and CMPA/CDSPI reporting cues.
How the SOP is built
The SOP is anchored to the Personal Health Information Protection Act, 2004 (PHIPA), as amended, the Information and Privacy Commissioner of Ontario's breach reporting framework, and the College of Physicians and Surgeons of Ontario's documentation expectations in CPSO Policy 3-12. The 60 days is neither a single deadline nor a grace period the Act grants: PHIPA section 12 requires notice at the first reasonable opportunity, and the 60-day calendar is the SOP's way of meeting that test with a documented timeline. It is a sequence: notify affected individuals at the first reasonable opportunity, notify the IPC where the prescribed circumstances in the regulation are met and file the IPC report by day 60, and produce internal documentation that proves the timeline and the decision-making.
The operational tools inside the document do four things. First, they break the 60 days into anchor days (day 0 detection, day 1 internal escalation, day 7 patient notification first wave, day 14 written patient notification, day 30 IPC pre-notification, day 45 IPC report draft, day 60 IPC report filed) with named clinic roles for each. Second, they give a complete patient notification letter that satisfies the patient-notice duty in PHIPA section 12(2), including the required statement that the patient is entitled to complain to the IPC, plus the IPC guidance on plain language. Third, they give the IPC report template pre-formatted for an Ontario clinic. Fourth, they wire in the CMPA notification and the CDSPI cyber rider notification so those happen on a defensible cadence.
The calendar template is the piece most clinics tell us they wish they had. It is an editable spreadsheet that takes a detection date and renders the seven anchor dates automatically, with email reminder triggers for the clinic owner and the practice manager. When a breach is discovered on a Friday afternoon and the clinic is closed Saturday, the calendar does not quietly push day 1 to Monday: the first reasonable opportunity test under PHIPA does not pause for the weekend, and the template flags it.
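The anchor-date logic described above, as an added example written for this page rather than the spreadsheet Fusion ships. It assumes one rule that the page describes only in outcome: because PHIPA's test is "first reasonable opportunity", an anchor that lands on a day the clinic is closed is pulled earlier to the last open day and is never pushed later (the weekend roll-forward you would get from a naive date formula is exactly the Friday-afternoon trap). The anchor offsets are the seven the page lists; the milestone wording, the default Monday-to-Friday opening rule, the three-day reminder lead and the sample dates are constructed for the example.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from typing import Iterable

# The seven anchor days named on this page (offsets from detection).
# Milestone wording is this example's paraphrase, not the SOP's text.
ANCHORS: tuple[tuple[int, str], ...] = (
    (0, "Detection: open the incident record and start the timeline log"),
    (1, "Internal escalation to the privacy officer and clinic owner"),
    (7, "Patient notification, first wave"),
    (14, "Written patient notification complete"),
    (30, "IPC of Ontario pre-notification"),
    (45, "IPC report draft"),
    (60, "IPC report filed"),
)


@dataclass(frozen=True)
class Anchor:
    day: int
    milestone: str
    target: date          # detection + day, before any adjustment
    due: date             # date the task must actually be done by
    remind_on: date       # reminder trigger for clinic owner / practice manager
    pulled_earlier: bool  # True when the target fell on a closed day


def is_open(d: date, closed_days: set[date]) -> bool:
    """Assumed opening rule: Monday to Friday, minus the clinic's own closure dates."""
    return d.weekday() < 5 and d not in closed_days


def build_schedule(
    detected: date,
    closed_days: Iterable[date] = (),
    reminder_lead_days: int = 3,
) -> list[Anchor]:
    """Render the seven anchor dates from a detection date.

    Rule (an assumption of this example, not a statutory formula): a deadline
    that lands on a closed day is pulled EARLIER to the last open day, never
    pushed later, because 'first reasonable opportunity' does not pause for a
    weekend. Nothing is pulled earlier than the detection date itself.
    """
    closed = set(closed_days)
    schedule: list[Anchor] = []
    for day, milestone in ANCHORS:
        target = detected + timedelta(days=day)
        due = target
        while due > detected and not is_open(due, closed):
            due -= timedelta(days=1)
        remind_on = max(detected, due - timedelta(days=reminder_lead_days))
        schedule.append(Anchor(day, milestone, target, due, remind_on, due != target))
    return schedule


def render(schedule: list[Anchor]) -> str:
    """Plain-text calendar suitable for pasting into the incident record."""
    lines = []
    for a in schedule:
        flag = "  (pulled earlier: clinic closed on target date)" if a.pulled_earlier else ""
        lines.append(
            f"day {a.day:>2}  due {a.due:%a %Y-%m-%d}  remind {a.remind_on:%Y-%m-%d}"
            f"  {a.milestone}{flag}"
        )
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed example: breach discovered on Friday 14 March 2025, so day 1
    # falls on a Saturday and day 30 on a Sunday; both are pulled to the Friday.
    print(render(build_schedule(date(2025, 3, 14))))
```

Feed `closed_days` the clinic's own statutory-holiday and closure list; the function deliberately takes it as input rather than hard-coding an Ontario holiday table, so the same code serves a clinic that closes Fridays or a dental practice with a different week.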
One data point from our client work: a 5-physician Family Health Organization in Hamilton used this SOP after a stolen laptop incident in 2024. Patient notification went out on day 6, the IPC report was filed on day 38, the CPSO record was clean, and the CMPA-side review closed without a finding.
The clinic owner has told us the calendar template alone saved roughly 20 hours of staff time across the 60 days. Reach out if you want to walk through how the SOP interacts with your specific EMR and your specific staffing model.
Who is this for?
This is for the clinic owner of a 3 to 7 physician Family Health Organization, Family Health Group, or Family Health Network in Ontario regulated under PHIPA as a Health Information Custodian: the person whose name is on the IPC of Ontario report when an incident is filed. If that is you, this SOP is the document that means you are not drafting that report from scratch under deadline pressure.
It is also for the office manager or practice administrator of a specialty clinic, dental practice operating under the Royal College of Dental Surgeons of Ontario regime, or independent diagnostic imaging clinic, where the same PHIPA breach notification framework applies. The SOP’s anchor days, the patient letter template, and the IPC report template work across these settings, with minor wording variations called out in the document.
It is not intended for hospitals operating under the Public Hospitals Act with their own incident response infrastructure, and it is not intended for federally regulated entities under PIPEDA outside the Ontario PHIPA regime. Solo physicians and 2-physician clinics can use the document, though the named-role section assumes a small administrative team and is materially lighter when there is no practice manager.
Download the PHIPA 60-Day Breach Notification SOP
Fill in the four fields below. We will send the SOP PDF, the patient notification letter template (Word), the IPC report template (Word), and the calendar template (Excel) to your clinic email within five minutes. The patient notification letter is pre-formatted for letterhead and clinic-specific signatures.
Form not loading? Email us directly and we’ll send the SOP within the hour.
Related deep dives
- The full PHIPA 60-day breach notification walkthrough: the statute, the IPC guidance, and the day-by-day reasoning behind the SOP.
- AI for Canadian healthcare clinics: the broader PHIPA-safe AI deployment context that the SOP sits inside.
- IPC of Ontario AI healthcare checklist clinic walkthrough: the IPC’s expectations for AI use in clinics, side by side with the breach framework.
- OHIP billing data security clinic owner checklist: the controls that make the day-zero detection step in the SOP something the clinic actually has visibility into.
- Ransomware playbook for an Ontario FHO clinic: the specific incident type that triggers most of the breach notifications the SOP is built for.
Frequently Asked Questions
What’s the download?
A PDF SOP (day-by-day breach playbook, roughly 18 pages), a Microsoft Word patient notification letter template, a Microsoft Word IPC of Ontario breach notification report template, and a Microsoft Excel calendar template that renders the seven PHIPA anchor dates from a detection date. The total payload is one PDF, two Word documents, and one Excel file. Everything is anchored to PHIPA, the IPC of Ontario breach framework, and CPSO Policy 3-12.
How will my data be used?
Your name, clinic name, role, and email go into Fusion Computing’s contact system. We will email you the SOP files within minutes. We may send occasional updates relevant to Canadian clinic IT, PHIPA, IPC of Ontario, and CPSO developments, no more than once a month. Your data is never sold, never shared with the IPC, never shared with regulators, and never shared with EMR vendors. Unsubscribe is one click.
Is this just a sales pitch?
No. The SOP, the patient letter, the IPC report template, and the calendar are the deliverable. Most clinics that download the file never speak to Fusion, and the SOP works without our involvement. We make it free because regulator-anchored documents like this one are how Canadian clinics find out we exist.
If you want a conversation about Fusion handling the IT controls that sit behind the SOP, the EMR access logging, the laptop encryption, or the multi-factor authentication rollout, you can reach out on your own timeline.
Do I need to be an existing FC client?
No. The SOP is free for any PHIPA-regulated Health Information Custodian in Ontario, any clinic administrator, any clinic-side privacy officer, or any healthcare law firm working with clinics to download and adapt. It is published under a permissive license that allows use and modification inside the clinic. The only restrictions are no resale and no removal of the Fusion Computing attribution footer on the cover page. Most downloaders are not Fusion clients, and that is fine.
Can I share it with my partner or colleague?
Yes. Share it with your physician partners, your practice manager, your EMR administrator, your IT vendor, your insurance broker, your healthcare lawyer, or your privacy officer. Attribution to Mike Pearlstein and Fusion Computing must remain on the cover page. We’d prefer your colleague download their own copy so we can keep them current when PHIPA or the IPC guidance changes, but we’re not going to police it.
Who wrote this?
Mike Pearlstein, CISSP, CEO of Fusion Computing Limited. Fusion has been doing regulator-anchored IT work for Canadian healthcare clinics, law firms, and financial brokerages since 2012. The SOP was built against PHIPA (as amended), the IPC of Ontario breach reporting framework and its 2024 annual report, CPSO Policy 3-12, and four real PHIPA breach timelines that Fusion ran with Ontario clinic clients in the past 24 months.
It was reviewed by an outside healthcare privacy lawyer before publication.
Bottom line
PHIPA does not give a clinic 60 days of quiet to think about a breach. The Act's test for notifying affected individuals, and the IPC where the regulation requires it, is the first reasonable opportunity; the 60-day window is the SOP's outer bound for filing the IPC of Ontario report and closing the file, not a grace period the statute grants. That sequence has anchor days the IPC and the CPSO can ask about, and most clinics discover them under pressure rather than in advance.
This SOP front-loads that calendar so the clinic has the patient letter drafted, the IPC report scaffolded, and the named roles assigned long before an incident happens.
If you want help with the controls behind the SOP, the EMR access logging the IPC asks about, the laptop and phone encryption that determines whether a stolen device is even a reportable breach, the multi-factor authentication on every clinical login, or the staff PHIPA training cadence, that is work Fusion does for Ontario clinics every week.