In short

PHIPA is Ontario’s health-privacy law. It applies to every health information custodian — and the IT vendors that serve them — and requires reasonable administrative, technical, and physical safeguards for personal health information. Since 2020, fines reach $200,000 for individuals and $1,000,000 for organizations. This guide covers who it applies to, the core obligations, breach reporting, penalties, and a compliance roadmap; the linked controls matrix turns it into an auditable checklist.

What is PHIPA?

The Personal Health Information Protection Act, 2004 (PHIPA) is Ontario’s health-privacy law. It governs how personal health information (PHI) is collected, used, disclosed, retained, and protected. PHIPA is enforced by the Information and Privacy Commissioner of Ontario (IPC), an independent officer of the Legislature. Because PHIPA has been declared substantially similar to Canada’s federal law, it — not PIPEDA — is the operative privacy law for health information held by Ontario custodians.

Who PHIPA applies to

PHIPA applies to health information custodians (HICs) — and, through them, to the vendors that handle PHI on their behalf. You are almost certainly a custodian if you are any of the following:

  • A regulated health practitioner: physician, dentist, nurse, pharmacist, optometrist, physiotherapist, chiropractor, psychologist, social worker, and others under the Regulated Health Professions Act.
  • An operator of a hospital, long-term care home, retirement home, community health centre, or independent health facility.
  • A pharmacy, ambulance service, or community care organization.
  • A centralized health-record platform or shared service organization.

If you are an IT provider, cloud platform, or software vendor that touches PHI, you are an agent of the custodian under PHIPA s.17 and are bound by a written agreement to the same safeguards.

The core obligations at a glance

PHIPA does not prescribe specific technologies. It requires custodians to take “reasonable steps” across five areas: consent for collection/use/disclosure, accuracy of records, safeguards (administrative, technical, physical), retention and secure disposal, and breach response. The practical translation of “reasonable steps” into concrete IT controls is exactly what our matrix provides.

Get the PHIPA IT Controls Matrix

This guide explains what PHIPA requires and why. When you are ready to audit your own controls, our practitioner matrix maps all 14 control areas to CIS Controls v8.1 with the evidence an IPC review expects.

Breach reporting under PHIPA

Since 2017, PHIPA requires custodians to notify affected individuals “at the first reasonable opportunity” when PHI is stolen, lost, or used/disclosed without authority. Notification to the IPC is required for defined classes of breach (insider snooping, theft, breaches likely to cause harm, and pattern breaches under O.Reg. 224/17). Custodians must also file an annual statistical report of all breaches to the IPC each March — including breaches below the individual-notification threshold.

Penalties and enforcement

PHIPA’s offence fines were doubled in 2020. On conviction, the maximum fines are now:

  • Up to $200,000 and/or up to one year imprisonment for an individual.
  • Up to $1,000,000 for an organization.

Beyond fines, the reputational and regulatory-college consequences of a PHIPA breach are often more damaging than the penalty itself. The IPC publishes investigation decisions, and a member’s college may take its own disciplinary action where an individual’s conduct caused the breach.

How to comply: a practical roadmap

  1. Confirm your status. Verify you are a custodian and identify every agent (IT provider, EHR vendor, cloud platform) that handles PHI.
  2. Run the controls matrix as a self-assessment. Mark each of the 14 control areas red/yellow/green against your current state.
  3. Fix the high-risk gaps first. In practice these are usually MFA on the EHR, tested backups, reviewed audit logs, and updated vendor agreements.
  4. Name and equip a privacy officer (s.15(3)) with training records and a complaint-handling process.
  5. Rehearse a breach. Run a tabletop on a ransomware-on-the-EHR scenario and time your notification workflow.

PHIPA, PIPEDA, and the other laws

PHIPA governs PHI in Ontario custodians. PIPEDA continues to apply to non-health commercial activities and to cross-border data transfers. If Bill C-27 passes, its Consumer Privacy Protection Act would replace PIPEDA federally but would not displace PHIPA in Ontario. Ontario public institutions follow FIPPA/MFIPPA instead.

About this guide

This guide is maintained by Mike Pearlstein, CISSP, Founder and CEO of Fusion Computing Limited, a Canadian managed IT and cybersecurity provider and Microsoft Solutions Partner. It is reviewed as legislation and program requirements change. Definitions are written for business leaders, not lawyers — for a legal opinion on your specific obligations, consult qualified counsel.

Want a second opinion on where your organization actually stands? We will review your current controls against this framework in plain language — no jargon, no obligation.