In one paragraph
The Personal Health Information Protection Act (PHIPA) is Ontario’s health-privacy law and applies to every health information custodian in the province — clinics, hospitals, doctors, dentists, pharmacies, optometrists, physiotherapists, and others. PHIPA does not specify technical controls directly; it requires custodians to take “reasonable steps” to protect personal health information (PHI). This matrix translates those reasonable steps into 14 concrete IT control areas, maps each to CIS Controls v8.1 for verifiable implementation, and flags the seven controls most commonly missing in mid-sized Ontario clinics. Use it as an internal audit checklist before your next vendor renewal, professional regulator audit, or insurer review.
📚 New here? Start with PHIPA Compliance: The Complete Guide for the plain-language overview, then use this matrix to audit your controls.
Who PHIPA applies to
PHIPA’s reach is broad — broader than most clinic owners realize. A health information custodian (HIC) under PHIPA s.3 includes:
- Health-care practitioners regulated under the Regulated Health Professions Act, 1991 — physicians, dentists, nurses, midwives, optometrists, pharmacists, physiotherapists, chiropractors, psychologists, social workers, and 18 other regulated professions.
- Operators of health-care facilities — hospitals, long-term care homes, retirement homes, community health centres, Aboriginal Health Access Centres, and independent health facilities.
- Pharmacies, ambulance services, and Community Care Access Centres.
- Centralized service organizations like Ontario Health, LHINs (now Ontario Health Teams), and shared electronic health record platforms.
If you bill OHIP, store patient records, or operate any system that touches PHI, PHIPA applies to you. Vendor agreements that involve PHI — including IT service providers, cloud platforms, and EHR vendors — are governed by the “agent” provisions in PHIPA s.17.
The five PHIPA pillars
PHIPA’s substantive requirements distill into five pillars that drive every IT-control decision:
- Consent — collection, use, and disclosure of PHI generally require consent, with specific exceptions (s.18-20).
- Accuracy — custodians must take reasonable steps to ensure PHI is accurate, complete, and up to date (s.11).
- Safeguards — administrative, technical, and physical safeguards proportionate to the sensitivity of PHI (s.12).
- Retention — written retention and destruction policies; secure disposal (s.13, O.Reg. 329/04 s.7).
- Breach response — notification to the affected individual, the Information and Privacy Commissioner of Ontario (IPC), and applicable professional regulators (s.12(2), amended 2017).
The PHIPA IT Controls Matrix
The 14 control areas below cover the practical safeguards a custodian needs to satisfy PHIPA s.12 “reasonable steps.” Each row maps the control to its PHIPA anchor, the corresponding CIS Controls v8.1 safeguard, and the tooling pattern we deploy across our Ontario healthcare clients.
| # | Control area | PHIPA anchor | CIS v8.1 safeguard | Typical implementation |
|---|---|---|---|---|
| 1 | Access control & MFA | s.12(1) | 6.3, 6.5 | Entra ID + conditional access + MFA on every clinical app |
| 2 | Role-based access | s.12(1), s.49 | 6.6, 6.8 | Group-based EHR permissions; least-privilege for non-clinical staff |
| 3 | Encryption at rest | s.12(1) | 3.6, 3.11 | BitLocker on endpoints, encrypted DB volumes, encrypted backups |
| 4 | Encryption in transit | s.12(1) | 3.10 | TLS 1.2+ enforced, VPN for remote EHR access, secure email (S/MIME or portal) |
| 5 | Endpoint detection (EDR) | s.12(1) | 10.6, 10.7 | Huntress + Defender for Endpoint on every clinical workstation |
| 6 | Patch management | s.12(1) | 7.3, 7.4, 7.7 | Patches within 14d for critical CVEs; tracked monthly |
| 7 | Audit logging | s.10, s.12 | 8.1, 8.5, 8.11 | EHR audit trail retained ≥ 10 years; centralized log aggregation |
| 8 | Backup & DR | s.12(1) | 11.1, 11.4, 11.5 | 3-2-1 immutable backups + quarterly restore tests; RPO ≤ 24h, RTO ≤ 8h |
| 9 | Vendor / agent agreements | s.17 | 15.4, 15.5 | Written PHIPA-compliant agent agreements; annual attestation |
| 10 | Breach response | s.12(2) | 17.1, 17.4 | Documented IRP, IPC reporting workflow, tabletop ≥ 1×/yr |
| 11 | Privacy officer | s.15(3) | 14.2 | Named contact person, training records, complaint log |
| 12 | Retention & secure disposal | s.13, O.Reg. 329/04 s.7 | 3.5 | 10-year minimum for adult records; cryptographic erasure on disposal |
| 13 | Mobile device management | s.12(1) | 4.1, 4.2 | Intune compliance policies, remote wipe, BYOD container |
| 14 | Security awareness training | s.15 | 14.1, 14.3 | Annual PHIPA + phishing training; tracked completion |
The breach-notification timeline
PHIPA s.12(2) imposes notification obligations when PHI is stolen, lost, used, or disclosed without authority. The timeline:
- To the affected individual — at the first reasonable opportunity. Notice must describe the nature of the breach, the information involved, and the steps taken to contain it.
- To the IPC — when the breach falls into one of the four classes in O.Reg. 224/17: insider snooping, theft/loss of PHI, breach with significant harm, or pattern breaches. Use the IPC’s Health Privacy Breach form.
- To the regulatory college — when an individual member’s act or omission caused the breach (e.g., a regulated nurse who inappropriately accessed a record). This is a notification to the relevant Health Profession Act college.
- Annual statistical report to the IPC — all PHIPA breaches, even those individually below the IPC-notification threshold, must be counted and reported in March of each year.
The seven most-missed controls
Across the 30+ Ontario health-custodian engagements Fusion Computing has worked on, the following seven controls are most often missing or weak at first assessment:
- Audit logs retained but never reviewed. PHIPA s.10 requires the ability to detect inappropriate access. A log no one reads is not a control.
- Vendor/agent agreements that predate PHIPA’s 2017 amendment. Many older IT contracts lack breach-cooperation clauses.
- Backup systems with no documented restore test in the past 12 months. Backups that have never been restored are theoretical.
- MFA on email but not on the EHR itself. The EHR is the highest-value target.
- BYOD devices with no MDM and no separation of PHI from personal data. A common gap in small clinics.
- Disposal of old PCs and copiers without verified cryptographic erasure. Copier hard drives are the classic PHIPA breach vector.
- Privacy officer named but with no training records or complaint-handling SOP. A titular role does not satisfy s.15(3).
Where to start
If you operate a small or mid-sized Ontario health-custodian organization (5 to 150 employees) and you’re not certain how your current IT controls map to PHIPA, the practical sequence is:
- Run the 14-row matrix above as a self-assessment. Mark each row red, yellow, green.
- Pull your audit logs from the past 90 days. Have a privacy officer review them.
- Verify your last backup restore test. If it’s older than 6 months or doesn’t exist, schedule one this quarter.
- Review your IT vendor agreement against PHIPA s.17 agent requirements. Most older agreements need amendment.
- Run a tabletop breach exercise. Use a realistic scenario — ransomware on the EHR — and time the response.
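An added example, not part of the original matrix or Fusion Computing's tooling: a minimal review pass over an EHR audit export, of the kind the "audit logs retained but never reviewed" gap and step 2 above call for. It flags the patterns behind the IPC's insider-snooping class (access to patients the user is not assigned to, after-hours access, bulk export by non-clinical roles). The CSV layout, the care-team lookup and the working-hours window are assumptions; a real EHR's export format will differ.

```python
"""Flag suspicious entries in an EHR audit-log export for privacy-officer review."""
import csv
import io
from datetime import datetime

# Constructed sample export (field names are an assumption, not any vendor's format).
AUDIT_LOG = """\
timestamp,user,role,patient_id,action
2024-03-04T09:12:00,jsmith,nurse,P100,view
2024-03-04T09:40:00,jsmith,nurse,P200,view
2024-03-04T23:55:00,jsmith,nurse,P300,view
2024-03-05T10:05:00,tlee,reception,P100,view
2024-03-05T10:06:00,tlee,reception,P101,export
2024-03-05T11:30:00,dkhan,physician,P200,view
"""

# Assumed: patients each user is scheduled with or assigned to (from the EHR roster).
CARE_TEAM = {
    "jsmith": {"P100", "P200"},
    "tlee": {"P100", "P101"},
    "dkhan": {"P200"},
}
WORK_HOURS = range(7, 20)            # 07:00-19:59; anything else is after-hours
PRIVILEGED_ACTIONS = {"export", "print"}  # actions with bulk-disclosure risk


def review_audit_log(text: str, care_team: dict) -> list[dict]:
    """Return one finding per suspicious entry, each with the reasons it was flagged."""
    findings = []
    for row in csv.DictReader(io.StringIO(text)):
        reasons = []
        ts = datetime.fromisoformat(row["timestamp"])
        if row["patient_id"] not in care_team.get(row["user"], set()):
            reasons.append("patient not on user's care list")
        if ts.hour not in WORK_HOURS:
            reasons.append("access outside working hours")
        if row["action"] in PRIVILEGED_ACTIONS and row["role"] != "physician":
            reasons.append(f"{row['action']} by non-clinical role")
        if reasons:
            findings.append({**row, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in review_audit_log(AUDIT_LOG, CARE_TEAM):
        print(f["timestamp"], f["user"], f["patient_id"], "; ".join(f["reasons"]))
```

Each finding is a lead for the privacy officer to close out (legitimate break-glass access, roster gap, or a reportable breach), not a verdict on its own.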
About this matrix
This matrix is maintained by Mike Pearlstein, CISSP, Founder and CEO of Fusion Computing Limited. Mike has led IT and cybersecurity programs for Ontario health custodians since 2012 and holds the Certified Information Systems Security Professional designation (ISC²). Fusion Computing is a Microsoft Solutions Partner (Security, Modern Work, Infrastructure) and a CompTIA Managed Services Trustmark holder. We deploy this matrix as part of every health-custodian onboarding and re-audit annually.
If you’d like a PDF version of this matrix or want to discuss your situation, book a 30-minute consult. No obligation, no sales pitch — we’ll tell you what we’d do.