Compliance | May 12, 2026 | 9 min read

PHI in Emails: How Canadian Healthcare Clinics Are Getting PHIPA Wrong

Canadian healthcare clinics send personal health information over email dozens of times a day. Most of it is unencrypted, untracked, and non-compliant with PHIPA. Here's what the law actually requires.

By Canuckt AI Team


The Email That Leaves Every Morning

In most Canadian healthcare clinics, the day starts with a wave of emails. Referral letters go to specialists. Lab results get forwarded to ordering physicians. Appointment confirmations with diagnosis codes go to patients who didn't opt for a patient portal. Insurance correspondence containing treatment histories goes to benefit administrators.

Most of this is sent in plain text, attached to standard email. No encryption. No expiry. No tracking of who opens it or forwards it. Once it leaves the clinic's mail server, the personal health information in that message is effectively uncontrolled.

Ontario's Personal Health Information Protection Act — PHIPA — governs how health information custodians handle personal health information. It applies to physicians, pharmacists, hospitals, labs, dentists, and a long list of other regulated health professionals. The Act's requirements on electronic communication are not ambiguous, but compliance is inconsistent across the sector in ways that would surprise most patients.

What PHIPA Says About Electronic Transmission

PHIPA requires health information custodians to take steps that are reasonable in the circumstances to protect personal health information against theft, loss, and unauthorized use or disclosure. The Information and Privacy Commissioner of Ontario has consistently interpreted this to mean that PHI transmitted electronically must be transmitted using means that provide reasonable protection.

"Reasonable protection" in an email context means one of three things: encryption, secure messaging platforms with access controls and audit logs, or — in limited circumstances — patient-initiated transmission where the patient has been warned of the risks and has consented to proceed anyway.

A standard Gmail or Outlook email with a PDF attachment does not provide reasonable protection. The email traverses multiple servers outside the custodian's control, may be stored indefinitely on servers in the United States, cannot be recalled if sent to the wrong recipient, and generates no audit trail. The IPC has found this falls short of PHIPA's requirements in multiple orders and investigation reports.

The Three Most Common PHI Email Failures

Referral letters with full clinical history. When a family physician refers a patient to a specialist, the referral letter typically contains the patient's full name, date of birth, health card number, diagnosis, medication list, and relevant clinical history. This document is almost always sent as an unencrypted email attachment to the specialist's general inbox. The specialist's administrative staff open it, process the referral, and file it — often in an EMR system without logging the source of the information.

Lab results forwarded to patients. Patients increasingly request that results be emailed directly. Many clinics comply without discussing the security implications. The IPC's guidance is clear: if a patient requests email transmission after being advised of the risks, the custodian can comply. If a patient simply provides their email on a form without any risk discussion, sending PHI to that email is not consent-based — it's a transmission without the required safeguards.

Insurance correspondence. Treatment summaries, diagnostic codes, and prescription histories sent to insurance administrators create a specific problem: the recipient is not a health information custodian under PHIPA, so they have different (and typically weaker) obligations for how they handle the information. Getting a PHI transmission to an insurer wrong creates exposure for the clinic even if the insurer handles it appropriately.

The Breach Notification Dimension

PHIPA's breach notification requirements, strengthened in amendments that came into force in 2017, require health information custodians to notify the IPC and affected individuals when PHI is stolen, lost, or accessed without authorization.

A misdirected email — the referral letter that went to the wrong specialist because of an autocomplete error — is a breach. A fax sent to the wrong number is a breach. An email with PHI that was forwarded by a staff member to a personal account is a breach.

The IPC receives hundreds of breach notifications from healthcare custodians annually. The single most common cause is misdirected faxes and emails. Organizations that have invested in secure messaging platforms report dramatically lower breach rates — not because misdirection stops entirely, but because secure platforms prevent the underlying PHI from being accessible to unauthorized recipients even when misdirection occurs.

What Actual Compliance Looks Like

The practical path to PHIPA-compliant electronic communication involves two decisions: what you send and how you send it.

What to send: PHI should be shared in the minimum necessary quantity. A referral doesn't always need the full medication list — it needs the information relevant to the referral purpose. Automated redaction of information that doesn't need to travel with a document reduces the consequence of any misdirection that does occur.
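As an added illustration of the "minimum necessary" rule above (example code, not the article's or any vendor's product), the function below masks two of the PHI fields named in the referral-letter section, Ontario health numbers and dates of birth, before a message leaves the clinic. It assumes Ontario health numbers are 10 digits carrying a Luhn (mod 10) check digit, optionally followed by a two-letter version code, and uses that check so an ordinary 10-digit phone number in a signature is left alone; the sample referral text is constructed, not real patient data.

```python
import re
from dataclasses import dataclass, field

# Ontario health number: 10 digits with a Luhn check digit, often printed with a
# two-letter version code (e.g. "9876543217 AB"). Assumption stated in the lead-in.
HEALTH_NUMBER_RE = re.compile(r"\b(\d{10})(?:[ -]?([A-Z]{2}))?\b")
# ISO-style date of birth, YYYY-MM-DD.
DOB_RE = re.compile(r"\b(?:19|20)\d{2}-(?:0[1-9]|1[0-2])-(?:0[1-9]|[12]\d|3[01])\b")

# Constructed sample referral text: not a real patient or health number.
SAMPLE_REFERRAL = (
    "Referral for Jane Doe, DOB 1984-03-17, HCN 9876543217 AB.\n"
    "Please call the clinic at 4165551234 to confirm.\n"
)


def luhn_valid(digits: str) -> bool:
    """Standard Luhn check; a random 10-digit number fails it 9 times out of 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class RedactionResult:
    text: str                              # message body safe to transmit
    counts: dict = field(default_factory=dict)  # what was removed, for the audit record


def redact_phi(text: str) -> RedactionResult:
    """Replace health numbers and DOBs with tokens; keeps non-Luhn 10-digit numbers."""
    counts = {"health_number": 0, "dob": 0}

    def mask_hn(m: re.Match) -> str:
        if not luhn_valid(m.group(1)):
            return m.group(0)              # e.g. a phone number: leave intact
        counts["health_number"] += 1
        return "[HEALTH-NUMBER REDACTED]"

    def mask_dob(m: re.Match) -> str:
        counts["dob"] += 1
        return "[DOB REDACTED]"

    out = HEALTH_NUMBER_RE.sub(mask_hn, text)
    out = DOB_RE.sub(mask_dob, out)
    return RedactionResult(out, counts)
```

The returned counts are what a clinic would write to its outbound log, so a later misdirection report can state exactly which identifiers did not travel with the message.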

How to send it: Ontario's regulated health professions use several tools that provide the required security: eHub (the Ontario Health secure messaging platform), OTN (Ontario Telemedicine Network) secure messaging, encrypted email using S/MIME or PGP, and purpose-built secure messaging platforms with healthcare-specific audit and access controls.

For patient-facing communication, PHIPA allows email at the patient's explicit request — but requires a documented consent process that includes a plain-language explanation of the risks. Most clinics that claim patient consent for email transmission have something much weaker: a checkbox on a new patient form that most patients check without reading.

The Audit Trail Problem

One thing that distinguishes PHIPA-compliant electronic communication from the standard clinic practice is audit logging. PHIPA requires custodians to track who has accessed personal health information, when, and for what purpose. Standard email provides none of this. A secure messaging platform logs every access, every forward, every download.

When the IPC conducts an investigation following a breach or complaint, the first thing investigators ask for is the access log. Organizations that can produce detailed logs of who accessed PHI and when are in a fundamentally different position than ones relying on email timestamp records and staff recollections. The log doesn't prevent breaches — it demonstrates that the custodian was operating with appropriate controls, which affects how the IPC responds to a breach and what remediation it orders.

The clinics that tend to get the most damaging IPC findings aren't the ones that had a breach. They're the ones that had a breach and couldn't demonstrate they had reasonable safeguards in place before it happened.
