PHIPA Compliance Checklist for Ontario Healthcare Providers Using AI in 2026
Ontario healthcare providers using AI face real PHIPA compliance gaps. This checklist covers inventory, consent, safeguards, breaches, and staff training for 2026.
By Canuckt AI Team
What Counts as Personal Health Information Under PHIPA
Personal health information (PHI) under PHIPA is identifying information about an individual that relates to their physical or mental health, the provision of healthcare to them, or their health history. It includes information that, on its own or combined with other information, could identify the individual.
This definition is broader than many people expect. A patient's name combined with the fact that they attended a specific clinic is PHI, even if no diagnosis is mentioned. A person's health card number on its own is PHI. Prescription information is PHI. Mental health records have additional protections. Genetic information has additional protections.
PHIPA applies to "health information custodians" — a defined category that includes physicians, dentists, nurses, pharmacists, hospitals, community health centres, long-term care homes, and a range of other healthcare providers.
The PHIPA AI Compliance Checklist
Section 1: Inventory and Awareness
- Have you identified all AI tools your practice currently uses? This includes tools used by clinical staff, administrative staff, and contractors. Many practices have AI tools in use that leadership isn't fully aware of.
- For each AI tool, do you know what data it processes and where? Most AI tools process data on remote servers. The relevant question is: does PHI touch that tool, and if so, where does that processing happen?
- Have you reviewed the terms of service and privacy policies for each AI tool you use? Consumer AI tools generally don't offer PHIPA-compliant data processing terms.
- Do you have a written inventory of the personal health information your practice collects and processes? PHIPA requires custodians to have policies and procedures governing PHI.
Section 2: Consent and Transparency
- Do your patients know their information may be processed using AI tools? PHIPA's consent requirements vary depending on the purpose for which PHI is being used, but patients generally have the right to know how their information is handled.
- Have you updated your privacy notice to reflect AI tool usage? Most privacy notices were written before AI tools became part of practice operations.
- Do you have a process for patients who don't consent to AI processing of their information?
Section 3: Safeguards and Data Handling
- Is PHI being transmitted outside Canada for AI processing? PHIPA requires that PHI be adequately protected, and cross-border transmission creates additional risk. Using US-based AI tools to process Ontario PHI is a significant compliance issue.
- Do you have data processing agreements in place with AI tool vendors? PHIPA requires agreements with agents who handle PHI on your behalf. Most consumer AI tools don't offer PHIPA-compliant agent agreements.
- Is PHI anonymized or de-identified before being input to AI tools where possible? De-identified information is not PHI under PHIPA and doesn't carry the same restrictions.
- Have you implemented access controls so AI tools can only be used by authorized staff for authorized purposes?
Section 4: Breach Preparedness
- Do you have a process for identifying and responding to privacy breaches involving AI tools? PHIPA requires that affected patients be notified of a breach, and in some circumstances the IPC (Information and Privacy Commissioner of Ontario) as well.
- Do you know how to contact the vendors of the AI tools you use in the event of a breach? Many consumer AI tools don't have straightforward breach notification processes.
- Have you logged your AI tool usage in a way that would allow you to identify who was affected in a breach scenario?
Section 5: Staff Training
- Have clinical and administrative staff received training on appropriate AI tool use? Staff who understand what they can and can't put into AI tools are your first line of defence.
- Do staff know whom to contact if they have questions about AI and PHI? Someone in your practice needs to own the AI compliance question.
Common PHIPA Violations Happening Right Now
Dictating clinical notes using consumer AI voice tools. Several popular transcription apps use AI to convert speech to text and store recordings on cloud servers. If a clinician is dictating notes that include patient names and clinical information, that's PHI being processed by a consumer tool without PHIPA safeguards.
Using AI chat tools to draft clinical communications. Drafting a letter to a patient, a referral note, or a response to a patient inquiry using an AI tool often involves inputting PHI.
Third-party billing and coding services using AI. Your PHIPA obligations include ensuring your agents handle PHI appropriately — which means asking your billing service what AI tools they use.
AI scheduling tools with patient data. Some third-party scheduling platforms now use AI features. If patient health information is processed through these tools, PHIPA applies.
The Path Forward
The goal isn't to stop using AI tools. The goal is to use them in a way that maintains the trust patients have placed in you and keeps your practice on the right side of PHIPA. In practice, that means a combination of approved tools with appropriate safeguards, anonymization where possible, and clear policies about what goes into AI systems.
The IPC is watching how healthcare AI develops in Ontario. The practices that have done the compliance work proactively will be in a much stronger position than those that haven't when that scrutiny arrives.