PHIPA
Personal Health Information Protection Act (Ontario)
Ontario's health privacy law — governing all PHI custodians
PHIPA governs the collection, use, and disclosure of personal health information (PHI) by health information custodians in Ontario — including hospitals, clinics, pharmacies, labs, insurers, and health-related apps. It is stricter than PIPEDA for health information and requires explicit consent, purpose limitation, and mandatory breach notification to the Information and Privacy Commissioner of Ontario (IPC).
Who must comply with PHIPA?
Health information custodians in Ontario include physicians, dentists, pharmacists, hospitals, clinics, nursing homes, laboratories, and anyone who compiles or maintains PHI on their behalf. Health tech companies providing services to custodians may be subject to PHIPA as agents.
Key obligations under PHIPA
Knowledgeable Consent
Collect, use, or disclose PHI only with knowledgeable consent of the individual, except for treatment and specific permitted purposes.
Implied Consent for Treatment
Implied consent applies for sharing PHI within the circle of care. Express consent is required for disclosure outside the circle.
Data Minimization
Collect, use, and disclose only the minimum PHI reasonably necessary to accomplish the purpose.
Mandatory Breach Reporting
Notify the IPC and affected individuals of privacy breaches at the first reasonable opportunity. PHIPA sets no fixed notification deadline measured in hours.
Lockbox Right
Individuals can 'lock' specific PHI from disclosure even within the circle of care — this is a PHIPA-specific right.
Agent Agreements
Health information custodians must have written agreements with agents who handle PHI on their behalf.
Penalties & enforcement
Niagara Health System paid a settlement after an employee improperly accessed 3,200+ patient records (2014).