
PHIPA compliance for software development teams.

A practical, developer-centric implementation guide to Ontario's Personal Health Information Protection Act — written for product teams shipping clinical, EMR-adjacent and patient-facing software in 2026.

The Personal Health Information Protection Act (PHIPA) is Ontario's health-sector privacy law. It governs how health information custodians (HICs) — and the agents and electronic service providers (ESPs) acting on their behalf — collect, use, disclose, retain and secure personal health information (PHI). If your software touches PHI for an Ontario clinic, hospital, pharmacy, lab or practitioner, PHIPA applies to you, even when you are the vendor rather than the custodian.

This guide distills PHIPA into the controls, code paths and operational artifacts a delivery team is actually accountable for. It is not legal advice; pair it with counsel and a privacy impact assessment (PIA) before going live.

The developer checklist

Six control families that map to PHIPA Part IV and O. Reg. 329/04. Treat each checklist item as an acceptance criterion in your delivery plan.

Consent & lawful purpose

  • Capture express or implied consent per s.18 with a clear purpose statement
  • Support consent withdrawal and the lockbox right (s.20)
  • Record substitute decision-maker authority where applicable
  • Surface the purpose of collection at every PHI capture point

Access controls

  • Enforce role-based access tied to circle of care
  • Apply least-privilege defaults and just-in-time elevation
  • Require MFA for all clinical and administrative users
  • Auto-expire dormant sessions and inactive accounts

Audit logging

  • Log every PHI view, create, update, export and print event
  • Capture actor, subject, timestamp, IP, and justification
  • Make logs tamper-evident and retain for ≥10 years
  • Provide a patient-facing access-history view
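As an added illustration (not code from this page or its authors), a minimal hash-chained, append-only audit log in Python that carries the fields the checklist names (actor, subject, timestamp, IP, justification) for each PHI event type: `verify()` fails on any edit, deletion or reordering of stored entries, and `access_history()` supplies the patient-facing view. Class and field names are assumptions; the chain only proves stored entries were not altered after writing, so the returned head hash still has to be anchored outside the log store (or signed) for silent truncation to be detectable.

```python
import hashlib
import json
from dataclasses import dataclass, asdict
EVENT_TYPES = {"view", "create", "update", "export", "print"}  # events the checklist requires logging
GENESIS_HASH = "0" * 64  # chain anchor for the first entry

@dataclass(frozen=True)
class PhiAccessEvent:
    actor: str          # authenticated user performing the action
    subject: str        # patient or record identifier being accessed
    event: str          # one of EVENT_TYPES
    timestamp: str      # ISO 8601 UTC, taken from a trusted clock
    ip: str             # source address of the request
    justification: str  # reason for access, e.g. circle-of-care role

def _digest(body: dict) -> str:
    # SHA-256 over canonical JSON so key order cannot change the hash.
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

class TamperEvidentAuditLog:
    """Append-only log: each entry's hash covers its body plus the previous hash,
    so editing, deleting or reordering a stored entry makes verify() fail."""
    def __init__(self) -> None:
        self.entries: list[dict] = []

    def append(self, ev: PhiAccessEvent) -> str:
        if ev.event not in EVENT_TYPES:
            raise ValueError(f"unknown PHI event type: {ev.event}")
        if not ev.justification.strip():
            raise ValueError("every PHI event needs a justification")
        body = asdict(ev)
        body["prev_hash"] = self.entries[-1]["hash"] if self.entries else GENESIS_HASH
        body["hash"] = _digest(body)
        self.entries.append(body)
        return body["hash"]  # store this head hash out-of-band (or sign it) so truncation is detectable

    def verify(self) -> bool:
        prev = GENESIS_HASH
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if body["prev_hash"] != prev or _digest(body) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True

    def access_history(self, subject: str) -> list[dict]:
        # Patient-facing view: who touched this record, when, from where and why.
        return [e for e in self.entries if e["subject"] == subject]
```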

Encryption & residency

  • TLS 1.2+ in transit; AES-256 at rest with managed KMS
  • Canadian-region storage and backups by default
  • Encrypt backups and key-rotate on a documented schedule
  • Pseudonymize PHI in lower environments — never copy prod data raw

Breach response

  • Documented incident response runbook with named roles
  • Notify the IPC at the first reasonable opportunity for prescribed breaches
  • Notify affected individuals with required content elements
  • Maintain an annual statistical report of privacy breaches

Vendor & ESP controls

  • Electronic service provider agreements with PHIPA-aligned clauses
  • Subprocessor inventory with data-flow mapping
  • Annual security attestations (SOC 2 or equivalent)
  • Right-to-audit and breach-notification SLAs in every contract

Implementation phases

Phase 01: Discovery & gap assessment

Inventory PHI flows, identify custodians and agents, map systems against PHIPA Part IV and O. Reg. 329/04 (as amended by O. Reg. 224/17). Output: risk register and remediation backlog.

Phase 02: Architecture & controls

Stand up Canadian-region infrastructure, IAM with MFA, KMS-backed encryption, tamper-evident audit pipeline, and consent service. Pen-test the perimeter before go-live.

Phase 03: Policy & training

Privacy and security policies, breach runbook, agent training, and patient-facing transparency materials (purpose statements, access-history UX).

Phase 04: Operate & attest

Quarterly access reviews, annual privacy impact assessment refresh, IPC-ready statistical reporting, and continuous monitoring tied to on-call response.

FAQ

Who must comply with PHIPA?
Health information custodians in Ontario — clinics, hospitals, pharmacies, labs, practitioners — and the agents and ESPs that handle PHI on their behalf. Vendors are typically agents or ESPs.

Does PHIPA require data residency in Canada?
PHIPA itself does not mandate Canadian residency, but cross-border processing must be disclosed, contractually controlled and risk-assessed. In practice, most Ontario custodians require Canadian-region hosting.

When do we need to notify the IPC of a breach?
Custodians must notify the Information and Privacy Commissioner of Ontario at the first reasonable opportunity when a breach meets the circumstances prescribed in O. Reg. 329/04 (as amended by O. Reg. 224/17), and must also notify the affected individuals.

How long must audit logs be retained?
There is no single statutory retention period, but the IPC's guidance and custodian record-retention schedules typically require PHI access logs to be kept for 10 years or longer. Default to ≥10 years, tamper-evident.

Need a PHIPA-aligned build partner?

We deliver Canadian-region, audit-ready software for Ontario healthcare — with PHIPA controls wired in from day one.
