If your organization collects, uses, or discloses personal health information in Ontario, the Personal Health Information Protection Act (PHIPA) is not optional. It is the governing privacy law for health information in the province, and it carries significant penalties for non-compliance — including fines of up to $100,000 for organizations and up to $200,000 for individuals who wilfully commit offences.
For healthcare providers, health clinics, digital health platforms, insurers, and any organization that handles patient data, PHIPA compliance is both a legal obligation and a patient trust requirement. The Act was substantially amended by Bill 188 in 2024, which introduced significant new obligations including mandatory notification to the Information and Privacy Commissioner of Ontario. Yet many Ontario organizations — particularly smaller clinics and emerging healthtech companies — operate without a formal PHIPA compliance program.
PHIPA is Ontario’s provincial privacy law governing personal health information (PHI). It came into force in 2004 and was substantially amended in 2024. The Act applies to health information custodians — a defined legal category that includes regulated health professionals (physicians, dentists, nurses, physiotherapists), hospitals, pharmacies, laboratories, community health centres and mental health clinics, insurance companies handling health data, and health information networks and electronic health record platforms.
Organizations that are not custodians but receive PHI from custodians — referred to as agents in the legislation — must also comply with PHIPA’s requirements through their relationship with the custodian. PHIPA’s definition of personal health information is intentionally broad: it includes identifying information about an individual’s physical or mental health condition, health history, health care provided, health number, related payments, genetic information, and the identity of a substitute decision-maker.
Unlike purely administrative privacy frameworks, PHIPA compliance requires real technical security controls — and intersects directly with PIPEDA compliance requirements for organizations that operate across provincial lines.
Collect Only What Is Necessary. PHIPA prohibits collecting PHI beyond what is reasonably necessary for the purpose. This principle of data minimization applies to all data collection: intake forms, patient portals, mobile applications, and third-party integrations.
Use and Disclose PHI Only for Authorized Purposes. PHI collected for one purpose cannot generally be used for another without consent. Treatment, payment, and related administrative functions are the primary permitted purposes. Research, marketing, and secondary analytics require specific authorization.
Obtain Meaningful Consent. Individuals must know what information is being collected, why, and by whom. Express consent is required for non-routine disclosures. Consent can be implied for direct treatment purposes within a circle of care.
Implement Technical and Administrative Safeguards. Custodians must protect PHI against theft, loss, and unauthorized access with safeguards proportionate to the sensitivity of the information — including access controls, encryption, audit logging, and physical security measures.
Respond to Access Requests. Individuals have the right to access their own PHI. Requests must be responded to within 30 days.
Notify of Breaches. The 2024 amendments strengthened breach notification requirements. Custodians must notify affected individuals and the IPC of Ontario when PHI is breached and the breach creates a real risk of significant harm.
Bill 188 (the Strengthening Privacy Protection for Individuals Act, 2024) introduced several significant changes that affect Ontario healthcare organizations:
Across Ontario healthcare organizations, these gaps appear most frequently:
A functional PHIPA compliance program consists of the following components:
PHIPA compliance is not purely a legal exercise — it requires real technical security controls. Custodians that rely on administrative policies without supporting technical enforcement remain exposed to both incidents and regulatory findings.
Brigient works with Ontario healthcare organizations and healthtech companies to implement the technical components of PHIPA compliance: access control architecture, encryption of PHI at rest and in transit, audit logging and monitoring, and incident response planning. Brigient’s team has experience with the specific security requirements of healthcare environments, including EMR platforms, patient portals, and cloud-based health data systems.
For organizations that need executive-level oversight of their PHIPA compliance program, a virtual CISO engagement can provide the accountability structure PHIPA requires. For organizations that have received an IPC inquiry or experienced a breach, Brigient provides incident response services that address both the technical scope and the regulatory response process.
PHIPA places responsibility on the health information custodian — the organization or individual who controls the PHI. The custodian must also ensure that any agents or vendors handling PHI on their behalf meet PHIPA’s requirements. Designating a privacy officer responsible for overseeing compliance is strongly recommended.
What happens if we have a data breach under PHIPA? You are required to notify affected individuals and — following the 2024 amendments — the Information and Privacy Commissioner (IPC) of Ontario when a breach creates a real risk of significant harm. Failure to notify can result in IPC investigation, public findings, and administrative penalties. The IPC also has order-making power to require remediation.
Yes. Digital platforms that collect, store, or process personal health information on behalf of a custodian are subject to PHIPA’s requirements. The 2024 amendments specifically addressed the obligations of electronic service providers and health information networks operating in Ontario. If your platform handles PHI and operates in Ontario, PHIPA applies regardless of where your servers are located. Review the full text of PHIPA (Ontario legislation) for the complete list of custodian and agent obligations.
For Ontario healthcare organizations, PHIPA generally takes precedence over the federal PIPEDA for health information handling in the province. However, organizations that operate interprovincially, transmit health data across borders, or handle both health and non-health personal information may need to comply with both frameworks. The maximum penalty for PHIPA non-compliance varies by the nature of the offence. The IPC also has extensive order-making authority, compelling organizations to change their practices, destroy improperly collected data, or cease specific activities. Directors and officers can face personal liability under certain provisions.
PHIPA compliance protects your patients and your organization. The penalties for non-compliance have increased, the IPC is active in enforcement, and patients are increasingly aware of their data rights. The cost of a breach — financial, reputational, and regulatory — far exceeds the cost of building a compliance program before an incident occurs.
Brigient provides cybersecurity and compliance services for Ontario healthcare organizations, from technical PHIPA security controls through breach response and regulatory notification support. Contact Brigient to assess your current PHI security posture and close the gaps.
Written by Sameer Malik, Founder & Managing Director, Brigient
Sameer Malik is the Founder and Managing Director of Brigient, a boutique cybersecurity advisory firm based in Mississauga, Ontario. With over 20 years of experience in cybersecurity, governance, risk management, and IT strategy, Sameer has led more than 300 incident and ransomware response engagements for organizations across Canada. He holds a BA from the University of Toronto and is certified in TOGAF® 9 (The Open Group Architecture Framework) and ITIL (IT Infrastructure Library). Sameer's approach to cybersecurity is built on four pillars: Identify, Respond, Recover, and Govern.