Ontario’s Personal Health Information Protection Act (PHIPA), effective since November 1, 2004, governs the collection, use, and disclosure of personal health information (PHI) by health information custodians (HICs)—such as doctors, hospitals, pharmacies, labs—and their agents, including IT vendors and cloud providers.
Who’s Covered?
- Health Information Custodians (HICs): hospitals, clinics, doctors, nurses, labs, pharmacies, long-term care facilities, and ambulance services.
- Agents: organizations or individuals handling PHI under the authority of HICs—such as cloud providers, EMR vendors, and research partners.
- Information Managers: third parties managing PHI on behalf of HICs.
Core Principles of PHIPA
Consent‑based collection and use
HICs must obtain informed consent (express or implied) for collecting, using, or disclosing PHI, with limited exceptions (e.g., emergencies or statutory obligations).
Individual rights
Patients have the right to:
- Access their health records
- Request corrections
- Limit sharing of their PHI.
Strict confidentiality and security
PHI must be treated as confidential and safeguarded through administrative, technical, and physical controls such as encryption, authentication, audit logs, and role-based access.
Accountability and record‑keeping
HICs must implement privacy policies, maintain audit trails, manage vendors, follow breach protocols, and retain records per regulatory requirements.
Limited use for secondary purposes
Use of PHI for research, education, or fundraising is permitted only under strict conditions, often requiring patient consent or research ethics board approval.
Enforcement & Penalties 🚨
Administrative Monetary Penalties (AMPs)
Effective January 1, 2024, the Ontario Information and Privacy Commissioner (IPC) can impose:
- Up to $50,000 per individual
- Up to $500,000 per organization.
AMPs target significant infractions (e.g., unauthorized snooping, breaches for gain) after considering intent, harm, and steps taken to remedy.
Other penalties under PHIPA
- Individuals: Up to $200,000 fine and/or one year in prison
- Organizations: Up to $1 million fine.
Officers or staff complicit in offences can face personal liability.
Civil damages
Individuals harmed by willful or reckless misconduct may receive up to $10,000 for mental anguish.
IPC Case Law Example
In September 2025, a physician accessed newborns’ records in an EHR system and contacted parents to promote private circumcision services—resulting in PHIPA Decision 298. The IPC issued its first AMPs and stressed the importance of demonstrable system-based accountability, along with robust internal policies and disciplinary frameworks.
Compliance Best Practices
Privacy governance & policies
Maintain clear, documented privacy rules, and conduct annual staff training.
Access control & audit logging
Implement user authentication, role-based access, and detailed audit trails of PHI access and modification.
Secure data handling
Use encryption for PHI at rest and in transit; employ multi-factor authentication, regular system updates, and penetration testing.
Breach readiness
Have procedures for breach detection, internal reporting, IPC and patient notification, and remediation.
Vendor oversight
Ensure agents comply with PHIPA via contracts, security assessments, and audit reports.
Transparency & patient engagement
Clearly communicate data policies, support patient access and corrections, and respect data-sharing preferences.
Conclusion
PHIPA is a rigorous, consent-driven framework designed to protect patient health data in Ontario. With enforcement enhanced through administrative penalties, HICs and their agents must adopt strong governance, robust security, and transparent processes. A proactive compliance stance isn’t just legal—it builds patient trust and shields against costly enforcement.
Looking for a new IT Partner?
Talk to us about your current business needs and future IT goals, so we can help choose the right technology to move your business forwards.
