Ontario's Personal Health Information Protection Act (PHIPA) sets strict rules for how health information custodians collect, use, and protect patient data. A breach can result in fines up to $1,000,000 and mandatory patient notification.
If your practice collects, uses, or discloses personal health information about Ontario patients — PHIPA applies to you.
Collect only the personal health information reasonably necessary for the purpose of providing care.
Patient consent is required before sharing personal health information with third parties not directly involved in care.
Any agent handling personal health information on your behalf — IT providers, billing companies, cloud services — must have a written PHIPA agreement.
Health information is among the most sensitive personal data. Security measures must match the sensitivity — strong passwords alone are not sufficient.
If personal health information is stolen, lost, or accessed without authority, you must notify the affected patients and the Information and Privacy Commissioner.
Personal health information must be retained for at least 10 years after last use and disposed of securely when no longer needed.