PHIPA stands for Ontario's Personal Health Information Protection Act, 2004. If you handle personal health information in Ontario, especially in healthcare delivery, PHIPA is one of the key privacy laws you'll hear about. This post is a plain-English overview of what it is, who it applies to, and what organizations typically need to do in practice.
What PHIPA covers
PHIPA focuses on personal health information. That includes the obvious items, such as diagnoses and test results, but also, depending on context, administrative details connected to healthcare, such as health card numbers and records that link a person to care. If your product, service, or internal workflows touch health information, you should assume PHIPA expectations will come up, especially when working with healthcare partners.
Who PHIPA applies to (high level)
PHIPA is built around a defined, closed category of "health information custodians" (HICs) — the specific individuals and organizations listed in the Act that have custody or control of personal health information. This includes hospitals, physicians, pharmacies, dentists, labs, ambulance services, psychiatric facilities, and long-term care homes, among others. It is a closed list, not a catch-all for anyone who handles health data.
Importantly for health-tech vendors: if you are not yourself a health information custodian, you are likely operating as an agent or service provider to one. PHIPA imposes obligations on agents acting on behalf of custodians, but the compliance relationship and accountability flow through the custodian. Understanding whether your organization is a custodian, an agent, or neither is a material threshold question — it determines which obligations attach directly to you.
In practice, if you're a vendor selling into Ontario healthcare, you may be asked to demonstrate that your safeguards, contracts, and processes align with PHIPA expectations, even if you are not the custodian.
What PHIPA requires in practice (the parts that usually matter day-to-day)
Most PHIPA conversations come down to a few operational questions:
- Are you collecting and using health information for clear, limited purposes?
- Do you have appropriate access controls and auditability?
- Do you have rules for retention, deletion, and secure disposal?
- Do you have vendor management and contractual clarity?
- Are you ready to respond to incidents and requests (corrections, access, etc.)?
If you want a structured, practical baseline for this, start with Minimum Viable Privacy (MVP).
Where PHIPA work often starts: map the data flow
If you're not sure what you have, you can't protect it. A good starting point is a lightweight assessment that clarifies:
- What health information you collect
- Where it moves and where it's stored
- Who can access it and how
- Which vendors and tools touch it
For formal documentation and risk review, consider a Privacy Impact Assessment (PIA).
PHIPA vs. security: why you may also need a TRA or pen test
PHIPA is a privacy law, but you'll still be assessed on whether you protect data appropriately. Two common supporting pieces of work are:
- Threat and Risk Assessment (TRA) to identify and prioritize security risks
- Penetration testing to check whether technical weaknesses are actually exploitable
Common PHIPA triggers for startups and vendors
PHIPA questions tend to come up when:
- You're onboarding an Ontario clinic, hospital, or health network
- You're integrating with EHR/EMR systems or claims workflows
- You're introducing a new vendor that stores or processes health information
- You're using AI on health data (especially for profiling or decision support)
If AI is part of your roadmap, explore Artificial Intelligence Readiness resources.
Want help translating PHIPA expectations into a real program?
If you're working in Ontario healthcare, you don't need a mountain of paperwork. You need clear controls, clean documentation, and repeatable processes.