PHIPA Compliance Guide for Ontario Medical Clinics
What Every Ontario Clinic Must Know About Health Privacy in 2026
By Marc & Jason Lacroix | OpsMed.ca | Published March 2026
Ontario physicians and clinic administrators face a rapidly evolving health privacy landscape, with new enforcement powers, AI governance requirements, and digital health mandates all layered atop the foundational obligations of PHIPA. The Personal Health Information Protection Act (S.O. 2004, c. 3, Sched. A) — Ontario’s health-sector privacy law in force since November 1, 2004 — governs every aspect of how clinics collect, use, and disclose personal health information. The stakes have never been higher: as of January 1, 2024, the Information and Privacy Commissioner of Ontario can impose administrative monetary penalties of up to $500,000 per organization, and the first such penalty was levied in August 2025 against a physician and his clinic for unauthorized EHR access. This guide covers the PHIPA compliance landscape that Ontario family medicine practices, Family Health Teams, and group practices must know: statutory requirements, IPC guidance, and program-level obligations, with exact statutory references, dollar amounts, and timelines.
A note on sources: This guide synthesizes the Personal Health Information Protection Act (S.O. 2004, c. 3, Sched. A) and its regulations (O. Reg. 329/04), IPC decisions and guidance documents, Ontario Health and OntarioMD program requirements, and case law. Statements are tagged to distinguish [PHIPA requirement] (statutory obligations), [IPC guidance] (IPC-recommended practices), and [Program requirement] (Ontario Health/OntarioMD obligations). Readers should verify current status for any operational decisions, as program requirements evolve. See Coverage and Limitations for full source transparency.
Table of Contents
- How PHIPA Defines Who Is Responsible and What Is Protected
- Consent, Circle of Care, and the Lock-Box Right
- Substitute Decision-Makers and Patient Capacity
- What Every HIC Must Do: Core Custodian Obligations
- Breach Notification: Ontario’s Demanding Requirements
- IPC Guidance Reshaping Clinic Compliance in 2025–2026
- Cloud Storage, EMRs, and Technology Compliance
- Appointment Reminders, Online Booking, and SMS Compliance
- Patient Communication: Secure Portals vs. Standard Email
- Fax Security Remains Ontario’s Top Privacy Risk
- Staff Privacy Training Is a Practical Mandate
- Staff Offboarding: The Forgotten Safeguard
- How PHIPA and Federal Privacy Law Intersect
- Ontario Health and OntarioMD Layer Additional Requirements
- Penalties Have Teeth — and They Are Being Used
- Conclusion: The Compliance Imperative for Ontario Clinics
- Coverage and Limitations
How PHIPA defines who is responsible and what is protected
PHIPA applies to every health information custodian (HIC) — defined under s. 3(1) as a person or organization with custody or control of personal health information. For clinic purposes, this includes physicians operating a solo practice or group practice, operators of independent health facilities, and any health care practitioner as defined by the Regulated Health Professions Act, 1991. When a physician holds hospital privileges, they function as an agent of the hospital for PHI in the hospital’s custody, but remain a HIC for records in their own clinic.
Personal health information under s. 4(1) encompasses any identifying information — oral, written, or electronic — about an individual that relates to their physical or mental health (including history), the provision of health care to them, their health care payment or coverage eligibility, donation or testing of body parts or bodily substances, their Ontario health card number, or the identification of their substitute decision-maker. The definition is deliberately broad: a patient’s name linked to an appointment constitutes PHI.
An agent under s. 17 is any person acting for or on behalf of a HIC in respect of PHI — whether employee, volunteer, student, or contractor, and whether paid or unpaid. The HIC retains ultimate responsibility for agent actions, but agents bear independent duties including notifying the custodian at the first reasonable opportunity of any theft, loss, or unauthorized use or disclosure of PHI (s. 17(3)).
PHIPA rests on the 10 Fair Information Principles drawn from the CSA Model Code (CAN/CSA-Q830-96): accountability, identifying purposes, consent, limiting collection, limiting use/disclosure/retention, accuracy, safeguards, openness, individual access, and challenging compliance. These principles are woven throughout the Act’s operative provisions, from the requirement to designate a contact person (s. 15) to the mandate for a public statement of information practices (s. 16).
Consent, circle of care, and the lock-box right
PHIPA is fundamentally consent-based. Under s. 29, a HIC cannot collect, use, or disclose PHI unless consent has been obtained and the activity is necessary for a lawful purpose, or the activity is specifically permitted without consent. Section 18 requires that consent be knowledgeable, relate to the information in question, and not be obtained through deception or coercion. Consent may be withdrawn at any time (s. 18(5)).
The distinction between implied and express consent is critical for daily clinic operations. Implied consent — inferred from behavior or circumstances — is sufficient within the “circle of care.” Express consent is required for disclosures to non-HICs (insurers, employers), disclosures to another HIC for non-healthcare purposes, and any fundraising or marketing activities (ss. 32, 34).
The circle of care (a practical term not found in the statute itself) refers to the group of HICs and their agents who may rely on assumed implied consent under s. 20(2) to share PHI for providing health care. Six conditions must all be met: the custodian must be a health care provider, the PHI was received from the individual or another custodian, the information was received for providing health care, the intended use is for providing health care, the custodian has no reason to believe consent has been expressly withheld, and it is reasonable in the circumstances to assume consent. Family members acting in a personal capacity, insurers, and non-health entities are not part of the s. 20(2) assumed implied consent circle of care — disclosures to them require express consent. However, a substitute decision-maker (SDM) appointed under the Health Care Consent Act, 1996 may consent on behalf of an incapable patient, and the SDM’s involvement in care discussions does not violate the circle of care rules.
In practice, the circle of care typically includes the patient’s family physician, referring specialists actively involved in the patient’s care, hospital care teams during an admission, diagnostic labs processing ordered tests, and pharmacists dispensing prescribed medications. It explicitly excludes — and express consent is required for any disclosure to — police officers (unless a specific statutory exception applies), the Children’s Aid Society (mandatory reporting obligations under the CFSA are a separate legal authority, not a circle-of-care matter), the Workplace Safety and Insurance Board, insurance companies, employers, and lawyers. Front-desk staff handle these requests daily and must understand when to require written authorization before releasing any PHI.
The lock-box right — grounded in PHIPA’s consent framework (particularly s. 19 and the ability to expressly withhold or withdraw consent) — gives patients the power to prevent sharing of specific PHI even within the circle of care. When a patient exercises this right, the assumed implied consent under s. 20(2) no longer applies to that information: the disclosing HIC must comply, and must notify the receiving custodian that it has been prevented from disclosing all information it considers reasonably necessary. Withdrawal is not retroactive — it does not require retrieval of previously disclosed information.
Substitute decision-makers and patient capacity
When a patient lacks capacity to consent — as determined under the Health Care Consent Act, 1996 — a substitute decision-maker (SDM) may consent on their behalf to the collection, use, or disclosure of PHI. [PHIPA requirement] PHIPA s. 25 governs the exercise of consent rights by SDMs. The physician must determine capacity for each specific decision (capacity is decision-specific and can fluctuate). The SDM hierarchy under the HCCA proceeds from guardian of the person, to attorney for personal care, to a ranked list of family members. Front-desk staff should understand that an SDM is not the same as a “family member asking for information” — the SDM must be identified and documented in the chart, and the scope of their authority should be noted.
What every HIC must do: core custodian obligations
Privacy policies and information practices (s. 10) form the backbone of PHIPA compliance. Every HIC must develop, implement, and maintain information practices that comply with PHIPA — covering when, how, and for what purposes PHI is collected, used, modified, disclosed, retained, and disposed of, along with the administrative, technical, and physical safeguards maintained. Under s. 16, the HIC must publish a written public statement [PHIPA requirement] describing these practices, how to contact the designated contact person, how to request access or correction, and how to complain to both the HIC and the IPC.
Every HIC must designate a contact person under s. 15 [PHIPA requirement], responsible for facilitating compliance, ensuring agents are informed of their duties, responding to public inquiries, handling access and correction requests, and receiving complaints. In a solo practice, the physician typically serves as both HIC and contact person; larger clinics often designate an office manager or privacy officer.
The safeguards obligation under s. 12(1) [PHIPA requirement] requires HICs to take steps reasonable in the circumstances to protect PHI against theft, loss, unauthorized use or disclosure, and unauthorized copying, modification, or disposal. This encompasses administrative safeguards (policies, training, confidentiality agreements), technical safeguards (encryption, access controls, audit logging), and physical safeguards (locked cabinets, restricted server rooms, positioned monitors).
Retention and destruction are governed by s. 13(1), which requires secure handling at every stage. PHIPA itself does not prescribe specific retention periods — these come from professional regulators. The College of Physicians and Surgeons of Ontario requires physicians to retain medical records for a minimum of 10 years from the date of the last entry, or 10 years after a minor patient reaches age 18. Given the Limitations Act’s 15-year ultimate limitation period, many practitioners retain records for 15+ years. When records reach end-of-life, destruction must render reconstruction not reasonably foreseeable — cross-cut shredding for paper, specialized data wiping or physical destruction for electronic media.
Patient access rights under ss. 52–54 [PHIPA requirement] require HICs to respond to access requests within 30 calendar days, extendable by a further 30 days under specific conditions (s. 54(3)–(4)). Clinics may charge a reasonable cost-recovery fee. Access may be refused only on narrow grounds including risk of serious harm, records created for legal proceedings, or records from government inspections. Under s. 55, patients may request correction of errors; if refused (e.g., the record is a professional opinion made in good faith), the patient must be allowed to attach a statement of disagreement.
Breach notification: Ontario’s demanding requirements
Ontario’s breach notification regime under PHIPA is more demanding than PIPEDA — there is no harm threshold. Every instance of theft, loss, unauthorized use, or unauthorized disclosure triggers mandatory notification, regardless of severity.
Notification to affected individuals is required under s. 12(2) [PHIPA requirement] at the “first reasonable opportunity.” While PHIPA prescribes no specific day count, the IPC has made clear through decisions that delays of months are unacceptable. In PHIPA Decision 255, notifications sent one year after discovery were found non-compliant. The notification must describe what happened and include a statement that the individual is entitled to complain to the IPC. Best practice adds: what PHI was involved, containment steps taken, self-protection measures, and contact information.
Notification to the IPC is required under s. 12(3) [PHIPA requirement] and O. Reg. 329/04, s. 6.3 when any of seven circumstances apply: the breach involved a person who knew or ought to have known they were acting without authority; PHI was stolen; there is continuing unauthorized use or disclosure; the breach is part of a pattern of similar incidents; the HIC has disciplined or terminated an agent who is a regulated health profession member; the HIC has revoked or restricted privileges of a practitioner; or the HIC determines the breach is significant after considering sensitivity, volume, number of affected individuals, and whether multiple parties were responsible.
Annual statistical reports must be submitted electronically to the IPC by March 1 [PHIPA requirement] of each year, covering the previous calendar year (O. Reg. 329/04, s. 6.4). Reports must include counts broken down by breach type — stolen, lost, unauthorized use, unauthorized disclosure — with the number of affected individuals. Additionally, when agents who are members of a regulated college are involved, the HIC must notify the relevant regulatory college within 30 days (s. 17.1(2)).
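The three notification duties above (individuals under s. 12(2), the IPC under s. 12(3) and O. Reg. 329/04 s. 6.3, the regulatory college under s. 17.1(2)) plus the March 1 annual report are easy to miss in the first hours of an incident. The following triage helper is an added example written for this guide; it is not IPC or OpsMed code. It encodes the seven IPC triggers as listed above and assumes, for illustration, that the 30-day college clock starts on the date of the disciplinary action; the field names are this example's own.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

BREACH_KINDS = ("theft", "loss", "unauthorized_use", "unauthorized_disclosure")

# The seven IPC-notification circumstances from O. Reg. 329/04 s. 6.3, keyed by
# the BreachFacts field (or, for "stolen", the breach kind) that triggers each.
IPC_TRIGGERS = (
    ("actor_knew_unauthorized", "person knew or ought to have known they lacked authority"),
    ("stolen", "PHI was stolen"),
    ("ongoing", "continuing unauthorized use or disclosure"),
    ("pattern", "part of a pattern of similar incidents"),
    ("agent_disciplined", "agent who is a regulated college member was disciplined or terminated"),
    ("privileges_restricted", "practitioner privileges revoked or restricted"),
    ("assessed_significant", "HIC assessed the breach as significant"),
)


@dataclass
class BreachFacts:
    discovered: date
    kind: str                               # one of BREACH_KINDS
    actor_knew_unauthorized: bool = False
    ongoing: bool = False
    pattern: bool = False
    agent_disciplined: bool = False         # agent is a college member and was disciplined/terminated
    privileges_restricted: bool = False
    assessed_significant: bool = False
    discipline_date: Optional[date] = None  # assumption: start of the 30-day college clock (s. 17.1(2))


def triage(b: BreachFacts) -> dict:
    """Return which notifications the facts require and the fixed deadlines."""
    if b.kind not in BREACH_KINDS:
        raise ValueError(f"unknown breach kind: {b.kind}")
    # s. 12(2): every theft, loss, unauthorized use or disclosure must be
    # notified to the affected individuals; there is no harm threshold.
    reasons = []
    for field_name, text in IPC_TRIGGERS:
        triggered = (b.kind == "theft") if field_name == "stolen" else getattr(b, field_name)
        if triggered:
            reasons.append(text)
    college_deadline = None
    if b.agent_disciplined:
        if b.discipline_date is None:
            raise ValueError("discipline_date is required when agent_disciplined is set")
        college_deadline = b.discipline_date + timedelta(days=30)
    return {
        "notify_individuals": True,                  # at the first reasonable opportunity
        "notify_ipc": bool(reasons),                 # s. 12(3) / O. Reg. 329/04 s. 6.3
        "ipc_reasons": reasons,
        "college_deadline": college_deadline,        # s. 17.1(2)
        "annual_report_due": date(b.discovered.year + 1, 3, 1),  # O. Reg. 329/04 s. 6.4
    }


if __name__ == "__main__":
    # Constructed scenario: a snooping agent disciplined on 2025-08-01.
    snoop = BreachFacts(discovered=date(2025, 7, 10), kind="unauthorized_use",
                        actor_knew_unauthorized=True, agent_disciplined=True,
                        discipline_date=date(2025, 8, 1))
    for key, value in triage(snoop).items():
        print(f"{key}: {value}")
```

The individual-notification letter itself still has to carry the mandatory statement of the right to complain to the IPC; this helper only tells the privacy officer which clocks are running.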
The IPC’s four-step breach protocol [IPC guidance] — Contain, Notify, Investigate, Prevent — is the operational standard. Containment means immediate action: retrieve records, revoke access, shut down systems, preserve evidence. Recent IPC decisions have expanded what constitutes a breach: ransomware encryption alone constitutes unauthorized “use” and “loss” of PHI, triggering the duty to notify individuals under s. 12(2) even without evidence of data exfiltration or access by the threat actor (upheld by the Divisional Court in Hospital for Sick Children v. Ontario (IPC), 2025 ONSC 5208). Email account compromise for even one hour constitutes both unauthorized disclosure and unauthorized use, triggering the duty to notify at the first reasonable opportunity (PHIPA Decision 255, involving the Simcoe Muskoka District Health Unit, July 2024).
IPC guidance reshaping clinic compliance in 2025–2026
The IPC released landmark guidance on January 28, 2026 addressing AI scribes in healthcare — directly relevant to clinics adopting ambient listening and transcription tools. The guidance requires clinics to establish an AI governance committee with authority to approve, pause, or decommission AI deployments. Before deploying any AI scribe, clinics must complete a privacy impact assessment [IPC guidance], conduct vendor due diligence with contractual safeguards covering data retention, subcontractor controls, and breach notification, and ensure meaningful patient consent that communicates AI use, risks, and alternatives. Human oversight of AI outputs is mandatory given risks of hallucinations and transcription errors. The IPC simultaneously published six principles for responsible AI use jointly with the Ontario Human Rights Commission: AI systems must be valid and reliable, safe, privacy protective, human rights affirming, transparent, and accountable. [IPC guidance] For a vendor-by-vendor comparison of how Ontario’s AI scribes handle PHIPA obligations, see our AI Scribes Buyer’s Guide. For a focused analysis of the IPC’s new rules for AI scribes specifically, see our blog post on AI scribe compliance in Ontario.
For solo practitioners and small clinics, the IPC’s governance expectations can be scaled appropriately. Rather than establishing a formal committee, a solo physician can designate themselves as the AI governance authority — documenting the decision to adopt an AI scribe, ensuring the vendor agreement prohibits use of clinic PHI for training the vendor’s foundational models, and confirming patients can opt out of AI transcription without penalty. The key is documented decision-making, not organizational complexity. [IPC best practice]
A real-world cautionary tale emerged when the IPC investigated a hospital where an unapproved AI transcription tool (Otter.ai) automatically joined a virtual hepatology rounds meeting on September 23, 2024, recorded discussion involving PHI of 7 patients, and emailed transcripts to 65 recipients including 12 former employees. The hospital notified the IPC in December 2024, and the IPC subsequently published its response letter recommending blocking unapproved AI tools at the firewall level and auditing offboarding procedures to revoke all calendar and meeting access upon departure.
PHIPA Decision 298 (August 2025) stands as the most consequential enforcement action in PHIPA’s history — the first administrative monetary penalty issued by any privacy commissioner in Canada. A physician at Windsor Regional Hospital used the shared EHR to conduct 146 targeted searches over three weeks, accessing PHI of up to 831 patients — newborn males — then contacted 91 families to offer circumcision services at his private clinic for $350 per procedure. His clinic, WE Kidz Pediatrics, had no privacy policies, no privacy management program, and no documented information practices when it opened. The IPC imposed a $5,000 AMP against the physician and $7,500 against the clinic, and established the standard of “demonstrable accountability”: it is not enough to claim compliance — clinics must produce evidence of policies, training records, and signed confidentiality agreements.
The IPC’s Privacy Management Handbook for Small Health Care Organizations (May 2025) is the single most important operational resource for clinics. Directly targeting solo practitioners, walk-in clinics, specialist practices, and family health teams, it provides templates for privacy policies, breach response protocols, confidentiality agreements, and vendor assessment checklists. IPC Fact Sheet #16 (Health-Care Requirement for Strong Encryption) states that all AES key lengths (128, 192, 256 bit) are currently considered secure for routine use, but notes that AES-128 may not be sufficiently secure for long-term archival of sensitive information. Fact Sheet #12 (Encrypting Personal Health Information on Mobile Devices) adds that AES-192 or AES-256 provide substantially stronger protection. In practice, clinics should use AES-256 for PHI storage and TLS 1.2+ for data in transit. [IPC guidance] Other essential IPC resources include the email communication fact sheet (September 2016) requiring encryption for PHI transmission, and the virtual health care guidance (February 2021) applicable to all telehealth operations.
Cloud storage, EMRs, and technology compliance
PHIPA does not contain an explicit prohibition on storing PHI outside Canada, but the practical compliance landscape creates strong de facto data residency requirements. Cloud providers hosting PHI typically function as electronic service providers (ESPs) under s. 10(4), required by O. Reg. 329/04, s. 6(1) to use PHI only as necessary for providing services, never disclose PHI, and restrict employee access. When a provider enables PHI sharing between multiple HICs, it becomes a Health Information Network Provider (HINP) with enhanced obligations including mandatory written agreements, PIAs, threat risk assessments, access/transfer logging, and immediate breach notification (O. Reg. 329/04, s. 6(3)).
PHIPA likewise contains no blanket prohibition on storing or disclosing PHI outside Ontario. Cross-border data flows are governed by the general consent and safeguards framework — the HIC remains responsible for ensuring PHI is protected regardless of where it is stored or processed. However, program-specific requirements impose practical data residency constraints. Ontario Health’s Virtual Visit Standard explicitly requires virtual visit data to be held on systems located in Canada. Provincial digital health services (OLIS, HRM, ConnectingOntario) mandate Canadian hosting. The conservative, widely adopted compliance position is to store all PHI in Canada, preferably in Ontario: this is a [Program requirement] for provincial EHR services and [IPC guidance] otherwise. All three major cloud providers offer Canadian regions — Azure has Canada Central (Toronto) and Canada East (Quebec City), AWS has Canada (Central) in Montreal, and Google Cloud offers Montreal and Toronto. No cloud platform is PHIPA-compliant out of the box; compliance requires active configuration including tenant setup in Canadian regions, sensitivity labels, data loss prevention, multi-factor authentication, and audit logging.
Encryption requirements flow from the “reasonable safeguards” obligation in s. 12(1) rather than from prescribed technical standards. The IPC’s guidance establishes the practical floor: AES-128 minimum (AES-256 preferred) for data at rest, TLS 1.2+ for data in transit, and strong encryption on all mobile devices containing PHI. Loss of an encrypted device significantly reduces the risk of unauthorized access and may mitigate notification obligations, but encryption alone does not automatically eliminate reporting requirements under s. 12. Clinics should still assess each incident on its facts. [IPC best practice] Every clinic technology stack should include full-disk encryption on workstations, encrypted backups stored in Canada, automatic screen lock and timeout, unique user credentials with MFA, and regular audit log review.
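The "TLS 1.2+ for data in transit" floor is the one part of this guidance that clinic integration scripts (EMR exports, e-fax APIs, cloud backups) routinely get wrong by disabling certificate checks to make a connection work. The following is an added example written for this guide, not IPC or vendor code: a hardened client context beside the weak one, and a checker that reports which parts of the floor a given context misses. It uses only the Python standard library `ssl` module.

```python
import ssl


def hardened_client_context():
    """Client context meeting the in-transit floor: TLS 1.2+, certificate and hostname verified."""
    ctx = ssl.create_default_context()            # CERT_REQUIRED and check_hostname by default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse anything older than TLS 1.2
    ctx.options |= ssl.OP_NO_COMPRESSION          # TLS compression is a known leak vector
    return ctx


def insecure_context():
    """The weak configuration seen in hurried integration code: verification switched off."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False     # must be cleared before verify_mode can be relaxed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def transit_floor_problems(ctx):
    """Return the list of floor violations for a context; an empty list means it passes."""
    problems = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        problems.append("permits TLS versions below 1.2")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        problems.append("does not require a valid server certificate")
    if not ctx.check_hostname:
        problems.append("does not verify the server hostname")
    return problems


if __name__ == "__main__":
    for name, ctx in (("hardened", hardened_client_context()), ("insecure", insecure_context())):
        print(name, transit_floor_problems(ctx) or "meets floor")
```

Pass the hardened context explicitly wherever a script opens a connection, for example `urllib.request.urlopen(url, context=hardened_client_context())`, and run `transit_floor_problems` over any context a vendor SDK hands back before trusting it with PHI.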
Vendor contracts should specify scope of permitted PHI use, security requirements, breach notification procedures with timelines, Canadian data residency guarantees, audit rights, data return and destruction upon termination, subcontractor restrictions, and PHIPA compliance obligations. For EMRs, clinicians must use an OntarioMD-certified product to access provincial EHR services. The major certified options — Accuro (Harris Healthcare), OSCAR (through certified deployment partners), and PS Suite/Med Access (Telus Health) — all support OLIS, HRM, and ConnectingOntario integration. OntarioMD’s five-stage certification process evaluates data standards, identity management, privacy and security, and hosting, with total fees of $27,500 for vendor certification. [Program requirement]
Appointment reminders, online booking, and SMS compliance
Automated SMS and email appointment reminders involve the disclosure of PHI to third-party Electronic Service Providers. [IPC guidance] A patient’s name linked to a specific clinic or appointment type (e.g., “Psychiatry follow-up at 2 PM”) constitutes PHI. Clinics must ensure reminder services and online booking platforms sign PHIPA-compliant vendor agreements under O. Reg. 329/04, s. 6(1), and practice data minimization — reminders should include only the minimum necessary information (date, time, clinic name) without referencing specific medical details or sensitive appointment types. Third-party booking platforms that collect patient contact information and health card numbers are handling PHI and must be assessed as ESPs with Canadian data residency, access restrictions, and breach notification obligations.
Patient communication: secure portals vs. standard email
The IPC strongly recommends secure patient portals over standard email for communicating PHI. [IPC guidance] Standard email (including Gmail, Outlook.com, and Yahoo) transmits data unencrypted between mail servers and is vulnerable to interception, misdirection, and unauthorized access. If a clinic chooses to communicate PHI by standard email, express patient consent is required — the patient must be informed of the risks and explicitly agree. The IPC’s email communication fact sheet (September 2016) advises encrypting all PHI transmitted electronically. In practice, clinics should default to secure messaging platforms integrated with their EMR, and reserve standard email only for non-PHI communications such as appointment reminders that do not reference clinical details.
Fax security remains Ontario’s top privacy risk
Despite being treated as a legacy technology, fax remains the dominant communication channel in Ontario primary care, with over 152 million healthcare faxes transmitted annually. Misdirected faxes account for 63% of all unauthorized PHI disclosures reported to the IPC — making fax the single largest source of privacy breaches in the province. [PHIPA requirement] Clinics must implement reasonable safeguards (s. 12(1)) for fax communications, which the IPC has indicated should include: pre-programming frequently used fax numbers to reduce manual dialing errors, using fax cover sheets with confidentiality notices, verifying recipient fax numbers before transmitting PHI, positioning fax machines in secure areas inaccessible to unauthorized persons, and conducting regular audits of fax logs for misdirected transmissions. Clinics transitioning to e-fax services must assess these vendors as Electronic Service Providers under O. Reg. 329/04, s. 6(1), with written agreements covering PHI handling, Canadian data residency, and breach notification.
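The last fax safeguard listed above, auditing fax logs for misdirected transmissions, is rarely done because nobody reads raw logs. The following is an added example written for this guide (not IPC, OpsMed or any fax vendor's code) of what that audit looks like in practice: every destination that is not in the pre-programmed directory is flagged, and a destination that is exactly one digit away from a directory entry is escalated as a probable misdial. The directory, the log format and the 555 numbers are constructed for the example; real fax servers and e-fax vendors each have their own log layout, so `LINE` is the part to adapt.

```python
import re
from collections import Counter

# Constructed pre-programmed directory: digits only -> recipient label.
DIRECTORY = {
    "4165550100": "Lab (constructed)",
    "4165550111": "Hospital records (constructed)",
    "9055550122": "Specialist office (constructed)",
}

# Constructed fax-server log in a generic "TS TO= PAGES= STATUS=" layout.
SAMPLE_LOG = """\
2026-03-02 09:14 TO=416-555-0100 PAGES=3 STATUS=OK
2026-03-02 09:40 TO=416-555-0101 PAGES=2 STATUS=OK
2026-03-02 10:05 TO=905-555-0122 PAGES=5 STATUS=OK
2026-03-02 11:30 TO=647-555-0199 PAGES=1 STATUS=OK
2026-03-02 11:31 TO=647-555-0199 PAGES=1 STATUS=FAILED
2026-03-02 13:02 TO=416-555-0111 PAGES=4 STATUS=OK
"""

LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) TO=(?P<to>[\d\-]+) "
    r"PAGES=(?P<pages>\d+) STATUS=(?P<status>\w+)$"
)


def parse_log(text):
    """Parse recognised lines into dicts; the destination is normalised to digits only."""
    entries = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # blank or unrecognised line
        entries.append({"ts": m["ts"], "to": re.sub(r"\D", "", m["to"]),
                        "pages": int(m["pages"]), "status": m["status"]})
    return entries


def near_miss(number, directory):
    """Return the first directory number differing from `number` in exactly one digit, else None."""
    for known in directory:
        if len(known) == len(number) and sum(a != b for a, b in zip(known, number)) == 1:
            return known
    return None


def audit_fax_log(text, directory=DIRECTORY):
    """Flag every transmission to a destination outside the pre-programmed directory."""
    entries = parse_log(text)
    manual_counts = Counter(e["to"] for e in entries if e["to"] not in directory)
    findings = []
    for e in entries:
        if e["to"] in directory:
            continue
        hit = near_miss(e["to"], directory)
        if hit:
            finding = {"severity": "high",
                       "reason": f"one digit off {directory[hit]} ({hit}); probable misdial, "
                                 "confirm receipt and treat as a potential misdirected fax"}
        else:
            reason = "manually dialed number not in directory; confirm recipient"
            if manual_counts[e["to"]] > 1:
                reason += "; recurring destination, consider pre-programming it"
            finding = {"severity": "medium", "reason": reason}
        finding.update(ts=e["ts"], to=e["to"], pages=e["pages"], status=e["status"])
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in audit_fax_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['to']} [{f['severity']}] {f['reason']}")
```

A high finding is a candidate breach under s. 12(2) and should go straight into the Contain step of the IPC protocol (call the recipient, confirm destruction or return); the medium findings are the list of numbers to add to the directory so that manual dialing disappears over time.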
Staff privacy training is a practical mandate
While PHIPA does not use the phrase “training program required,” the combined effect of ss. 10, 12, and 17 creates an unmistakable obligation. Section 17(1) requires HICs to take reasonable steps to ensure agents comply with PHIPA — the IPC has indicated this includes random access audits [IPC guidance] and regular staff training. The IPC’s PIA guidelines explicitly ask organizations to document training length, frequency, which categories of agents receive training, and how completion is recorded.
Annual training [IPC guidance / Program requirement] is the accepted standard across the Ontario health sector. Ontario Health requires its staff to complete privacy and security training annually. ConnectingOntario mandates annual completion of its Privacy and Security Training test for all ClinicalViewer users. [Program requirement] OntarioMD provides free, CME-accredited privacy and security training modules (updated March 2026 to address AI tools) offering up to three Mainpro+ credits through the College of Family Physicians of Canada.
Training must cover: what constitutes PHI (s. 4), custodian and agent roles (s. 17), consent principles including express versus implied consent (ss. 18–26), circle of care rules (s. 20), the data minimization principle (s. 30), administrative/technical/physical safeguards (s. 12(1)), breach notification duties (s. 12(2)), the lock-box right, patient access and correction rights (ss. 52–55), prohibited activities including snooping (s. 72), and secure disposal procedures (s. 13). New agents must complete training before receiving access to PHI. Documentation should include the agent’s name, training date, topics covered, completion evidence, and a signed confidentiality acknowledgment.
The consequences of staff violations reinforce training urgency. Individual agents face AMPs of up to $50,000, criminal fines of up to $200,000 and imprisonment of up to one year for wilful offences, and civil liability including up to $10,000 for mental anguish. The HIC retains ultimate responsibility — even if an agent acted beyond authority. Under s. 17.1, if a HIC terminates, suspends, or disciplines an agent who is a college member, reporting to the regulatory college is mandatory within 30 days. [PHIPA requirement]
Staff offboarding: the forgotten safeguard
Orphaned accounts of former employees are a leading vector for unauthorized access and ransomware. [PHIPA requirement] The safeguards obligation under s. 12(1) extends to access revocation upon departure. Clinics should maintain a documented offboarding checklist executed on the day of departure: disable or delete all EMR user accounts, revoke ONE® ID and ConnectingOntario credentials, terminate building access (keys, fobs, alarm codes), remove calendar and virtual meeting access to prevent tools like Otter.ai from auto-joining via retained invites, wipe any clinic PHI from personal mobile devices under BYOD arrangements, and collect physical assets (laptops, USB drives, printed materials). The Otter.ai breach — where a former physician’s retained calendar access enabled an AI tool to record and distribute PHI — demonstrates how a single missed offboarding step can cause a reportable privacy incident.
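The checklist above only works if someone verifies it was executed. A periodic reconciliation of the HR departure list against the accounts still active in each system catches the missed step before it becomes an incident. The following is an added example written for this guide, not OpsMed's or any vendor's code; the roster, the account snapshots and the system names are constructed, and in practice each set would be exported from the EMR, calendar platform, door-access system and ONE® ID administration console.

```python
from datetime import date

# Constructed HR roster: user id -> last day of employment.
DEPARTURES = {"jdoe": date(2026, 2, 14), "rsmith": date(2026, 1, 30)}

# Constructed snapshot of principals still active in each system on audit day.
ACTIVE = {
    "emr": {"jdoe", "akim", "mlee"},
    "calendar_meetings": {"jdoe", "rsmith", "akim"},
    "building_access": {"rsmith", "akim", "mlee"},
    "one_id": {"akim", "mlee"},
}

# Order of the offboarding checklist this example assumes.
CHECKLIST = ("emr", "calendar_meetings", "building_access", "one_id")


def orphaned_accounts(departures, active, as_of):
    """List every (user, system) pair where a departed user still holds access, oldest first."""
    findings = []
    departed = set(departures)
    for system, users in active.items():
        for user in sorted(users & departed):
            findings.append({"user": user, "system": system,
                             "days_since_departure": (as_of - departures[user]).days})
    return sorted(findings, key=lambda f: (-f["days_since_departure"], f["system"]))


def remaining_steps(user, active, checklist=CHECKLIST):
    """Checklist items still open for one user, in checklist order."""
    return [system for system in checklist if user in active.get(system, set())]


if __name__ == "__main__":
    for f in orphaned_accounts(DEPARTURES, ACTIVE, as_of=date(2026, 3, 2)):
        print(f"{f['user']:8} {f['system']:18} {f['days_since_departure']:>3} days after departure")
    for user in DEPARTURES:
        print(user, "still open:", remaining_steps(user, ACTIVE))
```

Retained calendar and meeting access is the line item that the Otter.ai incident turned into a reportable breach, which is why `calendar_meetings` sits in the checklist next to the EMR rather than being treated as a convenience account.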
How PHIPA and federal privacy law intersect
PHIPA was declared “substantially similar” to Part 1 of PIPEDA by federal Order in Council P.C. 2005-2224 on November 28, 2005. The practical effect: HICs and their agents who comply with PHIPA are exempt from PIPEDA for the collection, use, and disclosure of PHI within Ontario. However, PIPEDA continues to apply to interprovincial and international data transfers, federally regulated organizations handling health data, and non-health commercial activities (such as pharmacy loyalty programs or retail sales data unrelated to health care).
For clinics operating entirely within Ontario and handling only PHI, PHIPA is the primary privacy statute. However, common law duties of confidentiality, CPSO professional standards, employment law (for staff health records), and other regulatory obligations also apply concurrently. The moment PHI crosses provincial or national borders — stored on a US-hosted cloud server, sent to an out-of-province specialist, or transferred to a national insurer — PIPEDA may also apply. The Office of the Privacy Commissioner of Canada and the Ontario IPC maintain a memorandum of understanding for cooperation and complaint referral.
Bill C-27, the proposed federal Consumer Privacy Protection Act that would have replaced PIPEDA with potential fines of up to $25 million or 5% of global revenue, died on the Order Paper when Parliament was prorogued on January 6, 2025. PIPEDA remains in force with no imminent changes. Any future federal privacy reform would require re-evaluation of PHIPA’s substantially similar designation.
Ontario Health and OntarioMD layer additional requirements
Ontario Health and OntarioMD impose compliance requirements that extend beyond PHIPA’s statutory floor. Clinics connecting to provincial EHR systems must complete privacy and security attestation, designate a Privacy and Security Contact/Officer, and have their Legally Responsible Person sign agreement packages. The ConnectingOntario ClinicalViewer requires ONE® ID credentials for all users, mandatory privacy and security training (~40 minutes) before access is granted, and annual recompletion of the training test. [Program requirement] Organizations must maintain training records and produce them on audit.
The Digital Health Drug Repository (DHDR) — containing 12+ years of publicly funded drug dispensing data and 10+ years of monitored drug data — is accessible through ConnectingOntario, ClinicalConnect, and certified EMRs, subject to identical onboarding requirements. The Health Report Manager (HRM) delivers hospital reports electronically to clinician EMRs under a Services Subscription Agreement that incorporates ongoing compliance obligations.
Ontario’s Enhancing Digital Security and Trust Act, 2024 (Bill 194) enables the government to set regulation requirements for cybersecurity programs in health institutions, including mandatory incident reporting, technical standards, and defined roles. Specific regulations remain forthcoming through public consultation, but clinics should anticipate formal cybersecurity program requirements. Ontario Health’s Cyber Security Centre already operates Regional Security Operating Centres reaching 100% of acute hospitals and continues expanding its scope.
The More Convenient Care Act, 2025 (Bill 11) introduced Digital Health Identifiers (DHIs) through a new Part V.2 of PHIPA, with Ontario Health authorized to create and manage these unique patient identifiers for the provincial EHR. The IPC raised significant concerns about oversight gaps, conflation of Ontario Health’s roles, and insufficient consent protections. Proposed amendments to O. Reg. 329/04 supporting the DHI framework and individual access to PHI in the EHR were published for public comment in August 2025.
Penalties have teeth — and they are being used
PHIPA’s penalty structure operates on three tiers. Administrative monetary penalties under s. 61.1 (in force January 1, 2024) allow the IPC to impose fines of up to $50,000 for individuals and $500,000 for organizations, increased by the amount of any economic benefit derived. Criminal prosecution under s. 72 — requiring Attorney General consent — carries fines of up to $200,000 for individuals (with up to one year imprisonment) and $1,000,000 for organizations, with no limitation period for commencing proceedings. Corporate officers who authorized an offence or knowingly failed to prevent it face personal liability. Civil action under s. 65 permits actual damages plus up to $10,000 for mental anguish where wilful or reckless misconduct is established.
The IPC’s enforcement posture has shifted decisively from advisory to punitive. Beyond Decision 298’s landmark AMP, multiple convictions for “snooping” — healthcare workers accessing records without authorization — have resulted in fines reaching $20,000. The TransForm/TSSO ransomware decisions (PHIPA Decisions 253–254) found that hospitals’ public breach notices failed compliance for omitting the mandatory IPC complaint statement. Decision 266 found a clinic non-compliant for tearing rather than shredding documents containing PHI. The message is consistent: the IPC expects documented, demonstrable compliance — not good intentions.
Conclusion: the compliance imperative for Ontario clinics
Three developments define the current PHIPA compliance landscape. First, enforcement has real consequences — AMPs, criminal penalties, professional discipline, and civil liability create overlapping accountability that reaches both organizations and individuals. Second, technology governance is now central — the January 2026 AI scribe guidance, cloud storage expectations, and digital health identifier framework demand that clinics assess, document, and govern every technology touching PHI. Third, demonstrable accountability is the new standard — the IPC expects not just policies on paper but evidence of implementation: training logs, signed confidentiality agreements, audit trails, vendor assessments, and privacy impact assessments.
Clinics preparing for PHIPA compliance or audit should focus on five priorities:
- designating a contact person and publishing a written statement of information practices;
- implementing annual staff training with documented completion records;
- establishing breach response protocols with clear notification pathways to individuals, the IPC, and regulatory colleges;
- executing vendor and cloud provider assessments with written agreements meeting PHIPA requirements; and
- conducting privacy impact assessments before deploying any new technology — particularly AI tools.
The IPC’s May 2025 Privacy Management Handbook for Small Health Care Organizations provides the operational blueprint, and OntarioMD’s free CME-accredited training modules offer an immediately actionable starting point for every clinic in Ontario. PHIPA compliance should be embedded in every phase of your clinic’s digital transformation journey — our Digital Transformation Guide maps a phased approach.
OpsMed helps Ontario clinics automate operations while maintaining PHIPA compliance. Learn more about our approach to trust and security, explore how AI scribes are changing clinical documentation, or see our research on the administrative burden crisis and FHO+ billing.
Coverage and limitations
This guide draws on: the Personal Health Information Protection Act, 2004 (S.O. 2004, c. 3, Sched. A) and Ontario Regulation 329/04; IPC decisions, guidance documents, and fact sheets published through March 2026; Ontario Health and OntarioMD program documentation; case law including Hospital for Sick Children v. Ontario (IPC), 2025 ONSC 5208; and professional standards from the CPSO, CFPC, and OMA. This guide does not constitute legal advice. PHIPA obligations are complex and fact-specific; clinics should consult qualified legal counsel for compliance decisions affecting their specific circumstances. Program requirements (Ontario Health, OntarioMD, ConnectingOntario) evolve independently of the statute and should be verified against current documentation. This guide focuses on Ontario family medicine practices and may not address all obligations relevant to hospitals, long-term care homes, or other institutional HICs.