PHIPA Compliance for Ontario Clinics: A Practical Guide for Health Custodians
Every Ontario clinic is a health information custodian under PHIPA — whether or not anyone there has read the act. Here's what compliance actually requires, in clinic terms.
By Valdra Team
If you run or work in an Ontario clinic — a family practice, a dental office, a physiotherapy or mental-health practice — you are a "health information custodian" under PHIPA, the Personal Health Information Protection Act. That status isn't optional, and it doesn't wait for you to opt in. The moment you collect personal health information, PHIPA's obligations attach.
The challenge is that most clinics are run by clinicians, not compliance officers. So here's what PHIPA actually requires, translated out of legalese and into clinic reality.
Consent and the circle of care
PHIPA runs on consent, but it's smarter than a blanket form. For the purpose of *providing care*, you can generally rely on implied consent within the "circle of care" — the health professionals involved in a patient's treatment can share relevant information to deliver it. That's why a referral to a specialist doesn't require a signed release each time.
Outside the circle of care, the rules tighten. Using or disclosing personal health information for anything other than direct care — research, marketing, administrative purposes beyond the obvious — generally needs express consent. And patients can place a "lockbox" on specific information, instructing you to withhold it even from other providers. Your systems and staff need to be able to honour that.
The safeguards PHIPA expects
PHIPA requires you to protect personal health information with safeguards appropriate to its sensitivity — and health data is about as sensitive as it gets. In practice:
- Access controls: staff should see only the records they need. The front-desk coordinator doesn't need clinical notes; the locum covering one day doesn't need the whole patient history.
- Audit logging: you should be able to tell who accessed which record and when. "Snooping" on the records of neighbours, exes, or celebrities is a real and recurring PHIPA problem.
- Secure storage and transmission: encrypted systems, locked physical files, secure messaging — not patient details emailed in plain text.
- Agreements with your vendors: your EMR provider, your billing service, your cloud backup, any AI scribe or transcription tool — each is handling PHI on your behalf and needs the right agreement and safeguards in place.
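The access-control, audit-logging and lockbox points above only work if someone actually reviews the access log against what staff legitimately needed. The following is an added illustration, not code from this article or from Valdra: it reads a constructed EMR audit-log export (the column names, user ids, patient ids and record sections are all made up for the example) and flags three kinds of access a custodian would want explained: access to a patient with no appointment or referral on record, access to a record section outside the user's role, and access to a section the patient has lockboxed. The care-relationship table, role-to-section mapping and lockbox instructions are assumed inputs that a real clinic would derive from its scheduling and consent records.

```python
"""Audit-log review for a clinic: flag record accesses that fall outside a
documented care relationship, a role's need-to-know, or a patient's lockbox.
All data below is constructed for illustration and matches no real product."""
import csv
from dataclasses import dataclass
from io import StringIO

# Constructed audit-log export (hypothetical column layout, not a real EMR format).
AUDIT_LOG = """\
timestamp,user,role,patient_id,section,action
2024-03-04T09:02:11,dr_lee,physician,P1001,clinical_notes,view
2024-03-04T09:15:40,front_desk_a,reception,P1001,demographics,view
2024-03-04T09:16:05,front_desk_a,reception,P1001,clinical_notes,view
2024-03-04T11:30:22,dr_lee,physician,P2002,clinical_notes,view
2024-03-04T12:05:00,dr_khan,physician,P1001,mental_health,view
2024-03-04T13:40:18,locum_b,physician,P3003,clinical_notes,view
"""

# Constructed care relationships: (user, patient) pairs backed by an appointment
# or referral that day. In a real clinic this comes from the scheduling system.
CARE_RELATIONSHIPS = {
    ("dr_lee", "P1001"), ("front_desk_a", "P1001"), ("front_desk_a", "P2002"),
    ("dr_khan", "P1001"), ("locum_b", "P3003"),
}

# Assumed role-based need-to-know: which record sections each role requires.
ROLE_SECTIONS = {
    "physician": {"demographics", "clinical_notes", "mental_health", "labs"},
    "reception": {"demographics", "appointments"},
}

# Constructed lockbox instructions: patient -> section -> users still permitted.
# P1001 has asked that mental-health notes be withheld from everyone but dr_lee.
LOCKBOXES = {"P1001": {"mental_health": {"dr_lee"}}}

NO_RELATIONSHIP = "no care relationship on record for this patient"
NEED_TO_KNOW = "section outside the role's need-to-know"
LOCKBOX = "section is lockboxed by the patient for this user"


@dataclass(frozen=True)
class Finding:
    timestamp: str
    user: str
    patient_id: str
    section: str
    reason: str


def review_access_log(log_text, care_relationships, role_sections, lockboxes):
    """Return one Finding per log row that needs a documented explanation.

    Checks run in order of severity; a row is reported once, for the first
    check it fails, so a reviewer sees the most serious reason."""
    findings = []
    for row in csv.DictReader(StringIO(log_text)):
        ts, user, role = row["timestamp"], row["user"], row["role"]
        patient, section = row["patient_id"], row["section"]

        # 1. No appointment or referral links this user to this patient.
        if (user, patient) not in care_relationships:
            findings.append(Finding(ts, user, patient, section, NO_RELATIONSHIP))
            continue

        # 2. The section is not one this role needs (e.g. reception opening notes).
        if section not in role_sections.get(role, set()):
            findings.append(Finding(ts, user, patient, section, NEED_TO_KNOW))
            continue

        # 3. The patient has lockboxed this section and this user is not exempt.
        permitted = lockboxes.get(patient, {}).get(section)
        if permitted is not None and user not in permitted:
            findings.append(Finding(ts, user, patient, section, LOCKBOX))
    return findings


if __name__ == "__main__":
    for f in review_access_log(AUDIT_LOG, CARE_RELATIONSHIPS, ROLE_SECTIONS, LOCKBOXES):
        print(f"{f.timestamp} {f.user} -> {f.patient_id}/{f.section}: {f.reason}")
```

On the constructed log this reports three rows: the reception user opening clinical notes, a physician opening a record with no appointment or referral behind it, and a second physician reading a lockboxed mental-health section. None of these is proof of snooping; they are the rows the clinic should be able to explain and document, which is exactly what the audit-logging safeguard exists to support.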
That last point is where modern clinics quietly fall out of compliance. The instant a clinician starts pasting patient notes into a general-purpose AI tool to tidy up a referral letter, personal health information has left your controlled environment for servers you don't govern — usually outside Canada, almost never with patient consent for that use.
When a privacy breach happens
PHIPA requires you to notify the affected individual at the first reasonable opportunity when their personal health information is lost, stolen, or used or disclosed without authority. In defined circumstances you must also notify the Information and Privacy Commissioner of Ontario (IPC), and you must track breach statistics for annual reporting to the IPC.
The clinics that handle a breach well aren't the ones that never have one — they're the ones who decided in advance how they'd assess it, who they'd tell, and how they'd document it.
Beyond Ontario
If your practice operates in more than one province — or you're benchmarking against the rest of Canada — remember that PHIPA is Ontario's act. Alberta has HIA, Nova Scotia and several other provinces have their own PHIA, and so on. Multi-province providers face a patchwork, not a single standard.
Making PHIPA manageable
PHIPA compliance for a busy clinic isn't about reading the statute — it's about having the consent practices, safeguards, vendor agreements, and breach process *in place and documented*, so that if the IPC ever asks, you have answers instead of anxiety.
Valdra assesses your obligations as a health information custodian, documents your safeguards, builds your breach-response workflow with IPC-ready templates, and covers eight provincial health acts so multi-province practices assess once. See where your clinic stands on PHIPA — before a patient complaint turns into an IPC investigation.