Everything Canadian hospitals need to know about PHIPA compliance — complete checklist, breach notification requirements, and software recommendations.
PHIPA compliance is mandatory for all Ontario hospitals and healthcare providers. With IPC enforcement increasing and penalties up to $500,000 per violation, hospitals need robust compliance processes. This guide covers everything you need.
PHIPA Compliance Checklist
| Category | Requirement | Status |
|---|---|---|
| Governance | Privacy Officer appointed | Required |
| Governance | Privacy policies documented | Required |
| Governance | Privacy impact assessment completed | Required |
| Access | Role-based access controls | Required |
| Access | Unique user IDs for all staff | Required |
| Access | Access logs maintained (2+ years) | Required |
| Encryption | PHI encrypted at rest | Required |
| Encryption | PHI encrypted in transit (TLS 1.2+) | Required |
| Breach | Breach response plan documented | Required |
| Breach | IPC notification process established | Required |
| Training | Annual PHIPA training for all staff | Required |
| Contracts | BAAs with all service providers | Required |
Frequently Asked Questions
- What is PHIPA compliance?
- PHIPA (Personal Health Information Protection Act) is Ontario's health privacy legislation. Compliance requires hospitals to implement safeguards for personal health information (PHI), including access controls, audit logging, encryption, breach notification, and privacy impact assessments.
- What are PHIPA breach notification requirements?
- Under PHIPA, hospitals must notify the Information and Privacy Commissioner of Ontario (IPC) of any breach involving PHI. Notification is required when there's a real risk of significant harm to individuals. The notification must be made as soon as possible after the breach is discovered.