Back to BlogCompliance

PHIPA Compliance Guide for Canadian Hospitals (2026) — Complete Checklist

Jul 1, 2026 10 min readCA

Everything Canadian hospitals need to know about PHIPA compliance — complete checklist, breach notification requirements, and software recommendations.

PHIPA compliance is mandatory for all Ontario hospitals and healthcare providers. With IPC enforcement increasing and penalties up to $500,000 per violation, hospitals need robust compliance processes. This guide covers everything you need.

PHIPA Compliance Checklist

PHIPA Compliance Checklist — Key Items
CategoryRequirementStatus
GovernancePrivacy Officer appointedRequired
GovernancePrivacy policies documentedRequired
GovernancePrivacy impact assessment completedRequired
AccessRole-based access controlsRequired
AccessUnique user IDs for all staffRequired
AccessAccess logs maintained (2+ years)Required
EncryptionPHI encrypted at restRequired
EncryptionPHI encrypted in transit (TLS 1.2+)Required
BreachBreach response plan documentedRequired
BreachIPC notification process establishedRequired
TrainingAnnual PHIPA training for all staffRequired
ContractsBAAs with all service providersRequired

Frequently Asked Questions

What is PHIPA compliance?
PHIPA (Personal Health Information Protection Act) is Ontario's health privacy legislation. Compliance requires hospitals to implement safeguards for personal health information (PHI), including access controls, audit logging, encryption, breach notification, and privacy impact assessments.
What are PHIPA breach notification requirements?
Under PHIPA, hospitals must notify the Information and Privacy Commissioner of Ontario (IPC) of any breach involving PHI. Notification is required when there's a real risk of significant harm to individuals. The notification must be made as soon as possible after the breach is discovered.