PHIPA compliance means a clinic meets its legal duties under Ontario's Personal Health Information Protection Act: safeguarding patient records, honouring patient consent, reporting certain breaches to the privacy regulator, and giving patients access to their own information. It applies to most private clinics that collect or hold personal health information.
That is the short version. The longer version matters because the rules changed in ways that raise the stakes for small clinics, and because the language around them tends to be written for lawyers rather than for the person who actually runs the front desk. This guide walks through what PHIPA asks of a clinic in plain terms, who it covers, what counts as a breach, what happens when things go wrong, and what a compliant clinic looks like in practice.
Who has to follow PHIPA?
PHIPA (the Personal Health Information Protection Act, 2004) governs organizations and people it calls "health information custodians," or HICs. That is a broad group. It includes private clinics, physicians, dentists, and other regulated health professionals working in independent or group practice. If your clinic collects, uses, or stores personal health information about patients in Ontario, you are almost certainly a custodian, and the Act applies to you directly.
Being a custodian is not a formality. It means the legal responsibility for protecting that information sits with you, not with your software vendor and not with whoever happens to be at the front desk when something goes wrong. Your electronic medical record system is a tool you use to meet your obligations. It is not the party the regulator holds accountable.
What does PHIPA actually require a clinic to do?
At the centre of PHIPA is consent. The Act runs on a model called "implied consent within the circle of care." In practice, that means the clinicians and staff directly involved in a patient's care can share that patient's information among themselves to provide treatment, without asking permission at every step. Patients can push back on this. They can withhold or withdraw consent for specific information, sometimes described as putting a record in a "lockbox." And for any use of health information outside direct care, you need the patient's express consent rather than implied consent.
Alongside consent, PHIPA requires custodians to keep reasonable safeguards in place against theft, loss, and unauthorized use or disclosure of personal health information. This is section 12 of the Act. "Reasonable" is doing a lot of work in that sentence, and it is deliberately not a fixed checklist. It scales with the sensitivity of the information and the size of the practice, but at minimum it covers the physical, technical, and administrative measures a reasonable clinic would take to keep records from walking out the door or landing in the wrong hands.
Patients also have rights you have to honour. They can request access to their own records, and they can ask you to correct information they believe is wrong. These are not favours. They are legal entitlements, and how a clinic responds to them is part of being compliant.
What counts as a privacy breach under PHIPA?
A breach is any theft, loss, or unauthorized use or disclosure of personal health information. That last phrase is the one clinics underestimate. A breach is not only a hacker or a stolen laptop. It includes a staff member looking up the file of a patient they are not treating, a fax or email sent to the wrong recipient, or records left accessible to someone who should not see them. Curiosity-driven snooping by an employee is one of the most common breaches clinics face, and it counts.
The point worth holding onto is that a breach is about unauthorized access to information, not about whether anyone was harmed. That distinction becomes important the moment you have to decide whether to report.
Do I have to report a breach, and when?
Sometimes, yes. Mandatory breach reporting to the Information and Privacy Commissioner of Ontario (the IPC) has been in force since October 1, 2017, under section 12(3) of the Act and Ontario Regulation 224/17. You are required to notify the IPC when a breach falls into specific prescribed circumstances, including theft, unauthorized use or disclosure, a pattern of similar breaches, a breach that leads to a regulatory college disciplining a member, or any breach that is "significant."
There is a common misreading worth clearing up. Some privacy laws use a "real risk of significant harm" threshold before notification kicks in. For a clinic acting as a custodian, that harm threshold is not the test. The prescribed circumstances above are what govern whether you report. (A separate harm-based rule exists for Health Information Network Providers, which is a different kind of organization, so do not let that framing bleed into how you assess your own clinic's duties.)
There is also a quieter obligation that many clinics miss entirely. Every custodian must submit an annual statistical breach report to the IPC, due by March 1 each year. This duty has applied since 2019, with tracking of the underlying statistics beginning January 1, 2018. Even a clinic that had no reportable breach still has to account for that. It is a recurring calendar item, not a one-time task.
What happens if my clinic doesn't comply?
The consequences got heavier, and they now run on more than one track.
Since January 1, 2024, the IPC has had the power to levy Administrative Monetary Penalties, or AMPs, of up to $50,000 for an individual and up to $500,000 for an organization. This is a newer, faster enforcement tool, and in 2025 the IPC used it for the first time in a decision known as PHIPA Decision 298. We cover that case in detail in a companion article; for now the takeaway is simply that the power is no longer theoretical.
AMPs sit alongside an older penalty track that still exists. PHIPA has long carried offence-fine provisions under section 72, and those fines were doubled by Bill 188, in force March 25, 2020, to a maximum of $200,000 for an individual and $1,000,000 for an organization.
And there is a second, separate line of accountability that clinics tend to forget. PHIPA is enforced by the IPC. Your regulatory college is a different body enforcing its own professional standards through complaints and discipline. One incident can trigger both at once: a privacy breach that draws the IPC's attention can also become a college matter for the clinician involved. They are two independent tracks running in parallel, and satisfying one does not settle the other.
What should a compliant clinic actually have in place?
Compliance is less about a single document and more about a small set of habits and controls that hold up under scrutiny. In practical terms, a compliant clinic can point to most of the following:
- A written privacy policy that reflects how the clinic actually handles information, not a generic template no one has read.
- A named privacy officer who owns this area and is the point of contact for questions and complaints.
- Reasonable safeguards, meaning access controls so staff only reach the records they need, audit logs that show who looked at what, and basic physical and technical protection for stored data.
- A breach response process the team knows how to follow, so that when something happens you can assess it against the prescribed circumstances and report it in time rather than improvising.
- A way to handle patient access and correction requests without scrambling.
- A note in the calendar for the March 1 annual statistical breach report.
None of these are exotic. The gap in most small clinics is not knowing the rules exist; it is not having a durable system that keeps these obligations from quietly slipping. Structura is being built to help clinics keep track of exactly this kind of ongoing obligation, so compliance is something you can manage rather than something you rediscover during an incident.
The bigger picture
PHIPA is the floor for clinics operating in Ontario, and the direction of travel since 2020 has been toward sharper enforcement and clearer duties. The reasonable approach for a busy practice is not to memorize the statute but to build compliance into how the clinic runs day to day, so that consent, safeguards, patient rights, and breach reporting are handled as routine rather than as a fire drill.
This article is the hub of a larger series on Canadian clinic compliance. Companion pieces go deeper on the IPC's first AMP decision and what it signals, how PHIPA compares with the health privacy laws in Alberta, British Columbia, and Quebec, and the role a clinic privacy officer actually plays. Read together, they give a clinic owner or office manager a working map of what compliance requires and where the real risks sit.
Frequently asked questions
Does PHIPA apply to small private clinics?
Yes. PHIPA applies to health information custodians in Ontario, which includes private clinics, physicians, dentists, and other regulated health professionals in independent or group practice. Clinic size does not exempt you. If you collect or hold personal health information, the Act applies to you directly.
What is the "circle of care" under PHIPA?
The circle of care is the group of health providers directly involved in a patient's treatment. Within it, PHIPA allows those providers to share the patient's information to deliver care under implied consent, without asking permission at each step. Patients can still withhold or withdraw consent for specific information.
When does a clinic have to report a privacy breach to the IPC?
A clinic must report to the Information and Privacy Commissioner of Ontario when a breach meets prescribed circumstances, including theft, unauthorized use or disclosure, a pattern of similar breaches, a related college disciplinary action, or any significant breach. This has been mandatory since October 1, 2017. Clinics must also file an annual statistical breach report by March 1 each year.
What are the penalties for a PHIPA violation?
Since January 1, 2024, the IPC can impose Administrative Monetary Penalties of up to $50,000 for an individual and up to $500,000 for an organization. Separate offence fines under the Act reach up to $200,000 for an individual and $1,000,000 for an organization. A single incident can also lead to discipline from the clinician's regulatory college, which is a separate process.
Is PHIPA the same as an EMR or medical records system?
No. PHIPA is the privacy law that sets your legal obligations. An electronic medical record system is a tool for storing and managing records. Using a compliant EMR does not on its own make a clinic PHIPA compliant, because the legal responsibility stays with the clinic as the custodian.
Follow for plain-English Canadian clinic-compliance updates. If you want to see where your clinic stands, take the free PHIPA Readiness Scorecard for a quick starting point.
Internal links: IPC Decision 298 → /blog/phipa-fine-decision-298 · DIY spreadsheet gaps → /blog/diy-phipa-compliance-spreadsheet-breaks · PHIPA vs HIPAA → /blog/phipa-vs-hipaa-us-tools-canada · scorecard → /phipa-scorecard
Sources: PHIPA, SO 2004, c 3, Sched A · O.Reg 224/17 · IPC PHIPA Decision 298 (2025 CanLII 85580) · Bill 188 (2020).