STRUCTURA HEALTH
All articles

Your EMR Vendor Isn't PHIPA-Compliant For You: What a Real Vendor Agreement Needs

Buying a Canadian-hosted EMR does not make your clinic PHIPA-compliant. Every third party that touches patient data — your EMR, your billing platform, your IT contractor — needs its own written agreement. Here is what that agreement actually has to cover.

By Structura Health · Last verified

A common and expensive misunderstanding: a clinic assumes that because its EMR vendor advertises "PHIPA-compliant infrastructure," the clinic's own compliance obligations are covered. They are not. PHIPA compliance is not something a vendor can confer on a custodian — it is a written, signed agreement between the two of them that has to exist, and it has to say specific things.

The custodian, not the vendor, carries the legal duty

Under PHIPA, your clinic — not your EMR company, not your billing service, not your IT contractor — is the health information custodian. Every one of those third parties is, in the language of the Act and its provincial equivalents, an information manager or agent acting on the custodian's behalf. Saskatchewan's HIPA calls this relationship an "information management service provider" (IMSP) agreement; Newfoundland & Labrador's PHIA calls it an "information manager" (IM) agreement (s.22); the underlying obligation is the same across every province: a written agreement must exist before that vendor is allowed to touch personal health information, and the agreement has to hold the vendor to standards the custodian is separately accountable for.

What has to actually be in the agreement

A real vendor agreement — not a EULA click-through, not a marketing page claiming compliance — needs to address:

1. Purpose limitation. The vendor may use the data only for the specific services described in the agreement, not for its own product development, marketing, or resale, unless separately and explicitly authorized.

2. Security safeguards. Encryption in transit and at rest, access controls, and a description of who at the vendor can access identifiable health information and why.

3. Data residency. Where the data physically lives, and whether it ever leaves Canada — a live issue given Alberta's Health Information Act, which specifically restricts storing health information outside Canada without express authorization.

4. Breach notification back to the custodian. The vendor must be contractually obligated to notify your clinic of any suspected or confirmed breach immediately — your clinic cannot meet its own regulator-facing deadlines (see the 72-hour breach-response overview) if its vendor sits on the news.

5. Return or destruction of data on termination. What happens to the data when the contract ends — deletion, certified destruction, or return — has to be specified, not assumed.

6. Audit and inspection rights. The custodian needs the contractual right to verify the vendor is actually doing what the agreement says, not just take its word for it.

7. Subcontractor flow-down. If the vendor uses its own subcontractors (a common pattern with cloud-hosted EMRs), the same obligations need to flow down to them.

Why "the vendor said they're compliant" is not evidence

IPC Decision 298 — Ontario's first-ever PHIPA administrative monetary penalty — turned on exactly this kind of gap: the custodian could not produce documented evidence of its own governance, even though the underlying platforms it used may have been secure. The IPC's standard, in its own words, is "a repeatable and demonstrable system of data governance whereby organisations can show regulators more concretely, backed by evidence, how they meet their legal requirements in practice." A vendor's marketing claim is not evidence. A signed, dated agreement — retrievable on demand — is.

Do I need a separate agreement with every vendor, or can one cover everything?

You need a written agreement with every distinct third party that has access to personal health information — your EMR, your billing platform, your transcription service, your IT support contractor, your cloud backup provider. They can follow the same template, but each relationship needs its own signed instance, dated, with the specific vendor named. A generic "we use compliant vendors" statement in your privacy policy does not satisfy this requirement on its own.

What Structura tracks for you

The Vault module keeps every vendor agreement — EMR, billing, IT, cloud backup — in one place with a "last verified" date and the frameworks it maps to, so a missing or stale agreement shows up as a gap before a regulator finds it, not after.


Sources: Saskatchewan HIPA — IMSP agreements (ss.17–18) · Newfoundland & Labrador PHIA — information manager agreements (s.22) · Alberta Health Information Act — Canadian data-storage restriction · IPC PHIPA Decision 298 (2025 CanLII 85580).

Keep reading: Ontario's first PHIPA fine: what the IPC found missing · DIY PHIPA compliance: why the spreadsheet approach breaks · take the free PHIPA scorecard

Check your clinic's PHIPA gaps — free, no login

Map your current practices against the six areas the IPC identified in Decision 298. About three minutes, no account required.

Take the free PHIPA scorecard

Turn compliance into a maintained, demonstrable posture.

Documented governance is the difference between a penalty and a pass. See how Structura gets your clinic audit-ready.