PHIPA Compliance in 2025: What Ontario Health Clinics Actually Need to Do
Administrative Monetary Penalties are now in force. The first AMP was issued in August 2025 after a physician accessed 831 newborns' records without authorization. Here is what your Ontario clinic must have in place.
If you run a health clinic in Ontario, the PHIPA compliance obligations your privacy officer must meet changed materially in January 2024. Administrative Monetary Penalties are now enforceable, a physician received the first-ever AMP in August 2025 for accessing 831 newborns' records without authorization, and IPC decisions have confirmed that a single compromised email account — accessed for less than one hour — triggers mandatory breach notification. This guide is written for clinic administrators and privacy officers, not lawyers. It covers what the law requires, what the IPC is actively penalizing, and what your clinic should have in place today.
The Personal Health Information Protection Act, 2004 (S.O. 2004, c. 3, Sched. A) — PHIPA — is Ontario's primary health privacy legislation. It governs how personal health information (PHI) is collected, used, disclosed, retained, and disposed of by organizations and individuals classified as Health Information Custodians.
Health Information Custodians (HICs) include:
- Health care practitioners: physicians, nurses, dentists, pharmacists, physiotherapists, and other regulated health professionals
- Hospitals and other health facilities
- Long-term care homes
- Pharmacies, clinical laboratories, and specimen collection centres
- Community Health Centres, Community Care Access Centres, and other health service providers
- Public health units and boards of health
- Government ministries that administer health programs
The scope is broad. If you operate a dental practice, physiotherapy clinic, family health team, or independent specialist practice in Ontario, PHIPA applies to you.
Agents act on a HIC's authority — employees, contractors, volunteers, students on placement. The HIC remains legally responsible for an agent's PHIPA compliance. An agent's breach is the HIC's breach.
Information managers are third parties that process PHI on behalf of a HIC: cloud-based EHR vendors, billing services, transcription companies, IT support providers with system access. PHIPA s. 10 requires a written agreement with every information manager that includes specific privacy and security terms. The absence of that agreement is itself a compliance violation. See our vendor management module to track all your information manager agreements and renewal dates in one place.
PHIPA structures its requirements around eight interconnected obligations. Meeting all eight is what demonstrable compliance looks like to the IPC.
| Obligation | PHIPA Provision | What It Requires in Practice |
|---|---|---|
| Consent | ss. 18–28 | Collect, use, or disclose PHI only with the individual's express or implied consent unless a specific PHIPA exception applies. Individuals may withdraw consent at any time. |
| Collection Limitation | s. 29 | Collect only PHI that is necessary for the identified purpose. No speculative or precautionary collection beyond what the care episode requires. |
| Use & Disclosure | ss. 37–50 | Use or disclose PHI only for the purpose for which it was collected, with consent, or as expressly permitted by PHIPA. Purpose creep — using PHI for a secondary purpose without consent — is a violation. |
| Safeguards | s. 12(1)(a)–(b) | Implement technical, physical, and administrative safeguards proportionate to the sensitivity of the PHI and the risks of unauthorized access, loss, or destruction. |
| Access Rights | ss. 52–54 | Respond to an individual's request to access their own PHI within 30 days. Provide the record or explain any applicable exemptions in writing. |
| Correction | ss. 55–56 | Accept requests to correct PHI. If you decline, attach the individual's statement of disagreement to their record and note the refusal in writing. |
| Breach Notification | s. 12(2) | Notify the IPC and affected individuals at the first reasonable opportunity after any unauthorized access, use, disclosure, copying, or loss of PHI. |
| Audit Logs | s. 12(1)(c) | Maintain an electronic record of every access to PHI stored in electronic form: who accessed it, when, what was accessed, and whether it was modified. |
For the first twenty years of PHIPA's existence, the IPC's primary enforcement tools were orders and public reports. That changed on January 1, 2024, when Administrative Monetary Penalties (AMPs) came into force. The IPC can now impose direct financial penalties without going to court.
AMP maximums under PHIPA:
- Organizations (HICs): up to $500,000 per contravention
- Individuals: up to $200,000 per contravention, plus up to one year imprisonment
Criminal penalties under PHIPA s. 72 remain available alongside AMPs and carry their own maximums: up to $1,000,000 for organizations and up to $200,000 for individuals.
IPC Decision 298 — August 2025: A physician accessed the electronic health records of 831 newborns without authorization. The access was not for any treatment or care purpose — the records were used for private business solicitation. The IPC issued the first-ever AMP under the January 2024 provisions. Decision 298 establishes that accessing PHI beyond what is necessary for a legitimate care purpose — even by a licensed HIC — is a PHIPA contravention that now carries direct financial consequences.
When a privacy breach occurs — or when you believe one may have occurred — the IPC expects a structured, documented response. The four required steps are:
- Contain — Stop the breach immediately. Disable compromised accounts, change credentials, isolate affected systems, and recover any physical records. Document your containment actions and the exact times they were taken.
- Notify — Notify the IPC at the first reasonable opportunity. Also notify affected individuals unless doing so would hinder a law enforcement investigation or create a risk to someone's safety. Both notifications are mandatory under PHIPA s. 12(2) — they are not discretionary.
- Investigate — Conduct a documented internal investigation. Identify what PHI was involved, how many individuals were affected, how the breach occurred, how long it persisted, and whether any PHI was actually disclosed to unauthorized parties.
- Prevent — Implement changes to prevent recurrence. Update technical controls, revise policies, retrain affected staff. Document the preventive measures taken and retain those records.
PHIPA s. 12(1)(c) requires every HIC to ensure a record is made of every access to PHI held in electronic form. For any clinic running an EHR system, this means every viewing, modification, and export of a patient record must generate an audit entry containing:
- The date and time of the access
- The identity of the person who accessed the record
- The specific records or patient files that were accessed
- Whether the record was viewed only, or also modified or exported
These logs must be retained and available to the IPC upon request. The IPC has cited inadequate audit logging in multiple breach investigation decisions. A clinic that cannot demonstrate — through tamper-evident electronic records — who accessed which patient file and when is at a significant disadvantage in any IPC investigation.
Automated audit logging is the standard the IPC expects: every action captured without manual intervention, retained for the applicable period, and exportable on demand. If your current EHR or clinical system does not generate comprehensive audit logs, that is a compliance gap that must be closed before a breach occurs — not after. See how our platform automates PHIPA audit trail collection with tamper-evident logs your team can produce on demand.
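An added illustration of the audit-trail requirements above, not code from this page or from any EHR vendor: a minimal hash-chained (tamper-evident) access log that carries the four fields listed (time, identity, record, and whether it was viewed, modified or exported), a verifier that recomputes the chain to detect an altered or deleted entry, a JSON export of the kind an IPC request would call for, and a simple bulk-access report that surfaces the Decision 298 pattern (many unrelated charts opened by one account in a short time). The user and patient identifiers, the thresholds and the sample events are all constructed for the example.

```python
"""Tamper-evident PHIPA audit trail with chain verification and a bulk-access report.
Added example; assumes the EHR can emit one event per access (constructed data)."""
import hashlib
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

GENESIS = "0" * 64  # anchor hash for the first entry (a convention of this example)


def _entry_hash(prev_hash, body):
    # The hash covers the previous hash plus a canonical JSON form of the entry,
    # so editing, deleting or reordering any earlier entry breaks every later link.
    payload = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()


class AuditLog:
    """Append-only log: each entry stores the SHA-256 of the entry before it."""

    def __init__(self):
        self.entries = []

    def record_access(self, user_id, patient_id, action, when=None):
        # action distinguishes 'viewed only' from 'also modified or exported'
        if action not in ("view", "modify", "export"):
            raise ValueError("action must be view, modify or export")
        when = when or datetime.now(timezone.utc)
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {
            "seq": len(self.entries),
            "timestamp": when.isoformat(),
            "user_id": user_id,
            "patient_id": patient_id,
            "action": action,
            "prev_hash": prev,
        }
        entry = dict(body, hash=_entry_hash(prev, body))
        self.entries.append(entry)
        return entry["hash"]

    def verify(self):
        """Recompute the whole chain; return (ok, seq of first bad entry or None)."""
        prev = GENESIS
        for rec in self.entries:
            body = {k: v for k, v in rec.items() if k != "hash"}
            if rec["prev_hash"] != prev or _entry_hash(prev, body) != rec["hash"]:
                return False, rec["seq"]
            prev = rec["hash"]
        return True, None

    def export_json(self):
        """Serialise the full trail, e.g. to answer an IPC request on demand."""
        return json.dumps(self.entries, indent=2)


def bulk_access_report(entries, window, max_distinct_patients):
    """Flag users who opened more than max_distinct_patients distinct charts
    within any sliding window of the given length. Returns {user: peak count}."""
    by_user = defaultdict(list)
    for e in entries:
        by_user[e["user_id"]].append((datetime.fromisoformat(e["timestamp"]), e["patient_id"]))
    flagged = {}
    for user, events in by_user.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = {pid for _, pid in events[start:end + 1]}
            if len(distinct) > max_distinct_patients:
                flagged[user] = max(flagged.get(user, 0), len(distinct))
    return flagged


def build_sample_log():
    """Constructed events: one nurse working her own patients, and one account
    opening 60 unrelated charts in ten minutes (hypothetical ids)."""
    log = AuditLog()
    t0 = datetime(2025, 8, 1, 9, 0, tzinfo=timezone.utc)
    log.record_access("rn_04", "P-1001", "view", t0)
    log.record_access("rn_04", "P-1001", "modify", t0 + timedelta(minutes=5))
    log.record_access("rn_04", "P-1002", "view", t0 + timedelta(minutes=20))
    for i in range(60):
        log.record_access("md_17", f"P-{2000 + i}", "view", t0 + timedelta(seconds=10 * i))
    return log


def tamper_and_verify(log, seq):
    """Alter one stored entry in place and return the verifier's verdict."""
    log.entries[seq]["patient_id"] = "P-0000"
    return log.verify()


if __name__ == "__main__":
    log = build_sample_log()
    print("chain intact:", log.verify())
    print("bulk access:", bulk_access_report(log.entries, timedelta(minutes=15), 10))
    print("after tampering entry 5:", tamper_and_verify(log, 5))
```

The chain only proves that the stored trail has not been altered since it was written; protecting it in practice also means writing entries to storage the EHR users cannot modify (a separate log server, write-once storage, or a periodically published chain head) and reviewing the bulk-access report on a schedule rather than only after an incident.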
Based on PHIPA's requirements and the IPC's published enforcement priorities, here is the foundational compliance framework every Ontario health clinic should have in place:
- Designate a Privacy Officer with documented authority and clearly defined responsibilities.
- Conduct and document a Privacy Impact Assessment (PIA) for every new system, program, or process that involves PHI.
- Maintain a written inventory of all PHI you hold: what it is, where it is stored, and who can access it.
- Execute a written information manager agreement (PHIPA s. 10) with every vendor or third party that processes PHI on your behalf.
- Implement automated, tamper-evident electronic audit logging on every system that holds or accesses PHI.
- Maintain a documented Breach Response Plan that identifies response roles, escalation contacts, and the IPC notification process.
- Train every staff member with access to PHI on PHIPA requirements at least annually. Retain signed attestations as evidence of completion.
- Apply role-based access controls: only staff whose role requires access to specific PHI should have it.
- Review and test your technical and administrative safeguards at least annually. Document the review in writing.
- Ensure your clinic has a process for individuals to submit access and correction requests, and that staff understand the 30-day response requirement.
The IPC's current enforcement focus — reflected in AMPs, breach decisions, and public reports — centres on three areas where audits consistently find gaps: audit trail adequacy, breach notification speed, and information manager agreements. Run a free compliance audit to see where your clinic stands against the IPC's current priorities.
- PHIPA, 2004. Personal Health Information Protection Act, 2004, S.O. 2004, c. 3, Sched. A
- IPC Health Privacy. Information and Privacy Commissioner of Ontario — Health Privacy Rights
- IPC Decision 298. Information and Privacy Commissioner of Ontario, PHIPA Decision 298 (August 2025)
- IPC Decision 255. Information and Privacy Commissioner of Ontario, PHIPA Decision 255 (July 2024)