
Who Is a Health Information Custodian Under PHIPA? A Plain-English Guide

Physicians, pharmacies, and long-term care homes are all health information custodians under PHIPA. Your EMR vendor and IT contractor are not — but they remain your responsibility. Here is how the three roles work and what it means for your contracts.


PHIPA's definition of "health information custodian" determines who bears direct legal accountability under Ontario's health privacy legislation. Understanding which role you occupy, and which roles your vendors and staff occupy, is foundational to building a defensible privacy program. PHIPA creates three distinct roles around personal health information (PHI): health information custodians, agents, and the third-party service providers this guide calls information managers. Each carries different obligations, different accountabilities, and different documentation requirements. This guide explains each role in plain language, with real-world examples, so clinic administrators and privacy officers can correctly map who in their ecosystem does what, and what they owe as a result.

PHIPA s.3(1) defines a health information custodian as a person or organization that has custody or control of personal health information as a result of, or in connection with, the performance of their powers or duties. The definition is tied to function — not to organizational size, not to corporate structure, and not to whether you think of yourself as being in the business of managing health information.

The Act lists the categories of custodians explicitly in s.3(1). The ones most clinics will encounter are:

  • A health care practitioner — including physicians, nurses, dentists, pharmacists, physiotherapists, chiropractors, optometrists, midwives, and other regulated health professionals
  • A person who operates a group practice of health care practitioners
  • A person who operates a pharmacy
  • A hospital within the meaning of the Public Hospitals Act
  • A person who operates an independent health facility
  • A person who operates a long-term care home
  • A person who operates a home care agency or provides home care services
  • Ontario Health atHome (the successor to Home and Community Care Support Services and, before that, the Community Care Access Centres)
  • An ambulance service within the meaning of the Ambulance Act
  • A laboratory or specimen collection centre
  • A psychiatric or mental health facility
  • Other bodies named in s.3(1), such as a medical officer of health of a board of health and the Minister of Health, and any entities prescribed by regulation

Custodians bear ultimate accountability for all personal health information they hold — whether they handle it themselves or delegate its handling to others. That accountability cannot be transferred by contract, outsourcing arrangement, or any other organizational mechanism.

PHIPA defines an agent as a person who, with the authorization of a health information custodian, acts for or on behalf of the custodian in respect of personal health information — for the custodian's purposes, not the agent's own purposes.

The category of agents is intentionally broad. Agents typically include:

  • Administrative staff who access patient records as part of their daily work — receptionists, medical secretaries, billing clerks
  • Clinicians employed by or working under the authority of the custodian — nurses, allied health professionals, clinical associates
  • Volunteers and students on clinical placement whose work involves personal health information
  • IT contractors and technical support staff with access to clinical systems that hold PHI
  • Billing and claims processing contractors authorized by the custodian to handle patient claims

The defining characteristic of an agent relationship is custodian authorization. Your front-desk receptionist who accesses a patient record to confirm an appointment is acting as your agent. Their access is authorized by you, and you are accountable for it. PHIPA s.17(2) permits an agent to collect, use, disclose, retain or dispose of PHI only as the custodian permits, only for the custodian's purposes, and only within the conditions the custodian sets. The duty runs the other way too: under s.17(3), an agent who learns that PHI has been stolen, lost, or used or disclosed without authority must notify the custodian at the first reasonable opportunity, which is what lets you meet your own notification duties on time.

An information manager, in the sense this guide uses, is a person or organization that processes, stores, retrieves, transfers, or disposes of personal health information on behalf of a custodian, or provides information management or information technology services to the custodian. One caveat on terminology: "information manager" is the label used by Alberta's Health Information Act and Manitoba's Personal Health Information Act, and PHIPA itself does not use it. PHIPA's equivalent is the "electronic service provider" defined in s.6 of O. Reg. 329/04: a person who supplies services for the purpose of enabling a custodian to use electronic means to collect, use, modify, disclose, retain or dispose of PHI. A provider that supplies such services to two or more custodians primarily so that they can disclose PHI to one another is further classified as a "health information network provider" and carries additional duties under the same section. The rest of this guide keeps the familiar label "information manager" for PHIPA's electronic service provider, because that is the term most vendors and procurement templates use.

Unlike agents, who act under the custodian's ongoing direction as part of operations, information managers perform defined technical or operational functions, typically under a written service agreement. They handle PHI as a service, not as part of a care delivery role. The two roles are not mutually exclusive: a contractor you authorize to act for your purposes (for example, an on-site IT technician with administrative access to your EMR) can be both an agent and an electronic service provider. O. Reg. 329/04 s.6(2) aims its restrictions (no use of PHI beyond what the service requires, no disclosure of PHI, no staff access unless the staff agree to the same restrictions) specifically at electronic service providers that are not agents. Decide which role each vendor occupies and record the decision, because it determines which obligations you must impose and how you impose them.

Common information managers for Ontario health organizations include:

  • Cloud-based electronic medical record (EMR) and electronic health record (EHR) platforms
  • Cloud infrastructure and hosting providers whose servers store PHI
  • Medical billing and insurance claims processing services
  • Medical transcription and clinical documentation services
  • Data backup, archival, and disaster recovery providers
  • IT managed service providers with remote access to clinical systems
  • Secure messaging and patient communication platform vendors
Role: Health Information Custodian
  Who they are: Has custody or control of PHI as a result of their functions. Bears ultimate, non-transferable PHIPA accountability.
  Typical examples: Physician, group practice, pharmacy, hospital, LTC home, ambulance service, lab
  Written agreement required?: N/A; the custodian is the primary PHIPA obligation-holder

Role: Agent
  Who they are: Acts for or on behalf of the custodian with the custodian's authorization, for the custodian's purposes.
  Typical examples: Administrative staff, employed clinicians, IT contractors with PHI access, authorized billing clerks
  Written agreement required?: PHIPA does not prescribe one, but s.17 makes the custodian responsible for the agent's handling of PHI, so the scope of authorization should be documented (confidentiality agreement, role-based access policy, training record)

Role: Information Manager (PHIPA: electronic service provider)
  Who they are: Processes, stores, or handles PHI on behalf of the custodian under a service arrangement.
  Typical examples: EMR/EHR vendors, cloud hosting, transcription services, backup providers, IT managed services
  Written agreement required?: Yes; O. Reg. 329/04 s.6 expressly requires a written agreement with each custodian for health information network providers, and for every other provider a written agreement covering purpose, safeguards, breach notification, and data return is how the custodian meets its s.12(1) duty to take reasonable steps to protect PHI

One of the most consequential misconceptions in healthcare privacy compliance is the belief that outsourcing PHI handling transfers legal responsibility to the vendor. Under PHIPA, it does not.

When you engage an EMR vendor, a cloud backup provider, or a billing service to handle PHI on your behalf, you remain the health information custodian. The vendor becomes your information manager. You are responsible for ensuring the vendor complies with PHIPA — which means having an adequate written agreement in place, conducting reasonable oversight, and requiring prompt breach notification from the vendor if something goes wrong on their systems.

The IPC has treated the absence of a written agreement with a service provider as a failure of the custodian's own obligations, independent of whether any breach has actually occurred: s.12(1) requires reasonable steps to protect PHI against theft, loss and unauthorized use or disclosure, and an undocumented outsourcing arrangement is difficult to defend as reasonable. A vendor's failure to notify you of a breach does not shield you from accountability to the IPC or to affected patients; s.12(2) places the duty to notify affected individuals on the custodian, not on the vendor.

  • Vet every agent and information manager before granting access to PHI — not after a breach
  • Ensure information manager agreements contain PHIPA-required provisions — a vendor's standard terms of service are not sufficient
  • Retain audit rights over your information managers so you can verify they are actually meeting their obligations

For health information network providers, O. Reg. 329/04 s.6(3) expressly requires a written agreement with each custodian describing the services, the safeguards, and the circumstances in which the provider's staff may access PHI. For every other information manager, a written agreement is the practical means of meeting your s.12(1) duty to take reasonable steps to protect PHI in your custody, and it is what the IPC will ask to see. Either way, the agreement must go significantly further than a standard service contract or a vendor's terms of service. A compliant information manager agreement must address all of the following:

  1. Purpose limitation — the information manager may only use, disclose, or retain PHI for the specific purposes defined in the agreement. The vendor may not use patient data for product development, analytics, or marketing without explicit authorization.
  2. Required safeguards — the agreement must require technical and administrative protections appropriate to the sensitivity of the PHI and the identified risks of unauthorized access or loss.
  3. Breach notification obligation — the information manager must be contractually required to notify you promptly upon discovering or suspecting any unauthorized access, use, disclosure, or loss of PHI — so you can fulfill your own notification obligations to the IPC and to affected patients.
  4. Audit rights — you must retain the right to verify the information manager's compliance with the agreement and with PHIPA, including the right to conduct or commission compliance audits.
  5. Prohibition on sub-processing — the information manager should not be permitted to further delegate PHI handling to any sub-processor without your prior written consent.
  6. Data return and secure destruction — the agreement must specify what happens to PHI when the relationship ends: return to you, secure destruction with written certification, or a documented alternative you have approved.

Clicking 'agree' on a vendor's standard online terms does not satisfy this requirement: those terms are drafted for the vendor's benefit, rarely mention PHI or PHIPA, and almost never grant audit rights or oblige the vendor to notify you of a breach. The agreement must specifically address PHI handling, safeguards, and breach notification. Track all your information manager agreements, expiry dates, and required clauses in one place; our vendor registry is built precisely for this obligation.

Solo health care practitioners — physicians, dentists, pharmacists, physiotherapists, and other regulated professionals — are personally health information custodians under PHIPA. The obligations are not limited to organizations or corporations. If you are a regulated health professional holding patient records in the course of practice, every PHIPA requirement applies to you directly and personally.

This matters because individual custodians are personally subject to PHIPA's enforcement tools. Since January 1, 2024, the IPC can impose administrative monetary penalties (AMPs) of up to $50,000 per contravention on an individual and up to $500,000 on an organization under O. Reg. 329/04; the larger figures often quoted ($200,000 for an individual, with up to one year of imprisonment, and $1,000,000 for an organization) are the maximum fines on prosecution for an offence under s.72, which is a separate process. The IPC's Decision 298 in August 2025, in which an AMP was issued against a physician for unauthorized access to 831 newborns' records, confirms that the IPC will use these penalties against individual practitioners when the conduct warrants it.

A sole practitioner cannot delegate their PHIPA accountability to a practice manager, an IT provider, or a billing service. Tasks can be delegated — accountability cannot. A documented privacy program is not bureaucratic overhead: for a solo practitioner, it is the primary evidence that PHIPA obligations have been taken seriously.
