Healthcare Clinics · ON · AB · BC · QC

Build the documented privacy program your regulator actually asks for.

In IPC Decision 298, the adjudicator didn't ask about the EMR. They asked for the privacy policy, the incident response plan, and the staff training log.

Independent clinics across Ontario, Alberta, BC, and Quebec use CybershieldMaple to build that documented program — jurisdiction-aware, sealed, and audit-ready in 30 days.

The regulatory record

Your EMR manages your patients. It cannot produce your governance program.

Oscar, TELUS PS Suite, and OSCAR Pro are clinical systems. They encrypt records, manage access, and log data use. That is not the same as a documented privacy program. The IPC treats them as entirely separate categories.

CybershieldMaple is the governance system — the layer that produces the policies, logs, plans, and evidence the regulator will ask for.

IPC Decision 298 · August 2025
"The adjudicator did not ask the clinic about their EMR. They asked for the privacy policy, the incident response plan, and the staff training log."

Decision 298 established administrative monetary penalties under PHIPA. The documents that triggered the finding — or would have prevented it — are not generated by any clinical system. They must be actively authored and maintained.

CSM produces every document referenced in that decision — automatically.
Core capabilities

Every document your regulator asks for — built on the IPC's own handbook.

Mapped to PHIPA, HIA, PIPA, and Law 25. Jurisdiction-aware from day one.

Privacy Policy Builder
Authored from IPC handbook chapter 2 templates. Jurisdiction-aware — your Ontario clinic gets an Ontario-specific policy, your Quebec location gets a French-native Law 25 version. Timestamped and versioned.
Staff Training Logs
Per-staff attestations, dated and signed. IPC handbook chapter 5 requires documented training evidence. CSM generates it automatically when staff complete training and records the attestation in the immutable governance ledger.
Incident Response Plan
72-hour breach notification workflow from the moment of discovery. Includes a documented IRP, notification templates, and a timestamped incident log. Ready for the IPC, OIPC, or CAI the day it matters.
Vendor BAA Registry
Every vendor who touches patient health information needs a signed BAA. CSM tracks every agreement, expiry date, and risk tier — with renewal alerts at 60, 30, and 10 days before expiry.
Security Risk Assessment
Guided SRA builder mapped to IPC handbook chapter 4. Not a blank canvas — structured questions built on the IPC's own controls, with auto-fill from data already in your governance workspace.
30-Day Audit-Ready Package
From zero documentation to a sealed, cryptographically signed evidence package in 30 days. Hand it to a regulator, a cyber insurer, or a hospital procurement team. One click to generate.
30 days
From no documentation to a sealed, audit-ready evidence package.
$25M
Maximum penalty under Law 25 — already active in Quebec and Ontario.
72h
Breach notification deadline under PHIPA and PIPEDA — the SickKids ruling.
PHIPA · HIA · PIPA · Law 25
Why now

The window for being undocumented is closing.

Decision 298 established administrative monetary penalties under PHIPA — the first time the IPC levied fines of this kind. Law 25 in Quebec is now fully in force, with penalties up to $25M for organizations without a documented privacy program.

Independent clinics that haven't built this program aren't breaking the rules yet — but they are one complaint away from a finding. A 30-day path to demonstrable accountability is no longer optional infrastructure.

What "audit-ready in 30 days" means
Privacy Policy authored, versioned, and dated
Incident Response Plan with 72h workflow documented
Staff training log with names, dates, and attestations
Vendor BAA register with all active agreements
Security Risk Assessment completed and sealed
Complete evidence package, cryptographically signed and timestamped
Dig deeper

The features clinics use most.

Free Gap Assessment

See what your documented privacy program is missing.

A 30-minute governance readiness assessment. You'll walk away with a gap map for your jurisdiction, an evidence inventory, and a clear 30-day path.