PHIPA questionnaires: answering as an Ontario health-sector vendor
An Ontario hospital, clinic, or health-tech customer has sent you a questionnaire about personal health information, and half the questions assume you know what a "custodian" is. That is a PHIPA review — Ontario's Personal Health Information Protection Act, 2004 — and the first thing it tests is whether you know which role you occupy, because the role determines which questions are actually yours.
HIC, agent, or electronic service provider: which one are you
PHIPA's obligations attach to the health information custodian (HIC) — the hospital, the physician, the lab — and then flow outward through two channels. An agent is a person who acts for or on behalf of the custodian with respect to personal health information: employees, but also contracted services working under the custodian's authority. An electronic service provider (ESP) supplies services to enable the custodian to collect, use, or disclose PHI electronically — without acting on the custodian's behalf. An ESP serving multiple custodians to enable them to exchange PHI with each other is a health information network provider (HINP), a subcategory with its own duties under Ontario Regulation 329/04, including providing custodians with records of access and a written description of its services and safeguards.
Most SaaS and hosting vendors are ESPs. The classification matters because it decides what you may do with PHI: an agent handles it under the custodian's authority and instructions; an ESP must not use it except as necessary to provide the service, and must not disclose it at all. Answer the questionnaire from the wrong role and every subsequent answer inherits the error.
What custodians must obtain from you
PHIPA makes custodians responsible for PHI they entrust to others, so the questionnaire is the custodian assembling what the Act effectively requires them to have: a written service agreement restricting your use and disclosure of PHI, assurances about safeguards, and — for HINPs — the regulation's specific deliverables, including a plain-language description of the service, the results of privacy and security assessments, and the access records. The rows asking for "your standard services agreement" and "your most recent security assessment" are not curiosity; they are the custodian's own compliance file being populated.
The PHI safeguard rows, and the one Ontario reads first
Safeguard questions arrive in the familiar three columns — administrative (training, confidentiality agreements, access policies), technical (encryption, access control, network security), and physical (facility and media controls). The row Ontario reviewers read first, though, is audit logging of PHI access. The province's formative breach pattern is the authorized insider looking up records they have no business reading, so the question is rarely "do you encrypt" and almost always "can you show me who viewed this record, and when." If your system logs every access to PHI with user, record, and timestamp, and the logs are retained and producible, say exactly that. If it logs logins but not record-level access, that distinction is precisely what the reviewer is probing for.
Breach duties: your line runs to the custodian
When PHI in your hands is stolen, lost, or used or disclosed without authority, your duty is to notify the custodian at the first reasonable opportunity. From there the obligations are the custodian's: notifying affected individuals, and determining whether the circumstances meet the thresholds for notifying the Information and Privacy Commissioner of Ontario. Questionnaires test the plumbing, not the law: is the notification commitment in your service agreement, who is the named contact on each side, and has the path ever been exercised. "We would notify the custodian promptly" with no contractual hook and no named contact reads as a duty discovered while filling in the questionnaire.
PHIPA is not HIPAA: do not import US answers
The acronyms invite copy-paste; the statutes do not. HIPAA's roles — covered entity, business associate — do not map onto custodian, agent, and ESP, and there is no BAA under PHIPA: the instrument is the service agreement, with the regulation supplying ESP and HINP duties directly. An answer that says "we will execute a BAA" tells an Ontario reviewer you have not read their statute. If you maintain a HIPAA program, present it as evidence for the underlying controls — the safeguards transfer even though the legal wrapper does not.
How to answer a PHIPA questionnaire, step by step
- Classify your role before answering anything. Agent, ESP, or HINP — work through how your service actually touches PHI and state the conclusion in your first answer. Every row after it depends on the classification.
- Build the answer library with a PHIPA section. Start from our free answer-library template and add rows for role classification, the service-agreement clauses covering PHI, audit-log capability, and the breach-notification path. Ontario health-sector questionnaires repeat these almost verbatim.
- Get the service agreement language ready. Custodians need written restrictions on your use and disclosure of PHI. Having the clauses drafted — or a standard PHI addendum — turns the longest row of the questionnaire into an attachment.
- Document the audit-logging answer to record level. Establish what your system actually logs — user, record, action, timestamp — plus retention and how a custodian would obtain the records. This is the row that gets read first; answer it with specifics or expect the follow-up call.
- Write down the breach-notification path. Named contacts on both sides, the "first reasonable opportunity" commitment in the agreement, and who within your team declares an incident. The reviewer wants the mechanism, not the sentiment.
- Translate any HIPAA evidence into PHIPA terms. Map your existing safeguard documentation to the administrative, technical, and physical rows, and strip the US vocabulary. Same controls, Ontario's words.
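The audit-logging row above (and the safeguard discussion earlier on this page) comes down to one question: can you produce, per record, who accessed it and when. The following is an added example, not code from the page or from any product it names: a minimal record-level PHI access trail in Python that answers that question within a retention window and surfaces accesses outside a user's care relationships, the insider-lookup pattern the row exists to catch. All user, record and assignment values are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Set

@dataclass(frozen=True)
class AccessEvent:
    ts: datetime      # when the access happened (UTC)
    user: str         # authenticated user who performed it
    record_id: str    # which PHI record was touched
    action: str       # what was done: "view", "update", "export"

class PhiAuditLog:
    """Append-only record-level trail. Login events alone cannot answer
    'who viewed this record'; every access to a PHI record is logged here."""

    def __init__(self, retention_days: int) -> None:
        self._events: List[AccessEvent] = []
        self.retention = timedelta(days=retention_days)

    def record(self, user: str, record_id: str, action: str, ts: datetime) -> AccessEvent:
        ev = AccessEvent(ts, user, record_id, action)
        self._events.append(ev)          # never edited or deleted in place
        return ev

    def accesses_to(self, record_id: str, now: datetime) -> List[AccessEvent]:
        """The custodian's question: who touched this record, and when."""
        cutoff = now - self.retention    # retention window, applied on read
        return sorted((e for e in self._events
                       if e.record_id == record_id and e.ts >= cutoff),
                      key=lambda e: e.ts)

    def outside_care_relationship(self, assignments: Dict[str, Set[str]],
                                  now: datetime) -> List[AccessEvent]:
        """Accesses to records the user is not assigned to: the lookups
        a reviewer expects the audit trail to make visible."""
        cutoff = now - self.retention
        return [e for e in self._events
                if e.ts >= cutoff and e.record_id not in assignments.get(e.user, set())]

def build_sample_log() -> PhiAuditLog:
    """Constructed sample data, not real PHI."""
    log = PhiAuditLog(retention_days=365)
    t0 = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)
    log.record("nurse.a", "chart-1001", "view", t0)
    log.record("dr.b", "chart-1001", "update", t0 + timedelta(hours=1))
    log.record("clerk.c", "chart-1001", "view", t0 + timedelta(days=2))    # not on the care team
    log.record("dr.b", "chart-1001", "view", t0 - timedelta(days=400))     # older than retention
    return log

SAMPLE_ASSIGNMENTS = {"nurse.a": {"chart-1001"}, "dr.b": {"chart-1001"}}  # constructed
NOW = datetime(2024, 3, 10, tzinfo=timezone.utc)
```

Producing `accesses_to(record_id, now)` on request is the capability the questionnaire row is asking you to confirm; a system that can only list logins has no equivalent call to make.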
When the answer is no: closing PHIPA-specific gaps
PHIPA "no" answers cluster around the rows that assume visibility into who touches PHI — the audit trail, the access controls, the identity layer. Each is deployable as an open-source component you keep:
- No PHI access audit trail: Managed Wazuh — centralized audit logging with retention, which is the row Ontario reviewers read first.
- No privileged-access control on systems holding PHI: Managed Teleport — recorded, audited sessions for everyone who can reach the database.
- No identity or MFA in front of clinical applications: Managed Keycloak — SSO and MFA so "who viewed this record" has a trustworthy answer.
The general discipline — triage, answer honestly, build the library as you go — is covered in our guide to answering security questionnaires; the above is what Ontario's health sector adds. If a custodian's review is already in flight and the role classification alone is generating debate, ThinSky's Questionnaire Rescue drafts the full response.
Common questions
Are we an agent or an electronic service provider under PHIPA?
An agent acts for or on behalf of the custodian with respect to personal health information — staff, contracted clinicians, a billing service working under the custodian's authority. An electronic service provider supplies services that enable the custodian to handle PHI electronically — a SaaS platform, a hosting provider — without acting on the custodian's behalf. Most software vendors are electronic service providers; the distinction matters because agents handle PHI under the custodian's authority while ESPs are restricted from using or disclosing it at all except as needed to provide the service.
Does HIPAA compliance satisfy PHIPA questionnaires?
No, though the controls overlap heavily. HIPAA is US law with its own role taxonomy — covered entities and business associates — and its instruments, like the BAA, have no legal standing in Ontario. A reviewer reading "we are HIPAA compliant" in a PHIPA questionnaire learns that you have safeguards, but not that you understand your Ontario obligations. Answer in PHIPA's terms and offer the HIPAA program as supporting evidence for the underlying controls.
What audit logging does PHIPA expect from vendors?
Ontario reviewers expect that every access to personal health information in an electronic system is logged — who viewed which record, when — and that the logs can be produced. Health information network providers are specifically required to keep and provide custodians with an electronic record of accesses. Snooping by authorized insiders is the breach pattern Ontario's health sector knows best, which is why the audit-log row is read before anything else.
Who notifies the IPC after a PHI breach?
The custodian. A vendor's duty runs to the custodian: notify them at the first reasonable opportunity if PHI is stolen, lost, or used or disclosed without authority. The custodian then notifies affected individuals and determines whether the circumstances require notifying the Information and Privacy Commissioner of Ontario. Vendors who notify the IPC directly, uninvited, are answering a question that was never theirs.