Health
Provincial health privacy laws across Canada
Last reviewed 2026-06-29 · Plain-language summary, not legal advice.
Health information is the most sensitive category of personal data, and in Canada it is mostly governed by dedicated provincial statutes rather than by PIPEDA. Each of these laws applies to health information custodians — the practitioners and institutions that hold patient records — and to the service providers who handle that information on their behalf. Where the federal government has declared a provincial health law substantially similar for health information, that law displaces PIPEDA for custodians acting within the province. PIPEDA can still apply to health information that crosses a border in commercial activity, or to organizations a provincial health law does not reach. This page links the official text of each provincial statute so you can read the law that governs you.
Ontario — Personal Health Information Protection Act (PHIPA)
Ontario's PHIPA (S.O. 2004, c. 3, Sched. A) governs health information custodians and their agents and electronic service providers. Ontario has no general private-sector privacy law, so PHIPA does the work for health data while PIPEDA covers other commercial activity. Read it at the Government of Ontario e-Laws site: Personal Health Information Protection Act, 2004. We cover it in depth in Ontario PHIPA, in detail.
Alberta — Health Information Act (HIA)
Alberta's Health Information Act (R.S.A. 2000, c. H-5) governs health information held by custodians in the province, alongside Alberta's private-sector PIPA. Official text (PDF) from the Alberta King's Printer: Health Information Act (RSA 2000, c. H-5).
Saskatchewan — Health Information Protection Act (HIPA)
Saskatchewan's HIPA (S.S. 1999, c. H-0.021) protects personal health information held by trustees in the province. Official text from the Saskatchewan Publications Centre: The Health Information Protection Act (c. H-0.021).
Manitoba — Personal Health Information Act (PHIA)
Manitoba's PHIA (C.C.S.M. c. P33.5) governs personal health information held by trustees in the province. Official text from the Manitoba Laws site: The Personal Health Information Act (C.C.S.M. c. P33.5).
New Brunswick — Personal Health Information Privacy and Access Act (PHIPAA)
New Brunswick's PHIPAA (S.N.B. 2009, c. P-7.05) governs custodians of personal health information and has been designated substantially similar to PIPEDA for health information. Official text from the Government of New Brunswick: Personal Health Information Privacy and Access Act (P-7.05).
Nova Scotia — Personal Health Information Act (PHIA)
Nova Scotia's PHIA (S.N.S. 2010, c. 41) governs health information custodians in the province and has been designated substantially similar to PIPEDA for health information. Official text (PDF) from the Nova Scotia Legislature: Personal Health Information Act (Chapter 41 of the Acts of 2010).
Newfoundland & Labrador — Personal Health Information Act (PHIA)
Newfoundland & Labrador's PHIA (S.N.L. 2008, c. P-7.01) governs custodians of personal health information and has been designated substantially similar to PIPEDA for health information. Official text from the House of Assembly: Personal Health Information Act (SNL2008 Chapter P-7.01).
British Columbia, PEI, and the territories
Not every jurisdiction has a PHIPA-style private health statute. British Columbia does not: health information held by private organizations falls under BC's general private-sector law, PIPA, while the public health system is governed by public-sector access-and-privacy rules. Prince Edward Island and the territories have their own arrangements that differ again. If you operate in one of these jurisdictions, confirm the governing rule directly rather than assuming a dedicated health-information act applies.
Working out which law governs you
If you handle health data in more than one province, more than one of these statutes can apply at once — and PIPEDA may sit underneath for cross-border flows. Start with federal vs provincial: which privacy law applies? for the decision path, and the privacy-law hub for the full map. When a hospital or health network sends you a custodian questionnaire, our PHIPA questionnaire guide shows how to answer it.
Common questions.
Does PIPEDA cover health information?
Sometimes, but usually a provincial health law governs instead. Most provinces have a dedicated health-information privacy statute that applies to health information custodians — doctors, hospitals, pharmacies, and the organizations that serve them. Where the federal government has designated that statute substantially similar for health information (as with Ontario's PHIPA, New Brunswick's PHIPAA, Nova Scotia's PHIA, and Newfoundland & Labrador's PHIA), the provincial law displaces PIPEDA for custodians' intra-provincial activity. PIPEDA can still reach health information that crosses provincial or national borders in commercial activity, or that is handled by an organization the provincial law does not cover.
Which health privacy law applies to my clinic?
It depends on the province where you operate as a custodian. A clinic in Ontario is governed by PHIPA; in Alberta by the Health Information Act; in Saskatchewan by HIPA; in Manitoba by PHIA; in New Brunswick by PHIPAA; in Nova Scotia by PHIA; in Newfoundland & Labrador by PHIA. If you operate in more than one province, more than one statute can apply at once. Read the official text for your province — each is linked on this page — and confirm your status as a custodian or as a service provider acting on a custodian's behalf.
Are these provincial health laws 'substantially similar' to PIPEDA?
For several of them, yes — the federal government has declared the health-information privacy laws of Ontario (PHIPA), New Brunswick (PHIPAA), Nova Scotia (PHIA), and Newfoundland & Labrador (PHIA) substantially similar to PIPEDA in respect of health information. That designation means custodians follow the provincial law rather than PIPEDA for activity within the province. Alberta's HIA and Saskatchewan's HIPA govern health information within their provinces as well; the precise interaction with PIPEDA can be fact-specific, so check the statute and, where it matters, get advice.
What about British Columbia, PEI, and the territories?
They are handled differently. British Columbia does not have a standalone private-sector health-information act of the PHIPA type — health information held by private organizations falls under BC's Personal Information Protection Act (PIPA), while the public health system is covered by public-sector freedom-of-information and privacy rules. Prince Edward Island and the territories have their own arrangements that differ again. If you operate in those jurisdictions, confirm the governing rule rather than assuming a PHIPA-style statute applies.