Ontario PHIPA: health information privacy
Last reviewed 2026-06-29 · Plain-language summary, not legal advice.
Ontario splits privacy into two streams. Ordinary commercial personal information is governed federally by PIPEDA, because Ontario has never enacted a general private-sector privacy law. Personal health information is governed by the Personal Health Information Protection Act, 2004 (PHIPA), in force since November 1, 2004. You can read the Act in full on Ontario's e-Laws: Personal Health Information Protection Act, 2004 (S.O. 2004, c. 3, Sched. A).
Why PIPEDA still matters in Ontario
If your organization handles customer or marketing data in Ontario that is not personal health information, your baseline is PIPEDA — the same federal law that applies in every province without its own general private-sector statute. The full Act is here: Personal Information Protection and Electronic Documents Act. PHIPA layers on top only for personal health information held by custodians. Many Ontario organizations are subject to both, for different data.
Custodians, agents, and electronic service providers
PHIPA's duties attach to roles. A health information custodian — a hospital, long-term care home, pharmacy, physician, or other regulated health practitioner — has custody or control of personal health information and carries the primary obligations. An agent acts for the custodian and may handle health information only as the custodian permits. An electronic service provider supplies services such as storing or transmitting records; one that supplies those services and does not otherwise view the records (a so-called "health information network provider" when it connects multiple custodians) has specific, narrower duties — including safeguards, audit capability, and plain-language notices. Knowing which role you occupy determines what PHIPA requires of you.
Consent and the circle of care
PHIPA generally requires consent to collect, use, or disclose personal health information, but it recognizes implied consent within the circle of care: custodians providing health care can assume consent to share what is needed for that care unless the individual has expressly withheld it (a "lock-box"). Outside that context, and for uses unrelated to care, the consent expectations tighten.
Safeguards and audit logging
Custodians must take steps that are reasonable in the circumstances to protect personal health information against theft, loss, and unauthorized use or disclosure. In electronic systems this is where audit logging becomes a practical requirement: the ability to record who accessed which record and when is what lets a custodian detect snooping, respond to access requests, and meet the Commissioner's expectations. A PHIPA review that asks how you log access is testing this directly.
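As an added example, not from the page or from any Ontario regulator's guidance, the following sketches the two questions an access log has to be able to answer for the safeguards passage above and the circle-of-care and lock-box passage before it: a per-record history for an individual's access request, and a review queue of accesses that fall outside the circle of care or hit a lock-box. All user names, patient IDs, care-team and lock-box data are constructed.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed example (not from the page or any Ontario guidance): the minimum an
# EHR access-audit record needs so a custodian can answer "who saw my record, and when?"
@dataclass(frozen=True)
class AccessEvent:
    when: datetime   # when the access happened
    user: str        # who accessed the record
    record: str      # which patient record (constructed IDs)
    action: str      # what they did, e.g. "view" or "update"

# Constructed: which users currently have a care relationship with which records.
# Implied consent within the circle of care only covers users on the patient's care team.
CARE_TEAM = {
    "dr.ahmed": {"P-1001", "P-1002"},
    "nurse.lee": {"P-1001"},
    "clerk.park": set(),
}

# Constructed: lock-box instructions, i.e. record -> users the individual has
# expressly excluded even though they would otherwise be within the circle of care.
LOCK_BOX = {"P-1002": {"dr.ahmed"}}

# Constructed sample audit log; a real one comes from the EHR's append-only audit store.
LOG = [
    AccessEvent(datetime(2026, 6, 1, 9, 5), "dr.ahmed", "P-1001", "view"),
    AccessEvent(datetime(2026, 6, 1, 9, 7), "nurse.lee", "P-1001", "view"),
    AccessEvent(datetime(2026, 6, 1, 12, 30), "clerk.park", "P-1002", "view"),
    AccessEvent(datetime(2026, 6, 2, 22, 15), "dr.ahmed", "P-1002", "view"),
]

def access_report(log, record):
    """Per-record access history: the answer to an individual's access request."""
    return [(e.when.isoformat(), e.user, e.action)
            for e in sorted(log, key=lambda e: e.when) if e.record == record]

def flagged_events(log, care_team, lock_box):
    """Accesses a privacy officer should review, with the reason each was flagged."""
    flagged = []
    for e in log:
        if e.record not in care_team.get(e.user, set()):
            flagged.append((e, "no care relationship"))   # outside the circle of care
        elif e.user in lock_box.get(e.record, set()):
            flagged.append((e, "lock-box"))               # consent expressly withheld
    return flagged
```

A real review queue would also carry the stated purpose of access and be fed from a log the accessing users cannot edit; the point here is that "who, which record, when" has to be captured before any of these questions can be answered.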
Breach notification under PHIPA
Where personal health information is stolen, lost, or used or disclosed without authority, the custodian must notify the affected individual at the first reasonable opportunity. In defined circumstances the custodian must also report to the Information and Privacy Commissioner of Ontario, and regulated health professionals can face reporting obligations to their regulatory College. This regime is separate from PIPEDA's breach rules and is triggered on its own terms.
Why HIPAA answers fail an Ontario review
US vendors often arrive with HIPAA documentation and assume it satisfies Ontario. It does not. HIPAA is American law with a different structure — covered entities and business associates — and different breach triggers and oversight. PHIPA's custodian/agent/electronic-service-provider model, its circle-of-care consent, and its reporting to the Ontario Commissioner have to be answered on their own terms. Our PHIPA questionnaire guide covers how to do that; for the bigger map of Canadian health-privacy statutes, see provincial health privacy laws across Canada.
Common questions
Does PIPEDA or PHIPA apply in Ontario?
Both, but to different information. Ontario has no general private-sector privacy law, so PIPEDA governs ordinary commercial personal information collected, used, or disclosed by businesses in Ontario. PHIPA governs personal health information held by health information custodians — and because PHIPA has been declared substantially similar for health information, it displaces PIPEDA for custodians handling that health data within Ontario.
What is a health information custodian under PHIPA?
A health information custodian is a person or organization that has custody or control of personal health information in connection with their powers, duties, or work — for example hospitals, long-term care homes, pharmacies, physicians, and other regulated health practitioners. Custodians carry the core PHIPA obligations. People and organizations that act for a custodian are "agents," and those that only supply services like data storage are "electronic service providers" with their own narrower duties.
Is PHIPA the same as HIPAA?
No. PHIPA is Ontario law; HIPAA is United States law. They cover similar ground — health-information privacy and security — but the definitions, consent model, breach-reporting triggers, and oversight body are different. Importing HIPAA answers into an Ontario review is a common mistake: PHIPA's circle-of-care implied consent, its custodian/agent/electronic-service-provider structure, and its reporting duties to the Information and Privacy Commissioner of Ontario do not map cleanly onto HIPAA's covered-entity and business-associate framework.
How does breach notification work under PHIPA?
Where personal health information is stolen, lost, or used or disclosed without authority, a custodian must notify the affected individual at the first reasonable opportunity. In defined circumstances the custodian must also report to the Information and Privacy Commissioner of Ontario, and regulated health professionals may face reporting to their College. This is separate from PIPEDA's breach regime and uses its own triggers.