PHIPA Compliance Meets Innovation

Ontario’s Personal Health Information Protection Act (PHIPA) governs healthcare providers including general practitioners and group practices, long-term care facilities and community care access centres, hospitals, psychiatric facilities, and independent health facilities. PHIPA regulates the collection, use and disclosure of personal health information, and sets out individual rights with regard to personal health information (e.g., consent, access). Healthcare providers are responsible to demonstrate compliance with PHIPA, particularly in the context of new initiatives involving personal health information.

PHIPA was most recently revised in 2016, with changes aiming to:

  • Increase accountability and transparency by making it mandatory to report privacy breaches to the Information and Privacy Commissioner and, in certain cases, to relevant regulatory colleges
  • Strengthen the process for prosecuting offenses under PHIPA by removing the requirement that prosecutions must be commenced within six months of the alleged privacy breach
  • Further discourage “snooping” into patient records by doubling the fines for offenses under PHIPA from $50,000 to $100,000 for individuals and from $250,000 to $500,000 for the organization
  • Clarify the authority under which healthcare providers may collect, use and disclose personal health information in electronic health records

Besides penalties, PHIPA violations including privacy breaches entail serious costs related to discovery and containment, investigation, remediation expenses, legal fees, and loss of public confidence. It is essential that patients feel that they can trust their healthcare providers to protect their privacy. Ensuring legal compliance is both an important responsibility and wise investment for healthcare providers.

The drive to unlock new insights from health data through research and analysis can sometimes push the boundaries of privacy regulations. A KI Design privacy review can help you understand and manage the privacy risks arising from secondary uses of data.

Our healthcare privacy compliance services assess organizational practices, with a particular focus on the effectiveness of de-identification and anonymization strategies used to protect data. We are able to identify the strengths and weaknesses of your current approaches and define the level of privacy risk to which your organization is exposed. We can then design solutions to support immediate compliance with key security regulations and standards by mitigating security vulnerabilities, measuring and managing overall security exposure and risk, and ensuring compliance with internal and external privacy policies.

Learn more about our privacy products and services at or contact us to see how we can help you.