How to Become PHIPA Compliant: A Step-by-Step Guide
To become PHIPA compliant, an Ontario health information custodian must appoint a privacy contact person, map where personal health information lives, set up proper consent practices, apply reasonable administrative/technical/physical safeguards, bind vendors and agents by agreement, train staff, and maintain a breach-response plan. Compliance is an ongoing program, not a one-time checkbox.
How to become PHIPA compliant: 8 steps
"How to be PHIPA compliant" is one of the most common questions Ontario clinics and digital-health startups ask us. There is no government "PHIPA certificate" — compliance means demonstrably meeting the Act's obligations. Here is the practical program we implement with clients.
Step 1: Appoint a contact person / privacy lead
PHIPA requires custodians (other than solo practitioners) to designate a contact person responsible for privacy compliance, handling access requests, and fielding complaints.
Step 2: Map your personal health information
Document what PHI you collect, where it lives (EMR, email, cloud, paper), who can access it, and where it flows — including any vendors or agents.
Step 3: Establish consent practices
Rely on implied consent within the circle of care, but capture express consent where required and honour consent withdrawals and lock-box requests.
Step 4: Implement reasonable safeguards
Apply administrative, technical, and physical controls: role-based access, MFA, encryption at rest and in transit, audit logging, secure disposal, and data-residency choices.
Step 5: Sign agreements with agents and vendors
Anyone who handles PHI on your behalf — including your IT provider and cloud platforms — must be bound by appropriate written agreements.
Step 6: Train your staff
Everyone who touches PHI needs role-appropriate privacy training, refreshed regularly.
Step 7: Prepare a breach-response plan
Define how you detect, contain, notify, and report breaches to affected individuals and the IPC when thresholds are met.
Step 8: Audit and review
Schedule periodic access audits, policy reviews, and a privacy impact assessment for new systems.
Frequently Asked Questions
Is there a PHIPA certification?
No official government certification exists. 'PHIPA compliant' means you can demonstrate that your policies, safeguards, agreements, and training meet the Act's requirements.
Who needs to appoint a contact person?
Health information custodians that are not individual practitioners must designate a contact person to oversee compliance and handle access requests and complaints.
How do I comply with PHIPA in the cloud?
Use Canadian data-residency where feasible, encrypt PHI in transit and at rest, enforce MFA and role-based access, enable audit logging, and sign a written agreement with the provider as your agent.
Does PHIPA apply to a small private practice?
Yes. Solo practitioners and small clinics are custodians and must meet PHIPA's safeguard and access obligations, scaled reasonably to their size.
Sources & citations
Build a PHIPA compliance program that holds up
Northline runs PHIPA readiness assessments and implements the Microsoft 365 / Azure safeguards that satisfy the Act.
Book a free PHIPA readiness consultThis guide is general information from Northline Technologies, an IT solutions provider, and is not legal advice. For binding interpretation of PHIPA, consult a qualified Ontario privacy lawyer or the Information and Privacy Commissioner of Ontario.