PHIPA vs PIPEDA vs HIPAA vs FIPPA: What's the Difference?
All four laws protect personal information, but they apply in different places. PHIPA covers health information in Ontario. PIPEDA is Canada's federal private-sector privacy law. HIPAA is the U.S. health-privacy law. FIPPA governs Ontario public-sector institutions. For an Ontario healthcare provider, PHIPA is almost always the law that controls patient records — though PIPEDA can still apply to some commercial and cross-border activities.
Quick comparison table
| Law | Jurisdiction | Covers | Enforced by |
|---|---|---|---|
| PHIPA | Ontario (provincial) | Personal health information held by health custodians | IPC of Ontario |
| PIPEDA | Canada (federal) | Personal info in commercial activity; cross-border | Privacy Commissioner of Canada |
| HIPAA | United States | Protected health info held by covered entities | U.S. HHS / OCR |
| FIPPA | Ontario (provincial) | Records held by Ontario public institutions | IPC of Ontario |
PHIPA vs PIPEDA: does PHIPA replace PIPEDA?
PHIPA does not completely replace PIPEDA. Ontario's PHIPA was declared "substantially similar" to PIPEDA for personal health information, which means that for custodians handling PHI in Ontario, PHIPA is the operative law. However, PIPEDA can still apply where health information crosses provincial or national borders for commercial purposes, or where an organization is engaged in federally regulated commercial activity. The practical rule of thumb: in-Ontario patient care → PHIPA; interprovincial/commercial data flows → check PIPEDA too.
PHIPA vs HIPAA: are they equivalent?
PHIPA and HIPAA are often compared because both protect health information, but they are not equivalent and not interchangeable. HIPAA is U.S. federal law enforced by the Department of Health and Human Services; PHIPA is Ontario law enforced by the IPC. A vendor that is "HIPAA compliant" is not automatically PHIPA compliant — data-residency, consent, and breach-reporting rules differ. If you're vetting a U.S. SaaS tool, that distinction matters; see our guide on whether common tools are PHIPA compliant.
PHIPA vs FIPPA
FIPPA (the Freedom of Information and Protection of Privacy Act) governs Ontario public institutions — ministries, universities, agencies — and their general records. PHIPA is the specialized law for health information. Where a public hospital holds both general administrative records and patient records, FIPPA and PHIPA can both be in play, with PHIPA taking precedence for PHI.
So, is PHIPA federal or provincial?
PHIPA is provincial — it is Ontario legislation only. It is not a federal act and does not apply in other provinces (which have their own health-privacy laws, such as PHIA in Nova Scotia or HIA in Alberta).
Frequently Asked Questions
Does PHIPA completely replace PIPEDA?
No. PHIPA governs personal health information held by custodians in Ontario, but PIPEDA can still apply to cross-border and commercial activities.
Is PHIPA equivalent to HIPAA?
No. They are different laws in different countries. HIPAA compliance does not guarantee PHIPA compliance.
What is the difference between PHIPA and FIPPA?
FIPPA covers records of Ontario public institutions generally; PHIPA covers personal health information held by health custodians, and takes precedence for PHI.
Is PHIPA federal or provincial?
Provincial. PHIPA applies only in Ontario.
Sources & citations
Moving health data across borders?
We help Ontario organizations choose tools and cloud regions that satisfy PHIPA — and PIPEDA where it overlaps.
Book a free PHIPA readiness consultThis guide is general information from Northline Technologies, an IT solutions provider, and is not legal advice. For binding interpretation of PHIPA, consult a qualified Ontario privacy lawyer or the Information and Privacy Commissioner of Ontario.