What Is PHIPA? Ontario's Health Privacy Law Explained
PHIPA — the Personal Health Information Protection Act, 2004 — is Ontario's health-privacy law. It governs how health information custodians (doctors, hospitals, pharmacies, clinics and their agents) collect, use, and disclose your personal health information (PHI). PHIPA took effect on November 1, 2004, is enforced by the Information and Privacy Commissioner of Ontario, and gives patients the right to access and correct their records while requiring custodians to keep that information secure.
What does PHIPA stand for?
PHIPA stands for the Personal Health Information Protection Act, 2004. It is provincial legislation that applies in Ontario, Canada. People sometimes search for "PHIP" or "what is PHIPA Ontario"; these all refer to the same statute (cited as S.O. 2004, c. 3). PHIPA is pronounced "FY-pa" or "FIP-a" and is sometimes written out in full rather than abbreviated.
What does PHIPA do?
PHIPA sets the rules of the road for personal health information in Ontario. In practical terms it:
- Defines who counts as a health information custodian and what their duties are;
- Requires consent (express or implied) before PHI is collected, used, or disclosed;
- Gives patients the right to access and request corrections to their own records;
- Requires custodians to take reasonable safeguards — administrative, technical, and physical — to protect PHI; and
- Sets out breach-notification obligations and penalties when those rules are broken.
What does PHIPA govern?
PHIPA governs personal health information held by health information custodians. That includes identifying information about a person's physical or mental health, the care they have received, payments or eligibility for care, organ and tissue donation, and a person's health card number. It applies whether that information is on paper, in an electronic medical record, in email, or stored in the cloud.
The purpose of PHIPA
PHIPA's purposes broadly fall into four categories: (1) establishing rules for the collection, use, and disclosure of PHI that protect confidentiality and privacy while allowing effective health care; (2) giving individuals a right of access to their own records; (3) giving individuals a right to require correction of their records; and (4) providing independent oversight and remedies through the Information and Privacy Commissioner. In short, PHIPA balances patient privacy against the practical need to share information for care.
When did PHIPA start?
PHIPA received Royal Assent in 2004 and came into force on November 1, 2004. It has been amended several times since — notably to strengthen breach reporting and to add mandatory reporting to the IPC.
Who administers PHIPA?
PHIPA is administered and enforced by the Information and Privacy Commissioner of Ontario (IPC), an officer independent of government. The IPC investigates complaints, reviews breaches, issues orders, and publishes guidance. Health information custodians are directly responsible for complying day to day.
Why PHIPA matters for your organization
If your organization touches health data in Ontario — a clinic, a long-term care home, a digital-health vendor, or an IT provider acting as an agent — PHIPA is not optional. Non-compliance carries fines, IPC orders, and reputational damage. Getting your Microsoft 365 tenant, cloud storage, email, and access controls configured to PHIPA's "reasonable safeguards" standard is exactly the kind of work Northline Technologies does for Canadian healthcare clients.
Frequently Asked Questions
Is PHIPA federal or provincial?
PHIPA is provincial legislation that applies in Ontario. The federal counterpart, PIPEDA, can apply to health information in commercial contexts outside Ontario or to interprovincial/international transfers. See our PHIPA vs PIPEDA comparison.
Does PHIPA replace PIPEDA?
Not entirely. Ontario was declared to have legislation 'substantially similar' to PIPEDA for health information, so PHIPA generally governs PHI handled by custodians in Ontario, while PIPEDA still applies to some cross-border and commercial activities.
Is PHIPA used in the United States?
No. PHIPA is an Ontario law. The closest U.S. equivalent is HIPAA, the Health Insurance Portability and Accountability Act.
What is the difference between PHIP and PHIPA?
They refer to the same thing. 'PHIP' is simply a common misspelling or shorthand for PHIPA.
Need your systems PHIPA-ready?
Northline configures Microsoft 365, Azure, and cloud workflows to meet PHIPA's safeguard requirements for Ontario healthcare organizations.
Book a free PHIPA readiness consult
This guide is general information from Northline Technologies, an IT solutions provider, and is not legal advice. For binding interpretation of PHIPA, consult a qualified Ontario privacy lawyer or the Information and Privacy Commissioner of Ontario.
