Who Does PHIPA Apply To? Custodians, Agents & the Circle of Care
PHIPA applies to health information custodians in Ontario — doctors, nurses, hospitals, pharmacies, labs, long-term care homes, and similar providers — plus their agents (anyone who handles PHI on the custodian's behalf, including IT vendors). It does not generally apply to insurers or employers acting in those roles. The 'circle of care' lets custodians share PHI for treatment under implied consent.
Who is a health information custodian?
A health information custodian is a person or organization that delivers health care and, in doing so, has custody or control of personal health information. Common custodians include physicians and other regulated health professionals, hospitals, pharmacies, laboratories, long-term care and retirement homes, community care providers, and medical officers of health. If you provide care and hold patient records in Ontario, you are almost certainly a custodian.
What is a PHIPA agent?
A PHIPA agent is any person or organization that, with the custodian's authorization, acts for or on behalf of the custodian in handling PHI — whether or not they are paid. This includes employees, contractors, volunteers, and IT and cloud providers. Agents may only handle PHI as the custodian permits and must meet the same safeguard expectations. This is why your managed-IT partner must be properly bound by agreement.
Who is the contact person under PHIPA?
A custodian that is not a single individual must designate a contact person. This person facilitates compliance, responds to access and correction requests, receives complaints and inquiries, and serves as the point of contact with the IPC. Any informed staff member can be designated, but the role carries real responsibility.
The circle of care
The "circle of care" is a shorthand for the group of custodians directly involved in a patient's treatment who may rely on the patient's implied consent to share PHI for that care. It lets a family doctor, specialist, pharmacist, and lab share information to treat you without re-collecting express consent at every step — while still respecting any consent the patient has withheld (a "lock-box").
Who does PHIPA NOT apply to?
PHIPA generally does not govern information once it is held by insurance companies or employers acting in those capacities, because they are not custodians. It also doesn't cover health information stripped of identifiers. Insurers and employers may instead be subject to other privacy laws such as PIPEDA. See our PHIPA vs PIPEDA comparison for where each applies.
Frequently Asked Questions
Who does PHIPA apply to?
PHIPA applies to health information custodians in Ontario and their agents — providers like doctors, hospitals, pharmacies, and labs, plus anyone handling PHI on their behalf, including IT vendors.
Does PHIPA apply to insurance companies or employers?
Generally no, when they act as insurers or employers rather than as health custodians. They may instead be covered by PIPEDA or other laws.
What is a PHIPA agent?
An agent is any person or organization authorized to handle personal health information on a custodian's behalf, including employees, contractors, and IT/cloud providers.
Who can be a contact person under PHIPA?
Any suitably informed individual a custodian designates to oversee compliance and handle access requests, complaints, and IPC communications.
Sources & citations
Your IT provider is a PHIPA agent
Northline operates as a properly bound agent — with the agreements, safeguards, and Canadian data residency PHIPA expects of anyone handling your patients' PHI.
Book a free PHIPA readiness consultThis guide is general information from Northline Technologies, an IT solutions provider, and is not legal advice. For binding interpretation of PHIPA, consult a qualified Ontario privacy lawyer or the Information and Privacy Commissioner of Ontario.