Northline Technologies
Healthcare IT Team · Jan 22, 2026
1. They ask you to 'just email it'
If your IT provider has ever asked you to forward a patient record, a scanned chart, or a screenshot of an EMR screen to a regular email address, that's a PHIPA breach in motion. A healthcare-fluent provider has a secure intake — usually an encrypted portal or an OME-protected (Office 365 Message Encryption) inbox — and would never ask for PHI in plain email.
This one signal tells you almost everything about how the provider thinks about patient data. If that secure channel is missing today, our managed IT service starts every engagement by setting it up.
2. They don't know your EMR by name
OSCAR, Jane, TELUS PS Suite, Accuro, Dentrix, ABELDent — a healthcare-fluent provider knows these systems, their quirks, their vendor support paths, and their hardware requirements. They can also talk plausibly about imaging integrations, billing modules, and lab interfaces.
If your IT provider treats your EMR as 'that medical thing the vendor handles,' you'll end up paying for every minor change twice — once to your EMR vendor and once to the MSP figuring it out on your time.
3. There's no electronic service provider agreement
PHIPA requires custodians to have a written agreement with any IT provider that handles or could access PHI. It covers permitted uses, security obligations, breach notification, and audit rights. Healthcare-fluent providers bring this agreement to the first meeting. Generic MSPs are surprised when you ask.
Without an ESP agreement on file, your privacy officer can't demonstrate compliance, and an IPC investigation will land squarely on the clinic. We cover what auditors actually look for in "What the IPC of Ontario actually expects."
"We've inherited dozens of clinics whose previous IT provider was technically excellent — and completely uninvolved in privacy. That's not a partnership; that's a vendor."
4. They have no breach response plan for your clinic
Ask your provider: 'If we discovered a ransomware infection at 6pm tonight, what happens in the next two hours?' A healthcare-fluent provider has a documented runbook including containment, IPC notification timelines, patient notification templates, and forensic evidence preservation.
If the answer is 'we'd start by restoring from backup,' you have a problem. Our walkthrough, "The first 72 hours of a PHIPA breach," is the standard we hold ourselves to.
5. They disappear when the auditor shows up
When a privacy officer is preparing for a college inspection, an insurance renewal questionnaire, or a College of Physicians audit, the IT provider should be in the loop and producing artefacts: backup logs, MFA enforcement reports, training records, vendor agreements. Generic MSPs will tell you to 'fill it out and send it back if you need anything.'
Healthcare-fluent providers do this work as a normal part of the relationship — not as an emergency favour during audit week.
Not sure where your current provider stands on any of these? Book a free, no-obligation second-opinion conversation through our contact page.
Key takeaways
- Healthcare-fluent providers never ask for PHI in plain email.
- They know your EMR vendor and software by name and behaviour.
- They produce an electronic service provider agreement up front.
- They have a documented, tested breach response runbook.
- They actively help with audits — they don't disappear during one.
