Northline Technologies · PHIPA Compliance · 6 min read

Where Does Your Patient Data Actually Live? A Plain Guide to Canadian Data Residency

PHIPA doesn't strictly require Canadian data residency — but the IPC of Ontario has made very clear what they expect.


Healthcare IT Team · Dec 15, 2025

Residency vs. sovereignty

Data residency means the physical location of the storage. Data sovereignty means which country's laws can compel access to that data. The two are related but not the same — and clinics regularly confuse them.

A US-headquartered cloud vendor can store your data in a Canadian datacentre (residency) while still being subject to US law (sovereignty), including the CLOUD Act. For most Ontario clinic workloads, that residual sovereignty risk is acceptable when the vendor offers contractual and technical safeguards. But you have to know it exists.

What the IPC of Ontario actually expects

PHIPA does not include a hard 'must reside in Canada' rule. What it does require is that custodians take reasonable steps to protect PHI and have a clear understanding of where it goes. The IPC has been explicit in past guidance that custodians should know where their data is stored, who has access, and what foreign laws may apply.

In practice, that means: provision Canadian regions where available, document residency in writing, and disclose any cross-border processing in your privacy notice. See what the IPC of Ontario actually expects for the broader pattern.

Microsoft 365 and Azure: Canadian by configuration

Microsoft 365 tenants can be provisioned in the Canadian region, keeping core workloads — Exchange, SharePoint, OneDrive, Teams — in Toronto and Quebec City. Azure offers Canada Central (Toronto) and Canada East (Quebec City) for VMs, databases, and storage.

We configure both as standard in our Microsoft 365 for Healthcare and Microsoft Azure engagements, and we obtain Microsoft's written confirmation of regional placement for your privacy file.

The vendors that quietly trip clinics up

It's rarely your EMR. It's the marketing platform, the survey tool, the transcription service, the third-party booking widget, the productivity SaaS the office manager signed up for during a free trial. Many of these store data in the US by default — sometimes with no Canadian option at all.

Inventory every SaaS your clinic touches. For each, ask: where is data stored, what data is shared, and is there an electronic service provider agreement? A useful starting point is to look at every recurring credit card charge over the last twelve months.

What to document, and where to keep it

Keep a one-page data residency register listing every vendor, what data they hold, the country of residency, the date you confirmed it, and a link to the vendor's written statement. This is the document an IPC investigator will ask to see first.
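One way to do the "verify after the fact" check on Azure and seed the register from it, as an added example that is not Northline's tooling: the script reads a resource export in the shape `az resource list -o json` produces (the sample below is constructed, not real clinic data), flags anything placed outside Canada Central or Canada East, and emits rows for the residency register. Resources with location `global` (DNS zones, for instance) carry no region, so they are listed for the register but not counted as a finding.

```python
import json

# Azure region names for the two Canadian regions named in the article.
CANADIAN_REGIONS = {"canadacentral", "canadaeast"}
GLOBAL = "global"  # region-less resources; not a residency finding on their own

# Constructed sample shaped like `az resource list -o json` output.
SAMPLE_RESOURCES = json.dumps([
    {"name": "emr-sql-prod", "type": "Microsoft.Sql/servers",
     "location": "canadacentral", "resourceGroup": "rg-clinic"},
    {"name": "scanbackups", "type": "Microsoft.Storage/storageAccounts",
     "location": "eastus", "resourceGroup": "rg-clinic"},
    {"name": "clinic-dns", "type": "Microsoft.Network/dnszones",
     "location": "global", "resourceGroup": "rg-net"},
    {"name": "intake-vm", "type": "Microsoft.Compute/virtualMachines",
     "location": "canadaeast", "resourceGroup": "rg-clinic"},
])


def classify(resource_json, allowed=CANADIAN_REGIONS):
    """Return (register_rows, findings).

    register_rows: one dict per resource, ready to paste into the register.
    findings: names of resources whose region is outside `allowed`.
    """
    rows, findings = [], []
    for r in json.loads(resource_json):
        region = r.get("location", "").lower()
        if region == GLOBAL:
            status = "global (no region)"
        elif region in allowed:
            status = "Canada"
        else:
            status = "OUTSIDE CANADA"
            findings.append(r["name"])
        rows.append({"name": r["name"], "type": r["type"],
                     "group": r.get("resourceGroup", ""),
                     "region": region, "status": status})
    return rows, findings


def register_csv(rows):
    """Render register rows as CSV (name,type,resource group,region,status)."""
    header = "name,type,group,region,status"
    body = [",".join(str(row[k]) for k in ("name", "type", "group", "region", "status"))
            for row in rows]
    return "\n".join([header, *body])


if __name__ == "__main__":
    rows, findings = classify(SAMPLE_RESOURCES)
    print(register_csv(rows))
    print("Findings:", findings or "none")
```

Run it against a real export with `az resource list -o json > resources.json` and pass that file's contents to `classify`; the CSV is the residency register's Azure section, and the findings list is what needs moving or documenting. Microsoft 365 tenant placement is confirmed separately, through Microsoft's written statement as the article describes.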

Need help building yours? We do this as part of every PHIPA compliance engagement — or book a free assessment to see where your clinic stands today.

Key takeaways

  • Get residency confirmed in writing from every vendor that touches PHI.
  • Residency and sovereignty are not the same thing — disclose cross-border risk in your privacy notice.
  • Microsoft 365 and Azure can both be provisioned in Canadian regions; verify after the fact.
  • SaaS tools — not EMRs — are usually where data quietly leaves Canada.
  • Maintain a one-page data residency register, updated annually.

Worried this applies to your clinic?

Book a free PHIPA assessment — 30 minutes, no obligation, plain-English report.