Northline Technologies
6 min read · Microsoft 365

Is Microsoft 365 PHIPA-Compliant? 

Microsoft 365 can absolutely be configured to meet PHIPA — but the default tenant isn't there. These are the configuration choices that matter for an Ontario clinic.

Healthcare IT Team · Feb 4, 2026

Why the defaults aren't enough

When you sign up for Microsoft 365, you get a working email and file-sharing platform — but you don't get PHIPA-aligned defaults. Data residency isn't guaranteed without explicit provisioning, MFA isn't enforced for end users, conditional access isn't configured, audit logging is on a short retention by default, and Office Message Encryption is dormant until you turn it on.

None of this is a Microsoft flaw — it's how the platform is built for the broadest possible audience. Healthcare just needs more, and that's the gap the IPC of Ontario will look at first if your clinic is ever investigated.

Our Microsoft 365 for Healthcare service is built around closing exactly these gaps for Ontario clinics.

Lock in Canadian data residency

Microsoft 365 tenants can be provisioned in the Canadian region, which keeps Exchange, SharePoint, OneDrive, and Teams data inside Microsoft's Toronto and Quebec City datacentres. But you have to ask for it at provisioning, and you should verify it after the fact in the Microsoft 365 admin centre under organization data location.

Get this confirmed in writing — Microsoft will provide it on request — and keep it in your privacy officer's file. We cover the legal nuance in our plain guide to Canadian data residency.

MFA and conditional access — every account, no exceptions

Multi-factor authentication is the single highest-impact control you can deploy. Microsoft's own data puts the reduction in account compromise at over 99% once MFA is enforced. Yet many clinics still run with it disabled for 'one or two' admin accounts — exactly the accounts attackers want.

Layer conditional access on top: block sign-ins from outside Canada, require compliant devices for admin roles, and disable legacy authentication protocols like POP and IMAP. We walk through the clinic-specific rollout in MFA for clinics.
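The three conditional access controls listed above, plus the POP/IMAP shutdown, as an added PowerShell example. This is not Northline's or Microsoft's code. It assumes the Microsoft.Graph and ExchangeOnlineManagement modules are installed, that an emergency-access (break-glass) account already exists, and that the `$BreakGlassUpn` value and the admin role list are placeholders you replace for your own tenant. Every policy is created in report-only mode so you can read the sign-in logs before anything is enforced.

```powershell
# Added example (not Northline's or Microsoft's code): report-only Conditional Access
# policies for MFA, geo-blocking and compliant admin devices, plus POP/IMAP disabled in
# Exchange Online. $BreakGlassUpn is a placeholder for your real emergency-access account.
$BreakGlassUpn = "breakglass@clinic.example"

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "User.Read.All", "RoleManagement.Read.Directory"

# Every policy excludes the break-glass account so a mistake cannot lock out all admins.
$breakGlassId = (Get-MgUser -UserId $BreakGlassUpn).Id

# 1. Named location for Canada. Sign-ins resolved to any other country, or to no
#    country at all, fall outside it and will be blocked by policy CA02 below.
$canada = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type"                     = "#microsoft.graph.countryNamedLocation"
    displayName                       = "Canada"
    countriesAndRegions               = @("CA")
    includeUnknownCountriesAndRegions = $false
}

# Helper: build a policy in report-only mode for all cloud apps. Review the sign-in
# logs for a week, then switch state to "enabled" once nothing legitimate is caught.
function New-ReportOnlyCaPolicy {
    param(
        [string]    $Name,
        [hashtable] $Users,
        [hashtable] $Conditions = @{},
        [string[]]  $Controls
    )
    $Users["excludeUsers"] = @($breakGlassId)
    $body = @{
        displayName   = $Name
        state         = "enabledForReportingButNotEnforced"
        conditions    = @{
            users        = $Users
            applications = @{ includeApplications = @("All") }
        } + $Conditions
        grantControls = @{ operator = "OR"; builtInControls = $Controls }
    }
    New-MgIdentityConditionalAccessPolicy -BodyParameter $body
}

# 2. MFA for every user, every application.
New-ReportOnlyCaPolicy -Name "CA01 Require MFA for all users" `
    -Users @{ includeUsers = @("All") } -Controls @("mfa")

# 3. Block sign-ins from outside Canada.
New-ReportOnlyCaPolicy -Name "CA02 Block sign-in outside Canada" `
    -Users @{ includeUsers = @("All") } `
    -Conditions @{ locations = @{ includeLocations = @("All"); excludeLocations = @($canada.Id) } } `
    -Controls @("block")

# 4. Admin roles must sign in from a compliant (Intune-managed) device.
#    The role list is a placeholder; extend it to match the roles your clinic uses.
$adminRoles = Get-MgDirectoryRoleTemplate |
    Where-Object DisplayName -in @("Global Administrator", "Exchange Administrator",
                                   "SharePoint Administrator", "Security Administrator")
New-ReportOnlyCaPolicy -Name "CA03 Require compliant device for admins" `
    -Users @{ includeRoles = @($adminRoles.Id) } -Controls @("compliantDevice")

# 5. Legacy protocols: disable POP and IMAP on every existing mailbox, then on the
#    mailbox plans so newly created mailboxes inherit the same setting.
Connect-ExchangeOnline
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.PopEnabled -or $_.ImapEnabled } |
    Set-CASMailbox -PopEnabled $false -ImapEnabled $false
Get-CASMailboxPlan | Set-CASMailboxPlan -PopEnabled $false -ImapEnabled $false
```

Report-only mode is the deliberate design choice here: a geo-block policy that is wrong about a clinician's VPN exit point locks out a clinic, so the policy should spend time in the sign-in logs before it is enforced. The break-glass exclusion is the second safety net and should be paired with an alert on any sign-in by that account.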

"'Compliant' isn't a button in Microsoft 365. It's the sum of about fifteen settings — none individually difficult, all easy to miss."
Northline Technologies — Healthcare IT Team

Office Message Encryption and data loss prevention

When a clinician needs to send patient information to another provider, an insurer, or the patient themselves, it has to be encrypted. Office Message Encryption (OME) makes this a one-click affair — but only after you've configured the policies, the branded portal, and the sensitivity labels.

Pair OME with Microsoft Purview data loss prevention rules so that a slipped-finger email containing a health card number gets blocked or auto-encrypted before it leaves the tenant. This single configuration prevents the most common 'oops' breach we see.
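The OME check and the DLP pairing described above, as an added PowerShell example that is not Northline's or Microsoft's code. It assumes the ExchangeOnlineManagement module, a licence that includes Purview DLP, and that the built-in sensitive information type is named "Canada Health Service Number" (treat that name, the placeholder sender and the privacy-officer address as assumptions to verify in your own tenant).

```powershell
# Added example (not Northline's or Microsoft's code): confirm OME is active, then create
# a Purview DLP policy that encrypts or blocks outbound mail carrying a health card number.
# The sensitive information type name and the mailbox addresses are assumptions.
Connect-ExchangeOnline
Connect-IPPSSession     # Security & Compliance PowerShell, needed for the DLP cmdlets

# 1. OME prerequisite: Azure Rights Management licensing must be enabled on the tenant,
#    and the encryption templates must be reachable from a real sender.
$irm = Get-IRMConfiguration
if (-not $irm.AzureRMSLicensingEnabled) {
    Set-IRMConfiguration -AzureRMSLicensingEnabled $true
}
Test-IRMConfiguration -Sender "clinician@clinic.example"   # placeholder sender

# 2. DLP policy scoped to Exchange, started in test mode so nothing is blocked until
#    you have reviewed a week of matches in the Purview portal, then switched to Enforce.
$policyName = "PHI - Outbound health card numbers"
New-DlpCompliancePolicy -Name $policyName `
    -ExchangeLocation All `
    -Mode TestWithNotifications `
    -Comment "Encrypt or block outbound email containing health card numbers"

# 3a. One to four health numbers leaving the organisation: the message is encrypted
#     with the built-in Encrypt template and the sender is told why.
New-DlpComplianceRule -Name "Encrypt single health number" -Policy $policyName `
    -AccessScope NotInOrganization `
    -ContentContainsSensitiveInformation @{ Name = "Canada Health Service Number"; minCount = "1"; maxCount = "4" } `
    -EncryptRMSTemplate "Encrypt" `
    -NotifyUser Owner

# 3b. Five or more in one message looks like a bulk leak: block it, notify the sender,
#     and send the privacy officer an incident report with the matched content.
New-DlpComplianceRule -Name "Block bulk health numbers" -Policy $policyName `
    -AccessScope NotInOrganization `
    -ContentContainsSensitiveInformation @{ Name = "Canada Health Service Number"; minCount = "5" } `
    -BlockAccess $true `
    -NotifyUser Owner `
    -GenerateIncidentReport "privacy@clinic.example" `
    -IncidentReportContent All
```

Splitting the rule by count matters: a referral letter with one patient's health number is legitimate and should simply be encrypted, while a spreadsheet of many numbers almost never belongs in outbound email and deserves a hard block plus an incident report for the privacy officer's file.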

Audit logging, alerts, and retention

Turn on unified audit logging and extend retention to at least one year — preferably the maximum your licence allows. PHIPA breach investigations frequently turn on what audit records can show about who accessed what, when, and from where. Default retention is too short to be useful.

Configure alerts for risky sign-ins, mass downloads from SharePoint or OneDrive, and unusual mailbox forwarding rules. These are the early warnings that keep a small incident small instead of letting it grow into a reportable breach.
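The audit, retention and alerting steps from the two paragraphs above, as an added PowerShell example that is not Northline's or Microsoft's code. It assumes the ExchangeOnlineManagement module and a licence that includes audit log retention policies and custom activity alerts; the notification address is a placeholder. Risky sign-in alerts are configured in Entra ID Protection rather than here, so the block covers the other two alert types plus a one-off sweep for forwarding that already exists.

```powershell
# Added example (not Northline's or Microsoft's code): enable unified audit logging, keep
# a year of records, register alerts, and sweep for existing mailbox forwarding.
# The notification address is a placeholder.
Connect-ExchangeOnline
Connect-IPPSSession     # Security & Compliance PowerShell for retention and alert cmdlets

# 1. Nothing below is useful until the unified audit log is actually ingesting.
if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}

# 2. Keep the record types an investigation asks about ("who accessed what, when, and
#    from where") for twelve months. Requires the audit retention feature of your licence.
New-UnifiedAuditLogRetentionPolicy -Name "PHIPA - 12 month retention" `
    -RecordTypes ExchangeItem, ExchangeItemGroup, SharePointFileOperation, AzureActiveDirectoryStsLogon `
    -RetentionDuration TwelveMonths `
    -Priority 100

# 3. Alerts: a burst of file downloads, and any new or changed inbox rule.
$notify = "privacy@clinic.example"   # placeholder privacy-officer mailbox
New-ProtectionAlert -Name "Mass download from SharePoint/OneDrive" `
    -Category DataGovernance -ThreatType Activity -Operation FileDownloaded `
    -AggregationType SimpleAggregation -Threshold 100 -TimeWindow 60 `
    -Severity High -NotifyUser $notify
New-ProtectionAlert -Name "New or changed inbox forwarding rule" `
    -Category ThreatManagement -ThreatType Activity -Operation New-InboxRule, Set-InboxRule `
    -AggregationType None -Severity Medium -NotifyUser $notify

# 4. One-off sweep for forwarding that is already in place: mailbox-level forwarding and
#    inbox rules that forward or redirect. Export the result for the privacy officer's file.
function Get-SuspiciousForwarding {
    foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
        if ($mbx.ForwardingSmtpAddress -or $mbx.ForwardingAddress) {
            [pscustomobject]@{
                Mailbox = $mbx.UserPrincipalName
                Kind    = "MailboxForwarding"
                Target  = "$($mbx.ForwardingSmtpAddress)$($mbx.ForwardingAddress)"
            }
        }
        Get-InboxRule -Mailbox $mbx.UserPrincipalName |
            Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
            ForEach-Object {
                [pscustomobject]@{
                    Mailbox = $mbx.UserPrincipalName
                    Kind    = "InboxRule: $($_.Name)"
                    Target  = (@($_.ForwardTo) + @($_.ForwardAsAttachmentTo) + @($_.RedirectTo) |
                               Where-Object { $_ }) -join "; "
                }
            }
    }
}
Get-SuspiciousForwarding | Export-Csv -Path .\forwarding-review.csv -NoTypeInformation
```

The sweep in step 4 is the part to run first: an alert only catches forwarding rules created after it exists, and a rule quietly added months ago is exactly what an investigation will ask you to account for.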

Not sure where your tenant stands today? Book a free PHIPA assessment and we'll produce a written checklist of every setting that matters, scored against where your tenant is right now.

Key takeaways

  • Confirm Canadian data residency in writing — and keep the confirmation on file.
  • Enforce MFA and conditional access on every account, including admins.
  • Turn on Office Message Encryption and DLP rules for outbound PHI.
  • Extend audit log retention to at least a year and configure alerts.
  • A default M365 tenant is not PHIPA-aligned — deliberate configuration is the work.

Worried this applies to your clinic?

Book a free PHIPA assessment — 30 minutes, no obligation, plain-English report.