Northline Technologies
Healthcare IT Team · Nov 4, 2025
1. A named privacy officer — by name, not role
Every IPC investigation begins with the same question: 'Who is your privacy officer?' If the answer is 'the office manager, I guess?' you're already losing ground. The privacy officer should be named in your privacy notice, in your staff handbook, and on a sign in the waiting room.
It doesn't have to be a senior clinician. It does have to be someone who has read your policies and can answer questions about them.
2. Written policies that match how you actually work
A privacy policy, breach response plan, acceptable use policy, retention schedule, and mobile device policy — at minimum. The IPC isn't impressed by length; they're impressed by alignment. If your policy says staff use encrypted email and they don't, the policy hurts you.
We provide a complete set as part of every PHIPA compliance engagement, tailored to the clinic, not photocopied from a generic template.
3. Documented annual training with certificates
Every staff member, contractor, and locum should complete annual PHIPA training, and you should have the signed completion records to prove it. The IPC has investigated clinics where the training was excellent and the records were missing — it didn't help.
Make it part of onboarding (see 'Onboarding staff securely') and renew it on a calendar reminder, not 'whenever we get to it.'
"The IPC isn't looking for perfect. They're looking for prepared. The difference is documentation."
4. Audit logs that go back at least a year
When a complaint surfaces about a specific record access, the IPC will ask for the audit trail. Your EMR and Microsoft 365 audit logs should be retained for a minimum of one year — preferably longer — and you should be able to produce them in a reasonable timeframe.
Default Microsoft 365 audit log retention is often shorter than one year; we cover the fix in 'Is Microsoft 365 PHIPA-compliant?'
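Here is the check we would want a clinic to be able to run before the IPC asks, as an added example written for this post rather than code from Northline or from Microsoft's documentation. It assumes the ExchangeOnlineManagement module is installed and that the account used holds the audit and compliance roles in the tenant; the tenant name, user addresses, date window and policy name are placeholders. It confirms unified audit logging is actually on, lists how long existing retention policies keep records, creates a twelve-month policy for the record types most often relevant to a record-access complaint, and exports one user's audit trail to CSV in the form an investigator would ask for.

```powershell
# Added example (not part of the Northline article): verify Microsoft 365 unified
# audit log retention and produce a user's access trail for a date range.
# Assumptions: ExchangeOnlineManagement module installed; the signed-in admin holds
# the Audit Logs / Compliance Management roles; addresses and dates are placeholders.

Import-Module ExchangeOnlineManagement

# Exchange Online PowerShell hosts the audit-config and search cmdlets
Connect-ExchangeOnline -UserPrincipalName admin@clinic.example

# 1. Confirm auditing is switched on at all; if it is off, nothing is being retained
$cfg = Get-AdminAuditLogConfig
if (-not $cfg.UnifiedAuditLogIngestionEnabled) {
    Write-Warning "Unified audit logging is disabled; no records are being kept."
}

# Security & Compliance PowerShell hosts the retention-policy cmdlets
Connect-IPPSSession -UserPrincipalName admin@clinic.example

# 2. List existing custom retention policies and how long each keeps records.
#    If this returns nothing, the tenant is on Microsoft's default retention period.
Get-UnifiedAuditLogRetentionPolicy |
    Select-Object Name, Priority, RetentionDuration, RecordTypes, Enabled |
    Format-Table -AutoSize

# 3. Keep file activity, mailbox activity and sign-ins for twelve months.
#    Priority 1 takes precedence over lower-priority policies for the same record types.
New-UnifiedAuditLogRetentionPolicy -Name "Clinic PHIPA 12-month audit retention" `
    -Description "Keep file, mailbox and sign-in audit records for one year" `
    -RecordTypes SharePointFileOperation, ExchangeItem, AzureActiveDirectoryStsLogon `
    -RetentionDuration TwelveMonths `
    -Priority 1

# 4. Produce the trail the IPC would ask for: every logged action by one user
#    over the last 90 days, exported to CSV. Single calls return at most 5000 rows;
#    page with -SessionId for larger result sets.
$results = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-90) -EndDate (Get-Date) `
    -UserIds "staff.member@clinic.example" -ResultSize 5000 -SessionCommand ReturnLargeSet

$results |
    Select-Object CreationDate, UserIds, Operations, RecordType, AuditData |
    Export-Csv -Path .\audit-trail.csv -NoTypeInformation
```

Two cautions when you run this. Creating a retention policy does not back-fill records that have already aged out, so the one-year window only starts being real a year after the policy is in place. And retention beyond Microsoft's default period may depend on the audit licensing your tenant carries; check the policy list again a few days later and confirm old records are still searchable rather than assuming the cmdlet took effect.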
5. A breach response plan you've actually tested
The IPC has a soft spot for clinics that can describe — calmly, in plain language — what they would do in the first hour of a breach. They are less impressed by a 40-page plan no one in the building has ever opened.
Run a tabletop exercise once a year. Walk through a scenario (lost laptop, phishing compromise, misdirected fax) and time yourselves. Our 72-hour breach playbook is a good starting script.
6. Electronic service provider agreements on file
Every IT provider, EMR vendor, billing service, transcription service, and cloud backup vendor that touches PHI needs a written agreement on file. The IPC will ask for them by vendor name, so keep a one-page register listing each one.
If your current IT provider hasn't given you an ESP agreement, that's a strong signal — and one of the five red flags of a non-healthcare-fluent IT provider. Book a free assessment and we'll walk through your current vendor list.
Key takeaways
- Name a specific privacy officer in your privacy notice and waiting room.
- Written policies must match actual practice — alignment matters more than length.
- Annual PHIPA training, with certificates kept on file, for every staff member.
- Audit logs retained at least one year and producible on request.
- A tested breach response plan beats a perfect plan that's never been used.
- Electronic service provider agreements on file for every vendor touching PHI.
