Who is a health information custodian under PHIPA?
If you run an Ontario clinic or dental office, you are almost certainly a health information custodian, which is the person or organisation PHIPA holds responsible for the patient records in your care. Being a custodian means the legal duty to protect personal health information sits with you, not just with your staff or your software vendor.
The list of custodians is set out in section 3(1) of the Personal Health Information Protection Act. As WeirFoulds LLP explains in its overview of PHIPA, that list includes health care practitioners and the people and facilities that operate health services. According to the Act itself, as published by the Government of Ontario on e-Laws, the enumerated custodians include health care practitioners, hospitals, psychiatric facilities, pharmacies, laboratories and specimen collection centres, long-term care and other named facilities, community and mental health service providers, ambulance services, medical officers of health for boards of health, and the Minister of Health. Dentists and physicians are custodians because they are health care practitioners who provide care.
For most small practices the practical takeaway is simple. The dentist, physician, or other regulated practitioner who provides care is the custodian, and the records created in the course of that care are personal health information that PHIPA governs. That includes clinical charts, radiographs, consultant reports, and the identifying and billing details attached to them.
What safeguards does PHIPA require for personal health information?
PHIPA requires you to take steps that are reasonable in the circumstances to protect personal health information against theft, loss, and unauthorized use or disclosure, and to protect the records themselves against unauthorized copying, modification, or disposal. This duty comes from section 12(1) of the Act, as set out in the Ontario Health guide to PHIPA.
The word to notice is reasonable. PHIPA does not hand you a checklist of specific technologies. It asks you to match your safeguards to the sensitivity of the information and the real risks your practice faces. In practice that means administrative, physical, and technical measures working together, and it means writing down what you decided so you can show your reasoning later.
A workable baseline for a small clinic usually includes:
- Access controls so each staff member sees only what their role needs, with individual logins rather than shared accounts.
- Audit logging that records who opened which chart and when, so you can detect snooping.
- Encryption of records at rest and in transit, and full-disk encryption on any laptop or device that holds patient data.
- Locked storage and controlled physical access for any paper records, servers, or backup media.
- A written privacy policy, staff confidentiality agreements, and regular training.
- Tested backups and a documented plan for what to do when something goes wrong.
How do PHIPA rules apply to your staff and your vendors?
Anyone who handles patient information on your behalf is your agent under PHIPA, and you remain ultimately responsible for how they protect it. That includes your front-desk staff, your associates, and outside parties such as an IT provider or a cloud software vendor. The College of Physicians and Surgeons of Ontario makes this point directly in its advice to the profession: agents are authorised by a custodian to perform activities on its behalf regarding personal health information, and the custodian stays ultimately responsible for its agents' protection of that information.
This is why vendor choices are a compliance issue and not just a technical one. When you send patient data to a practice-management system, a billing service, or an offsite backup, you are relying on that vendor to uphold duties that legally still belong to you. You need a written agreement that spells out what the vendor may do with the data, how it is protected, where it is stored, and what happens on termination.
A few questions are worth asking any vendor before you sign:
- Where is our patient data physically stored, and can it stay on Canadian infrastructure?
- Who at your company can access it, and how is that access logged?
- How is the data encrypted, and how are backups protected and tested?
- What is your process, and your notification timeline, if you suffer a breach that affects our records?
How long must an Ontario clinic keep patient records?
An Ontario dental practice must keep patient records for at least ten years after the date of the last entry, and for a patient who is a minor, at least ten years after the day the patient turned 18. According to the Royal College of Dental Surgeons of Ontario, this covers clinical and financial records, radiographs, consultant reports, and drug and lab prescriptions. Other regulated professions set their own retention minimums, so confirm the rule with your own College if you are not a dental practice.
Retention has a second half that practices often overlook: secure disposal. Keeping records for the required period is only useful if what you eventually destroy is destroyed in a way that makes the information unrecoverable. Shredding paper and properly wiping or physically destroying drives and old devices are part of the same duty to protect records against unauthorized disposal.
When a patient asks for a copy of their record or a transfer to another provider, PHIPA section 54 lets you charge a fee that does not exceed reasonable cost recovery for duplicating and transferring the records, and the RCDSO notes you should give the patient an estimate first. This is cost recovery, not a profit centre, so keep the charge tied to actual effort.
When must you report a privacy breach to the IPC?
You must report a breach to Ontario's Information and Privacy Commissioner when the incident meets one of the prescribed circumstances, and this mandatory reporting has been in force since October 1, 2017. The Information and Privacy Commissioner of Ontario announced the duty alongside its guidance, Reporting a Privacy Breach to the Commissioner: Guidelines for the Health Sector, released on September 28, 2017. Separately, PHIPA section 12(2) requires you to notify the affected individual at the first reasonable opportunity and to tell them they may complain to the Commissioner.
According to a Borden Ladner Gervais summary of the rules, you must report to the IPC when any of these apply: the information was stolen, unless it was de-identified or encrypted; it was used or disclosed by someone who knew or ought to have known they were acting without authority, such as an employee snooping in charts; after an initial loss or breach the information was or will be further used or disclosed without authority; the breach is part of a pattern of similar incidents; you are required to notify a College under the Regulated Health Professions Act because of the breach; or you determine the incident is significant, weighing the sensitivity of the information, how much was involved, how many individuals were affected, and whether more than one custodian or agent was responsible.
There is also an annual reporting duty. The IPC has required custodians to track breach statistics since January 1, 2018 and to file an annual statistical report, and BLG notes those annual statistics are due by March 1 of the following calendar year. Notifying an affected patient does not, by itself, satisfy the separate duty to report to the Commissioner when a prescribed circumstance is triggered.
A practical response sequence when you suspect a breach:
- Contain it. Stop the ongoing exposure and secure the affected records or systems.
- Investigate. Determine what happened, what information was involved, and who was affected.
- Notify. Tell affected individuals at the first reasonable opportunity, and tell them they may complain to the IPC.
- Report to the IPC where a prescribed circumstance applies, and notify your College if required.
- Record it in your breach statistics and fix the underlying cause so it does not recur.
How does Itsultant help an Ontario clinic meet PHIPA?
Itsultant helps small Ontario health practices put the safeguards, vendor arrangements, and records that PHIPA expects into place, and then documents them so you can prove it. We are a Canadian-owned IT and cybersecurity firm working remotely across Canada, and we work with small businesses and non-profits, including health practices. We have advised dental and denture clinics on their IT, so the realities of a working clinic are familiar to us.
On the compliance side, we map the security controls in your practice to PIPEDA and to Ontario's PHIPA, and we align the work to recognised frameworks such as the CIS Controls and the NIST Cybersecurity Framework. To be clear, these are frameworks we align to, not certifications we hold. The output is an evidence pack: mapped controls, documented policies, and monitoring records that you can hand to a regulator, an insurer's questionnaire, or your College if you are ever asked how you protect patient information.
Our approach is open-source-first, so we favour tools like Wazuh, OpenVAS, and Suricata for monitoring and security rather than stacking up per-seat licence fees. Where it helps your procurement or your patients' trust, your data can stay on Canadian infrastructure. Managed IT is a predictable monthly fee, and existing managed clients get a target one-hour response during business hours, Monday to Friday, 9 to 6 EST.
The first step is a free, no-obligation assessment of where your practice stands against PHIPA. To book one, email info@itsultant.ca or call (647) 809-2230.