Ontario’s Personal Health Information Protection Act (PHIPA) works in conjunction with PIPEDA. PHIPA governs custodians of health information (hospitals, long term care service providers, pharmacies, health care practitioners, etc.) as well as their agents (insurance companies, information processors, employees, information managers, and volunteers) regarding the disclosure and use of personal health information. It ensures that when they have personal health information in their control or custody it is protected from loss, theft, and unauthorized disclosure or use.

ontario phipaIt also protects personal health records from unauthorized disposal, modification, or copying.
It is the responsibility of cloud service providers to provide notice to the records custodian of any breaches. They must also provide public access to the services provided. Upon request they must make accessible a record of all transfers and access of information as well as a risk assessment. The cloud service provider must ensure that their own agreement and any third party agreements are in compliance with the guidelines of PHIPA.


When you are selecting a cloud provider at the provincial private and public sector level in Ontario, it is essential that you conduct a thorough evaluation of the provider and their policies. Questions to ask include:

  • Is the business’ ownership inside of Canada?
  • Where are the business and data centers physically located?
  • For businesses located in a province and governed under that province’s laws, is the data center also located within that province?
  • Are all contractual provisions aligned with the privacy laws of your province including third party access limitations and requirement to provide notification of a suspected or
    actual security breach?
  • What policies does the cloud company have in place for privacy, security, and access management?
  • What are the protocols for infrastructure security including encryption of information when it is stored and transferred?
  • What policies does the cloud company have in place regarding subpoenas and warrants that are issued to them from jurisdictions outside of the province or outside of Canada?

For More information on Ontario’s privacy laws, visit:

0 replies

Leave a Reply

Want to join the discussion?
Feel free to contribute!

Leave a Reply

Your email address will not be published. Required fields are marked *