A PHIPA technical compliance checklist.
PHIPA compliance is the custodian's responsibility, not the IT vendor's. But the technical safeguards that make compliance possible — they are ours. Here is the working list.
The Personal Health Information Protection Act is principles-based, not prescriptive. There is no checkbox audit; there is "reasonable safeguards" and the Information and Privacy Commissioner of Ontario's (IPC) guidance on what reasonable means in 2025. This is the technical checklist we work from with our healthcare clinic customers in Ottawa.
1. Encryption, end-to-end
- BitLocker on every Windows workstation and laptop. FileVault on every Mac. Documented enforcement via Intune or comparable MDM.
- Encrypted backup, both on-site and off-site. AES-256 minimum. Keys not stored alongside the data.
- TLS 1.2+ on all email transport. Microsoft 365 sensitivity labels for sending PHI externally.
- Mobile devices: full-disk encryption enforced via MDM, with remote wipe capability tested annually.
2. Access controls
- MFA on every account that touches the EMR, M365, or any system holding PHI. Phishing-resistant MFA (Authenticator app or hardware key) for any administrative account.
- Role-based access in the EMR — receptionists see scheduling, clinicians see charts, admins see audit logs. Documented.
- Joiner-mover-leaver process documented. Same-day account disable on departure. Quarterly access review.
- Strong password policy: 14+ chars, no rotation requirement (per current NIST SP 800-63B guidance), breached-password screening.
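One way to run the quarterly access review from this section as code, using a constructed account export joined to HR departure dates. This is an added example, not 4UIT's tooling; the job-to-role mapping, the field names and the choice of FIDO2/hardware keys as the phishing-resistant set are assumptions.

```python
"""Quarterly access review over a constructed EMR/M365 account export.

Flags the section 2 controls: no MFA on a PHI account, an admin without
phishing-resistant MFA, an account still enabled after the person left,
and an EMR role that does not match the person's job.
"""
from datetime import date

# Constructed sample rows; "left" is the HR departure date (ISO) or None.
ACCOUNTS = [
    {"user": "jsmith", "job": "receptionist", "emr_role": "scheduling",
     "enabled": True, "mfa": "totp", "admin": False, "left": None},
    {"user": "alee", "job": "clinician", "emr_role": "charts",
     "enabled": True, "mfa": "none", "admin": False, "left": None},
    {"user": "itadm", "job": "it", "emr_role": "audit",
     "enabled": True, "mfa": "push", "admin": True, "left": None},
    {"user": "bgone", "job": "clinician", "emr_role": "charts",
     "enabled": True, "mfa": "totp", "admin": False, "left": "2025-03-03"},
    {"user": "rpark", "job": "receptionist", "emr_role": "charts",
     "enabled": True, "mfa": "totp", "admin": False, "left": None},
]

# Assumed least-privilege mapping: job title -> the single EMR role it should hold.
EXPECTED_ROLE = {"receptionist": "scheduling", "clinician": "charts", "it": "audit"}
# Assumption: only these MFA methods count as phishing-resistant for admin accounts.
PHISHING_RESISTANT = {"fido2", "hardware_key"}


def review_accounts(accounts, today_iso):
    """Return (user, finding) pairs for the privacy officer's review record."""
    today = date.fromisoformat(today_iso)
    findings = []
    for a in accounts:
        u = a["user"]
        # Same-day disable on departure: enabled past the leaving date is a finding.
        if a["left"] and a["enabled"] and today > date.fromisoformat(a["left"]):
            findings.append((u, "departed %s but still enabled" % a["left"]))
        if a["enabled"] and a["mfa"] == "none":
            findings.append((u, "no MFA on a PHI-touching account"))
        if a["admin"] and a["mfa"] not in PHISHING_RESISTANT:
            findings.append((u, "admin account without phishing-resistant MFA"))
        expected = EXPECTED_ROLE.get(a["job"])
        if expected and a["emr_role"] != expected:
            findings.append((u, "EMR role %s does not fit job %s" % (a["emr_role"], a["job"])))
    return findings


if __name__ == "__main__":
    for user, finding in review_accounts(ACCOUNTS, "2025-04-01"):
        print(user, "-", finding)
```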
3. Audit logging
- EMR audit logs retained per your records-management policy.
- Log who accessed which patient record, when, from which device — including read-only access, not just edits.
- M365 audit log retention extended beyond default 90/180 days. We recommend 1 year minimum.
- Quarterly review of admin actions. Alert on access patterns outside business hours.
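The two review items above (after-hours access to patient records, read-only views included, and the quarterly list of admin actions) run over a constructed EMR audit export. This is an added example, not the page's or any EMR vendor's code; the field layout, action names and the 08:00 to 18:00 weekday window are assumptions.

```python
"""Review a constructed EMR audit-log export for after-hours PHI access
and for administrative actions that need quarterly sign-off."""
import csv
from datetime import datetime
from io import StringIO

# Constructed sample; real exports differ in field names and order.
# Fields: timestamp, user, action, patient_id ('-' when no record involved), device
SAMPLE_LOG = """\
2025-05-05T09:12:44,alee,chart_view,P1001,WS-EXAM2
2025-05-05T12:30:11,jsmith,schedule_view,-,WS-FRONT1
2025-05-05T22:41:10,jsmith,chart_view,P1042,WS-FRONT1
2025-05-06T03:15:02,alee,chart_edit,P1001,LAPTOP-ALEE
2025-05-06T10:02:00,itadm,audit_export,-,SRV-EMR
2025-05-10T11:00:00,alee,chart_view,P1007,WS-EXAM2
"""

# Read-only views are patient-record access too, so they are reviewed the same way.
PATIENT_ACTIONS = {"chart_view", "chart_edit", "chart_print"}
ADMIN_ACTIONS = {"audit_export", "user_create", "role_change"}


def in_business_hours(ts, start=8, end=18):
    """True for a weekday timestamp inside [start, end) clinic hours."""
    return ts.weekday() < 5 and start <= ts.hour < end


def review_audit_log(text, start=8, end=18):
    """Return after-hours patient-record accesses and all admin actions."""
    after_hours, admin = [], []
    for ts_s, user, action, patient, device in csv.reader(StringIO(text)):
        ts = datetime.fromisoformat(ts_s)
        if action in PATIENT_ACTIONS and not in_business_hours(ts, start, end):
            after_hours.append((user, patient, action, device, ts_s))
        if action in ADMIN_ACTIONS:
            admin.append((user, action, device, ts_s))
    return {"after_hours": after_hours, "admin_actions": admin}


if __name__ == "__main__":
    result = review_audit_log(SAMPLE_LOG)
    for row in result["after_hours"]:
        print("after-hours:", *row)
    for row in result["admin_actions"]:
        print("admin action:", *row)
```

Weekend access is flagged regardless of the hour, which is why the Saturday 11:00 view appears even though it falls inside the daytime window.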
4. Backup and resilience
- 3-2-1-1 backup architecture: 3 copies, 2 media types, 1 off-site, 1 immutable.
- Canadian-region storage for off-site backup. Documented data residency.
- Monthly restore drill, logged. Annual full disaster-recovery test.
- Documented RTO and RPO commitments. For most clinics: RTO 4 hours, RPO 1 hour.
5. Network controls
- Firewall with current firmware, IPS active, web/category filtering enabled.
- Clinical network segmented from guest WiFi. Imaging traffic on its own VLAN where bandwidth-sensitive.
- DNS filtering catching phishing and malware destinations before connection.
- Site-to-site VPN encrypted (IKEv2 or WireGuard preferred over older protocols).
6. Threat detection
- EDR on every endpoint that touches PHI. Sophos Intercept X is our default.
- MDR — 24/7 monitoring — strongly recommended. Increasingly demanded by cyber insurers on renewal.
- Email gateway in front of M365 / Google Workspace catching phishing and BEC.
- Documented incident-response runbook with notification timeline aligned to PHIPA breach-notification expectations.
7. Vendor management
- Written agreements with every vendor that touches PHI, including data-processing addenda.
- Documented data residency for cloud vendors. Most should store PHI in Canadian regions; any exception must be explicitly disclosed.
- Annual vendor review — are they still accredited, still appropriate for the data they hold?
- Sub-processor list maintained and reviewed.
8. Documentation the privacy officer needs
- Written information security policy, reviewed annually.
- Asset inventory: every device, every server, every user account, every system holding PHI.
- Data-flow diagram: where PHI lives, where it goes, who touches it.
- Incident-response runbook with named roles and notification thresholds.
- Records-retention schedule.
- Annual security awareness training for all staff, with completion logged.
The IPC has been clear: a clinic that can produce these documents on request is in a far stronger position than one that can demonstrate "good intentions" but no paper trail.
What 4UIT covers
Our managed-IT plan for healthcare clinics covers items 1–6 directly, and provides the documented artifacts for items 7–8 to make the privacy officer's job easier. Compliance is the custodian's accountability; we make it executable.
More on our healthcare-clinic IT services or book a brief to talk through your specific environment.
Sources: Information and Privacy Commissioner of Ontario guidance on PHIPA · NIST SP 800-63B Digital Identity Guidelines.
Frequently asked questions
What does PHIPA require technically?
Ontario's Personal Health Information Protection Act (PHIPA) requires "reasonable" technical, physical and administrative safeguards. The Information and Privacy Commissioner of Ontario (IPC) has issued guidance specifying expectations: encryption of stored and transmitted PHI, audit logging of all PHI access, role-based access control with periodic review, secure disposal, and a documented incident-response plan with breach-notification timelines.
Is PHIPA compliance the IT provider's responsibility?
No. Under PHIPA the Health Information Custodian (HIC) — the clinic, hospital, or practitioner — bears legal accountability. IT providers act as "agents" of the HIC. The custodian must ensure their agents implement appropriate safeguards, but accountability cannot be transferred.
What are the breach-notification rules under PHIPA?
Since 2017, custodians must notify affected individuals at the first reasonable opportunity following an unauthorised use or disclosure of PHI, and notify the IPC of significant breaches. Specific reporting thresholds were strengthened in 2019 — review the IPC's current guidance for full reporting criteria.
Does PHIPA require encryption?
PHIPA itself is principles-based, but the IPC's guidance treats encryption of PHI at rest (especially on mobile devices, laptops, and removable media) and in transit as a "reasonable safeguard" expected of any custodian. Failure to encrypt has been cited in IPC orders following lost-laptop breaches.
How long must clinical audit logs be retained?
PHIPA does not prescribe a specific period for audit logs, but most Ontario clinics align audit-log retention with their clinical-records retention schedule (typically 10+ years for adult records, longer for paediatric records). At minimum, audit logs must be retained long enough to investigate incidents identified within the breach-notification window.