
PHIPA, HIPAA, and PIPEDA Explained

PUBLISHED ON: 02.08.2019

Are you a Canadian facility wondering, “If I use a US-based mental health EHR, will my data be secure and PHIPA / PIPEDA compliant?!”

Both Canadian and US federal legislatures have established rules for data privacy and security provisions regarding the collection, use, and disclosure of personal health information (PHI). 

In the United States, the Health Insurance Portability and Accountability Act (HIPAA) requires covered organizations to put proper security measures in place; in Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA) and the Personal Health Information Protection Act (PHIPA) do the same.

Are they all the same?! Let us break it down for you…


The Personal Information Protection and Electronic Documents Act (PIPEDA) was enacted in 2000 as a way to safeguard personal information in electronic commerce. This privacy law requires organizations and health professionals to protect an individual’s data, as well as obtain consent from the individual when they collect, use, or disclose such information.

This information includes:

  • Demographic Data
  • Medical Information
  • ID Numbers
  • Credit Card Information

PIPEDA specifically applies to commercial use, which is defined as,

“Any particular transaction, act, or conduct, or any regular course of conduct that is of a commercial character, including the selling, bartering or leasing of donor, membership or other fund-raising lists (Office of the Privacy Commissioner of Canada).”

This means that non-profits, charities, and politically affiliated associations are not required to protect an individual’s information.

Although PIPEDA applies to organizations involved in interprovincial and international transactions, Canada has allowed provinces with substantially similar privacy legislation, such as PHIPA in Ontario, to be exempt.


The Personal Health Information Protection Act (PHIPA) was enacted on November 1, 2004, in Ontario to ensure the privacy of personal health information. It outlines policies and practices for health information custodians, such as doctors, hospitals, and other healthcare provider facilities.

What’s the purpose of PHIPA?

PHIPA has three main purposes to meet its security requirements:

  1. Establish regulations for the collection, use, and disclosure of personal health information in a manner that protects the confidentiality of the information and the privacy of the individuals in question
  2. Provide individuals with the right to access their personal health information and patient records, and to correct or amend such information, subject to certain exceptions
  3. Provide independent review and resolution of personal health information complaints (Certified Information Privacy Professional Guide)

Who is responsible for PHIPA compliance?

Under PHIPA, health information custodians include health care practitioners, health service providers, hospitals, medical facilities, pharmacies, laboratories, social workers, and long-term care facilities.

These custodians are accountable for protecting PHI from theft, loss, unauthorized use, and unauthorized disclosure; for PHIPA compliance overall; and for the conduct of their PHI agents. PHI agents are individuals authorized by the custodian to interact with PHI, such as facility employees, volunteers, or students.

What’s the difference between PIPEDA and PHIPA?

While PIPEDA applies to healthcare organizations involved in the collection and use of personal information in the course of commercial activity, PHIPA applies specifically to health information custodians within Ontario, whether or not they are engaged in commercial activities. Those who are compliant with PHIPA are not required to be compliant with PIPEDA, as PHIPA is recognized as substantially similar privacy legislation.


The Health Insurance Portability and Accountability Act (HIPAA) was enacted in the United States in 1996 to safeguard medical information and to ensure the confidentiality and security of PHI held by healthcare providers and organizations, both electronically and on paper.

HIPAA regulations are mandated by the federal government and require organizations to establish, and adhere to, procedures aimed at protecting personal health information.

Is electronic PHI protected under HIPAA?

Organizations must have secure information practices and technical safeguards for e-PHI, such as an audit log, integrity controls, transmission security, access control, and business associate agreements (BAAs). These measures ensure that only authorized persons have access to e-PHI and that information is not improperly altered, destroyed, or shared.

Access control mechanisms are crucial to prevent unauthorized access, and organizations should take reasonable steps to monitor and restrict access to sensitive information. It is also important that business associates of medical facilities/providers have a contract outlining how they will handle and protect the data they receive.
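To make the safeguards above concrete, here is an added example (not code from PIMSY or from the original post) that sketches three of them in one small Python class: role-based access control on e-PHI records, an HMAC integrity tag on each stored record, and a hash-chained audit log in which every access attempt, allowed or denied, is recorded. The role table, user names, record contents and key are all constructed for the demonstration.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed role-to-action policy (assumption: a minimal RBAC table; a real
# deployment would load this from its identity/authorization system).
PERMISSIONS = {
    "clinician": {"read", "write"},
    "billing": {"read"},
    "volunteer": set(),
}

GENESIS = "0" * 64  # hash-chain anchor for the first audit entry


class EphiStore:
    """Toy e-PHI store: access control, HMAC integrity tags, hash-chained audit log."""

    def __init__(self, integrity_key: bytes):
        self._key = integrity_key
        self._records = {}      # record_id -> (canonical JSON bytes, HMAC tag)
        self.audit_log = []     # append-only; each entry commits to the previous hash
        self._last_hash = GENESIS

    @staticmethod
    def _entry_hash(entry):
        # Hash every field except the hash itself, in canonical key order.
        body = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def _audit(self, user, role, action, record_id, outcome):
        entry = {
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": user, "role": role, "action": action,
            "record": record_id, "outcome": outcome,
            "prev": self._last_hash,
        }
        entry["hash"] = self._entry_hash(entry)
        self.audit_log.append(entry)
        self._last_hash = entry["hash"]

    def _check(self, user, role, action, record_id):
        # Access control: denied attempts are logged before the exception is raised.
        if action not in PERMISSIONS.get(role, set()):
            self._audit(user, role, action, record_id, "denied")
            raise PermissionError(f"{user} ({role}) may not {action} {record_id}")

    def write(self, user, role, record_id, data):
        self._check(user, role, "write", record_id)
        payload = json.dumps(data, sort_keys=True).encode()
        tag = hmac.new(self._key, payload, hashlib.sha256).hexdigest()
        self._records[record_id] = (payload, tag)
        self._audit(user, role, "write", record_id, "allowed")

    def read(self, user, role, record_id):
        self._check(user, role, "read", record_id)
        payload, tag = self._records[record_id]
        # Integrity control: a record whose tag no longer matches is refused, not served.
        expected = hmac.new(self._key, payload, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(tag, expected):
            self._audit(user, role, "read", record_id, "integrity_failure")
            raise ValueError(f"integrity check failed for {record_id}")
        self._audit(user, role, "read", record_id, "allowed")
        return json.loads(payload)

    def verify_audit_chain(self):
        # Walk the log and confirm each entry's hash and its link to the previous one.
        prev = GENESIS
        for entry in self.audit_log:
            if entry["prev"] != prev or self._entry_hash(entry) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


def demo():
    store = EphiStore(b"constructed-demo-key-not-for-production")
    result = {}
    store.write("dr_lee", "clinician", "pt-001", {"name": "Sample Patient", "dx": "constructed"})
    result["billing_read"] = store.read("bill_01", "billing", "pt-001")
    try:
        store.read("vol_01", "volunteer", "pt-001")
        result["volunteer_denied"] = False
    except PermissionError:
        result["volunteer_denied"] = True
    # Simulate out-of-band alteration of stored data: the HMAC no longer matches.
    payload, tag = store._records["pt-001"]
    store._records["pt-001"] = (payload.replace(b"constructed", b"altered"), tag)
    try:
        store.read("dr_lee", "clinician", "pt-001")
        result["tamper_detected"] = False
    except ValueError:
        result["tamper_detected"] = True
    result["chain_ok"] = store.verify_audit_chain()
    result["outcomes"] = [e["outcome"] for e in store.audit_log]
    # Simulate an after-the-fact edit of the log to hide the denial: the chain breaks.
    store.audit_log[2]["outcome"] = "allowed"
    result["chain_ok_after_log_edit"] = store.verify_audit_chain()
    return result


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running `demo()` shows the billing user reading the record, the volunteer being refused with a `denied` audit entry, the altered record being rejected with an `integrity_failure` entry, and the audit chain verifying until an entry is edited. In a real system the audit log would be shipped off-host and the integrity key kept outside the application database, so that neither the records nor the log can be changed by the same party.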


By enforcing these regulations and adopting proactive security measures, healthcare organizations can significantly reduce the risk of privacy breaches, safeguarding the confidentiality and integrity of personal health information (PHI).

Just like PIMSY keeps our US clients HIPAA compliant, we keep our Canadian clients PHIPA / PIPEDA compliant too.

Contact us for details: 877.334.8512, ext 1 or at 


Office of the Privacy Commissioner of Canada

Compliancy Group: HIPAA

Author: pehradmin
