PHIPA, Ontario's health privacy law (the other provinces have their own equivalents), requires that personal health information be collected, stored and protected appropriately. Using software hosted outside Canada creates real compliance risk. The essentials your practice management software needs: Canadian data residency, encryption at rest and in transit, access controls, audit logging, and a Data Processing Agreement (DPA) available on request.
What PHIPA actually requires
The Personal Health Information Protection Act (PHIPA) is Ontario's primary health privacy legislation. Similar laws exist across Canadian provinces — Alberta's Health Information Act (HIA), British Columbia's Personal Information Protection Act (PIPA), and Quebec's Law 25. Together, they establish how regulated health professionals must handle personal health information (PHI).
At a practical level, PHIPA requires that health information custodians (a category that includes physiotherapists, RMTs, chiropractors, osteopaths and, more generally, anyone whose primary function is providing health care for payment) do the following:
- Collect only the information they need for the purpose of providing care
- Protect information from unauthorized access, use, or disclosure through reasonable safeguards
- Ensure agents and service providers — including software platforms — meet equivalent privacy standards
- Notify affected individuals at the first reasonable opportunity when their information is stolen, lost, or used or disclosed without authority, and notify the Information and Privacy Commissioner of Ontario in the circumstances PHIPA and its regulation prescribe
- Retain records appropriately and destroy them securely when no longer needed
The "agents and service providers" requirement is the one most practitioners overlook. If your practice management software doesn't meet PHIPA's standards, you — as the health information custodian — are responsible.
Important: This article provides general information about privacy compliance for Canadian practitioners. It is not legal advice. For specific compliance questions, consult a privacy lawyer or your regulatory college.
PHIPA vs HIPAA — not the same thing
Many US-based practice management platforms advertise HIPAA compliance. This is meaningful for US practitioners — but it is not the same as PHIPA compliance, and it does not satisfy Canadian privacy requirements.
The differences matter:
- Data residency: HIPAA does not require US data to stay in the US. PHIPA has no explicit residency rule either, but its duty to apply reasonable safeguards, read together with provincial privacy guidance on cloud services, creates a strong expectation that Canadian health data stays in Canada or under equivalent protection.
- Government access: US legislation (including the CLOUD Act and the USA PATRIOT Act) can compel US-based companies to produce data in their possession or control, for non-US customers too, and under the CLOUD Act regardless of which country the server sits in. This is a real exposure for Canadian patient data held by US platforms.
- Regulatory jurisdiction: A breach affecting Ontario patients is investigated by the Information and Privacy Commissioner of Ontario (IPC), and by the federal Office of the Privacy Commissioner (OPC) where PIPEDA applies, not by US regulators. A vendor's HIPAA claim (there is no official HIPAA certification) carries no weight with either.
A HIPAA-compliant US platform is not a substitute for PHIPA-compliant Canadian infrastructure. These are different laws with different requirements.
The risks of using non-Canadian software
The practical risks of using non-PHIPA-compliant software fall into two categories:
Regulatory risk: If a privacy complaint is filed against your practice — by a client, or following a breach — your regulator will assess whether your software and practices met PHIPA's requirements. Using software that stores Canadian patient data outside Canada, without appropriate safeguards, is a compliance failure. Penalties can include fines and professional discipline.
Reputational risk: Practitioners who collect health information have an implicit trust relationship with their clients. A breach — or even a disclosure that client data was stored on foreign servers without clients' knowledge — can damage that trust significantly. In a field where referrals and word-of-mouth are critical, reputation matters.
Built and hosted in Canada, PHIPA compliant by design: Canadian data stays in Canada. See how MyoMesh handles privacy →
What Canadian data residency means
Data residency refers to where data is physically stored — the geographic location of the servers. Canadian data residency means your client health information lives on servers in Canada, subject to Canadian law.
Why does this matter? Because data stored in another country is subject to that country's laws. A US-hosted platform can be compelled by US courts to produce data stored on its servers, for non-US customers too, and the data could be handed to a foreign government without your knowledge or your client's consent. Residency narrows that exposure rather than removing it entirely: a US-headquartered provider can still be compelled under the CLOUD Act for data it controls wherever it is stored, so the provider's corporate jurisdiction and its contractual commitments to you matter as well.
For PHIPA compliance, the clearest and most defensible approach is Canadian data residency. When evaluating practice management software, ask explicitly: where are your servers located, and do your backups, logs and any subprocessors (AI, email, analytics) also stay in Canada? "Cloud-based" or "encrypted" does not answer these questions.
What to look for in your software
Here's what a PHIPA-conscious practice management platform should offer:
- Canadian data residency — servers located in Canada, explicitly stated
- Encryption at rest and in transit — TLS 1.2 or later on every connection, and encrypted storage for the database, file uploads and backups
- Role-based access controls — staff can only access what they need for their role
- Audit logging — record of who accessed what data and when
- Data Processing Agreement (DPA) — a formal agreement describing how the platform handles your data, available on request
- Breach notification process — clear process for notifying you if a breach occurs, so you can meet your PHIPA notification obligations
- Data portability — ability to export your data in a usable format if you change platforms
- No third-party data sharing — client health data not sold or shared with advertising partners
Ask any platform you're evaluating for their privacy documentation and DPA before signing up. A platform that can't produce these promptly is a platform that hasn't taken compliance seriously.
How MyoMesh handles data security
MyoMesh is built and hosted in Canada on Google Cloud infrastructure with Canadian data residency. All data is encrypted at rest and in transit. We use Google's Vertex AI for MyoMind AI features — selected specifically because it operates under Google's enterprise data protection framework, which does not use customer data to train AI models.
We provide a Data Processing Agreement for every account. We do not sell or share client health data with third parties. Our privacy practices are detailed on our PHIPA compliance page.
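For readers who want to see what "Canadian data residency" looks like as an enforced control rather than a statement on a website, here is an added example of a Google Cloud organization policy that refuses to create resources outside the Montréal and Toronto regions. This is illustrative only: it is not MyoMesh's own configuration (the page does not publish one), and PROJECT_ID is a placeholder you would replace with your project.

```yaml
# Added example: Google Cloud organization policy (v2 format) that limits
# where resources may be created. PROJECT_ID is a placeholder, not a real project.
# Apply with: gcloud org-policies set-policy residency-policy.yaml
name: projects/PROJECT_ID/policies/gcp.resourceLocations
spec:
  rules:
    - values:
        # Each "-locations" value group covers the region plus its zones and
        # the multi-region aliases that contain it.
        allowedValues:
          - in:northamerica-northeast1-locations   # Montréal
          - in:northamerica-northeast2-locations   # Toronto
```

The constraint only governs resources that support a location (storage buckets, databases, compute, managed services with a region), so it complements rather than replaces the vendor's written commitment: backups, support tooling, and any AI or email subprocessor still have to be checked separately, which is why the DPA and the "where are your servers" question above remain necessary.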
Common questions
What is PHIPA?
PHIPA, the Personal Health Information Protection Act, is Ontario's primary health privacy law. It governs how health information custodians collect, use, and disclose personal health information. Similar legislation exists in other provinces. PHIPA sets requirements for consent, access, storage, and breach notification.
Does PHIPA apply to my practice management software?
Yes. If you are a regulated health professional in Canada collecting personal health information through your software, your software and how you use it must comply with PHIPA (or your province's equivalent law). Using non-compliant software is a regulatory risk, and as the health information custodian, you are responsible.
Is a HIPAA-compliant platform good enough?
No. HIPAA is US legislation. PHIPA is Ontario's equivalent. A US platform that is HIPAA compliant is not automatically PHIPA compliant, and may not meet Canadian data residency expectations. These are different laws with different requirements and different regulators.
What is Canadian data residency?
Canadian data residency means your client health information is stored on servers located in Canada and subject to Canadian law. Data stored in the US is subject to US laws, including legislation that may allow US government access. For PHIPA compliance, Canadian data residency is the clearest path to meeting provincial privacy requirements.
What happens if my software is not compliant?
You risk regulatory investigation, fines, and reputational damage if a breach occurs. Under PHIPA, health information custodians are responsible for ensuring their agents and service providers meet privacy requirements. "I didn't know the software wasn't compliant" is not a defence.
PHIPA compliant. Canadian by design. MyoMesh is built and hosted in Canada, and every account includes a Data Processing Agreement. Learn about our privacy practices → Start your experience