In August 2025, Ontario issued its first-ever administrative monetary penalties under PHIPA — up to $50,000 for individuals. The most common compliance failures aren't complex: US-hosted software, no written privacy policy, incorrect record retention, improper consent, and no breach response plan. All five are fixable before your next client appointment.
Privacy compliance isn't the most exciting part of running a health practice. But in 2025 and 2026, it became a lot harder to ignore.
In August 2025, the Information and Privacy Commissioner of Ontario (IPC) issued its first-ever administrative monetary penalties under PHIPA — the Personal Health Information Protection Act. The penalties, which can reach $50,000 for individuals and $500,000 for organizations, signal a clear shift: privacy obligations for health practitioners in Ontario are now actively enforced, not just theoretical.
The good news is that the most common compliance failures aren't complex. They're predictable mistakes that come from not knowing what PHIPA actually requires.
A quick note on who PHIPA applies to
PHIPA applies to health information custodians in Ontario — a category that includes physicians, nurses, pharmacists, physiotherapists, chiropractors, registered massage therapists, and any other regulated health professional who handles personal health information in the course of providing care.
Crucially: there is no size threshold. A sole-practitioner RMT working out of a single treatment room has exactly the same obligations as a regional hospital. The IPC has made this explicit.
Mistake 1: Using software that stores data outside Canada
This is the most common and potentially most serious compliance gap for private practice practitioners.
PHIPA requires custodians to take reasonable steps to protect personal health information from unauthorized access, use, or disclosure. When you use software hosted on servers in the United States, even if that software is well-known and well-regarded, you are placing Canadian health information under US jurisdiction: the provider, and the data, are subject to US law and US legal process, not Canadian law.
US HIPAA compliance and Canadian PHIPA compliance are not the same standard. A vendor can be fully HIPAA compliant and still not meet PHIPA requirements. They are different regulatory frameworks.
Before choosing any software that touches client health information (scheduling systems, SOAP note tools, intake forms, invoicing platforms), confirm that the data is stored on Canadian servers and that the vendor will sign a data processing agreement that addresses PHIPA requirements. Ask specifically where backups are kept, whether any subcontractors or support staff outside Canada can access the data, and get the answer in writing rather than relying on a "Canadian data centre" line on the marketing page.
Mistake 2: No written privacy policy for your practice
PHIPA requires health information custodians to have information practices in place and to make a written public statement describing them. This means a written document, not just a general intention to handle things carefully.
Your privacy policy should cover, at minimum: what personal health information you collect, why you collect it, how it's stored and protected, who can access it, how long you keep it, and how clients can access their own records or request corrections.
The IPC's Privacy Management Handbook for Small Health Care Organizations, published in May 2025, provides templates specifically for solo practitioners and small clinics. It's a practical resource and it's free — a good starting point if you don't have a written policy yet.
Mistake 3: Keeping records longer — or shorter — than required
PHIPA requires that records be retained and disposed of securely, and professional college standards set the specific retention periods. In Ontario:
- Health records must generally be kept for ten years from the date of last contact with the patient
- For records relating to a minor, records must be kept until the client turns 28 years old, or for ten years from the last contact, whichever date is later. This can mean considerably longer than ten years, depending on how old the client was at the last visit
Many practitioners either delete records they consider old or inactive without checking these requirements, or they don't have a documented retention policy at all. The College of Physiotherapists of Ontario explicitly includes a record retention policy as a requirement in its Opening a Practice Checklist — and equivalent expectations apply to RMTs and chiropractors under their respective college standards.
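The retention rule above is easy to state and easy to get wrong in practice, especially for clients who were minors at their last visit. The following is an added example, not code from the original article or from any vendor, that computes the earliest date a record may be destroyed under the two rules and runs a retention review over a handful of constructed sample records. It assumes the conservative reading of the rules (keep until the later of the two dates), rolls a 29 February anniversary to 1 March in non-leap years, and treats 18 as the age of majority; the retention periods themselves are the ones stated in this article, so check them against your own college's standard before relying on the output.

```python
from dataclasses import dataclass
from datetime import date

# Periods as stated in the article; confirm against your college's standard.
AGE_OF_MAJORITY = 18
RETENTION_YEARS = 10
MINOR_RETAIN_UNTIL_AGE = 28  # ten years after reaching the age of majority


def add_years(d: date, years: int) -> date:
    """Add calendar years; 29 Feb in a non-leap target year rolls to 1 Mar (assumption)."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, month=3, day=1)


@dataclass(frozen=True)
class RetentionDecision:
    retain_until: date   # earliest date the record may be securely destroyed
    basis: str           # which rule produced that date


def was_minor_on(dob: date, on: date) -> bool:
    """True if the client had not yet reached the age of majority on the given date."""
    return add_years(dob, AGE_OF_MAJORITY) > on


def retention_end(last_contact: date, dob: date) -> RetentionDecision:
    """Apply the general ten-year rule and, for minors, the until-age-28 rule; keep the later date."""
    if last_contact < dob:
        raise ValueError("last contact precedes date of birth; record needs correction")
    general = add_years(last_contact, RETENTION_YEARS)
    if not was_minor_on(dob, last_contact):
        return RetentionDecision(general, "ten years from last contact")
    until_28 = add_years(dob, MINOR_RETAIN_UNTIL_AGE)
    if until_28 > general:
        return RetentionDecision(until_28, "minor at last contact: until age 28")
    return RetentionDecision(general, "ten years from last contact")


def may_destroy(last_contact: date, dob: date, today: date) -> bool:
    """True only once the retention period has fully elapsed."""
    return today >= retention_end(last_contact, dob).retain_until


@dataclass(frozen=True)
class Record:
    record_id: str
    dob: date
    last_contact: date


def records_due_for_destruction(records: list[Record], today: date) -> list[str]:
    """Return ids of records whose retention period has elapsed as of today."""
    return [r.record_id for r in records if may_destroy(r.last_contact, r.dob, today)]


# Constructed sample data; not real clients.
SAMPLE_RECORDS = [
    Record("A-001", date(1980, 5, 10), date(2015, 3, 1)),    # adult, plain ten-year rule
    Record("B-002", date(2010, 6, 15), date(2020, 1, 20)),   # child, kept until age 28
    Record("C-003", date(2000, 1, 1), date(2017, 12, 31)),   # minor by one day at last visit
    Record("D-004", date(2012, 2, 29), date(2020, 2, 29)),   # leap-day birthday and visit
]

if __name__ == "__main__":
    for r in SAMPLE_RECORDS:
        d = retention_end(r.last_contact, r.dob)
        print(f"{r.record_id}: retain until {d.retain_until} ({d.basis})")
    print("due for destruction on 2025-03-01:",
          records_due_for_destruction(SAMPLE_RECORDS, date(2025, 3, 1)))
```

Record C-003 is the case practitioners most often miss: the client was a minor for only one more day at the last visit, so the ten-year rule would allow destruction on 2027-12-31, but the age-28 rule holds the record one day longer. A retention review should also log which rule it applied for each record, since that log is your evidence that destruction was done on a documented schedule rather than on a guess.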
Mistake 4: Sharing client information without proper consent
PHIPA allows health information to be shared on the client's implied consent within the circle of care, for example when referring a client to a specialist and including relevant clinical history in that referral. A client can still expressly restrict what you share, and that instruction must be respected. Sharing information for any purpose outside of providing care requires the client's express consent.
Common situations where this goes wrong:
- Sending treatment notes to an employer or insurance company without a signed consent form
- Discussing a client's case with a family member who accompanied them, without the client's explicit permission
- Sharing clinical information with a referring practitioner that goes beyond what is necessary for the referral
When in doubt, get it in writing. A simple consent form that specifies what information is being shared, with whom, and for what purpose, is your documentation and your protection.
Mistake 5: No breach response plan
PHIPA requires that when a privacy breach occurs, affected individuals must be notified "at the first reasonable opportunity." The IPC has interpreted this as approximately 72 hours in most circumstances — considerably faster than many practitioners expect.
A breach doesn't require a dramatic cyberattack. Sending an email with client information to the wrong address, losing a paper chart, or having your laptop stolen all constitute potential breaches. Note that a stolen laptop without full-disk encryption exposes every record stored on it, so encrypting laptops, phones, and USB drives that hold client data is one of the cheapest ways to shrink the scope of a future breach.
The IPC's four-step breach protocol — Contain, Notify, Investigate, Prevent — is the standard you're expected to follow. But you can only follow a protocol you've established in advance. Trying to figure out your breach response while a breach is actively happening is too late.
Your breach plan doesn't need to be complex. It needs to clearly identify who is responsible for responding, what steps are taken to contain and assess the breach, how affected clients will be notified, and what changes will be made to prevent recurrence.
Quick compliance checklist
Before your next client appointment, you should be able to answer yes to all of these:
- My client records software stores data on Canadian servers
- My vendor has signed a data processing agreement addressing PHIPA
- I have a written privacy policy for my practice
- I have a documented record retention schedule
- I have signed consent forms for any third-party information sharing
- I have a written breach response plan
Common questions
What is PHIPA, and who does it apply to?
PHIPA governs how personal health information is collected, used, stored, and shared in Ontario. It applies to all regulated health professionals who handle personal health information, regardless of practice size. A solo-practitioner clinic has the same obligations as a regional hospital.
Is HIPAA-compliant software automatically PHIPA compliant?
No. HIPAA is a US regulation. PHIPA is an Ontario regulation. They are different frameworks with different requirements. A software vendor that is HIPAA compliant is not necessarily PHIPA compliant. Canadian practitioners must confirm their software meets PHIPA, including Canadian data storage.
How long must health records be kept in Ontario?
Health records must generally be kept for ten years from the date of last contact. For records relating to a minor, records must be kept until the client turns 28 or for ten years from the last contact, whichever is later, which can mean considerably longer than ten years depending on the client's age at the last visit.
What are the penalties for non-compliance?
Since January 2024, the IPC has had authority to impose administrative monetary penalties under PHIPA. Maximum penalties are $50,000 for individuals and $500,000 for organizations. In August 2025, the IPC issued its first-ever monetary penalties under PHIPA.
PHIPA compliance built in, not bolted on.
MyoMesh stores all client data on Canadian servers, includes encrypted access controls and audit logs, and provides a signed Data Processing Agreement as standard.