PHIPA Gap Assessment
for Ontario Clinics

The Privacy Officer must be a named individual with a written job description covering their PHIPA responsibilities. "Everyone is responsible" does not satisfy this requirement.

The policy must be current, version-controlled, and producible to the IPC on demand. It should describe how your clinic collects, uses, and discloses personal health information.

This policy should define implicit vs. express consent, how consent is recorded, and how patients can withdraw consent. Must cover all forms of PHI disclosure including referrals.

PHIPA requires records to be retained for a minimum of 10 years (or until a patient turns 18). The destruction method must also be secure and documented (e.g. shredding certificates).

Shared accounts make audit trail attribution impossible and are a clear PHIPA violation. Each person must have unique credentials so access events can be traced to an individual.

PHIPA's "minimum necessary" principle requires that staff access only the PHI needed for their role. Unrestricted access for all staff is a significant compliance gap.

This is the single most common finding in IPC investigations. "We meant to" is not acceptable. A formal offboarding checklist with date-stamped EMR revocation is required.

Regular access reviews catch stale accounts and inappropriate permissions before they become breaches. Document these reviews with a dated report showing who reviewed and what was found.

Having logs is not enough. PHIPA 2020 amendments require documented evidence of active monitoring. Minimum: spot-check 5–10 events monthly, full after-hours review quarterly.

The IPC can request audit logs with little notice. You must know how to export them from your EMR, how long they are retained, and have a process to deliver them promptly and securely.

Triggered reviews are expected after certain events. Document who performs these reviews, what they look for, and what happens when a suspicious access event is found.

The policy must cover: how to identify a breach, who to notify internally, how to assess risk of significant harm, when and how to notify the IPC, and how to notify affected individuals.

The 90-day IPC notification clock starts at discovery. A staff member who discovers a breach and doesn't report it immediately can cost weeks of your reporting window.

All incidents — including minor misdirected faxes or verbal disclosures — must be logged, even if they don't meet the threshold for IPC notification. This demonstrates a culture of compliance.

Answering "No" here is often a red flag — not a good sign. In a busy clinic, minor incidents occur regularly. No incidents logged typically means incidents are not being recognized or reported.

Training must be documented with dates and names. A verbal briefing is not sufficient. Audited organizations are expected to produce training records for every staff member.

Signed confidentiality agreements are a condition of employment, not a formality. They establish the legal obligation of confidentiality and must be renewed annually and retained securely.

Under PHIPA, you remain responsible for PHI even when a vendor handles it. A signed agreement must define how they protect the data, what they can do with it, and what happens if they have a breach.