Ontario healthcare practices face a privacy compliance landscape in 2026 that is more complex and more consequential than at any previous point. Two separate privacy laws apply simultaneously — PIPEDA at the federal level and PHIPA at the provincial level — and both are in active transition.

In August 2025, Ontario's Information and Privacy Commissioner (IPC) issued PHIPA's first ever administrative monetary penalties. Federal privacy reform legislation expected to be introduced in 2026 is expected to raise maximum fines dramatically. Courts have widened the circumstances that trigger breach notification obligations. And the threat environment, with healthcare ransomware up 58% in 2025, has made the Safeguards principle more urgent than ever to address.

For any physician, nurse practitioner, physiotherapist, pharmacist, optometrist, or other allied health professional operating in Ontario, understanding this evolving dual-law landscape is not optional. It is a professional obligation.

PIPEDA — The Federal Baseline and Its 2026 Transition

PIPEDA, enacted in 2000 and phased in between 2001 and 2004, governs private-sector privacy in Canada. It applies to every organisation that collects, uses, or discloses personal information in the course of commercial activity, including Ontario healthcare practices for information that falls outside PHIPA's specific scope.

In 2025, the Office of the Privacy Commissioner of Canada (OPC) demonstrated a significantly more assertive enforcement posture. The OPC commenced Federal Court enforcement proceedings against Aylo for alleged PIPEDA contraventions, a rare step that signals the OPC's willingness to pursue judicial remedies rather than relying on voluntary compliance. The OPC has stated it will prioritise cases involving sensitive data and vulnerable individuals, categories that squarely include patient health information.

New federal privacy legislation expected in 2026 is expected to revive key elements of the Consumer Privacy Protection Act (CPPA) from the failed Bill C-27. Under C-27's model, that framework would include the power to issue binding orders, administrative monetary penalties of up to the greater of C$10 million or 3% of gross global revenue, fines for the most serious offences of up to the greater of C$25 million or 5% of gross global revenue, modernised consent requirements, a right to deletion, and specific provisions addressing AI-related data uses. As of April 2026, the legislation has not been tabled, but ministerial statements and stated policy direction make its introduction likely.

PHIPA — The Ontario Health-Specific Law and Its Historic 2025 Enforcement Milestone

PHIPA governs personal health information collected, used, or disclosed by health information custodians in Ontario. The definition of health information custodian includes physicians, nurses, physiotherapists, pharmacists, chiropractors, optometrists, registered psychotherapists, and a wide range of other regulated health professionals operating in Ontario.

The most significant PHIPA development of 2025 was the IPC's first use of its administrative monetary penalty powers, issued in August 2025 in a case involving a physician and a private clinic. For years, PHIPA was sometimes described informally as having limited enforcement teeth because the IPC had historically relied on orders and recommendations rather than financial penalties. That characterisation is no longer accurate.

Courts have also reinforced in 2025 that PHIPA breach notification obligations can be triggered even where there is no evidence of data theft. This follows the statute itself: section 12(2) of PHIPA requires notice to the individual at the first reasonable opportunity where personal health information is stolen or lost, or is used or disclosed without authority, so unauthorised access by an insider or an attacker who exfiltrated nothing still qualifies. The practical effect is a wider set of incidents requiring formal notification and documentation by Ontario health information custodians.

How the Two Laws Interact

After PHIPA came into force in 2004, the federal government declared it substantially similar to PIPEDA and issued an exemption order in 2005. As a result, PHIPA displaces PIPEDA for health information custodians and their agents with respect to personal health information collected, used, or disclosed within Ontario in the course of providing health care.

In practice this means: for personal health information in a clinical context (patient records, diagnoses, treatment histories, prescriptions) PHIPA applies. For other personal information (staff records, billing data, business contacts, general website visitor data) PIPEDA applies. For health information that crosses provincial or national borders in the course of commercial activity, PIPEDA may re-apply.

With both laws now in active enforcement mode and both facing significant reform, Ontario healthcare practices need a compliance programme that addresses both frameworks simultaneously — not separately.

Where PHIPA Is More Stringent Than PIPEDA

Consent requirements are more prescriptive. PHIPA lets custodians rely on implied consent only within a defined circle of care, that is, collection, use, and disclosure among health information custodians for the purpose of providing health care. Express consent is required for disclosure to someone who is not a custodian, for purposes other than providing health care, and for marketing or fundraising uses. PHIPA also lets a patient expressly withhold or withdraw consent to the sharing of specific information (the so-called lockbox), which the custodian must honour and flag to recipients. PIPEDA's general reasonableness test for implied consent is looser than these rules.

Individual access rights are stronger. Patients have a more robust right to access their health records and to correct inaccuracies. A custodian must respond to an access request within 30 days (extendable once by a further 30 days with written notice), and the grounds for refusing access are narrow and specific.

Agent obligations are explicit. PHIPA explicitly addresses the obligations of agents: staff members, contractors, and service providers (including EMR vendors and IT providers) who handle personal health information on behalf of the health information custodian. The custodian remains responsible for the information and for ensuring its agents comply, so physicians and clinic operators cannot delegate that accountability away by contract.

Penalties are now actively applied. The IPC’s August 2025 penalty decisions have established precedent. Ontario health professionals now operate in an environment where PHIPA non-compliance carries documented financial consequences — not just orders to comply.

Dual reporting obligations. A qualifying breach of personal health information under PHIPA requires notification to the affected individuals and, in the circumstances prescribed by regulation, to the IPC. A breach of security safeguards involving other personal information (staff or billing records, for example) that creates a real risk of significant harm requires a report to the OPC under PIPEDA. A single incident, such as ransomware on a clinic server that holds both patient charts and payroll files, can trigger both regimes, and both regulators may investigate independently. Knowing which regulator to notify and in what timeframe therefore requires clarity on which law governs each category of information involved.

Frequently Misunderstood Points

Does PHIPA apply to veterinarians? No. PHIPA's definition of personal health information relates to the health of a human individual. Veterinary records about an animal are not personal health information under PHIPA. For privacy purposes, veterinary practices are governed by PIPEDA in respect of the personal information of their clients (the animal owners).

Does PHIPA apply to dental hygienists? Yes. Dental hygienists are regulated health professionals in Ontario and are health information custodians under PHIPA when collecting, using, or disclosing personal health information in the course of providing health care.

Does PHIPA apply to registered psychotherapists? Yes. Registered psychotherapists are regulated by the College of Registered Psychotherapists of Ontario and are health information custodians under PHIPA.

What if I am employed by a clinic rather than independently operating? Physicians and other health professionals who work for a health information custodian act as agents of that custodian under PHIPA. The organisation bears primary PHIPA responsibility for the records, though individual practitioners retain personal obligations for their own handling of the information and can be the subject of IPC proceedings for their direct actions.

The Cybersecurity Implications in 2026

Both PIPEDA and PHIPA require safeguards appropriate to the sensitivity of the information, covering technical, physical, and administrative measures. With healthcare ransomware surging 58% in 2025 and attackers in 2026 increasingly targeting backups to make recovery harder, the Safeguards requirements of both laws are under more scrutiny than at any previous point.

The types of security failures that trigger PHIPA investigations in Ontario (compromised staff credentials, ransomware attacks on EMR systems, former employees whose access was never revoked, lost unencrypted devices, shared logins and other inadequate access controls) are the same ones that trigger PIPEDA investigations nationally and that Netxafe assessments specifically identify and quantify.

Practical Steps for Ontario Practices in 2026

Conduct a privacy impact assessment covering all information you collect, why you collect it, where it is stored (including cloud and vendor systems), who has access, and how it is protected, mapping each category to the applicable law.

Publish a Privacy Policy on your website and provide a plain-language privacy notice to new patients, satisfying the Openness principle under both laws.

Implement the Safeguards both laws require: multi-factor authentication on EMR, email, and remote access; encryption of stored data and of laptops and portable media; individual (never shared) user credentials with access revoked the day someone leaves; regular external security assessments; and backups that are isolated from the production network so a ransomware operator with domain credentials cannot reach them. Implementing these controls once addresses both laws simultaneously.

Update staff training to reflect the 2025 enforcement developments — including PHIPA’s first monetary penalties — and the 2026 threat landscape including AI-enhanced phishing and backup corruption ransomware.

Review your compliance programme annually. With both federal and provincial frameworks in active transition, annual review is no longer optional for any Ontario healthcare practice.


What to Do Right Now If You Have Never Formally Assessed Your Dual-Law Obligations

For an Ontario healthcare practice that has never formally assessed its PIPEDA and PHIPA compliance posture, 2026 is the moment to act. Both regulators are more active than ever. The threat environment is more dangerous than ever. And incoming federal legislation will raise the compliance bar and the penalty ceiling simultaneously.

The most practical starting point is an external security assessment that addresses your technical Safeguards obligations, the area where both PIPEDA and PHIPA require concrete, documentable controls. A Netxafe Scan gives you immediate visibility into your external exposure, including staff credentials appearing in known breach dumps, TLS certificate validity, DNS email authentication (SPF, DKIM, and DMARC), and open port exposure. A Netxafe Audit extends this to a structured PIPEDA compliance interview covering all ten Fair Information Principles, producing a compliance dashboard and a prioritised remediation roadmap.
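The DNS email authentication check above is one a practice can reason about on its own. The following is an added example written for this article, not Netxafe's scan code: it evaluates a domain's SPF and DMARC TXT records offline and flags the configurations a scanner would report (a permissive `+all`, a monitor-only `p=none`, missing records, duplicate records, too many DNS lookups). The two sets of records for the hypothetical `clinic.example` domain are constructed for illustration; in real use you would fetch the TXT records for the domain and for `_dmarc.<domain>` and pass them in.

```python
"""Offline SPF/DMARC policy check for the records a clinic publishes in DNS.

Added example, not Netxafe code. Inputs are lists of TXT record strings:
one list for the domain itself (SPF lives there) and one for _dmarc.<domain>.
"""
import re
from dataclasses import dataclass

# Mechanisms that cost a DNS lookup under RFC 7208 section 4.6.4 (limit: 10).
SPF_LOOKUP_MECHS = {"include", "a", "mx", "ptr", "exists"}


@dataclass
class Finding:
    severity: str  # "high", "medium" or "low"
    message: str


def parse_spf(txt_records):
    """Return (spf_record_or_None, findings) for the domain's TXT records."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    findings = []
    if not spf:
        return None, [Finding("high", "no SPF record; any host can claim to send as this domain")]
    if len(spf) > 1:
        # Receivers treat multiple SPF records as a permanent error and ignore SPF entirely.
        findings.append(Finding("high", f"{len(spf)} SPF records; receivers return permerror"))
    record = spf[0]
    all_qualifier = None
    lookups = 0
    for term in record.split()[1:]:
        t = term.lower()
        m = re.fullmatch(r"([+\-~?]?)all", t)
        if m:
            all_qualifier = m.group(1) or "+"  # a bare "all" means "+all"
            continue
        mech = t.lstrip("+-~?")
        if mech.split(":")[0] in SPF_LOOKUP_MECHS or mech.startswith("redirect="):
            lookups += 1  # counts top-level terms only; nested includes add more
    if all_qualifier is None:
        findings.append(Finding("medium", "no 'all' mechanism; unmatched senders get a neutral result"))
    elif all_qualifier == "+":
        findings.append(Finding("high", "'+all' authorises every host on the internet to send as this domain"))
    elif all_qualifier == "?":
        findings.append(Finding("medium", "'?all' is neutral; SPF gives no protection"))
    if lookups > 10:
        findings.append(Finding("medium", f"{lookups} lookup terms exceed the RFC 7208 limit of 10"))
    return record, findings


def parse_dmarc(txt_records):
    """Return (tag_dict_or_None, findings) for the TXT records at _dmarc.<domain>."""
    dmarc = [r for r in txt_records if r.lower().startswith("v=dmarc1")]
    findings = []
    if not dmarc:
        return None, [Finding("high", "no DMARC record; mail that fails SPF/DKIM is still delivered")]
    if len(dmarc) > 1:
        findings.append(Finding("high", "multiple DMARC records; receivers discard the policy"))
    tags = {}
    for part in dmarc[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append(Finding("medium", "p=none only monitors; spoofed mail is delivered"))
    elif policy == "quarantine":
        findings.append(Finding("low", "p=quarantine; move to p=reject once aggregate reports are clean"))
    elif policy != "reject":
        findings.append(Finding("high", f"missing or invalid p= tag ({policy!r}); record is ignored"))
    pct_raw = tags.get("pct", "100")
    pct = int(pct_raw) if pct_raw.isdigit() else 100
    if policy in ("quarantine", "reject") and pct < 100:
        findings.append(Finding("low", f"pct={pct} applies the policy to only {pct}% of failing mail"))
    if "rua" not in tags:
        findings.append(Finding("low", "no rua= address; aggregate reports are not being collected"))
    return tags, findings


def assess_email_auth(domain_txt, dmarc_txt):
    """Combine SPF and DMARC findings for one domain, worst severity first."""
    _, spf_findings = parse_spf(domain_txt)
    _, dmarc_findings = parse_dmarc(dmarc_txt)
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(spf_findings + dmarc_findings, key=lambda f: order[f.severity])


# Constructed sample records for a hypothetical clinic.example domain.
WEAK_DOMAIN_TXT = ["v=spf1 include:_spf.google.com +all", "google-site-verification=abc123"]
WEAK_DMARC_TXT = ["v=DMARC1; p=none; rua=mailto:dmarc@clinic.example"]
HARDENED_DOMAIN_TXT = ["v=spf1 include:_spf.google.com -all"]
HARDENED_DMARC_TXT = ["v=DMARC1; p=reject; rua=mailto:dmarc@clinic.example; adkim=s; aspf=s"]

if __name__ == "__main__":
    for label, txt, dm in (("weak", WEAK_DOMAIN_TXT, WEAK_DMARC_TXT),
                           ("hardened", HARDENED_DOMAIN_TXT, HARDENED_DMARC_TXT)):
        print(f"--- {label} ---")
        for f in assess_email_auth(txt, dm) or [Finding("ok", "no issues found")]:
            print(f"[{f.severity}] {f.message}")
```

The weak configuration produces a high finding for `+all` and a medium finding for `p=none`; the hardened one produces nothing. The lookup count is deliberately shallow (it does not resolve nested `include:` records), so treat it as a lower bound when auditing a record that chains several providers.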

Pair this with three immediate administrative steps: designating a named Privacy Officer for your practice, publishing a Privacy Policy on your website, and establishing a written incident response procedure that covers both your PIPEDA reporting obligations to the OPC and your PHIPA notification obligations to the IPC. The procedure should also cover the record-keeping each law imposes: PIPEDA requires a record of every breach of security safeguards, reported or not, to be kept for 24 months, and PHIPA custodians must report annual privacy breach statistics to the IPC. These three steps can be started in a day and address the most commonly cited gaps in OPC and IPC investigations of small healthcare practices.

The dual-law compliance environment in Ontario is genuinely more complex than in most other provinces. But the core security controls required — proper authentication, encrypted storage, access management, documented policies — address both laws simultaneously. Implementing them once satisfies obligations under both frameworks.

Netxafe helps Ontario medical and allied health practices navigate their PIPEDA and PHIPA compliance obligations. Contact us at netxafe.ca.


Is your clinic protected?

Get your free scan teaser — we check your domain, SSL certificate, and email breach exposure. Delivered within 24 hours, no obligation.
