
Practical Approaches for the Personal Health Information Protection Act (PHIPA)

Posted on December 02, 2019


Let’s start with: what is PHIPA?

Here in Ontario, Canada, we have the Personal Health Information Protection Act, also known as PHIPA, which was established in 2004 to govern personal health information. Specifically, PHIPA establishes the rules for the collection, use, and disclosure of individuals’ personal health information. So if you handle personal health information, you are considered a custodian and are regulated under PHIPA.

PHIPA guide (source: Guide by the Information and Privacy Commissioner of Ontario)


Ok, so you’ve come across HIPAA, PIPEDA and PHIPA. Confused? You’re not alone. PIPEDA is Canada’s Personal Information Protection and Electronic Documents Act, and PHIPA is the privacy act that deals with personal health information in Ontario, whereas HIPAA governs personal health information privacy across the border in the US. HIPAA rarely impacts our compliance standards, but it can; that’s for another day. So, PHIPA is important for any Ontario organization that handles any personal health information, including website data.

PHIPA and Inorbital

PHIPA is often considered the Canadian equivalent of HIPAA (Health Insurance Portability and Accountability Act). Clients should note that under PHIPA, the health care provider that obtains and maintains the data, not the web development agency, is the custodian of the stored information and the party to which user consent is given.


What you get from Inorbital

As part of the Inorbital PHIPA compliance service, Inorbital will provide a Threat Risk Assessment and prepare a Privacy Impact Assessment when required.

Inorbital maintains a privacy policy in compliance with applicable privacy legislation, addressing its practices relating to the collection, use, disclosure, retention and disposal of personal information.

Inorbital also monitors and enforces compliance with its own privacy policy, which includes:

  • Appointing a privacy compliance officer who is given responsibility for Inorbital’s compliance with the privacy and security terms and conditions that are determined at contract time.
  • Employing appropriate safeguards to prevent theft, loss and unauthorized access, copying, modification, use, disclosure or disposal of PHI. Without limiting the generality of the foregoing, Inorbital takes reasonable steps to ensure that all PHI received from clients is securely segregated from any information owned by us, including password authorization.
  • Notifying the custodian of any privacy breach immediately upon confirmation.
  • Maintaining an audit trail to track the use of our content database.

Contact us if you are planning a digital project that includes any form of health related information.

Blog post author: Tony, Director and Founder

Inorbital founder and digital solution architect with over 20 years’ experience planning and directing dynamic web presence and web applications for all types of savvy organizations. When not directing Inorbital you can find him actively trying something completely new.
