Ontario Personal Health Information Protection Act (PHIPA)
Ontario's Personal Health Information Protection Act (PHIPA, S.O. 2004, c. 3, Schedule A) governs personal health information processing in Ontario. PHIPA displaces PIPEDA for personal health information processed by health information custodians (HICs) in Ontario. For ITAD covering Ontario healthcare engagements (hospitals, clinics, laboratories, health information networks), PHIPA imposes specific obligations on PHI destruction at retirement.
PHIPA scope and HIC definition
PHIPA applies to health information custodians in Ontario — hospitals, clinics, laboratories, pharmacies, health information network providers, individual health professionals. Most Ontario healthcare IT engagements bring Maxicom into scope as the disposition vendor for an HIC.
PHI destruction under PHIPA
PHIPA requires HICs to ensure personal health information is securely destroyed when no longer required. The Information and Privacy Commissioner of Ontario (IPC) interprets this to require destruction methods aligned to recognised standards (NIST 800-88 / IEEE 2883). Maxicom certificates explicitly cite both.
Imaging system retirement
PACS/RIS imaging systems retire alongside hospital storage. Engagement model: coordination with radiology informatics; PHI-grade chain of custody; per-imaging-system certificate.
Ontario Health and the Centre of Excellence engagements
Ontario Health (formerly LHIN/CCO consolidation) and similar provincial-scale healthcare IT entities operate under high-sensitivity protocols. Engagement profile: programme-level master service agreements, witnessed destruction as standard, provincial data-residency requirements.
Authoritative references
Primary sources for the standards and frameworks referenced on this page. Maxicom maps every engagement to these recognised authorities.
Frequently asked questions
Does PHIPA require physical destruction of all PHI-bearing media?
No — PHIPA is method-neutral but the IPC of Ontario interprets it to require recognised standards. Most engagements use Purge for non-restricted PHI and Destroy for top-classified.
What about IPC inspection?
The IPC can inspect HIC operations, including ITAD vendor relationships. Maxicom certificates are designed for IPC inspection.
How long are certificates retained under PHIPA?
10 years is typical for healthcare records destruction certificates; longer where specific health-record retention rules apply (some pediatric records to age of majority + 10 years).