Standard · PHIPA

Ontario Personal Health Information Protection Act (PHIPA)

Ontario's Personal Health Information Protection Act (PHIPA, S.O. 2004, c. 3, Schedule A) governs personal health information processing in Ontario. PHIPA displaces PIPEDA for personal health information processed by health information custodians (HICs) in Ontario. For ITAD covering Ontario healthcare engagements (hospitals, clinics, laboratories, health information networks), PHIPA imposes specific obligations on PHI destruction at retirement.

PHIPA scope and HIC definition

PHIPA applies to health information custodians in Ontario — hospitals, clinics, laboratories, pharmacies, health information network providers, individual health professionals. Most Ontario healthcare IT engagements bring Maxicom into scope as the disposition vendor for an HIC.

PHI destruction under PHIPA

PHIPA requires HICs to ensure personal health information is securely destroyed when no longer required. The Information and Privacy Commissioner of Ontario (IPC) interprets this to require destruction methods aligned to recognised standards (NIST 800-88 / IEEE 2883). Maxicom certificates explicitly cite both.

Imaging system retirement

PACS/RIS imaging systems retire alongside hospital storage. Engagement model: coordination with radiology informatics; PHI-grade chain of custody; per-imaging-system certificate.

Ontario Health and the Centre of Excellence engagements

Ontario Health (formerly LHIN/CCO consolidation) and similar provincial-scale healthcare IT entities operate under high-sensitivity protocols. Engagement profile: programme-level master service agreements, witness destruction as standard, provincial-data-residency requirements.

Regulator stack — by region

Every Maxicom certificate is admissible against the full stack simultaneously.

Universal: NIST SP 800-88 Rev. 2 · IEEE 2883-2022 · DoD 5220.22-M · NAID-grade Protocol

🇮🇳 India (CAD · ET)
Privacy: DPDPA 2023
BFSI: RBI IT-Risk
Sector-specific: SEBI · IRDAI · CERT-In · CPCB

🇨🇦 Canada (CAD · EST)
Privacy: PIPEDA · Quebec Law 25
BFSI: OSFI Guideline B-13
Sector-specific: PIPA (AB/BC) · PHIPA · ITSG-33

🇸🇬 Singapore (SGD · SGT)
Privacy: PDPA Section 24
BFSI: MAS TRM
Sector-specific: IMDA · NEA Resource Sustainability Act

🇦🇪 UAE (AED · GST)
Privacy: UAE PDPL Article 21
BFSI: Central Bank UAE
Sector-specific: TDRA · DIFC DPL · ADGM · NESA

Reviewed by the Maxicom compliance office. Last updated April 2026.
Operates under NIST 800-88 · PIPEDA · OSFI B-13 · NAID standard · IEEE 2883-2022

Frequently asked questions

Does PHIPA require physical destruction of all PHI-bearing media?

No — PHIPA is method-neutral but the IPC of Ontario interprets it to require recognised standards. Most engagements use Purge for non-restricted PHI and Destroy for top-classified.

What about IPC inspection?

IPC can inspect HIC operations including ITAD vendor relationships. Maxicom certificates are designed for IPC inspection.

How long are certificates retained under PHIPA?

10 years is typical for healthcare records destruction certificates; longer where specific health-record retention rules apply (some pediatric records to age of majority + 10 years).
