Ontario
PHIPA — Personal Health Information Protection Act
PHIPA is Ontario's governing statute for personal health information. For security system design, it places heavy restrictions on where cameras can go, what they can capture, and how long any related information may be retained.
Applies to
Health information custodians — hospitals, clinics, labs, specialty practices, pharmacies, and their agents.
What it requires
The obligations, in plain English.
Limit use and disclosure
Health information custodians must not use or disclose personal health information for purposes beyond direct care, unless a specific exception applies.
Accurate records and audit trails
Every access to personal health information must be logged, and those logs must be retained and auditable.
Safeguards
Administrative, technical, and physical safeguards must protect PHI — which extends to video in clinical or semi-clinical environments.
Right of access and correction
Individuals have the right to access and correct their own PHI.
How we design against it
From rule to drawing.
No cameras in clinical space
Exam rooms, treatment rooms, and consult spaces do not receive cameras. This is a design constraint that applies before any camera is chosen.
Privacy zones on transition cameras
Corridor cameras adjacent to clinical space are masked to prevent glimpses into exam rooms when doors open.
Role-based access control
Records rooms and pharmacies get dedicated access zones with named credentials, not shared fobs.
Retention tiers
Short retention (30–60 days) on video; long retention (7 years) on access events tied to PHI-bearing spaces.
Canadian data residency
Cloud platforms are configured to use Canadian regions, and cross-border replication is disabled.
Common mistakes
What gets flagged on audit.
Cameras installed inside or directly overlooking exam rooms.
Default cloud region left on US data centres.
Shared 'staff' credentials in the access system.
Retention sized identically for all zones — no tiering for PHI-adjacent spaces.
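The design rules and common mistakes above, expressed as a configuration audit. This is an added example, not code from the original page: the schema (field names such as `space`, `privacy_mask`, `holders`, `country`) and the sample site are constructed for illustration, and the thresholds are the 60-day and 7-year figures stated above.

```python
CLINICAL_SPACES = {"exam", "treatment", "consult"}
MAX_VIDEO_DAYS = 60             # upper end of the page's 30-60 day video tier
MIN_PHI_EVENT_DAYS = 7 * 365    # page's 7-year tier for PHI-bearing access events

def audit(site):
    """Return a list of findings for a site config (hypothetical schema)."""
    findings = []
    for cam in site["cameras"]:
        if cam["space"] in CLINICAL_SPACES:
            findings.append(f"{cam['id']}: camera inside clinical space")
        elif cam.get("adjacent_to_clinical") and not cam.get("privacy_mask"):
            findings.append(f"{cam['id']}: no privacy zone on transition camera")
        if cam["video_retention_days"] > MAX_VIDEO_DAYS:
            findings.append(f"{cam['id']}: video retention exceeds short tier")
    for zone in site["access_zones"]:
        if zone["phi_bearing"] and zone["event_retention_days"] < MIN_PHI_EVENT_DAYS:
            findings.append(f"{zone['id']}: access events kept under 7 years")
        for cred in zone["credentials"]:
            if len(cred["holders"]) != 1:   # one named holder per credential
                findings.append(f"{zone['id']}: shared credential {cred['id']}")
    cloud = site["cloud"]
    if cloud["country"] != "CA":
        findings.append(f"cloud: region {cloud['region']} is outside Canada")
    if cloud["cross_border_replication"]:
        findings.append("cloud: cross-border replication enabled")
    return findings

# Constructed sample site reproducing the mistakes listed above.
SAMPLE_SITE = {
    "cameras": [
        {"id": "cam-01", "space": "exam", "video_retention_days": 45},
        {"id": "cam-02", "space": "corridor", "adjacent_to_clinical": True,
         "privacy_mask": False, "video_retention_days": 90},
        {"id": "cam-03", "space": "lobby", "video_retention_days": 30},
    ],
    "access_zones": [
        {"id": "records-room", "phi_bearing": True, "event_retention_days": 90,
         "credentials": [{"id": "fob-staff", "holders": ["a.lee", "b.roy"]}]},
        {"id": "pharmacy", "phi_bearing": True, "event_retention_days": 2555,
         "credentials": [{"id": "card-117", "holders": ["c.patel"]}]},
    ],
    "cloud": {"region": "us-east", "country": "US", "cross_border_replication": True},
}

if __name__ == "__main__":
    for finding in audit(SAMPLE_SITE):
        print("FLAG", finding)
```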
References
Where to read the source.
Information and Privacy Commissioner of Ontario (IPC)
Ontario's regulator — publishes PHIPA guidance and investigates complaints.
IPC Guidance on the Use of Video Surveillance
Specific guidance on health-care settings.
Audit-prep review.
We'll walk your existing system against PHIPA and deliver a written gap analysis — so you know what the regulator would find before they do.