Ontario · PHIPA
Health-record access and privacy for Ontario custodians
AccessPoint manages PHIPA access and correction requests, mandatory breach reporting to the IPC, and privacy impact assessments — pre-configured for Ontario and running inside your own Microsoft 365 tenant.
Ontario — PHIPA at a glance
- Access deadline
- As soon as possible and no later than 30 days to respond to a request for one's own record (s. 54), extendable by a further 30 days
- Correction
- Custodians must respond to a correction request within 30 days; a refused correction carries a statement of disagreement (s. 55)
- Access fees
- Reasonable cost recovery with a fee estimate given first; no fixed amount is prescribed by regulation (s. 54(11))
- Breach notification
- Notify affected individuals at the first reasonable opportunity, and report to the IPC in the prescribed circumstances (since October 1, 2017)
- Oversight
- Information and Privacy Commissioner of Ontario (binding orders and administrative penalties)
- Languages
- English, with French-language services
Built for Ontario — PHIPA
One platform for the whole access-and-privacy mandate, pre-configured for this regime and running in your own Microsoft 365 tenant.
PHIPA access and correction
Intake to disclosure on Ontario's 30-day clock — access to a patient's own record, correction requests with their own 30-day response and a statement of disagreement, the PHIPA rules, and defensible records, all on Microsoft 365.
Mandatory breach reporting to the IPC
Log a breach, assess it against the circumstances PHIPA prescribes — snooping, theft, a pattern of breaches, or a breach significant by its sensitivity or scale — and get a live checklist for the affected individual, the Commissioner, and the annual breach-statistics report.
Consent directives and the lock-box
Track the consent directives that let a patient limit how their personal health information is used or shared, with an auditable record of every disclosure decision.
Privacy impact assessments
Run a PIA before a new collection, use, or information system goes live — a guided questionnaire, an embedded risk register, and an exportable, defensible record.
IPC complaints and binding orders
Track complaints and reviews to the Information and Privacy Commissioner with an investigation workspace — and because the IPC can order access, correction, and information-practice changes and levy administrative penalties, keep the record that holds up.
In your own Ontario tenant
Every request, assessment, and record stays inside your own Microsoft 365 and Azure tenant — no third-party cloud, no cross-border transfers, no per-user fees.
Binding orders
Ontario's IPC doesn't just recommend — it orders. AccessPoint builds the record that holds up.
Unlike the recommendation-model provinces, the Information and Privacy Commissioner of Ontario has order-making power under PHIPA. The IPC can order a custodian to grant access or make a correction, order an information practice changed, and impose administrative penalties — and a final order can be filed with the Superior Court of Justice and enforced as a judgment. On top of that, custodians must report breaches to the IPC in the circumstances the regulation prescribes and file annual breach statistics. That makes a complete, defensible record decisive. AccessPoint runs access and correction on the 30-day clock, computes breach reporting to the Commissioner, and captures every decision on a hash-chained audit trail — in your own tenant.
Configured out of the box
Installing the ca-on-phipa configuration pack seeds your tenant with everything this regime needs — a starting point you can adjust, not a lock-in.
Related guide: FOI Workflow Quick Check- PHIPA as the legal-authority and citation spine, with FIPPA and MFIPPA shipped as separate configurations
- Ontario statutory-holiday calendar and 30-day due-date rules
- Access, correction, and disclosure grounds mapped to PHIPA, with the statement-of-disagreement workflow
- Consent-directive (lock-box) tracking for uses and disclosures
- Breach assessment against the IPC's prescribed reporting circumstances, plus the annual statistics report
- Reasonable cost-recovery fee estimates for patient record requests
- IPC complaint and order grounds, dispositions, and administrative-penalty tracking
- Privacy impact assessment templates for new collections and systems
Ontario — PHIPA Questions
How long does an Ontario custodian have to respond to an access request?
Does the IPC make binding orders under PHIPA?
When must a breach be reported to the IPC?
Where does Ontario health data reside?
Run PHIPA Access, Breach, and Assessments in One Platform
Try AccessPoint free for 30 days, pre-configured for Ontario. No credit card required.
Start Free Trial