Ontario · PHIPA

Health-record access and privacy for Ontario custodians

AccessPoint manages PHIPA access and correction requests, mandatory breach reporting to the IPC, and privacy impact assessments — pre-configured for Ontario and running inside your own Microsoft 365 tenant.

Ontario — PHIPA at a glance

Access deadline
As soon as possible and no later than 30 days to respond to a request for one's own record (s. 54), extendable by a further 30 days
Correction
Custodians must respond to a correction request within 30 days; a refused correction carries a statement of disagreement (s. 55)
Access fees
Reasonable cost recovery with a fee estimate given first; no fixed amount is prescribed by regulation (s. 54(11))
Breach notification
Notify affected individuals at the first reasonable opportunity, and report to the IPC in the prescribed circumstances (since October 1, 2017)
Oversight
Information and Privacy Commissioner of Ontario (binding orders and administrative penalties)
Languages
English, with French-language services

Built for Ontario — PHIPA

One platform for the whole access-and-privacy mandate, pre-configured for this regime and running in your own Microsoft 365 tenant.

PHIPA access and correction

Intake to disclosure on Ontario's 30-day clock — access to a patient's own record, correction requests with their own 30-day response and a statement of disagreement, the PHIPA rules, and defensible records, all on Microsoft 365.

Mandatory breach reporting to the IPC

Log a breach, assess it against the circumstances PHIPA prescribes — snooping, theft, a pattern of breaches, or a breach significant by its sensitivity or scale — and get a live checklist for the affected individual, the Commissioner, and the annual breach-statistics report.

Consent directives and the lock-box

Track the consent directives that let a patient limit how their personal health information is used or shared, with an auditable record of every disclosure decision.

Privacy impact assessments

Run a PIA before a new collection, use, or information system goes live — a guided questionnaire, an embedded risk register, and an exportable, defensible record.

IPC complaints and binding orders

Track complaints and reviews to the Information and Privacy Commissioner with an investigation workspace — and because the IPC can order access, correction, and information-practice changes and levy administrative penalties, keep the record that holds up.

In your own Ontario tenant

Every request, assessment, and record stays inside your own Microsoft 365 and Azure tenant — no third-party cloud, no cross-border transfers, no per-user fees.

Binding orders

Ontario's IPC doesn't just recommend — it orders. AccessPoint builds the record that holds up.

Unlike the recommendation-model provinces, the Information and Privacy Commissioner of Ontario has order-making power under PHIPA. The IPC can order a custodian to grant access or make a correction, order an information practice changed, and impose administrative penalties — and a final order can be filed with the Superior Court of Justice and enforced as a judgment. On top of that, custodians must report breaches to the IPC in the circumstances the regulation prescribes and file annual breach statistics. That makes a complete, defensible record decisive. AccessPoint runs access and correction on the 30-day clock, computes breach reporting to the Commissioner, and captures every decision on a hash-chained audit trail — in your own tenant.

Binding orders The IPC can order access, correction, and information-practice changes, and levy administrative penalties.
Mandatory IPC reporting Breach reporting to the Commissioner in prescribed circumstances, plus the annual statistics.
Audit-ready evidence A hash-chained ledger behind every access, correction, and disclosure.

Configured out of the box

Installing the ca-on-phipa configuration pack seeds your tenant with everything this regime needs — a starting point you can adjust, not a lock-in.

Related guide: FOI Workflow Quick Check
  • PHIPA as the legal-authority and citation spine, with FIPPA and MFIPPA shipped as separate configurations
  • Ontario statutory-holiday calendar and 30-day due-date rules
  • Access, correction, and disclosure grounds mapped to PHIPA, with the statement-of-disagreement workflow
  • Consent-directive (lock-box) tracking for uses and disclosures
  • Breach assessment against the IPC's prescribed reporting circumstances, plus the annual statistics report
  • Reasonable cost-recovery fee estimates for patient record requests
  • IPC complaint and order grounds, dispositions, and administrative-penalty tracking
  • Privacy impact assessment templates for new collections and systems

Ontario — PHIPA Questions

How long does an Ontario custodian have to respond to an access request?

Under PHIPA, a health information custodian must respond as soon as possible and no later than 30 days after a request for access to the individual's own record, with a further 30-day extension available in defined circumstances. AccessPoint computes the due date on Ontario's calendar and tracks every request against it.

Does the IPC make binding orders under PHIPA?

Yes. Unlike the recommendation-model provinces, the Information and Privacy Commissioner of Ontario has order-making power under PHIPA — it can order access or correction, order information practices changed, and impose administrative penalties, and a final order can be filed with the Superior Court of Justice and enforced as a judgment. AccessPoint keeps the investigation record and representations complete so your position is defensible.

When must a breach be reported to the IPC?

PHIPA requires custodians to notify affected individuals at the first reasonable opportunity, and to report to the Commissioner in the circumstances the regulation prescribes — including theft, unauthorized access by someone who ought to have known they lacked authority, a pattern of breaches, and breaches significant by their sensitivity or scale — a duty in force since October 1, 2017. Custodians must also file annual breach statistics. AccessPoint assesses the circumstances and computes both.

Where does Ontario health data reside?

Entirely within your own Microsoft 365 and Azure tenant. Requests, records, assessments, and audit history never leave your control — no third-party cloud and no cross-border data transfers.

Run PHIPA Access, Breach, and Assessments in One Platform

Try AccessPoint free for 30 days, pre-configured for Ontario. No credit card required.

Start Free Trial