Volume 05 · Compliance · 7 min read

HIPAA + PHIPA for Ontario clinics: the 14 technical safeguards your MSP must implement

A mapped walkthrough of the 14 HIPAA technical safeguards plus the PHIPA parallels that apply to Ontario clinics: specific controls, evidence artifacts, and the audit-readiness checklist.

Rami Friedman
Sr. Security Engineer · Kootechnikel Solutions
Published April 22, 2026
Quick answer

HIPAA’s 45 CFR 164.312 defines five required and four addressable technical safeguards; PHIPA adds Ontario-specific audit-trail, consent, and data-residency requirements on top. For an Ontario clinic, 14 controls satisfy both: access control, audit controls, integrity, transmission security, encryption, authentication, automatic logoff, session management, audit log review, least privilege, BAA execution, PHIPA consent management, Ontario data residency, and breach notification within 60 days (HIPAA) or as soon as reasonably possible (PHIPA).

You'll learn

  • The five HIPAA technical safeguards that are non-negotiable for any practice handling PHI.
  • The PHIPA-specific controls Ontario clinics have to layer on top (and what most out-of-province MSPs miss).
  • The evidence artifacts to collect so your next audit is a review, not a panic.

Why this matters

Ontario dental, medical, optometry, physiotherapy, and chiropractic clinics increasingly operate across two frameworks: HIPAA (when handling US patient data, insurance coordination, or cross-border referrals) and PHIPA (Ontario’s Personal Health Information Protection Act, which applies to every clinic regardless of cross-border activity). Most MSPs in Ontario know one or the other fluently. The gap between them (the Ontario-specific requirements HIPAA doesn’t cover, and the operational discipline PHIPA assumes without spelling out) is where compliance failures happen.

We’ve seen it both ways. One clinic had a solid HIPAA posture from a US MSP but hadn’t addressed PHIPA consent management or Ontario data-residency logging; the IPC (Office of the Information and Privacy Commissioner of Ontario) complaint hit, and they had no documentation. Another clinic was PHIPA-disciplined from a local MSP but hadn’t signed BAAs with US cloud vendors; a US referral partner’s compliance team refused to share patient records until it was fixed.

The answer isn’t two compliance programs. It’s one control set that satisfies both. This guide is that set.

The HIPAA technical safeguards (45 CFR 164.312)

HIPAA specifies five categories of technical safeguard. Within each, some standards are "required" (must do) and some are "addressable" (must do or document why you’re not). For Ontario clinics, treat addressable as required: PHIPA leaves no cover for "we decided not to."

1. Access Control – Unique User Identification (required)

Every user needs a distinct login. Shared credentials such as "[email protected]" fail both HIPAA and PHIPA on day one. In practice: one user, one email, one credential, per person.

Evidence artifact: user directory export showing no shared accounts.

2. Access Control – Emergency Access Procedure (required)

A documented way to access PHI during system failure. For a small clinic this is usually: a secondary device + cached read-only access, a break-glass admin account (see Vol 1), and a written runbook.

Evidence artifact: written emergency-access procedure, quarterly drill log.

3. Access Control – Automatic Logoff (addressable)

Workstations and applications log off after inactivity. Dental operatory setup is where clinics fail this most: an operatory PC left logged in between patients while a hygienist chairside-assists is a PHIPA exposure.

Evidence artifact: endpoint management policy showing 10-15 minute inactivity timeout. Our clinic clients typically run 10 minutes at reception + 15 minutes in operatories.

4. Access Control – Encryption and Decryption (addressable, required in practice)

PHI encrypted at rest on endpoints and backend. BitLocker on Windows, FileVault on Mac, full-disk encryption on any server holding PHI. Azure/AWS storage encrypted at rest (the default now, but collect the evidence anyway).

Evidence artifact: endpoint encryption status report from your RMM or Intune; cloud storage encryption configuration export.

5. Audit Controls (required)

Mechanisms to record and examine activity in systems containing PHI. In practice: access logs retained for 6+ years (PHIPA requires 10+ for some categories), reviewable by an authorized person, with alerts on anomalous access.

Evidence artifact: audit log retention policy, monthly access-review log, quarterly anomaly-detection report.

6. Integrity (required)

Controls to ensure PHI is not altered or destroyed improperly. In M365 / modern EHR this is usually: version history, backup with immutability (see Vol 3), and integrity monitoring on critical data stores.

Evidence artifact: backup immutability configuration, version-history policy, integrity-monitoring alert log.

7. Authentication (required)

Procedures to verify a person or entity is who they claim. MFA on everything that touches PHI. Not "MFA on admins" but on everyone. A dental hygienist’s account can reach patient records; it needs MFA.

Evidence artifact: MFA enrollment coverage report (should be 100% of non-break-glass users).

8. Transmission Security – Integrity Controls (addressable)

Guard against improper modification of PHI in transit. TLS 1.2+ on every channel carrying PHI (email, web, API, backup).

Evidence artifact: TLS configuration audit (use SSL Labs or equivalent) showing no TLS 1.0/1.1 endpoints.

9. Transmission Security – Encryption (addressable, required in practice)

PHI encrypted in transit. TLS is the baseline; end-to-end encryption for secure messaging with patients is the aspiration. M365 native secure email (encrypted via OME) satisfies this for most workflows.

Evidence artifact: email encryption policy, secure-messaging procedure document.

The five PHIPA-specific controls Ontario clinics need on top

These are where clinics using only-HIPAA guidance get caught.

10. PHIPA Consent Management

Ontario’s Lock Box provisions: patients can restrict their PHI from being shared with specific providers. Your EHR and practice management system must support marking specific providers as restricted and preventing access accordingly.

Most dental PM systems (Dentrix, Eaglesoft) and EHRs (Oscar, TELUS PS Suite) support this; the control is about the documented process to action a consent restriction when a patient makes one.

Evidence artifact: documented consent restriction process, example of a Lock Box action in your PM system.

11. Ontario Data Residency (and documented cross-border transfers)

PHIPA doesn’t absolutely prohibit storing PHI outside Ontario, but any cross-border transfer requires documented patient notice + consent OR a privacy impact assessment (PIA) documenting the necessity.

In practice: M365 tenants can be set to Canadian data residency; your backup target should be Canadian; your AI tools (see Vol 7) need configured data-residency controls.

Evidence artifact: data-residency configuration for each system, signed PIA for any cross-border data flow, patient consent template if applicable.

12. Audit Log Review – documented + periodic

PHIPA Regulation 329/04 s. 6.3 requires health information custodians to "maintain, and periodically review, records of accesses and use." Most HIPAA-only MSPs set up audit logs but don’t document a review cadence. PHIPA expects quarterly (at minimum) documented review.

Evidence artifact: quarterly audit review log, signed by the clinic’s Privacy Officer.
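As an added example that is not part of this article or of any EHR vendor's tooling: the script below turns a constructed EHR access-log export into the findings a quarterly review needs for safeguards 5, 10 and 12 (Lock Box violations, shared-account use, after-hours access, and per-user access counts). The CSV column layout, the Lock Box register, the shared-account names and the clinic hours are all assumptions chosen for illustration.

```python
"""Quarterly access-log review (added example, not from the article).

Assumptions (all constructed for illustration): the EHR exports one CSV
line per record access with columns ts,user,role,patient_id,action, and
the clinic keeps Lock Box restrictions as {patient_id: {restricted users}}.
"""
import csv
import io
from collections import Counter
from datetime import datetime

# Constructed sample export for the quarter (not real data).
ACCESS_LOG = """ts,user,role,patient_id,action
2026-01-06T09:12:00,jsmith,hygienist,P1001,view
2026-01-06T09:40:00,frontdesk,reception,P1002,view
2026-01-07T23:05:00,drlee,dentist,P1003,view
2026-01-08T10:15:00,drpatel,dentist,P1001,view
2026-01-08T10:16:00,drpatel,dentist,P1001,export
2026-01-09T11:00:00,jsmith,hygienist,P1002,view
"""

# Constructed Lock Box register: patient P1001 restricted drpatel.
LOCK_BOX = {"P1001": {"drpatel"}}
# Generic logins that indicate a shared credential (safeguard 1).
SHARED_ACCOUNTS = {"frontdesk", "reception", "admin", "operatory"}
CLINIC_HOURS = range(7, 20)  # assumed 07:00-19:59 local


def review_access_log(log_text, lock_box, shared_accounts=SHARED_ACCOUNTS):
    """Return findings for the Privacy Officer's signed quarterly review."""
    findings = {"lock_box": [], "shared_account": [], "after_hours": []}
    per_user = Counter()
    for row in csv.DictReader(io.StringIO(log_text)):
        user, patient = row["user"], row["patient_id"]
        per_user[user] += 1
        # PHIPA Lock Box: a restricted provider must not reach the record.
        if user in lock_box.get(patient, set()):
            findings["lock_box"].append((row["ts"], user, patient, row["action"]))
        # Shared credentials defeat unique user identification.
        if user in shared_accounts:
            findings["shared_account"].append((row["ts"], user, patient))
        # Out-of-hours access is the anomaly a reviewer should ask about.
        if datetime.fromisoformat(row["ts"]).hour not in CLINIC_HOURS:
            findings["after_hours"].append((row["ts"], user, patient))
    findings["accesses_per_user"] = dict(per_user)
    return findings


if __name__ == "__main__":
    for category, items in review_access_log(ACCESS_LOG, LOCK_BOX).items():
        print(category, items)
```

Run it against the real export each quarter and attach the printed findings to the signed review log; an empty lock_box list is the evidence that consent restrictions were actually enforced.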

13. Business Associate / Service Provider Agreements

HIPAA calls them BAAs; PHIPA calls them agreements with "agents" of the health information custodian. Different frameworks, same idea: every vendor touching PHI has a contract that binds them to equivalent confidentiality controls.

For an Ontario clinic: your MSP, your cloud provider (Microsoft/Google), your backup provider, your EHR, your practice management software, your secure messaging tool, your AI tools. All signed, all on file, all reviewed annually.

Evidence artifact: vendor inventory with signed BAA / agent agreement for each.

14. Breach Notification – 60 days HIPAA, "as soon as reasonably possible" PHIPA

If you’re breached, both frameworks require notification. HIPAA: 60 days to affected individuals. PHIPA: IPC + affected individuals, "as soon as reasonably possible" (case law interprets this as within hours-to-days for significant breaches).

Written incident-response plan naming the Privacy Officer, legal counsel, and MSP contacts in escalation order. Rehearsed (tabletop exercise at minimum annually).

Evidence artifact: written IR plan, annual tabletop exercise log.

The audit-readiness checklist

For a new clinic getting ready for the first IPC or HIPAA review:

  • User directory shows no shared credentials.
  • MFA enrollment is 100% (excluding documented break-glass).
  • Endpoint encryption enabled on every device touching PHI.
  • Audit logs retained for 10+ years (PHIPA ceiling).
  • Quarterly audit review signed by Privacy Officer for last 4 quarters.
  • BAA or agent agreement on file for every vendor in PHI path.
  • Data residency documented for M365, backup, AI tools.
  • Consent / Lock Box workflow documented with example.
  • Written incident response plan dated within last 12 months.
  • Tabletop exercise log within last 12 months.
  • Automatic logoff configured and evidenced (10-15 min).
  • Encryption in transit verified: no TLS 1.0/1.1 endpoints.
  • PIAs on file for any cross-border data flow.
  • Emergency access procedure written and rehearsed.

If you’re missing more than three of these, the right move isn’t to rush the audit; it’s to remediate for 60-90 days first.

The mistakes we see most often

  1. "We have HIPAA so we have PHIPA." No. HIPAA addresses administrative + physical + technical safeguards; PHIPA adds Ontario-specific consent, residency, and audit-review expectations that HIPAA is silent on.

  2. Treating audit logs as a checkbox. Logs retained but never reviewed fail PHIPA’s "periodically review" requirement. Quarterly review signed off in writing: schedule it.

  3. MFA on admins only. HIPAA and PHIPA both expect authentication on all PHI-touching accounts. Partial MFA coverage is a qualified finding every time.

  4. US cloud defaults on a Canadian clinic. M365 tenant region matters; default provisioning often puts smaller tenants on US data centers unless Canadian residency is explicitly selected. Check your tenant region.

  5. Missing BAA with the MSP itself. The MSP handling your infrastructure IS a business associate / agent. This is the single most common gap during initial audits.

If you want help with this

We run the 14-control remediation as a 60-90 day project for Ontario clinics, or operate all 14 continuously under a managed-IT contract. The free IT health check for a clinic includes a HIPAA + PHIPA gap estimate: usually 2-3 hours of interviews, then a scored roadmap. Dental / medical / optometry / physio all welcome.

Further reading

  • Volume 1 – MFA rollout. Safeguards 1, 2, and 7 all depend on this.
  • Volume 2 – SOC 2 Type II. Many Ontario health-adjacent firms pursue both HIPAA + SOC 2; they overlap significantly.
  • Volume 6 – CIS Controls v8 IG1. A cleaner operational framework that maps to both HIPAA and PHIPA for technical measures.
  • Healthcare industry page – our vertical page for dental practices + DSOs specifically.