What Is PHIPA?
The Personal Health Information Protection Act (PHIPA) is Ontario's provincial legislation governing the collection, use, and disclosure of personal health information (PHI) by health information custodians. Enacted in 2004 and administered by the Information and Privacy Commissioner of Ontario (IPC), PHIPA applies to health information custodians (physicians, hospitals, pharmacies, long-term care facilities, and public health agencies) and to any person or organization that receives PHI from a custodian, including research teams conducting health-related surveys or studies.
Who Needs to Comply?
- Health information custodians: physicians, hospitals, community health centres, pharmacies, laboratories, ambulance services, long-term care homes, and the Ministry of Health
- Agents of custodians: anyone authorized by a custodian to handle PHI on their behalf, including contracted research firms, survey platform providers, and data processors
- Research teams receiving PHI from custodians for approved research purposes, even if the researchers themselves are not custodians
- Survey platforms and SaaS vendors that store, process, or transmit PHI on behalf of custodians or their agents
- Market research agencies conducting health-related studies where participants disclose personal health information
Gray areas: PHIPA governs personal health information held by custodians, not all health-related data. A consumer survey asking "How often do you exercise?" likely does not involve PHI under PHIPA, because the researcher is not a custodian and did not receive the data from one. However, a survey administered by a hospital to its patients about their care experience almost certainly involves PHI. When health system clients provide participant lists or link survey responses to patient records, PHIPA applies regardless of how innocuous the survey questions seem.
Key Requirements for Research Teams
Defining Personal Health Information
PHIPA defines PHI broadly: any identifying information about an individual that relates to their physical or mental health, health care history, plan of treatment, payments or eligibility for health care, donation of body parts, health card number, or identification of a health care provider. For research teams, this means that survey responses linking a participant's identity to any health condition, treatment, medication, or health service use constitute PHI under PHIPA.
The Research Exemption
PHIPA includes a research planning framework that allows custodians to disclose PHI for research without individual consent under specific conditions. The research must be approved by a Research Ethics Board (REB), the researcher must submit a research plan to the custodian, and the custodian must be satisfied that the research purpose cannot reasonably be accomplished without the PHI, that obtaining individual consent is impractical, and that the research plan includes adequate safeguards. This exemption exists because requiring individual consent for every retrospective health study would make much population health research impossible.
Research Ethics Board Approval
Any study using PHI obtained through the research exemption must have REB approval before data collection begins. The REB reviews the study protocol, data handling procedures, participant protections, and the proportionality between research benefits and privacy risks. For survey research, the REB will evaluate your questionnaire, consent process, data storage plans, and de-identification procedures. Even when consent is obtained directly from participants, many institutions and health organizations require REB approval as a condition of data access.
Data Use Agreements
When a custodian shares PHI with a research team, a written research agreement is required. This agreement specifies what data is shared, for what purpose, how it will be secured, who will have access, when it will be destroyed, and what happens in case of a breach. Research teams must also agree not to contact the individuals whose data they receive, not to attempt re-identification of de-identified data, and not to publish information that could identify individuals.
De-identification Requirements
PHIPA encourages the use of de-identified information whenever possible. If the research question can be answered with de-identified data, the custodian should provide de-identified data rather than full PHI. De-identification under PHIPA requires removing direct identifiers (name, health card number, address) and assessing whether the remaining information could reasonably be used to identify an individual. Small cell sizes, rare conditions, and unique demographic combinations all create re-identification risks that researchers must address.
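The two steps described above, as an added example that is not from the original page or from any platform it mentions: strip the direct identifiers, then flag combinations of remaining attributes shared by too few records. The column names, the choice of quasi-identifiers, the minimum cell size of 5, the use of suppression as the remedy, and the sample rows are all assumptions constructed for illustration; PHIPA itself does not prescribe a numeric threshold.

```python
from collections import Counter

# Direct identifiers named in the text; the column names are hypothetical.
DIRECT_IDENTIFIERS = {"name", "health_card_number", "address"}
# Quasi-identifiers chosen for this constructed dataset (assumption).
QUASI_IDENTIFIERS = ("age_band", "postal_prefix", "condition")
MIN_CELL_SIZE = 5  # assumed threshold, not a value taken from PHIPA


def strip_direct_identifiers(records):
    """Return copies of the records without direct-identifier columns."""
    return [{k: v for k, v in r.items() if k not in DIRECT_IDENTIFIERS}
            for r in records]


def small_cells(records, quasi=QUASI_IDENTIFIERS, k=MIN_CELL_SIZE):
    """Map each quasi-identifier combination held by fewer than k records to its count."""
    counts = Counter(tuple(r[q] for q in quasi) for r in records)
    return {combo: n for combo, n in counts.items() if n < k}


def release_view(records, quasi=QUASI_IDENTIFIERS, k=MIN_CELL_SIZE):
    """Strip identifiers, then withhold rows that fall in a small cell."""
    stripped = strip_direct_identifiers(records)
    risky = small_cells(stripped, quasi, k)
    kept = [r for r in stripped if tuple(r[q] for q in quasi) not in risky]
    return kept, risky


def constructed_sample():
    """Constructed survey rows: six common responses and one rare-condition response."""
    rows = [{"name": f"Participant {i}", "health_card_number": f"0000-000-{i:03d}",
             "address": f"{i} Example St", "age_band": "40-49",
             "postal_prefix": "M5V", "condition": "asthma"} for i in range(6)]
    rows.append({"name": "Participant 6", "health_card_number": "0000-000-006",
                 "address": "6 Example St", "age_band": "80-89",
                 "postal_prefix": "P0T", "condition": "rare disorder"})
    return rows


if __name__ == "__main__":
    kept, risky = release_view(constructed_sample())
    print(f"rows released: {len(kept)}")
    for combo, n in risky.items():
        print(f"withheld small cell {combo}: {n} row(s)")
```

The rare-condition row is withheld even though its name, health card number, and address are gone, because its remaining attributes are unique in the dataset.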
Security and Access Controls
Researchers holding PHI must implement administrative, technical, and physical safeguards to protect the information. Technical safeguards include encryption, access logging, and secure storage. Administrative safeguards include training, confidentiality agreements for team members, and documented security procedures. Research teams must also have a breach notification protocol: custodians must be notified of any unauthorized access to PHI, and the custodian may be required to notify affected individuals and the IPC.
Compliance Checklist
Use this checklist to evaluate whether your health-related survey research meets PHIPA requirements:
- Determined whether your study involves personal health information as defined by PHIPA
- Identified whether you are acting as a custodian, agent of a custodian, or independent researcher
- Obtained Research Ethics Board (REB) approval before any PHI is collected or disclosed
- Executed a written research data use agreement with the custodian providing PHI
- Consent forms clearly explain how health information will be collected, used, and protected
- Using de-identified data wherever the research objectives allow
- Direct identifiers (name, health card number, address) are removed or separated from research data
- PHI is encrypted in transit and at rest, with access restricted to authorized research personnel
- All team members with access to PHI have signed confidentiality agreements and completed privacy training
- A breach notification protocol is documented and includes notification to the custodian within the agreed timeframe
- Data retention and destruction timelines are specified in the research plan and data use agreement
- Published results have been reviewed to ensure no individual can be identified from small cell sizes or unique combinations
How This Compares to HIPAA
| Requirement | PHIPA (Ontario) | HIPAA (United States) |
|---|---|---|
| Scope | Health information custodians in Ontario | Covered entities and business associates in the US |
| Research exemption | Custodian disclosure with REB approval and research plan | IRB or Privacy Board waiver of authorization |
| De-identification standard | Removal of identifiers + risk assessment | Safe Harbor (18 identifiers) or Expert Determination |
| Breach notification | To custodian; custodian notifies IPC + individuals | To HHS, individuals, and media (if 500+ affected) |
| Penalties | Up to $200,000 (individual), $1,000,000 (organization) | Up to $1.5 million per violation category per year |
| Consent model | Knowledgeable consent with specific exceptions | Individual authorization with specific exceptions |
| Minimum necessary | Yes, collect only what is needed | Yes, minimum necessary standard |
| Data residency | No explicit requirement, but often contractually imposed | No explicit requirement, but BAAs address data handling |
How Quali-Fi Helps You Comply
Quali-Fi's platform is designed to handle health-related research within PHIPA's requirements. Canadian data residency ensures that participant health information stays within Canadian borders, which is critical for Ontario health system clients and custodians who require domestic data storage as part of their research agreements. All data is encrypted using AES-256 at rest and TLS 1.3 in transit, and role-based access controls let you restrict PHI access to only the team members named in your research agreement.
The platform's consent management features support the informed, knowledgeable consent PHIPA requires. You can build multi-step consent flows that explain the specific health information being collected, how it will be used, who will access it, and how participants can withdraw. Withdrawal mechanisms are built in: when a participant withdraws, their identifiable data is flagged and can be removed from the dataset while preserving aggregate statistics. Every consent action is timestamped and logged for audit purposes.
For de-identification workflows, Quali-Fi's anonymization tools let you strip direct identifiers from datasets before analysis or export. Audit logging tracks every instance of data access, providing the accountability trail that custodians and REBs require. Combined with SOC 2 Type II certification, which independently validates security controls, access management, and incident response procedures, Quali-Fi gives health research teams a platform that meets PHIPA's technical and administrative safeguard requirements without requiring custom security infrastructure.
FAQs
Does PHIPA apply to all health surveys in Ontario?
Not automatically. PHIPA applies when personal health information is involved and a health information custodian is part of the data flow. A general wellness survey conducted by a market research firm without any connection to a custodian may not fall under PHIPA, though PIPEDA would still apply. The key question is whether the data constitutes PHI and whether a custodian is collecting, disclosing, or receiving it.
Can I conduct health surveys without REB approval?
If your study does not involve PHI from a custodian and you are collecting data directly from willing participants with informed consent, REB approval may not be legally required under PHIPA. However, many organizations, journals, and clients require REB approval as a condition of participation regardless. If you are receiving PHI through the research exemption (without individual consent), REB approval is mandatory.
What happens if a participant withdraws from a health study?
Under PHIPA, individuals have the right to withdraw consent for the use of their PHI. The practical implications depend on your study design: withdrawing from a prospective survey is straightforward, but removing a participant's data from an already-analyzed dataset may be complex. Your research plan should document the withdrawal process, including what happens to data already collected and whether de-identified data remains in aggregate analyses.
How long can I keep health research data?
PHIPA requires that PHI be retained only as long as needed for the purpose for which it was collected, or as required by law. Your research data use agreement should specify retention periods. Many REBs and custodians require destruction of identifiable data within a set period after study completion, typically one to seven years depending on the funder, institution, and publication requirements.
Does PHIPA apply outside Ontario?
PHIPA is Ontario-specific legislation. Other provinces have their own health privacy laws: Alberta has the Health Information Act (HIA), and other provinces rely on PIPEDA or their general privacy legislation for health information. If you conduct research across multiple provinces, you may need to comply with multiple frameworks. For national health studies, PIPEDA serves as the baseline with provincial legislation layered on top.
Related Compliance Topics
- PIPEDA Compliance for Research: Canada's federal privacy framework
- HIPAA Survey Compliance: US healthcare privacy requirements
- Research Ethics Compliance: IRB and REB requirements for research
- Consent Management in Surveys: Building compliant consent workflows
- Data Anonymization for Research: De-identification techniques and standards
- SOC 2 for Research Platforms: Security certification for research technology