PHIPA and Survey Data: Ontario Health Privacy for Research

Learn how Ontario's Personal Health Information Protection Act (PHIPA) applies to survey research, what exemptions exist for researchers, and how to handle health data compliantly.

What Is PHIPA?

The Personal Health Information Protection Act (PHIPA) is Ontario's provincial legislation governing the collection, use, and disclosure of personal health information (PHI) by health information custodians. Enacted in 2004 and administered by the Information and Privacy Commissioner of Ontario (IPC), PHIPA applies to health information custodians (physicians, hospitals, pharmacies, long-term care facilities, public health agencies) and to any person or organization that receives PHI from a custodian, including research teams conducting health-related surveys or studies.

Who Needs to Comply?

  • Health information custodians: physicians, hospitals, community health centres, pharmacies, laboratories, ambulance services, long-term care homes, and the Ministry of Health
  • Agents of custodians: anyone authorized by a custodian to handle PHI on their behalf, including contracted research firms, survey platform providers, and data processors
  • Research teams receiving PHI from custodians for approved research purposes, even if the researchers themselves are not custodians
  • Survey platforms and SaaS vendors that store, process, or transmit PHI on behalf of custodians or their agents
  • Market research agencies conducting health-related studies where participants disclose personal health information

Gray areas: PHIPA governs personal health information held by custodians, not all health-related data. A consumer survey asking "How often do you exercise?" likely does not involve PHI under PHIPA, because the researcher is not a custodian and did not receive the data from one. However, a survey administered by a hospital to its patients about their care experience almost certainly involves PHI. When health system clients provide participant lists or link survey responses to patient records, PHIPA applies regardless of how innocuous the survey questions seem.

Key Requirements for Research Teams

Defining Personal Health Information

PHIPA defines PHI broadly: any identifying information about an individual that relates to their physical or mental health, health care history, plan of treatment, payments or eligibility for health care, donation of body parts, health card number, or identification of a health care provider. For research teams, this means that survey responses linking a participant's identity to any health condition, treatment, medication, or health service use constitute PHI under PHIPA.

The Research Exemption

PHIPA includes a research planning framework that allows custodians to disclose PHI for research without individual consent under specific conditions. The research must be approved by a Research Ethics Board (REB), the researcher must submit a research plan to the custodian, and the custodian must be satisfied that the research purpose cannot reasonably be accomplished without the PHI, that obtaining individual consent is impractical, and that the research plan includes adequate safeguards. This exemption exists because requiring individual consent for every retrospective health study would make much population health research impossible.

Research Ethics Board Approval

Any study using PHI obtained through the research exemption must have REB approval before data collection begins. The REB reviews the study protocol, data handling procedures, participant protections, and the proportionality between research benefits and privacy risks. For survey research, the REB will evaluate your questionnaire, consent process, data storage plans, and de-identification procedures. Even when consent is obtained directly from participants, many institutions and health organizations require REB approval as a condition of data access.

Data Use Agreements

When a custodian shares PHI with a research team, a written research agreement is required. This agreement specifies what data is shared, for what purpose, how it will be secured, who will have access, when it will be destroyed, and what happens in case of a breach. Research teams must also agree not to contact the individuals whose data they receive, not to attempt re-identification of de-identified data, and not to publish information that could identify individuals.

De-identification Requirements

PHIPA encourages the use of de-identified information whenever possible. If the research question can be answered with de-identified data, the custodian should provide de-identified data rather than full PHI. De-identification under PHIPA requires removing direct identifiers (name, health card number, address) and assessing whether the remaining information could reasonably be used to identify an individual. Small cell sizes, rare conditions, and unique demographic combinations all create re-identification risks that researchers must address.
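An added example (not from the original article or from Quali-Fi's platform) of the two steps described above: strip direct identifiers, then flag quasi-identifier combinations whose cell size is too small to release. The column names, the choice of quasi-identifiers, and the threshold of 5 are assumptions for illustration; PHIPA does not prescribe them.

```python
from collections import Counter

# Direct identifiers named in the passage above; column names are assumptions.
DIRECT_IDENTIFIERS = {"name", "health_card_number", "address"}
# Quasi-identifiers chosen for this example (assumption, not a PHIPA-defined list).
QUASI_IDENTIFIERS = ("age_band", "postal_fsa", "condition")
MIN_CELL_SIZE = 5  # Assumed threshold; set it from your REB and research agreement.


def strip_direct_identifiers(rows):
    """Return copies of the rows with direct-identifier columns removed."""
    return [{k: v for k, v in row.items() if k not in DIRECT_IDENTIFIERS}
            for row in rows]


def small_cells(rows, quasi=QUASI_IDENTIFIERS, k=MIN_CELL_SIZE):
    """Map each quasi-identifier combination seen fewer than k times to its count."""
    counts = Counter(tuple(row.get(q) for q in quasi) for row in rows)
    return {cell: n for cell, n in counts.items() if n < k}


def deidentify(rows, quasi=QUASI_IDENTIFIERS, k=MIN_CELL_SIZE):
    """Strip direct identifiers, then split rows into releasable and held-back.

    Held-back rows sit in a small cell and need generalisation (wider age
    bands, coarser geography) or suppression before release.
    """
    stripped = strip_direct_identifiers(rows)
    risky = small_cells(stripped, quasi, k)
    releasable, held_back = [], []
    for row in stripped:
        cell = tuple(row.get(q) for q in quasi)
        (held_back if cell in risky else releasable).append(row)
    return releasable, held_back, risky


def constructed_sample():
    """Constructed survey export: six common responses and one rare-condition row."""
    common = [{"name": f"Participant {i}", "health_card_number": f"0000-000-00{i}",
               "address": f"{i} Example St", "age_band": "40-49",
               "postal_fsa": "M5V", "condition": "asthma", "satisfaction": 4}
              for i in range(6)]
    rare = {"name": "Participant 6", "health_card_number": "0000-000-006",
            "address": "6 Example St", "age_band": "80-89",
            "postal_fsa": "P0T", "condition": "rare condition X", "satisfaction": 2}
    return common + [rare]


if __name__ == "__main__":
    ok, held, risky = deidentify(constructed_sample())
    print(len(ok), "releasable;", len(held), "held back;", risky)
```

Passing this check does not by itself establish that data is de-identified; the remaining columns still need the risk assessment the passage describes.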

Security and Access Controls

Researchers holding PHI must implement administrative, technical, and physical safeguards to protect the information. Technical safeguards include encryption, access logging, and secure storage. Administrative safeguards include training, confidentiality agreements for team members, and documented security procedures. Research teams must also have a breach notification protocol: custodians must be notified of any unauthorized access to PHI, and the custodian may be required to notify affected individuals and the IPC.

Compliance Checklist

Use this checklist to evaluate whether your health-related survey research meets PHIPA requirements:

  • Determined whether your study involves personal health information as defined by PHIPA
  • Identified whether you are acting as a custodian, agent of a custodian, or independent researcher
  • Obtained Research Ethics Board (REB) approval before any PHI is collected or disclosed
  • Executed a written research data use agreement with the custodian providing PHI
  • Consent forms clearly explain how health information will be collected, used, and protected
  • Using de-identified data wherever the research objectives allow
  • Direct identifiers (name, health card number, address) are removed or separated from research data
  • PHI is encrypted in transit and at rest, with access restricted to authorized research personnel
  • All team members with access to PHI have signed confidentiality agreements and completed privacy training
  • A breach notification protocol is documented and includes notification to the custodian within the agreed timeframe
  • Data retention and destruction timelines are specified in the research plan and data use agreement
  • Published results have been reviewed to ensure no individual can be identified from small cell sizes or unique combinations

How This Compares to HIPAA

| Requirement | PHIPA (Ontario) | HIPAA (United States) |
|---|---|---|
| Scope | Health information custodians in Ontario | Covered entities and business associates in the US |
| Research exemption | Custodian disclosure with REB approval and research plan | IRB or Privacy Board waiver of authorization |
| De-identification standard | Removal of identifiers + risk assessment | Safe Harbor (18 identifiers) or Expert Determination |
| Breach notification | To custodian; custodian notifies IPC + individuals | To HHS, individuals, and media (if 500+ affected) |
| Penalties | Up to $200,000 (individual), $1,000,000 (organization) | Up to $1.5 million per violation category per year |
| Consent model | Knowledgeable consent with specific exceptions | Individual authorization with specific exceptions |
| Minimum necessary | Yes, collect only what is needed | Yes, minimum necessary standard |
| Data residency | No explicit requirement, but often contractually imposed | No explicit requirement, but BAAs address data handling |

How Quali-Fi Helps You Comply

Quali-Fi's platform is designed to handle health-related research within PHIPA's requirements. Canadian data residency ensures that participant health information stays within Canadian borders, which is critical for Ontario health system clients and custodians who require domestic data storage as part of their research agreements. All data is encrypted using AES-256 at rest and TLS 1.3 in transit, and role-based access controls let you restrict PHI access to only the team members named in your research agreement.

The platform's consent management features support the informed, knowledgeable consent PHIPA requires. You can build multi-step consent flows that explain the specific health information being collected, how it will be used, who will access it, and how participants can withdraw. Withdrawal mechanisms are built in: when a participant withdraws, their identifiable data is flagged and can be removed from the dataset while preserving aggregate statistics. Every consent action is timestamped and logged for audit purposes.

For de-identification workflows, Quali-Fi's anonymization tools let you strip direct identifiers from datasets before analysis or export. Audit logging tracks every instance of data access, providing the accountability trail that custodians and REBs require. Combined with SOC 2 Type II certification, which independently validates security controls, access management, and incident response procedures, Quali-Fi gives health research teams a platform that meets PHIPA's technical and administrative safeguard requirements without requiring custom security infrastructure.

FAQs

Does PHIPA apply to all health surveys in Ontario?

Not automatically. PHIPA applies when personal health information is involved and a health information custodian is part of the data flow. A general wellness survey conducted by a market research firm without any connection to a custodian may not fall under PHIPA, though PIPEDA would still apply. The key question is whether the data constitutes PHI and whether a custodian is collecting, disclosing, or receiving it.

Can I conduct health surveys without REB approval?

If your study does not involve PHI from a custodian and you are collecting data directly from willing participants with informed consent, REB approval may not be legally required under PHIPA. However, many organizations, journals, and clients require REB approval as a condition of participation regardless. If you are receiving PHI through the research exemption (without individual consent), REB approval is mandatory.

What happens if a participant withdraws from a health study?

Under PHIPA, individuals have the right to withdraw consent for the use of their PHI. The practical implications depend on your study design: withdrawing from a prospective survey is straightforward, but removing a participant's data from an already-analyzed dataset may be complex. Your research plan should document the withdrawal process, including what happens to data already collected and whether de-identified data remains in aggregate analyses.

How long can I keep health research data?

PHIPA requires that PHI be retained only as long as needed for the purpose for which it was collected, or as required by law. Your research data use agreement should specify retention periods. Many REBs and custodians require destruction of identifiable data within a set period after study completion, typically one to seven years depending on the funder, institution, and publication requirements.

Does PHIPA apply outside Ontario?

PHIPA is Ontario-specific legislation. Other provinces have their own health privacy laws: Alberta has the Health Information Act (HIA), and other provinces rely on PIPEDA or their general privacy legislation for health information. If you conduct research across multiple provinces, you may need to comply with multiple frameworks. For national health studies, PIPEDA serves as the baseline with provincial legislation layered on top.
