
PHIPA Compliant Messaging: What Ontario Healthcare Providers Need To Know

June 24, 2026

In Ontario, Canada, healthcare providers are governed by PHIPA. With the number of different hoops to jump through, it can be difficult to maintain compliance on all fronts at all times, and patient communication is no exception. Most consumer tools, and even many business tools, are not PHIPA compliant, so healthcare providers are having to adjust fast to avoid finding themselves in hot water.

From a PHIPA perspective, the three most common failure points of a communication platform are the lack of a written vendor agreement, non-Canadian data residency, and the absence of immutable audit trails. Consumer platforms like WhatsApp and SMS satisfy none of these, which is where the need for specialist platforms comes in.

Since 2024, the IPC (Information and Privacy Commissioner) in Ontario has moved from issuing advisory findings to imposing real financial penalties for breaches. That is why it is so important to understand what PHIPA requires, where common tools fall short, and what a compliant platform looks like.

PHIPA Vs HIPAA — Why Ontario Is Different

PHIPA is Ontario-specific legislation, whereas HIPAA is the US federal standard. There are key differences between the two regimes and between the regulatory bodies that enforce them.

PHIPA is enforced by the IPC rather than by HIPAA's HHS, which means a different investigative process, different penalties and different standards to adhere to, although there are some areas of similarity.

To take one example, HIPAA requires a BAA (Business Associate Agreement). The PHIPA equivalent is a written agreement with an Electronic Service Provider (ESP) under O. Reg. 329/04, s. 6(1). In essence this is an agreement covering the service provider's scope, its compliance and security safeguards, and restrictions on its use of customer data.

PHIPA also works in tandem with federal law in Canada, alongside PIPEDA and the CPSO: PIPEDA is the act that governs the protection of personal data in commercial activities, and the CPSO is the regulatory body for medical practitioners throughout Canada.

| Feature | PHIPA (Ontario) | HIPAA (United States) |
|---|---|---|
| Regulator | IPC (Information and Privacy Commissioner of Ontario) | HHS / Office for Civil Rights (OCR) |
| Applies to | Ontario health information custodians and their agents | US covered entities and business associates |
| Vendor agreement | Written ESP agreement under O. Reg. 329/04 s. 6(1) | Business Associate Agreement (BAA) |
| Data residency | PHI must remain in Canada (Ontario Health standard) | No mandatory US residency requirement |
| Penalties | AMPs up to $500,000 per organisation; criminal fines up to $1,000,000 | Civil penalties up to $1.9M per category; criminal penalties up to $250,000 |
| Enforcement style | IPC investigation, orders, AMPs, referral to regulatory colleges | OCR investigation, corrective action plans, civil and criminal penalties |

What PHIPA Actually Requires For Messaging

Who It Applies To

PHIPA applies to health information custodians (HICs). That covers physicians, dentists, pharmacists, hospitals, long-term care homes and clinics. But it also extends to anyone acting on behalf of a HIC, which includes IT vendors, messaging platforms and any third party handling patient health information.

If your messaging platform touches patient data in any way, it is classified as an Electronic Service Provider. That means the written agreement requirements apply to it, full stop.

Encryption Requirements

The IPC and CPSO state that electronic messages containing PHI sent to other healthcare providers must be encrypted, unless there is an emergency. Messages to patients must also be encrypted where possible. (Ontario Medical Association)

In practical terms, that means two things. First, encryption in transit, which protects a message while it is being sent from one point to another. The standard to look for is TLS 1.3. Second, encryption at rest, which protects data sitting in storage on servers or devices. The standard there is AES-256. A platform needs both, not one or the other.

It is also worth noting that the CPSO's Virtual Care policy is broader than most providers realise. It covers instant messaging, texting and social media, not just email. If your team is using any of those channels to communicate about patients, the encryption requirement applies.

Written Vendor Agreement: The PHIPA Equivalent Of A BAA

Under O. Reg. 329/04, a custodian must have a written agreement with any ESP that handles PHI. The agreement needs to cover permitted uses of PHI, security obligations, breach notification procedures, data return or deletion at end of contract, and the custodian's right to audit.

The practical question to ask any messaging vendor before signing up is simple: do you have a written PHIPA-compliant ESP agreement ready to sign? If the answer is no, or if they have never heard of the requirement, that tells you everything you need to know.

Canadian Data Residency

Ontario Health's Virtual Visit Standard requires virtual visit data to be held on systems located in Canada. The conservative, widely adopted compliance position is to store all PHI in Canada, preferably in Ontario. (OpsMed)

Vendors using US servers create a cross-border data transfer risk that is difficult to manage under PHIPA. Once PHI leaves Canada and sits on US infrastructure, it can become subject to US law enforcement access in ways that PHIPA cannot protect against.

Qwil Messenger stores all data for Canadian accounts on Canadian infrastructure. There is no routing through US servers and no ambiguity about data jurisdiction.

Audit Trails And Access Logging

PHIPA requires custodians to maintain logs of PHI access and review them on a regular basis. That obligation does not sit with the custodian alone. The platform they use has to support it.

For a messaging tool, that means logs need to be immutable (no one can alter or delete them after the fact), timestamped at the point of each action, and exportable in a format that can be produced for the IPC or used in an internal review. The same requirement exists under HIPAA, just under a different framework and enforced by a different body.
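To make those three properties concrete, here is an added example (not Qwil Messenger's code or any vendor's) of a hash-chained audit log: each entry is timestamped at the point of action, commits to the previous entry so that any later edit or deletion is detectable on verification, and the whole log exports as JSON lines for an IPC request or internal review. The actors, actions and message ids are constructed sample values.

```python
import hashlib
import json
from datetime import datetime, timezone
from typing import Optional

# Illustrative append-only audit log (constructed example, not any vendor's code).
# "Immutable" in practice means append-only storage plus tamper-evidence like
# this chain, so that an altered or removed entry is caught when the log is
# verified rather than silently accepted.
GENESIS = "0" * 64


def _entry_hash(prev_hash: str, body: dict) -> str:
    # Canonical JSON so an identical event always produces an identical hash.
    payload = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()


def append_event(log: list, actor: str, action: str, message_id: str,
                 timestamp: Optional[str] = None) -> dict:
    """Record one action (send, read, export, role change) as it happens."""
    entry = {
        "seq": len(log),
        # Timestamp is taken at the point of action, in UTC, unless supplied.
        "ts": timestamp or datetime.now(timezone.utc).isoformat(),
        "actor": actor,
        "action": action,
        "message_id": message_id,
        "prev_hash": log[-1]["hash"] if log else GENESIS,
    }
    entry["hash"] = _entry_hash(entry["prev_hash"], entry)
    log.append(entry)
    return entry


def verify_chain(log: list) -> int:
    """Return -1 if the chain is intact, else the index of the first bad entry."""
    prev = GENESIS
    for i, e in enumerate(log):
        body = {k: v for k, v in e.items() if k != "hash"}
        # A deleted entry shows up as a sequence gap or a broken prev_hash link;
        # an edited entry shows up as a hash mismatch.
        if e.get("seq") != i or e.get("prev_hash") != prev:
            return i
        if _entry_hash(prev, body) != e.get("hash"):
            return i
        prev = e["hash"]
    return -1


def export_jsonl(log: list) -> str:
    """One JSON object per line, suitable for handing to a reviewer or regulator."""
    return "\n".join(json.dumps(e, sort_keys=True) for e in log)
```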

Breach Notification

Since 2017, PHIPA requires custodians to notify affected individuals at the first reasonable opportunity when PHI is stolen, lost, or used without authority. Notification to the IPC is required for defined classes of breach. (Fusioncomputing)

Your messaging vendor needs to have a documented process for breach notification and commit to notifying you promptly if something goes wrong on their end. A recent IPC decision found that email account compromise for even one hour constitutes both unauthorized disclosure and unauthorized use, triggering the duty to notify. (OpsMed)

That sets a very low threshold. It means the speed and reliability of your vendor's breach detection and notification process matters as much as the technical safeguards they have in place.

The Ontario Enforcement Reality In 2024 And 2025

The regulatory landscape in Ontario shifted meaningfully in 2024. The IPC's powers moved from advisory to punitive, and the first real penalties followed.

As of January 1, 2024, the IPC can issue administrative monetary penalties of up to $50,000 for individuals and $500,000 for organisations under PHIPA. The first such penalty was issued in August 2025, against a physician and his clinic for conducting 146 unauthorised EHR searches over three weeks.

On top of AMPs, criminal penalties remain on the table. Those reach $200,000 for individuals and $1,000,000 for organisations. The IPC's position is now consistent: documented, demonstrable compliance, not good intentions.

A real world example that caught a lot of attention was the Otter.ai incident at a Toronto hospital. An unapproved AI transcription tool automatically joined a virtual clinical meeting, recorded PHI of seven patients and emailed transcripts to 65 recipients, including 12 former employees. The IPC subsequently recommended blocking unapproved tools at the firewall level. It is a good illustration of how quickly an unvetted communication tool can create a reportable breach.

Why Most Messaging Tools Fail PHIPA

Consumer Apps: WhatsApp, SMS, iMessage

Consumer apps fail PHIPA on every major requirement. There is no written ESP agreement available from Meta or any SMS carrier. Data is stored on US servers. There are no audit trails, no role-based access controls and no remote wipe capability for PHI.

The IPC has been clear that secure messaging platforms, not consumer apps, represent the lowest-risk method for communicating PHI. Using WhatsApp for patient communication is not a grey area under PHIPA.

Generic Business Tools: Slack, Email, Teams

Business tools are a bit more complicated. Some will provide a vendor agreement, but it needs to be checked carefully for whether it is actually scoped to PHIPA requirements or just a generic data processing addendum.

Data residency is another issue. The default configuration for most of these tools routes and stores data in the US unless explicitly configured otherwise, which requires enterprise tier access and technical setup that most clinics do not have in place.

For patient-facing communication specifically, these tools also create access friction. Patients typically need an account to join a conversation, which is a barrier that pushes people back toward WhatsApp or SMS.

Fax

Faxes account for the highest proportion of privacy breaches in Ontario. Security is entirely dependent on the fax being sent to the correct number and received by the correct person. The IPC has stated directly that fax machines have no place in modern healthcare delivery.

Despite that, nearly 90% of Ontario doctors still rely on fax as a primary communication method. It is a known breach risk that is largely being used out of habit and because no obvious alternative has been adopted at scale.

Ontario Health's Verified Solutions List: What It Means In Practice

This is an area that does not get enough attention in most compliance content.

Ontario Health runs a Verified Solutions List for virtual care platforms. Solutions on the list have been assessed against provincial standards for privacy, security, interoperability and functionality. Being on that list is not just a badge. It has a direct commercial implication.

Ontario's Secure Messaging Proof-of-Concept Pilot, which ran from April 2024, allowed physicians to bill OHIP for patient-to-physician secure messaging consultations. But only if the platform they were using appeared on Ontario Health's Verified Solutions List. A generic or consumer tool does not qualify, regardless of how it is configured.

For Ontario physicians evaluating a messaging platform, this is a practical shortcut. If the vendor is not on the list, the platform cannot be used to bill for secure messaging under the pilot, and there is less certainty that it meets provincial standards.

What A PHIPA Compliant Messaging Platform Looks Like

Six things to verify before onboarding any messaging platform for PHI communication:

1. Written PHIPA-compliant ESP agreement available before go-live, not gated behind an enterprise tier or produced only on request after signing up.

2. Canadian data residency with PHI stored in Canada, no US server routing, and no cross-border transfer risk by default.

3. Encryption in transit and at rest with TLS 1.3 and AES-256 confirmed, not just claimed.

4. Immutable audit logs at message level, timestamped, and exportable directly by the custodian without needing engineering support.

5. Role-based access controls with MFA enforced and automatic session timeout configured for clinical environments.

6. Breach notification commitment with a documented process, a named contact, and notification timelines aligned to PHIPA reporting windows.

Qwil Messenger For Ontario Healthcare Teams

Qwil Messenger is designed for professional client-facing communication in regulated industries. For Ontario healthcare providers, the relevant points are:

Canadian data hosting. All PHI for Canadian accounts is stored in Canada. There is no routing through US infrastructure and no cross-border data transfer risk.

Written vendor agreement. A PHIPA-compliant ESP agreement is available to healthcare customers before any PHI enters the platform.

Audit trails. Every message, file access and administrative action is logged at message level, in an immutable and timestamped record. Logs are exportable directly from the admin console for IPC review or breach response without needing to involve a developer.

Patient access without friction. Patients join via a browser link. No app download, no account creation. The conversation sits in a secure channel rather than an unencrypted SMS thread or email inbox.

Replaces the fragmented stack. For most Ontario practices, Qwil can replace unencrypted email, SMS, WhatsApp and fax for patient-facing communication in a single platform.

Vendor Evaluation Checklist For Ontario Providers

Before signing up to any messaging platform for PHI communication, work through this list:

  • Will the vendor sign a written PHIPA-compliant ESP agreement before go-live?
  • Is patient PHI stored on servers located in Canada?
  • Is encryption confirmed in transit (TLS 1.3) and at rest (AES-256)?
  • Are audit logs immutable, timestamped, and exportable without engineering support?
  • Does the platform support role-based access controls and MFA?
  • Does the vendor have a documented breach notification process aligned to PHIPA timelines?
  • Is the solution on Ontario Health's Verified Solutions List?
  • Can patients access the platform without creating an account or downloading an app?

Implementing PHIPA Compliant Messaging In Your Practice

Step 1: Conduct a Privacy Impact Assessment (PIA). The IPC requires a PIA before deploying any new technology that handles PHI. This is not optional and needs to be done before any patient data enters the new platform.

Step 2: Sign the vendor's ESP agreement. Get this done before the first message is sent. The written agreement is what makes the platform legally authorised to handle PHI on your behalf.

Step 3: Configure retention and access policies. Set who can access what, how long messages are retained, and what happens to data at the end of the relationship. Do this at setup, not retrospectively.

Step 4: Train all staff and agents. Training needs to be documented. The IPC expects evidence of training, not just a policy document that staff may or may not have read.

Step 5: Register for the Ontario Health Secure Messaging Pilot if billing for secure messaging. Confirm your platform is on the Verified Solutions List before registering.

Step 6: Schedule an annual vendor security review. Compliance is not a one-time event. Review your vendor's security posture annually and update your written privacy policy to reflect the tools currently in use.

Frequently Asked Questions

Is WhatsApp PHIPA compliant?

No. Meta will not sign an ESP agreement, data is stored on US servers, and there are no audit trails or role-based access controls. Using WhatsApp for patient communication is not compliant under PHIPA regardless of how it is configured.

Is email PHIPA compliant for patient communication?

Only if it is encrypted. Unencrypted email is not an acceptable channel for PHI. The IPC's preferred option for patient communication is a dedicated secure messaging platform rather than email, even encrypted email.

What is the PHIPA equivalent of a BAA?

A written agreement with an Electronic Service Provider under O. Reg. 329/04, s. 6(1). It needs to cover permitted uses of PHI, security obligations, breach notification, and audit rights.

Does PHIPA require PHI to be stored in Canada?

Ontario Health's Virtual Visit Standard requires it for verified solutions. The IPC guidance strongly recommends it for all PHI. The practical compliance position adopted by most Ontario healthcare organisations is to store all PHI in Canada.

What are the PHIPA penalties in 2024?

Administrative monetary penalties up to $50,000 for individuals and $500,000 for organisations. Criminal penalties go up to $200,000 for individuals and $1,000,000 for organisations. Both the organisation and the individuals within it can be held liable.

Can I bill OHIP for secure messaging?

Through Ontario's Secure Messaging Proof-of-Concept Pilot, yes. But only using a platform on Ontario Health's Verified Solutions List. A generic or consumer tool does not qualify.

Next Steps

Most Ontario healthcare providers are currently using at least one tool for patient communication that fails on one of the three core PHIPA requirements: no written ESP agreement, no Canadian data residency, or no audit trail.

The risk of that has gone up significantly since 2024. The IPC now has the tools to impose real financial penalties, and it is using them.

The practical starting point is to run the vendor checklist in this article against every tool your practice uses for patient communication. If any tool cannot answer yes to all eight questions, it warrants either replacement or a documented exception with a risk mitigation plan.

If you want to see how Qwil Messenger handles PHI communication for Ontario healthcare teams, book a demo and we can walk through the ESP agreement, data residency setup, and audit trail configuration in your specific context.
