PHIPA applies to every dental practice in Ontario. Many practices have compliance gaps they don't know about — here's a plain-English checklist to find yours.
Data storage and access
- Patient records stored in Canada or with a signed PHIPA custodian agreement. US-hosted cloud systems without a PHIPA-compliant agreement are a gap.
- Role-based access controls in your practice management system. No shared logins. Each staff member has their own credentials.
- Access revoked immediately when staff leave. Same-day deactivation, not "when we get around to it."
- Encrypted backups of patient records, with restores tested quarterly. Off-site or cloud backup with encryption at rest.
Patient communication
- Appointment reminders contain no clinical information. "You have an appointment Tuesday at 2pm" is fine. The nature of the visit is PHI.
- Email used for PHI exchange is encrypted or uses a PHIPA-compliant portal. Consumer Gmail and Outlook are not adequate for sending patient health information.
- Communication platforms (Weave, Jane, etc.) have signed PHIPA BAAs. Request the BAA before onboarding any new tool that handles patient data.
Patient rights
- Patients can request access to their records and you have a defined process to respond within 30 days.
- Privacy policy posted on your website and in the practice, reviewed annually.
- Consent collected at intake covers the purposes for which you use patient information.
Breach response
- Breach response plan documented: who is responsible, who gets notified (the IPC of Ontario), and within what timeframe.
- Annual staff PHIPA training with signed acknowledgement on file.
A free Patient Flow Audit reviews your digital setup against this checklist and identifies your priority gaps. Book your free Patient Flow Audit.