What is PHIPA and does it apply to my Ontario dental practice?

The Personal Health Information Protection Act (PHIPA) is Ontario's health privacy law governing health information custodians, including dental practices. It applies to any dental office collecting, using, or storing patient health information. Compliance is mandatory for all Ontario dentists.

What are the main PHIPA obligations for dental practices?

Key PHIPA obligations include: obtaining informed consent before collecting health information, implementing privacy safeguards, maintaining accurate records, providing patients access to their information, securing patient data, documenting policies, and reporting breaches within 30 days.

What health information counts as PHI under PHIPA?

PHI (personal health information) includes patient names, phone numbers, email addresses, medical histories, treatment plans, diagnoses, prescriptions, X-rays, insurance information, appointment records, and any information revealing patient health conditions or substance abuse.

Can AI receptionists access patient health information under PHIPA?

AI receptionists can handle basic booking and scheduling without accessing full PHI. However, if an AI receptionist interacts with health data, your practice must use a compliant solution with data residency in Canada, 90-day retention limits, encrypted storage, and a signed Data Processing Agreement (DPA).

What are the penalties for PHIPA non-compliance?

PHIPA violations carry fines up to $50,000 for individuals and $250,000 for organizations. The Office of the Information and Privacy Commissioner (IPC) can issue compliance orders, and patients may pursue civil damages for harm from privacy breaches.

How should a dental practice handle a patient data breach under PHIPA?

Upon discovering a breach, notify the IPC within 30 days if risk of harm exists. Document the breach, assess impact, notify affected patients, implement corrective measures, and preserve evidence. Transparency builds trust; honesty is required by law.

Is PHIPA different from PIPEDA?

Yes. PHIPA (Personal Health Information Protection Act) applies to Ontario healthcare providers and covers health information only. PIPEDA (Personal Information Protection and Electronic Documents Act) is the federal law covering private-sector organizations and non-health personal data. Most Ontario dental practices fall under PHIPA for health data and PIPEDA for other business information.

What should I look for in a PHIPA-compliant AI receptionist vendor?

Verify: Canadian data residency, 90-day PHI retention maximum, encrypted storage at rest and in transit, HTTPS/TLS protocols, a signed Data Processing Agreement (DPA), audit logs for access tracking, employee privacy training, and a demonstrated track record with healthcare organizations.

PHIPA Compliance for Ontario Dental Practices: Complete 2026 Guide

Short answer: The Personal Health Information Protection Act (PHIPA) requires Ontario dental practices to protect patient health information through secure storage, informed consent, access controls, breach reporting, and documented privacy policies. Practices must limit data collection to necessary information, retain it only as long as required, and use only PHIPA-compliant vendors—including any AI receptionists that handle patient communication.

What is PHIPA and Who Does It Apply To?

The Personal Health Information Protection Act (PHIPA) is Ontario's primary health privacy legislation. Enacted in 2004, PHIPA governs how health information custodians—including dentists, clinics, hospitals, pharmacies, and mental health professionals—collect, use, store, and disclose personal health information (PHI).

PHIPA applies to all Ontario dental practices, regardless of size. Whether you operate a solo practice, multi-location group, or dental clinic network, you are a "health information custodian" under the law and must comply with its 10 core principles:

Accountability: Designate a privacy officer and document your practices.
Identifying purposes: Clearly state why you collect patient information at the point of collection.
Consent: Obtain informed written consent before collecting health data.
Limiting collection: Collect only necessary, relevant information.
Limiting use and disclosure: Use data only for stated purposes without consent expansion.
Accuracy: Maintain accurate and current patient records.
Safeguards: Implement physical, technical, and organizational security measures.
Openness: Provide patients access to their own health information.
Individual access: Allow patients to request and review their records.
Challenging compliance: Provide mechanisms for patients to dispute privacy violations.

PHIPA vs. PIPEDA: Many dental offices operate under both PHIPA and PIPEDA (Personal Information Protection and Electronic Documents Act). PHIPA covers health information; PIPEDA covers non-health personal data such as business contact information, payment card details, and employee records. Both laws require consent, safeguards, and breach reporting.

PHIPA Obligations for Ontario Dental Offices: Essential Checklist

To maintain PHIPA compliance, your practice should implement the following:

Obligation	What This Means	Why It Matters
Privacy Policy	Written, posted, and available in plain language. Must explain how patient data is collected, used, and protected.	Patients have a legal right to know your practices. Missing policy = compliance violation.
Informed Consent	Patient signs consent at first visit confirming they understand data collection, use, and third-party sharing (e.g., labs, insurance).	Consent must be specific and voluntary. Generic consent forms often fail audits.
Secure Storage	Encrypt patient records at rest (HD encryption, password-protected), use HTTPS for online systems, restrict physical file access.	Unencrypted breaches carry fines up to $250,000; encrypted data is lower risk.
Access Controls	Only authorized staff (hygienists, dentists, front desk for scheduling) access patient records. Use role-based permissions in your practice management software.	Oversharing data increases breach risk and violates "limiting disclosure" principle.
Data Retention Limits	Retain records for 7 years after last visit (or longer if required by law), then securely delete. If you use a cloud vendor (e.g., for AI receptionists), confirm 90-day maximum PHI retention.	Holding data longer than necessary violates PHIPA's "limiting use" principle.
Breach Reporting	Upon discovery of a breach, notify the Office of the IPC within 30 days if risk of harm to patient privacy exists. Notify affected patients promptly.	Failure to report is a separate offense. Timely disclosure demonstrates accountability.
Privacy Officer	Designate a staff member (often office manager or dentist) as privacy lead. Document their role and ensure they're trained.	IPC expects a named contact for privacy inquiries. Missing accountability = penalty.
Vendor Agreements	If you use a cloud system, scheduling software, lab management, or AI receptionist, sign a Data Processing Agreement (DPA) confirming the vendor is PHIPA-compliant.	You remain liable for vendors' breaches. Unsigned DPAs leave you exposed.
Training	Train staff annually on PHIPA, data handling, breach response, and password security. Document training attendance.	Staff mistakes cause 60% of healthcare breaches. Training reduces risk and demonstrates diligence to the IPC.
Patient Access	Upon written request, provide patients a copy of their health record within 30 days (within 5 days if urgent). Charge only photocopying and mailing costs.	Refusing access is a PHIPA violation. Document every access request and response.

The 5 Biggest PHIPA Risks for Dental Practices in 2026

1. Unsecured Patient Data (Weak Encryption, Cloud Storage Without DPA)

Risk: Storing patient records in an unencrypted Excel file, storing backups on an unprotected external drive, or using a cloud system without a signed PHIPA compliance agreement.

Example: A dental office uploads X-rays to a free Google Drive folder without encryption. An employee's personal Gmail is hacked, exposing 500 patient records.

Impact: $50,000+ individual fine, mandatory breach notification, potential civil lawsuits, loss of patient trust.

2. Inadequate Vendor Oversight (Using Non-Compliant AI Receptionists or Practice Management Software)

Risk: Deploying an AI receptionist or scheduling tool that stores patient health information without a Data Processing Agreement or proven Canadian data residency.

Example: A practice adopts a low-cost AI receptionist that stores call recordings (including patient health details) in U.S. servers without encryption or a DPA. A breach exposes 1,000+ call logs.

Impact: You are liable. The vendor's non-compliance is your compliance failure. Fines + breach costs.

3. Weak Access Controls (Staff Oversharing, No Role-Based Permissions)

Risk: Front-desk staff can view full patient histories; administrative staff can access clinical records; shared login credentials.

Example: A receptionist logs into the practice management system using a shared password. A competitor's employee, hired as temporary staff, accesses 200 patient records before leaving.

Impact: Breach + failure to limit disclosure = dual violations. Fines, mandatory staff retraining.

4. Missing or Deficient Breach Response (No 30-Day IPC Notification)

Risk: Discovering a breach but failing to notify the Office of the IPC within 30 days, or not documenting the breach internally.

Example: A ransomware attack encrypts patient files. The office pays to recover data but doesn't report to the IPC for 60 days, hoping to avoid publicity.

Impact: Failure to report = separate offense, additional fine, reputational damage, potential legal action by patients.

5. Incomplete Consent or Privacy Notices

Risk: Using a generic, outdated, or vague privacy notice that doesn't explain AI receptionist use, cloud storage, lab sharing, or insurance billing.

Example: A practice adopts an AI voice receptionist for booking but doesn't update the consent form to explain that the AI may hear patient health details. Patients claim they never consented to AI use.

Impact: Invalid consent = unlawful data use. IPC investigation, forced policy overhaul, potential fines.

How AI Receptionists Must Handle Patient Data Under PHIPA

AI receptionists have become common in Ontario dental practices, offering 24/7 scheduling, appointment reminders, and callback handling. However, PHIPA compliance for AI systems is complex because these tools can hear, store, and process patient health information.

What Patient Data Can an AI Receptionist Legally Handle?

An AI receptionist can safely collect and use:

Patient name and preferred phone number (for callbacks)
Appointment date/time and service type (e.g., "cleaning," "root canal consult")
Insurance provider name (not card details)
Availability and scheduling preferences

An AI receptionist must NOT collect or store without explicit patient consent:

Detailed symptom descriptions (e.g., "I have severe jaw pain due to...")—this is a diagnosis hint
Medication lists or allergies mentioned in conversation
Personal health history (e.g., "I had oral cancer surgery" or "I'm pregnant")
Financial hardship, job loss, or other sensitive personal context

Critical AI Receptionist Compliance Requirements

If your AI receptionist captures any health-related information, ensure the vendor meets these PHIPA standards:

Canadian Data Residency: Patient data must be stored in Canada (PHIPA doesn't mandate this, but it's best practice to avoid U.S. government access under the CLOUD Act).
90-Day Maximum PHI Retention: Call recordings and transcripts containing patient information must be deleted automatically after 90 days unless legally required to retain longer.
Encryption at Rest and in Transit: All data encrypted with TLS 1.2+ in transit and AES-256 or equivalent at rest.
Audit Logs: Vendor must provide logs showing who accessed patient data, when, and why. Your practice must review logs regularly.
Data Processing Agreement (DPA): Signed agreement stating the vendor is a "service provider" (not a separate user of the data) and bound by PHIPA. Agreement must cover data location, retention, breach notification, and audits.
Breach Notification: Vendor must notify you of breaches within 24 hours, allowing you to meet the 30-day IPC deadline.
Vendor Training & Vetting: Vendor must confirm staff are PHIPA-trained and background-checked. You should audit vendor compliance annually.

What to Look For in a PHIPA-Compliant AI Receptionist

Selecting the right AI receptionist vendor is a critical compliance decision. Many vendors claim "HIPAA compliance" (U.S. law), but HIPAA is not equivalent to PHIPA. Here are the non-negotiable criteria:

Pre-Deployment Questions for Vendors

Does your AI receptionist store patient data in Canada?

What to ask: "Where are servers located? Are backups also in Canada?" Accept only vendors with Canadian data centers. U.S. or offshore storage adds legal and security risk.

Do you have a signed Data Processing Agreement (DPA) specific to PHIPA?

What to ask: "Can you provide a completed DPA that names PHIPA as the governing law?" Many vendors offer HIPAA-only agreements. Insist on PHIPA. A DPA should cover: scope of data processed, purpose, duration, vendor obligations, subprocessor management, data subject rights, breach notification, liability, and audit rights.

What is your data retention policy for call recordings?

What to ask: "Do you automatically delete call recordings after 90 days? Can I customize retention? Is deletion actually permanent (not just marked for deletion)?" Insist on automatic 90-day deletion unless you opt for longer retention with a legal hold.

How do you encrypt patient data at rest and in transit?

What to ask: "Is TLS 1.2+ used for all data in transit? Is AES-256 or equivalent used for data at rest? Can you provide an encryption certificate and key-management policy?" Request a technical security summary or SOC 2 Type II report.

Do you provide audit logs showing access to patient data?

What to ask: "Can I download logs showing who accessed patient data, when, and for what reason? Are logs tamper-resistant? How long do you retain audit logs?" Logs are your proof of compliance if breached.

What is your breach notification timeline?

What to ask: "If you discover a breach, how quickly will you notify us? In writing? What information will you provide?" Require 24-hour breach notification in writing so you can meet the 30-day IPC deadline.

Have you completed a PHIPA privacy impact assessment?

What to ask: "Do you have a Privacy Impact Assessment (PIA) on file? Can you share a summary?" A PIA shows the vendor has systematically evaluated privacy risks and mitigation controls.

Are your staff PHIPA-trained and background-checked?

What to ask: "Can you certify that employees with access to patient data have completed PHIPA training and passed a vulnerable sector background check?" This is often overlooked but critical.

How Mihron AI Meets PHIPA Requirements

Mihron AI's Maya voice receptionist is built from the ground up for Canadian healthcare privacy. Here's how it aligns with PHIPA:

Canadian Data Residency

All patient data, call recordings, and transcripts are stored exclusively in Canada. No U.S. cloud providers. No international data transfers.

90-Day Automatic PHI Retention & Deletion

Call recordings and associated health information are automatically deleted after 90 days of inactivity. Deletion is permanent; no recovery is possible. Your practice can customize retention if a legal hold is needed (e.g., for ongoing litigation).

Encrypted Storage & Transit

All data in transit uses TLS 1.2+. Data at rest is encrypted with AES-256. Encryption keys are managed separately from data and are not accessible to application staff.

Audit Logs & Compliance Trails

Every access to patient-related data is logged: who accessed it, when, from what IP, and for what purpose. Logs are retained for 12 months and are available for compliance audits.

Data Processing Agreement (DPA)

A completed, PHIPA-specific DPA is provided with every account. The agreement names the dental practice as the data controller and Mihron AI as the service provider. Covers liability, breach notification, audit rights, and subprocessor management.

Breach Notification & Incident Response

Any suspected breach is investigated within 24 hours. The practice is notified immediately via the registered email and phone contact. A detailed incident report, assessment of patient impact, and step-by-step remediation plan are provided.

Privacy-by-Design Architecture

Maya collects only necessary information: patient name, phone, appointment type, and date. The receptionist is instructed to avoid capturing or storing health details shared casually in conversation (e.g., symptoms, medications, diagnoses).

Annual Compliance Certification

Mihron AI undergoes independent PHIPA compliance reviews and provides a compliance attestation to all customers. Security assessment summaries and SOC 2 alignment documentation are available upon request.

PHIPA Checklist for Your Dental Practice

Use this checklist to audit your current practices. Check off each item as you implement or verify it:

Item	Status	Notes
✓ Privacy policy written, posted, and in plain language	☐	Must explain data collection, use, third-party sharing, and AI receptionist use
✓ Patient informed consent form signed at first visit	☐	Consent must be specific and voluntary. Dated and initialed by patient
✓ Privacy officer designated and trained	☐	Named staff member (e.g., office manager). Annual PHIPA training documented
✓ Patient records encrypted at rest (hard drives, USB drives, cloud storage)	☐	AES-256 or equivalent. Password-protected. Tested annually
✓ Patient data encrypted in transit (practice management software, email, cloud sync)	☐	TLS 1.2+ for all network traffic. HTTPS for web access
✓ Access controls implemented (role-based permissions in practice software)	☐	Receptionist: scheduling only. Hygienist: clinical notes. Dentist: full access. No shared passwords
✓ Data retention policy documented (7 years post-visit, then secure deletion)	☐	For digital files: encryption + shredding or purging. For paper: cross-cut shredding
✓ Data Processing Agreements signed with all vendors (PMS, cloud storage, AI receptionist, labs)	☐	Each DPA must name PHIPA. Review annually. Confirm vendor PHIPA compliance
✓ Annual staff PHIPA training completed and documented	☐	Topics: data handling, password security, breach response, patient privacy rights. Sign-in sheet
✓ Breach response procedure written and staff trained	☐	Upon discovery: isolate system, assess impact, notify IPC within 30 days, notify patients, document
✓ Patient access request procedure in place (30-day turnaround)	☐	Process written request, compile record, verify patient identity, deliver copy within 30 days
✓ Physical security controls in place (locked filing, visitor sign-in, camera coverage)	☐	Patient files in locked cabinet. Clinic access badge or sign-in. Restrict unauthorized entry
✓ Third-party lab agreements reviewed for privacy compliance	☐	Confirm lab meets PHIPA standards. DPA in place for electronic data transfer
✓ Audit logs reviewed monthly (AI receptionist, practice management system)	☐	Check for unusual access patterns, failed login attempts, data exports. Document review

FAQ: PHIPA Compliance for Ontario Dental Practices

What is the difference between PHIPA and HIPAA?

PHIPA (Personal Health Information Protection Act) is Ontario's health privacy law. It applies to Ontario healthcare providers and their vendors. HIPAA (Health Insurance Portability and Accountability Act) is U.S. law. While both laws share privacy and security principles, they have different requirements, penalties, and enforcement mechanisms. A vendor certified for HIPAA is not automatically PHIPA-compliant. Ensure your vendors meet PHIPA specifically.

Do PHIPA penalties apply to small dental practices?

Yes. PHIPA applies to all health information custodians, regardless of size. A solo dentist with one hygienist faces the same compliance requirements as a multi-location chain. However, enforcement typically focuses on significant breaches or repeated violations. That said, don't rely on size as a reason to deprioritize compliance—the IPC investigates complaints from any patient, and penalties can be substantial.

If my AI receptionist is HIPAA-compliant, is it automatically PHIPA-compliant?

No. HIPAA and PHIPA are separate laws with different requirements. HIPAA mandates U.S.-based data residency and is enforced by the U.S. Department of Health and Human Services. PHIPA requires Canadian data residency and is enforced by the Ontario IPC. A vendor can be HIPAA-compliant but fail PHIPA requirements if data is stored in the U.S. or if the DPA doesn't address PHIPA obligations. Always confirm PHIPA compliance explicitly with your vendor.

What happens if I discover a data breach after 30 days?

Report it to the IPC immediately, even if past 30 days. The 30-day window is mandatory only if risk of harm exists and you discover the breach promptly. If you discover a breach 60 days after the fact, you must still report promptly. Late reporting may draw scrutiny but is better than concealment. Document why the discovery was delayed (e.g., forensic investigation took time) to show diligence.

Can I use a U.S.-based AI receptionist if I encrypt the data before sending it?

Encryption helps, but PHIPA doesn't explicitly require Canadian residency. However, storing patient data in the U.S. exposes it to U.S. government access under laws like the CLOUD Act, which PHIPA-regulated organizations should avoid. Best practice is to use Canadian-based vendors. If you use a U.S. vendor, encrypt all data and ensure your DPA explicitly addresses cross-border data flows and U.S. government access risks.

Who is liable if a vendor's AI receptionist is breached?

You are. As the health information custodian, you remain responsible for vendors' PHIPA compliance. The IPC can hold you liable for breach notification, fines, and remediation even if a vendor caused the breach. Your recourse is to sue the vendor for breach of contract (the DPA). Always sign a strong DPA, carry cyber liability insurance, and audit vendors regularly to reduce this risk.

Is PHIPA compliance a one-time effort, or ongoing?

Ongoing. PHIPA compliance requires annual staff training, regular audit log reviews, vendor audits, and policy updates. The Ontario IPC also evolves guidance based on case law and emerging threats. Plan for annual compliance check-ins: review your privacy policy, retrain staff, test encryption, and audit vendor DPAs. Many practices designate a quarterly or semi-annual privacy review meeting to stay current.

What should I do if a patient requests their health information?

By law, you must provide it. The process: (1) patient submits written request; (2) you verify patient identity; (3) you compile the complete record; (4) you deliver it within 30 days (5 days if urgent). You can charge only photocopying and mailing costs. Refusing or delaying is a PHIPA violation. Keep records of every access request, the date provided, and cost. A well-documented access process shows compliance to the IPC.

Next Steps: PHIPA Compliance in Your Practice

PHIPA compliance is an investment in patient trust and legal protection. Start with these immediate actions:

Audit your current state: Review your privacy policy, vendor agreements, and encryption practices using the checklist above. Identify gaps.
Update your consent form: Ensure it covers all data uses, including AI receptionist interaction, cloud storage, lab sharing, and insurance billing.
Review vendor agreements: Request PHIPA-compliant DPAs from your practice management software, cloud storage, scheduling system, and AI receptionist vendor. Confirm Canadian data residency and 90-day retention limits.
Train your team: Conduct annual PHIPA training for all staff. Document attendance and scores.
Implement access controls: Set up role-based permissions in your practice management software. Disable shared passwords.
Schedule a compliance audit: Consider hiring a healthcare privacy consultant to conduct a formal assessment. Many insurance policies cover this.

For dental practices in Ontario, Mihron AI provides a PHIPA-compliant AI receptionist built specifically for Canadian healthcare. Maya offers:

24/7 appointment scheduling and patient reminders
Canadian data residency with AES-256 encryption
90-day automatic PHI retention deletion
Signed PHIPA Data Processing Agreement
Audit logs for compliance verification
Integration with NexHealth (Dentrix, Open Dental, Eaglesoft), Cal.com, Google Calendar, and SMS
Pricing from $299 CAD/month (Starter, 500 calls) to $499+ (Growth, 1,500+ calls)

Learn more about PHIPA AI compliance or AI receptionists for Ontario. For dental-specific guidance, see our dental industry page and Toronto dental case study.

Book a PHIPA Compliance Demo

Disclaimer: This guide is educational and not legal advice. For compliance with PHIPA, consult a healthcare privacy lawyer or your provincial dental regulator. The Ontario IPC provides official guidance at https://www.ipc.on.ca/.