PHIPA

Updates to the Personal Health Information Protection Act (PHIPA)

In June 2025, the Information and Privacy Commissioner (IPC) issued PHIPA Decision 284, which clarifies enforcement expectations under the Personal Health Information Protection Act (PHIPA). PHIPA governs all Ontario healthcare providers and their outsourced third-party IT providers, including Outsource IT. This message contains details on the decision and outlines Outsource IT's commitment to supporting its clients in the healthcare sector.
Link to Decision 284

Decision 284 Explained

Decision 284 resulted from a significant ransomware attack that occurred in October 2023 on multiple healthcare entities (not related to Outsource IT). This decision established a precedent that makes Health Information Custodians, such as doctors, pharmacists, and hospitals, fully responsible for protecting patients' personal health information (PHI), even if they outsource IT services to third-party providers such as Outsource IT. As a result, there is an increased need for Electronic Service Providers (ESPs), such as Outsource IT, to assist their clients in maintaining compliance.
Link to Custodian Announcement
Outsource IT is a recognized IT provider in Ontario healthcare
Under the Personal Health Information Protection Act (PHIPA), Outsource IT operates as an Electronic Service Provider (ESP) as defined in Section 10(4) of PHIPA and is subject to the Section 6(1) restrictions under Ontario Regulation 329/04.
Healthcare Data Transmission
Outsource IT does not inspect, back up, or maintain patient data stored in Electronic Medical Records (EMR) systems. However, because Outsource IT maintains the networks and infrastructure used by healthcare custodians to access and transmit health information electronically, it may occasionally encounter patient information during activities such as screen sharing with healthcare staff for troubleshooting.
PHI Usage and Reporting
As part of its ESP designation, Outsource IT must adhere to the following requirements:
1. Outsource IT cannot use any personal health information while providing services, except as absolutely necessary for service delivery.
2. Outsource IT cannot disclose any personal health information it may encounter.
3. Outsource IT's employees and subcontractors must agree to these same restrictions.

Outsource IT and PHIPA

Outsource IT complies with the Personal Health Information Protection Act, 2004 and Ontario Regulation 329/04, specifically the restrictions set out in Section 6(1) regarding the use and disclosure of personal health information.

PHI Restrictions

Outsource IT will not:
(a) Use any personal health information accessed during service provision except as necessary to provide the specific services described in this agreement;
(b) Disclose any personal health information under any circumstances;
(c) Permit employees or agents to access personal health information unless they have agreed to comply with these same restrictions.

Administrative Safeguards

Outsource IT maintains policies and procedures for:
- Workforce security and access management
- Security awareness training for all personnel
- Incident response and breach notification procedures
- Regular evaluation of PHIPA compliance measures
- Designation of a privacy officer responsible for PHIPA compliance

Technical Safeguards

Outsource IT implements:
- Access controls and user authentication systems
- Audit logging and monitoring capabilities
- Data integrity verification measures
- Encryption for data storage and transmission
- Network security controls including firewalls and intrusion detection

Physical Safeguards

Outsource IT maintains:
- Controlled facility access with appropriate identification requirements
- Workstation security policies and device controls
- Secure storage and disposal procedures for any physical media
- Environmental controls for server and network equipment

Outsource IT ensures that any third parties retained to assist in providing services agree to comply with the restrictions necessary to enable Outsource IT's PHIPA compliance, including the same use and disclosure restrictions that apply to Outsource IT.

Incident Reporting

Outsource IT will notify clients immediately upon becoming aware of any unauthorized access, use, disclosure, or disposal of personal health information, or any other privacy incident that may affect the client's personal health information.

Compliance Monitoring

Clients may audit Outsource IT's PHIPA compliance measures upon reasonable notice. Outsource IT will provide documentation of compliance activities upon the client's request.

Termination Obligations

Upon termination of any agreement, Outsource IT will securely return or destroy all personal health information in its possession and certify in writing that no copies have been retained.