For Ontario health-information custodians & their service providers
ClearGlass Inc. · Clarity is power · clearglassinc.github.io
This checklist is general educational guidance aligned to common expectations under Ontario's Personal Health Information Protection Act (PHIPA). It is not legal advice and is not a substitute for a tailored assessment or counsel. Use it to find gaps worth a closer look.
1 · Governance & accountability
A designated privacy contact / Privacy Officer is named and reachable
Written privacy & security policies exist and are reviewed at least annually
Staff roles and responsibilities for PHI handling are documented
Written agreements are in place with all service providers handling PHI
2 · Consent & collection
PHI is collected, used, and disclosed only for permitted purposes
A clear public statement of information practices is available
Patients can request access to and correction of their records
Process exists to handle consent directives / "lock-box" requests
3 · Access control
Access to PHI is role-based and follows least privilege
Multi-factor authentication is enforced for remote and admin access
Unique accounts per user (no shared logins) for systems with PHI
Joiner/mover/leaver process promptly revokes access
4 · Audit & monitoring
Access to electronic health records is logged and auditable
Logs are reviewed for unauthorized access ("snooping")
Alerting exists for anomalous access patterns
Log retention meets organizational and regulatory expectations
5 · Safeguards (technical & physical)
PHI is encrypted in transit and at rest (incl. laptops / mobile devices)
Endpoints are patched, hardened, and protected by current anti-malware
Backups exist, are encrypted, and have been test-restored
Physical access to records and servers is controlled
6 · Breach response
A written breach / privacy-incident response plan exists
Staff know how to report a suspected breach
Process covers notifying affected individuals and the IPC where required
Incidents and near-misses are logged and reviewed
7 · People & training
Privacy & security awareness training is delivered and tracked
Confidentiality agreements are signed by everyone with PHI access
Phishing resistance is tested / reinforced periodically
Found gaps? A ClearGlass PHIPA Readiness Assessment turns this checklist into a risk-ranked roadmap. Book a call at clearglassinc.github.io/offers/phipa-readiness.html