How it works
PHIPA is Ontario's health privacy law. It governs how "health information custodians" collect, use, and disclose personal health information. If a physician, nurse practitioner, or registered nurse practises in your clinic, that person is a custodian and the patient records they create are in scope. Everyone else who touches those records, including front desk staff, estheticians, and outside software vendors, acts as an agent of the custodian. The custodian stays accountable for what agents do.
The duties come down to a short list:
- Consent. Care providers can rely on implied consent inside the circle of care. Anything outside care, including marketing, testimonials, and before-and-after photos, needs express consent.
- Unique access. Every user gets their own login, and access is limited to what the role actually needs.
- Audit logs. Electronic systems must record who viewed, changed, or shared each record, and those logs have to be available for review.
- Safeguards. Encryption in transit and at rest, device and password controls, and a written retention and disposal schedule.
- Vendor agreements. Anyone handling health information on your behalf needs a written agreement setting out permitted use and safeguards.
- Breach response. Tell the affected patient at the first reasonable opportunity, notify Ontario's Information and Privacy Commissioner in defined situations, and file breach statistics with the IPC each year.
Why it matters for aesthetic clinics
A med spa feels like retail and runs on medicine. Injectables are delegated medical acts, charts are real clinical charts, and the front desk moves fast. That combination is where privacy problems usually start.
Most of the risk sits in the growth stack rather than the EHR. Booking widgets, CRM, text recall, review requests, ad platforms, and AI chat assistants all pull patient names, phone numbers, and treatment interest into systems that were never set up as clinical software. Sending a "Botox top-up" campaign to a list segmented by past treatment is a use of health information for marketing. That needs express consent, not an unsubscribe link.
The stakes are written into the law. Ontario doubled its PHIPA penalties in 2020, and the maximum fine is now $200,000 for an individual and $1,000,000 for an organization. The IPC also publishes its decisions, so a bad outcome becomes a public, searchable record attached to your clinic name. For a business built on trust and referrals, that reputational cost tends to outrun the fine.
PHIPA vs HIPAA
Ontario clinics buy a lot of American software, and most of it markets itself as "HIPAA compliant." That is a useful signal, not an answer.
| PHIPA (Ontario) | HIPAA (United States) | |
|---|---|---|
| Who it covers | Health information custodians and their agents | Covered entities and business associates |
| Regulator | Information and Privacy Commissioner of Ontario | Office for Civil Rights, US Department of Health and Human Services |
| Vendor paperwork | Written agreement with the custodian | Business Associate Agreement |
| Patient breach notice | At the first reasonable opportunity | Within 60 days of discovery |
| Regulator breach notice | To the IPC in defined cases, plus annual statistics | Within 60 days for breaches of 500 or more people, otherwise annually |
| Data location | No hard residency rule, but the custodian stays accountable wherever data lives | No hard residency rule |
A HIPAA-ready vendor has usually built the right technical controls. You still need the PHIPA-side agreement and your own accountability on top.
The Ownerized take
Compliance is not the enemy of growth here. It is the reason your automation is allowed to run at all. We treat PHIPA as a design constraint on the growth stack: least data in the marketing layer, express consent captured at the point of booking, unique logins everywhere, and a written agreement with every vendor that touches a record. Clinics that get this right can automate recall, reviews, and follow-up with real confidence, because nothing in the flow depends on a shortcut. That is how we build the AI Growth System for aesthetics clinics.
Common mistakes
- Shared front desk logins. One "reception" account erases your audit trail, and it is the most common finding of all.
- Treating an unsubscribe link as consent. Marketing that uses treatment history needs express consent collected up front.
- Before-and-after photos posted under a general clinic consent form. Photo use for marketing is a separate, specific, revocable consent.
- Buying software on a "HIPAA compliant" badge and never signing a PHIPA-side agreement with the vendor.
- Patient details in staff text threads and personal phones, outside any system that keeps a log.
- Turning on audit logs and never reading them. The law expects review, not just capture.
- No named privacy contact. PHIPA expects a designated person, and in practice that person is who catches a problem in week one instead of month six.
Frequently asked questions
Does PHIPA apply to a med spa?
PHIPA applies once a regulated health professional in your clinic collects health information. If a physician, nurse practitioner, or nurse assesses patients or supervises injectables, that provider is a custodian and the charts are in scope. A purely cosmetic service with no health professional involved usually falls under PIPEDA, the federal commercial privacy law, instead.
Can I store patient data on US servers under PHIPA?
Yes. PHIPA has no hard data residency rule, unlike some other provinces. You stay accountable wherever the data sits, so you need a written agreement with the vendor, appropriate safeguards, and a clear answer for patients who ask. Some clinics still choose Canadian hosting because it is easier to explain.
Do I need consent to text patients about promotions?
Yes, and two laws apply. PHIPA requires express consent to use health information for marketing, and Canada's anti-spam legislation requires consent for the message itself. Capture both at booking, keep a record of when and how, and make opting out simple. A recall reminder for scheduled care is different from a promotional offer.
What happens if we have a breach?
Notify the affected patient at the first reasonable opportunity, and notify Ontario's Information and Privacy Commissioner in defined situations such as theft, deliberate snooping, or a pattern of similar incidents. Log the event, contain it, and include it in the breach statistics you file with the IPC each year.
Does PHIPA compliance affect AI tools and chatbots?
It applies to any tool that touches patient information. An AI chat assistant on your site that captures symptoms or treatment interest is collecting health information, so it needs consent, access controls, logging, and a vendor agreement. Keep the marketing layer thin: capture intent, not clinical detail.