Maintaining PIPEDA compliance ensures that patient information is secure. It is vital that all Canadian clinic operators and healthcare providers understand their responsibilities.

What is PIPEDA?

The Personal Information Protection and Electronic Documents Act (PIPEDA) is the federal privacy law for private-sector organizations (i.e. clinics) in Canada. It defines how personal information, including Personal Health Information (PHI), is collected, used, or disclosed while carrying out commercial activities.


  • Develop and implement a security policy to protect personal information.
  • Use appropriate security safeguards to provide necessary protection. These can include:
    • physical measures (e.g., locked filing cabinets, restricting access to offices, and alarm systems);
    • up-to-date technological tools (e.g., passwords, encryption, firewalls, and security patches); and
    • organizational controls (e.g., security clearances, limiting access, staff training and agreements).
  • Review security safeguards regularly to ensure they are up to date, and that you have addressed any known vulnerabilities through regular security audits and/or testing.
  • Educate your employees and ensure they are aware of the importance of maintaining the security and confidentiality of personal information. Hold regular staff training on security safeguards.

A breach of security safeguards is the loss of, unauthorized access to, or unauthorized disclosure of one or more persons' personal information resulting from a breach or failure of an organization’s security safeguards, or from a failure to establish those safeguards or sufficient and reasonable safeguards. This includes:

  • Stolen laptop
  • Stolen phone
  • Stolen USB device
  • Malware incident
  • Ransomware attack
  • Hacking
  • Business associate breach
  • EHR breach
  • Office break-in
  • Sending PHI to the wrong patient/contact
  • Discussing PHI outside of the office
  • Social media posts

Whether a breach of security safeguards affects one person or 1,000, it MUST be reported if your assessment indicates there is a risk of significant harm to one or more persons resulting from the breach.

Disregard—both intentional and unintentional—for PIPEDA’s mandatory breach reporting, notification, and record-keeping requirements could lead to fines and penalties of up to $100,000 per violation. Failure to establish security safeguards in the first place can also expose businesses to penalties.


From the WELL Cybersecurity Division