From the WELL Cybersecurity Division


Maintaining PIPEDA compliance ensures that patient information is secure. It is vital that all Canadian clinic operators and healthcare providers understand their responsibilities.

What is PIPEDA?

The Personal Information and Electronic Documents Act (PIPEDA) is the federal privacy law for private-sector organizations (i.e. clinics) in Canada which defines how personal information, including Personal Health Information (PHI) ,is collected, used, or disclosed while carrying out commercial activities.

Expand section to learn more

What Can I Do to Protect PHI?
  • Develop and implement a security policy to protect personal information.
  • Use appropriate security safeguards to provide necessary protection. These can include:
    • physical measures (e.g., locked filing cabinets, restricting access to offices, and alarm systems);
    • up-to-date technological tools (e.g., passwords, encryption, firewalls, and security patches); and
    • organizational controls (e.g., security clearances, limiting access, staff training and agreements).
  • Review security safeguards regularly to ensure they are up to date, and that you have addressed any known vulnerabilities through regular security audits and/or testing.
  • Educate your employees and ensure they are aware of the importance of maintaining the security and confidentiality of personal information. Hold regular staff training on security safeguards.
What is a Breach?

The loss of unauthorized access to or unauthorized disclosure of one or more persons personal information resulting from a breach or failure of an organization’s security safeguards, or from a failure to establish those safeguards or sufficient and reasonable safeguard. This includes:

  • Stolen laptop
  • Stolen phone
  • Stolen USB device
  • Malware incident
  • Ransomware attack
  • Hacking
  • Business associate breach
  • EHR breach
  • Office break-in
  • Sending PHI to the wrong patient/contact
  • Discussing PHI outside of the office
  • Social media posts
Fines (per violation - per record exposed)

Whether a breach of security safeguards affects one person or a 1,000, it MUST be reported if your assessment indicates there is a risk of significant harm to one or more persons resulting from the breach.

Disregard—both intentional and unintentional—for PIPEDA’s mandatory breach reporting, notification, and record-keeping requirements could lead to fines and penalties of up to $100,000 per violation. Failure to establish security safeguards in the first place can also expose businesses to penalties.


Scroll to Top