HIPAA vs PHIPA: How US and Ontario Health Laws Differ
HIPAA is a United States federal law and PHIPA is Ontario, Canada's provincial health-privacy law, and they apply in different jurisdictions to different organizations. Both require safeguarding personal health information, limiting use and disclosure, and notifying people of breaches, but they differ in scope, definitions, consent rules, and enforcement. A US provider follows HIPAA; an Ontario custodian follows PHIPA.
TL;DR: Quick answer
- HIPAA applies in the United States; PHIPA applies in Ontario, Canada.
- Both protect health information and require breach notification, but their definitions and consent rules differ.
- PHIPA centers on health information custodians; HIPAA centers on covered entities and business associates.
- A US provider follows HIPAA; an Ontario custodian follows PHIPA, and a Business Associate Agreement (BAA) can bridge the two when they work together.
What is each law?
HIPAA, the Health Insurance Portability and Accountability Act, sets US national standards for protecting health information held by covered entities and their business associates. PHIPA, Ontario's Personal Health Information Protection Act, governs how health information custodians in Ontario collect, use, and disclose personal health information.
How do HIPAA and PHIPA differ?
| Dimension | HIPAA (US) | PHIPA (Ontario) |
|---|---|---|
| Jurisdiction | United States | Ontario, Canada |
| Regulated party | Covered entities and business associates | Health information custodians and their agents |
| Consent model | Permits many uses without explicit consent for treatment, payment, and operations | Generally relies on implied or express consent, with a "circle of care" concept |
| Breach notification | Required to individuals and HHS, with timelines | Required to individuals and, in defined cases, to the Information and Privacy Commissioner |
| Enforcement | HHS Office for Civil Rights | Information and Privacy Commissioner of Ontario |
Which law applies to me?
- A US clinic, hospital, or health plan follows HIPAA.
- An Ontario custodian such as a clinic or hospital follows PHIPA.
- A vendor serving a US covered entity may be bound to HIPAA through a Business Associate Agreement, even if based in Canada.
- An organization operating in both places may need to satisfy both frameworks.
Frequently asked questions
What is the difference between HIPAA and PHIPA?
They are different laws for different jurisdictions. HIPAA is US federal law; PHIPA is Ontario provincial law. They share goals but differ in definitions, consent, and enforcement.
Does PHIPA apply outside Ontario?
PHIPA is Ontario legislation. Other Canadian provinces have their own health-privacy laws, and PIPEDA applies federally in many commercial contexts.
Which law applies to a US clinic with Canadian patients?
A US covered entity follows HIPAA. Handling Canadian residents' data may also raise Canadian privacy obligations, so confirm with counsel.
Where to go from here
For the broader question of when US rules reach across borders, see "Is HIPAA only for US sites?".
This guide is general information, not legal advice. Confirm your obligations under HIPAA, PHIPA, or both with qualified counsel.