
HIPAA vs PHIPA: How US and Ontario Health Privacy Laws Compare

By Joseph Abear

HIPAA is United States federal law that regulates Covered Entities and Business Associates under 45 CFR § 160.103, while PHIPA (the Personal Health Information Protection Act, 2004) is Ontario provincial law that regulates health information custodians and their agents. Both laws protect personal health information, but they differ in who they regulate, how consent works, where breaches get reported, and how violations are penalized. An organization operating on both sides of the border can be subject to both at once.

TL;DR: Quick answer

  • HIPAA applies to Covered Entities and Business Associates as defined at 45 CFR § 160.103; PHIPA applies to health information custodians in Ontario, such as physicians, hospitals, and pharmacies, plus the agents and service providers acting for them.
  • HIPAA permits use and disclosure of PHI for treatment, payment, and health care operations without patient authorization; PHIPA is consent-based, relying on implied consent within the circle of care and express consent outside it.
  • HIPAA breaches are reported to HHS OCR (within 60 days of discovery for breaches affecting 500 or more individuals); PHIPA breaches meeting defined triggers are reported to the Information and Privacy Commissioner of Ontario at the first reasonable opportunity.
  • HIPAA civil penalties effective January 28, 2026 range from $145 to $73,011 per violation in Tier 1, rising to $2,190,294 for Tier 4, with a $2,190,294 annual cap (45 CFR § 102.3); PHIPA added administrative monetary penalties effective January 1, 2024 of up to $50,000 CAD for individuals and $500,000 CAD for organizations.
  • PHIPA does not impose a blanket Canadian data residency rule, but custodians remain accountable for PHI handled by service providers, so cross-border hosting decisions need contracts and safeguards, not just a checkbox.

Who does each law regulate?

HIPAA's regulated parties are Covered Entities (health plans, health care clearinghouses, and providers that transmit health information electronically in connection with covered transactions) and the Business Associates that handle protected health information (PHI) for them. The definitions sit at 45 CFR § 160.103, and the Business Associate relationship must be papered with a Business Associate Agreement under § 164.308(b) and § 164.504(e). A hosting provider storing ePHI is a textbook Business Associate.

PHIPA's regulated party is the health information custodian: physicians, nurses, hospitals, long-term care homes, pharmacies, laboratories, and similar entities listed in section 3 of the Act. People and companies that handle personal health information on a custodian's behalf are "agents" or "electronic service providers," and the custodian remains accountable for what they do. There is no direct PHIPA equivalent of the independently liable Business Associate; accountability stays anchored to the custodian, which is why Ontario service agreements tend to be prescriptive about safeguards.

How do the consent models differ?

This is the deepest structural difference. HIPAA's Privacy Rule permits a Covered Entity to use and disclose PHI for treatment, payment, and health care operations without the patient's authorization. Authorization is the exception, reserved for uses like marketing or most disclosures of psychotherapy notes.

PHIPA runs the other way: consent is the default. Within the circle of care, consent to share information for the purpose of providing health care can be implied, which keeps routine treatment workable. Outside that circle, express consent is generally required. PHIPA also gives patients a lockbox option: an individual can expressly withhold or withdraw consent to the sharing of specific information even within the circle of care, and custodians must honor and flag that restriction. HIPAA has a weaker cousin in the right to request restrictions, which providers can usually decline except for the self-pay restriction created by the HITECH Act.

How does breach notification compare: HHS OCR vs the Ontario IPC?

Under the HIPAA Breach Notification Rule (45 CFR §§ 164.400-414), a Covered Entity must notify affected individuals without unreasonable delay and no later than 60 calendar days after discovering a breach of unsecured PHI; the 60 days is an outer limit, not a grace period. Breaches affecting 500 or more individuals also go to HHS OCR within that same 60-day window and to prominent media outlets serving the state or jurisdiction where the affected individuals live; smaller breaches are logged and reported to OCR annually, within 60 days of the end of the calendar year in which they were discovered. A Business Associate that discovers a breach must notify the Covered Entity (§ 164.410), which carries the duty to notify individuals, so a hosting provider's own discovery clock feeds the customer's 60-day clock.

Under PHIPA, custodians must notify affected individuals at the first reasonable opportunity whenever PHI is stolen, lost, or used or disclosed without authority. Reporting to the Information and Privacy Commissioner of Ontario (IPC) is required when defined triggers are met, including theft of unencrypted PHI, knowing unauthorized use or disclosure, a continuing or patterned breach, or conduct that would also be reportable to a regulatory college. Custodians must additionally submit annual privacy breach statistics to the IPC. The practical difference: HIPAA gives you a 60-day outer bound; PHIPA's "first reasonable opportunity" standard is shorter in practice and the IPC has signaled it expects prompt action, often within days.

What are the penalties under each law?

Penalty feature | HIPAA (US) | PHIPA (Ontario)
--- | --- | ---
Regulator | HHS Office for Civil Rights (OCR) | Information and Privacy Commissioner of Ontario (IPC)
Civil / administrative penalties | Four culpability tiers at 45 CFR § 102.3 (effective 2026-01-28): Tier 1 $145 to $73,011 per violation; Tier 4 $73,011 to $2,190,294; annual cap $2,190,294 | Administrative monetary penalties (effective 2024-01-01): up to $50,000 CAD for individuals, $500,000 CAD for organizations, or the financial benefit gained
Offence prosecutions | Criminal referrals to DOJ for knowing violations | Fines up to $200,000 CAD and up to one year imprisonment for individuals; up to $1,000,000 CAD for organizations
Practical enforcement | Resolution agreements, corrective action plans, civil money penalties | IPC orders, AMPs, and prosecution in egregious cases

Note that the 2019 HHS Notice of Enforcement Discretion still lowers the effective annual caps for HIPAA tiers 1 through 3. Our full breakdown of HIPAA violation fines and penalties covers the tier mechanics in detail.

Can Ontario custodians host personal health information on US clouds?

PHIPA contains no general prohibition on storing personal health information outside Canada, unlike some Canadian public-sector statutes. What it does require is that the custodian remain accountable: agents and electronic service providers must be bound by agreements, safeguards must be comparable to what PHIPA expects of the custodian, and patients' rights of access and correction must survive the outsourcing.

In practice, Ontario custodians using AWS typically deploy in the Canadian regions (ca-central-1 in Montreal or ca-west-1 in Calgary) to keep data resident in Canada, then layer encryption with customer-managed keys, audit logging, and a service agreement that mirrors the duties a HIPAA BAA would carry. The legal exposure to US process (such as the CLOUD Act) for data held by US-headquartered providers is a real consideration that counsel should weigh. Encryption with keys the provider cannot access materially changes that analysis, but a customer-managed KMS key does not by itself get you there: the key material still sits in hardware the provider operates and is reachable through the provider's own control plane. Keys the provider genuinely cannot reach require client-side encryption before upload, or key material held outside the provider (AWS offers this as the KMS External Key Store), and both carry an operational cost that should be weighed against the legal benefit. Custodians serving US patients, or vendors serving US Covered Entities from Canada, can also be pulled into HIPAA directly through a BAA, a scenario we cover in how HIPAA and PIPEDA interact for Canadian organizations.
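One way to turn the hosting pattern above into a repeatable check, as an added example (this is not code from the article, from hipaacomplianthosting.com, or from AWS): the Python below evaluates S3 bucket metadata in the shapes boto3 returns from GetBucketLocation, GetBucketEncryption, GetBucketLogging and KMS DescribeKey, flagging buckets outside ca-central-1/ca-west-1, buckets whose default encryption does not use a confirmed customer-managed KMS key, and buckets with access logging off. The bucket names, key ARN and account number are constructed sample data, not live resources; in use you would feed it the live responses from those four calls.

```python
"""Residency, key-ownership and logging check for S3 buckets holding PHI.

Added example, not code from the article or from AWS. It scores bucket
metadata in the shapes boto3 returns from GetBucketLocation,
GetBucketEncryption, GetBucketLogging and KMS DescribeKey against the
hosting pattern the article describes. All bucket names, key ARNs and
account numbers below are constructed sample data, not live resources.
"""
from dataclasses import dataclass
from typing import Optional

# Regions the article names as the residency target.
CANADIAN_REGIONS = {"ca-central-1", "ca-west-1"}


@dataclass
class Finding:
    bucket: str
    severity: str  # "fail" or "warn"
    control: str   # "residency", "encryption" or "audit-logging"
    detail: str


def bucket_region(location: dict) -> str:
    # GetBucketLocation reports us-east-1 as a null LocationConstraint.
    return location.get("LocationConstraint") or "us-east-1"


def default_encryption(encryption: Optional[dict]) -> tuple:
    """Return (algorithm, key_id) from the bucket's default encryption rule."""
    if not encryption:
        return None, None
    rules = encryption.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    for rule in rules:
        default = rule.get("ApplyServerSideEncryptionByDefault")
        if default:
            return default.get("SSEAlgorithm"), default.get("KMSMasterKeyID")
    return None, None


def evaluate(bucket: str, location: dict, encryption: Optional[dict],
             logging: dict, key_manager: dict) -> list:
    """Check one bucket. key_manager maps a KMS key ARN to DescribeKey's
    KeyMetadata.KeyManager value ("AWS" or "CUSTOMER")."""
    findings = []

    region = bucket_region(location)
    if region not in CANADIAN_REGIONS:
        findings.append(Finding(bucket, "fail", "residency",
                                f"bucket lives in {region}, not a Canadian region"))

    algorithm, key_id = default_encryption(encryption)
    if algorithm is None:
        findings.append(Finding(bucket, "fail", "encryption",
                                "no default server-side encryption rule"))
    elif algorithm != "aws:kms":
        # SSE-S3 (AES256) encrypts at rest, but the provider holds the key
        # outright and no key policy in the customer's account governs its use.
        findings.append(Finding(bucket, "warn", "encryption",
                                f"{algorithm} relies on provider-managed keys"))
    elif (not key_id or key_id.startswith("alias/aws/")
          or key_manager.get(key_id) != "CUSTOMER"):
        # SSE-KMS with the AWS-managed aws/s3 key, or a key we cannot confirm
        # is customer-managed, gives no customer-controlled key policy.
        findings.append(Finding(bucket, "warn", "encryption",
                                "SSE-KMS key is not a confirmed customer-managed key"))

    if "LoggingEnabled" not in logging:
        findings.append(Finding(bucket, "fail", "audit-logging",
                                "server access logging is disabled"))
    return findings


def evaluate_all(buckets: dict, key_manager: dict) -> dict:
    """Run evaluate() over {bucket_name: {location, encryption, logging}}."""
    return {name: evaluate(name, meta.get("location", {}), meta.get("encryption"),
                           meta.get("logging", {}), key_manager)
            for name, meta in buckets.items()}


# Constructed sample data in the boto3 response shapes (hypothetical resources).
CMK_ARN = "arn:aws:kms:ca-central-1:111122223333:key/11111111-2222-3333-4444-555555555555"
SAMPLE_KEY_MANAGER = {CMK_ARN: "CUSTOMER"}
SAMPLE_BUCKETS = {
    "clinic-phi-records": {  # matches the pattern: Montreal, CMK, logging on
        "location": {"LocationConstraint": "ca-central-1"},
        "encryption": {"ServerSideEncryptionConfiguration": {"Rules": [{
            "ApplyServerSideEncryptionByDefault": {
                "SSEAlgorithm": "aws:kms", "KMSMasterKeyID": CMK_ARN},
            "BucketKeyEnabled": True}]}},
        "logging": {"LoggingEnabled": {"TargetBucket": "clinic-audit-logs",
                                       "TargetPrefix": "s3/phi-records/"}},
    },
    "clinic-backups": {  # a copy job that drifted: us-east-1, SSE-S3, no logging
        "location": {"LocationConstraint": None},
        "encryption": {"ServerSideEncryptionConfiguration": {"Rules": [{
            "ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}},
        "logging": {},
    },
}

if __name__ == "__main__":
    for name, findings in evaluate_all(SAMPLE_BUCKETS, SAMPLE_KEY_MANAGER).items():
        print(f"{name}: {'ok' if not findings else ''}")
        for f in findings:
            print(f"  [{f.severity}] {f.control}: {f.detail}")
```

A clean result from this check confirms the configuration pattern, nothing more: a customer-managed KMS key still lives in provider-operated HSMs, so the "keys the provider cannot access" question is answered by client-side encryption or an external key store, not by this script. The key_manager lookup is the step most often skipped; SSE-KMS with the aws/s3 key looks identical in the bucket configuration until you resolve the key.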

Which law applies to your organization?

  • US provider, US patients: HIPAA, enforced by HHS OCR. Start with our HIPAA-compliant hosting guide.
  • Ontario clinic, hospital, or pharmacy: PHIPA, overseen by the IPC. PIPEDA may apply to commercial activities outside the custodian role; note that the federal reform effort (Bill C-27) died in January 2025 and no successor is law as of June 2026.
  • Canadian vendor serving a US Covered Entity: HIPAA obligations flow through the BAA regardless of where the vendor sits.
  • Organization operating in both jurisdictions: both frameworks apply, and the stricter rule on each point governs in practice. Our comparison of HIPAA versus international privacy laws widens the lens beyond Canada, and how HIPAA treats US sites with global reach covers the inbound-traffic question.

Frequently asked questions

Is PHIPA the Canadian version of HIPAA?

Only loosely. PHIPA covers one province (Ontario) and is consent-based, while HIPAA is US federal law built on permitted uses. Other provinces have their own health privacy statutes, and PIPEDA applies federally to commercial activity.

Does PHIPA require health data to stay in Canada?

No blanket residency rule exists in PHIPA, but the custodian stays accountable for PHI handled by any service provider, so cross-border arrangements need contractual safeguards, and many custodians choose Canadian cloud regions anyway.

Who enforces PHIPA and what are the fines?

The Information and Privacy Commissioner of Ontario. Since January 1, 2024 the IPC can levy administrative monetary penalties up to $50,000 CAD for individuals and $500,000 CAD for organizations, and offence prosecutions can reach $1,000,000 CAD for organizations.

Does a US clinic with Canadian patients need to follow PHIPA?

Generally no; PHIPA regulates Ontario custodians. The US clinic follows HIPAA, though serving Canadian residents can raise separate Canadian privacy considerations worth confirming with counsel.

Can one hosting setup satisfy both laws?

The technical safeguards overlap heavily: encryption at rest and in transit, access controls, audit logging, and breach response map to 45 CFR § 164.312 on the HIPAA side and to PHIPA's section 12 security duty on the Ontario side. The contracts differ: a BAA for HIPAA, an agent or service provider agreement for PHIPA.

Where to go from here

If you are a US Covered Entity, or a vendor bound to one by a BAA, hipaacomplianthosting.com provides managed HIPAA cloud hosting on AWS; that is our business, so treat the recommendation accordingly. Ontario custodians should anchor any hosting decision in counsel review and a documented privacy impact assessment.

This article is general information, not legal advice. Consult qualified counsel about your obligations under HIPAA, PHIPA, or both, and base your safeguards on a documented risk analysis. Reviewed June 2026.
