PHIPA at 22: lessons from two decades of Ontario health privacy law
February 14, 2026 · 8 min read · Merakey Team
Ontario's Personal Health Information Protection Act came into force in 2004. Twenty-two years later, the law is still the controlling framework for how personal health information is collected, used, and disclosed in the province. It has aged better than most of its contemporaries. Looking back at how PHIPA has been interpreted, enforced, and tested in court tells us a lot about where AI in Ontario healthcare is heading.
What the law got right
PHIPA's core insight, in 2004, was that health information is different from other personal information. Health data is sensitive, mistakes are consequential, and the relationship between custodian and patient is built on trust that the data will not be shared without permission. The Act made the custodian relationship explicit, and built specific obligations around it: knowledge consent, purpose limitation, accountability for agents.
That structure has held up. Twenty years of new technology, new business models, and new clinical practice have all fit inside the original frame. The Information and Privacy Commissioner of Ontario has interpreted the Act broadly, sometimes generously to data subjects, sometimes pragmatically toward custodians, but consistently within the original logic.
Where the law has been tested
The cases that have produced the most law are the ones at the edges. Snooping cases, where staff at hospitals accessed records they had no business reading. Vendor cases, where a service provider used patient information for a purpose the custodian had not approved. Cross-border cases, where data flowed to a US-based service and the custodian had not adequately considered the implications.
The pattern in the case law is consistent. The IPC has repeatedly held custodians responsible not just for what they did with data, but for what their agents and service providers did. That accountability is the through-line. It is also the rule that makes AI deployments more complex than custodians often realize.
What this means for AI
When a hospital, agency, or clinic uses an AI tool, the AI provider is an agent under PHIPA. The custodian is responsible for what the agent does. That includes what the agent does with the prompts, with the responses, with any logging, with any model training. A privacy policy that says "data may be used to improve the model" is not a defence. It is a problem, because the custodian has consented to a use the patient never agreed to.
This is why self-hosted AI, or AI hosted entirely under the custodian's control, has a structural advantage. There is no third-party agent doing things the custodian cannot fully audit. The chain of accountability stays inside the organization.
What the next decade looks like
Bill C-27 will likely add more granular AI rules at the federal level. Ontario may update PHIPA to address automated decision-making explicitly. The IPC will continue to publish guidance, and case law will continue to clarify the edges. None of this changes the foundation. Custodians are accountable for what their agents do with health information. AI agents are no different.
Twenty-two years in, the practical lesson of PHIPA is the same as it was in 2004: build for accountability, not for excuses. Sentinel's architecture starts from this assumption. The custodian sees every prompt, every response, every log entry, with no third party in the middle.
Related articles
PIPEDA and AI chatbots: what healthcare organizations need to know in 2026
PIPEDA applies the moment a chatbot touches patient data. Cloud-hosted LLMs create cross-border data flows most agencies haven't accounted for. Here's what the law requires.
Self-hosted vs. cloud AI: why 43% of healthcare orgs are choosing local
Healthcare organizations are moving AI workloads off the cloud. We compare self-hosted and cloud AI for regulated industries, covering data sovereignty, PIPEDA compliance, and the real cost of a breach.
Ready to see Meridian in action?
See how Sentinel keeps every prompt, response, and log inside the custodian's control, with no third party in the middle.
Book a Demo