HIPA, PHIPA, and PIPEDA for Saskatchewan clinics: what you actually have to do (2026)
The three laws in one paragraph
HIPA (the Saskatchewan Health Information Protection Act) is the provincial law that governs how trustees (clinics, pharmacies, physicians, eHealth Saskatchewan) collect, use, store, and disclose personal health information in Saskatchewan. It is enforced by the Saskatchewan Information and Privacy Commissioner (OIPC). PIPEDA is the federal private-sector privacy law; it applies to commercial activity (for example billing data and contractor relationships) that crosses provincial borders. PHIPA is the Ontario equivalent: when a vendor's documentation says "PHIPA," it almost always describes the same control set, which satisfies HIPA in practice. In Saskatchewan, the binding law is HIPA.
Who is a "trustee" — and why it matters
Under HIPA, a trustee is the person or organization with custody or control of personal health information. For a private medical clinic, the trustee is typically the physician (sole practitioner) or the clinic corporation. Pharmacies are trustees in their own right. Your IT provider is not a trustee — we are an information management service provider under section 18 of HIPA, and the trustee must have a written agreement with us before we touch PHI. A clinic without that agreement on file is the first finding an OIPC investigator will write up.
The HIPA controls an OIPC review actually checks
The OIPC's published investigation reports are the best guide to what gets flagged. Across the last five years, the recurring themes are:
- Access controls and audit logs. Unique user accounts (no shared logins), role-based access in the EMR, and the ability to produce an access log for a named patient on request.
- Encryption at rest and in transit. Full-disk encryption on every device that touches PHI (BitLocker / FileVault), TLS on every connection, and encrypted backups.
- Written privacy and security policies. Clinic-specific, signed, and reviewed annually. Generic downloaded templates without a clinic name in them are a finding.
- Staff training. Documented privacy training at hire and at least annually thereafter, with a signed acknowledgement on file.
- Breach response procedure. A written plan that names a Privacy Officer, defines what counts as a breach, and commits to notifying the OIPC and affected patients when material risk exists.
- Information management service provider agreements. Signed agreements with your IT provider, EMR vendor, backup vendor, AI scribe vendor — anyone who can technically access PHI.
- Disposal records. Certificates of destruction for retired drives, workstations, and paper records.
HIPA vs PIPEDA: which one applies to what
| Data | Primary law | Practical implication |
|---|---|---|
| Patient chart, lab result, prescription | HIPA | Trustee duties, OIPC oversight, IMSP agreement required. |
| Billing data sent to TELUS / WSIB / out-of-province insurer | HIPA + PIPEDA | Cross-border commercial activity adds PIPEDA on top. |
| Employee HR records | PIPEDA (federal-works) or provincial labour law | Not PHI; still requires reasonable security. |
| Website contact-form submissions | PIPEDA / CASL | Consent for marketing, retention policy, breach notification. |
Cloud and data residency under HIPA
HIPA does not strictly require that PHI stay in Canada, but section 16 requires the trustee to do a risk assessment before disclosing PHI outside Saskatchewan, and the OIPC has consistently expected a documented decision when PHI leaves the country. Microsoft 365 with a Canadian-region tenant (Toronto / Quebec City data centres), an EMR hosted in Canada, and backups stored in Canada is the path of least friction. Using a US-only AI scribe, a US-hosted backup, or a consumer file-sharing tool without a risk assessment is the configuration that generates findings.
The Privacy Officer role — who, and what they actually do
HIPA requires every trustee to designate a contact for privacy enquiries. In a two-physician clinic this is usually one of the physicians or the office manager; in a larger group it should be a named non-physician. The Privacy Officer:
- Receives access and correction requests from patients and responds within 30 days.
- Owns the breach response procedure and notifies the OIPC when required.
- Approves new technology that touches PHI (new EMR module, AI scribe, telehealth tool).
- Reviews the audit logs at least quarterly for unusual access patterns.
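Two of the duties above (producing an access log for a named patient on request, and the quarterly review for unusual access patterns) are easier to hold to if they are scripted rather than eyeballed. The following is an added example written for this page; it is not code from any EMR vendor or from the author's practice. It assumes a simple comma-separated audit export (`timestamp,user,role,patient_id,action`) constructed for the example, an encounter roster that says which charts each user had a documented reason to open, and hypothetical clinic hours and a bulk-access threshold; all of those are assumptions to adapt to the real EMR export.

```python
"""Quarterly EMR access-log review helper (added example, not vendor or clinic code).

Assumed export format, constructed for this example:
    timestamp,user,role,patient_id,action
Real EMR audit exports differ; adapt parse_line() to the vendor's format.
"""
from collections import defaultdict
from datetime import datetime, time, timedelta

# Constructed sample export (not real data; user names and patient ids are hypothetical).
SAMPLE_LOG = """\
2026-01-14T09:12:03,dr.ahmed,physician,P-1001,view
2026-01-14T09:15:40,dr.ahmed,physician,P-1001,update
2026-01-14T10:02:11,mreid,reception,P-1002,view
2026-01-14T22:47:55,mreid,reception,P-1003,view
2026-01-15T09:00:10,jsmith,nurse,P-1004,view
2026-01-15T09:00:12,jsmith,nurse,P-1005,view
2026-01-16T12:30:00,jsmith,nurse,P-1006,view
2026-01-20T13:00:05,tlee,reception,P-2001,view
2026-01-20T13:00:14,tlee,reception,P-2002,view
2026-01-20T13:00:22,tlee,reception,P-2003,view
2026-01-20T13:00:31,tlee,reception,P-2004,view
2026-01-20T13:00:40,tlee,reception,P-2005,view
"""

# Hypothetical encounter roster: charts each user had a documented reason to open this
# quarter. In practice this comes from the scheduling or EMR system.
ENCOUNTERS = {
    "dr.ahmed": {"P-1001", "P-1002"},
    "mreid": {"P-1001", "P-1002", "P-1003"},
    "jsmith": {"P-1004", "P-1005"},
    "tlee": {"P-2001", "P-2002", "P-2003", "P-2004", "P-2005"},
}

CLINIC_OPEN, CLINIC_CLOSE = time(7, 30), time(18, 30)  # assumed clinic hours
BULK_THRESHOLD = 5                 # distinct charts by one user within BULK_WINDOW (assumed)
BULK_WINDOW = timedelta(minutes=1)


def parse_line(line):
    """Parse one export line into a dict; timestamps are ISO 8601 local time."""
    ts, user, role, patient_id, action = line.strip().split(",")
    return {"ts": datetime.fromisoformat(ts), "user": user, "role": role,
            "patient": patient_id, "action": action}


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def patient_access_report(events, patient_id):
    """Every access to one chart, oldest first: what a 'who looked at my record'
    request under HIPA needs the clinic to be able to produce."""
    rows = sorted((e for e in events if e["patient"] == patient_id), key=lambda e: e["ts"])
    return [(e["ts"].isoformat(), e["user"], e["role"], e["action"]) for e in rows]


def find_unusual_access(events, encounters=ENCOUNTERS):
    """Flag access patterns worth the Privacy Officer's attention.

    Returns (reason, user, detail, timestamp) tuples. Reasons:
      no_encounter  - user opened a chart with no documented encounter
      after_hours   - access outside the assumed clinic hours
      bulk_access   - many distinct charts opened by one user in a short window
    """
    findings = []
    for e in events:
        if e["patient"] not in encounters.get(e["user"], set()):
            findings.append(("no_encounter", e["user"], e["patient"], e["ts"].isoformat()))
        if not (CLINIC_OPEN <= e["ts"].time() <= CLINIC_CLOSE):
            findings.append(("after_hours", e["user"], e["patient"], e["ts"].isoformat()))

    # Bulk access: sliding one-minute window over each user's accesses, counting
    # distinct charts; one finding per user is enough to trigger a review.
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev["ts"]):
        by_user[e["user"]].append(e)
    for user, evs in by_user.items():
        for i, start in enumerate(evs):
            window = [x for x in evs[i:] if x["ts"] - start["ts"] <= BULK_WINDOW]
            charts = {x["patient"] for x in window}
            if len(charts) >= BULK_THRESHOLD:
                findings.append(("bulk_access", user, f"{len(charts)} charts",
                                 start["ts"].isoformat()))
                break
    return findings


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for row in patient_access_report(events, "P-1001"):
        print("P-1001:", *row)
    for finding in find_unusual_access(events):
        print("REVIEW:", *finding)
```

On the constructed sample the script reports two accesses to P-1001, and raises three review items: an after-hours view by reception, a nurse opening a chart with no encounter on file (the classic snooping pattern), and one user opening five charts inside a minute. Save the printed output with the date of the review; that file is the "record that it happened" the checklist later in this page asks for.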
Breach notification: when you have to call the OIPC
A 2023 HIPA amendment added a mandatory breach-notification duty when a breach creates a "material risk of significant harm." The trustee must notify the affected individual and the OIPC. In practice, the threshold is low for clinical data: a lost unencrypted laptop, a misdirected fax of a chart, an employee snooping in a neighbour's record, or a ransomware incident that touched the EMR server all typically clear the bar. The notification clock starts when the trustee becomes aware of the breach, not when the incident occurred.
The honest IT checklist for HIPA defensibility
- Unique accounts for every user; MFA enforced; shared logins eliminated.
- BitLocker / FileVault on every workstation and laptop.
- Endpoint detection and response (EDR), not just legacy antivirus.
- Microsoft 365 Business Premium or equivalent, tenant in a Canadian region.
- Image-based backups with at least one immutable / offsite copy, tested quarterly.
- Signed information management service provider agreement with the IT provider.
- Privacy and security policies named to the clinic, reviewed annually.
- Documented privacy training, signed by every staff member, refreshed annually.
- Written breach response procedure with the Privacy Officer named.
- Quarterly audit log review and a record that it happened.
We package this as a free Saskatchewan clinic cybersecurity checklist (PDF) you can hand to your office manager. If you'd like us to run the assessment for you, book a 30-minute review.
Frequently asked
- Is HIPA the same as PHIPA?
- No. HIPA is Saskatchewan's Health Information Protection Act. PHIPA is the Ontario equivalent. The control sets are close enough that vendor documentation written for PHIPA generally satisfies HIPA, but in Saskatchewan the binding law is HIPA and the regulator is the Saskatchewan OIPC.
- Does HIPA require patient data to stay in Canada?
- Not strictly. HIPA requires a documented risk assessment before PHI is disclosed outside Saskatchewan, and OIPC findings consistently expect a defensible decision when PHI leaves the country. Canadian-region cloud services are the path of least friction.
- Do we need a signed agreement with our IT provider?
- Yes. Under section 18 of HIPA, the trustee must have a written information management service provider agreement with anyone who can technically access PHI on their behalf — including your IT MSP, EMR vendor, backup vendor, and AI scribe vendor.
- Who has to be the Privacy Officer?
- HIPA requires the trustee to designate a contact for privacy enquiries. It can be a physician, the office manager, or a named external advisor. In a clinic with more than a few physicians, naming a non-physician is usually more workable.
- When does a breach have to be reported to the OIPC?
- Since the 2023 HIPA amendments, when a breach creates a material risk of significant harm to an individual. In practice, lost unencrypted devices, misdirected faxes, snooping incidents, and ransomware events that touch the EMR almost always meet this threshold.
Request a free assessment
A named technician will reach out within one business day.
