Why PHIPA Matters for Your Dental Practice
Every dental office in Ontario collects, uses, and discloses personal health information (PHI) — patient records, X-rays, treatment notes, insurance claims. Under the Personal Health Information Protection Act (PHIPA), your practice has specific legal obligations to protect that information.
A PHIPA investigation can be triggered by a single patient complaint. Fines can reach $100,000 per violation, and in cases of egregious non-compliance, the Information and Privacy Commissioner of Ontario (IPC) can order mandatory audits and reporting obligations that last for years.
This checklist covers the key IT controls and policies your dental office needs to maintain PHIPA compliance in 2026.
Section 1: Physical Safeguards
- ☐ Reception computers are positioned so patient screens are not visible from the waiting area
- ☐ Server room or IT closet is locked and access-restricted
- ☐ Laptops used for patient data are encrypted (BitLocker/FileVault)
- ☐ Paper records are stored in locked cabinets
- ☐ Shredding policy in place for paper documents containing PHI
Section 2: Technical Safeguards
- ☐ All workstations require password login with auto-lock after 5 minutes
- ☐ Multi-factor authentication (MFA) enabled for email and remote access
- ☐ Anti-virus/EDR solution installed and actively monitored on all endpoints
- ☐ Firewall configured and managed (not default consumer router)
- ☐ Guest Wi-Fi is separate from clinical network
- ☐ Remote access (for staff working from home) uses VPN or zero-trust solution
- ☐ Dentrix/Eaglesoft database backed up daily to an encrypted, offsite location
- ☐ Backup restores tested quarterly
- ☐ Software patching applied within 30 days of release (critical patches within 72 hours)
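Several items in Sections 1 and 2 can be verified directly on each Windows workstation rather than taken on trust. The script below is an added example, not code from the original checklist or from Group 4 Networks. It assumes a Windows 10/11 endpoint running Microsoft Defender with the BitLocker and NetSecurity PowerShell modules present, and it is run from an elevated session; the thresholds (5-minute lock, 30-day patch window, 7-day signature age) are taken from the checklist or are labelled assumptions in the comments. Offices using a third-party EDR should treat the Defender check as informational only.

```powershell
# Added example (not the checklist author's code): read-only self-check of one
# workstation against the Section 1/2 technical items. Run elevated on Windows 10/11.
$results = [System.Collections.Generic.List[object]]::new()
function Add-Result($Control, $Pass, $Detail) {
    $results.Add([pscustomobject]@{ Control = $Control; Pass = [bool]$Pass; Detail = $Detail })
}

# Section 1: laptop/OS volume encrypted with BitLocker
try {
    $os = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop
    Add-Result 'Disk encryption (BitLocker)' ($os.ProtectionStatus -eq 'On') `
        "ProtectionStatus=$($os.ProtectionStatus), $($os.EncryptionPercentage)% encrypted"
} catch {
    Add-Result 'Disk encryption (BitLocker)' $false "BitLocker status unavailable: $($_.Exception.Message)"
}

# Section 2: auto-lock after 5 minutes (300 s) with password on resume.
# Note: Group Policy may instead set these under HKCU:\Software\Policies\...\Control Panel\Desktop.
$desk = Get-ItemProperty -Path 'HKCU:\Control Panel\Desktop' -ErrorAction SilentlyContinue
$timeout = if ($desk.ScreenSaveTimeOut)   { [int]$desk.ScreenSaveTimeOut }   else { 0 }
$secure  = if ($desk.ScreenSaverIsSecure) { [int]$desk.ScreenSaverIsSecure } else { 0 }
$active  = if ($desk.ScreenSaveActive)    { [int]$desk.ScreenSaveActive }    else { 0 }
$lockOk  = ($active -eq 1) -and ($secure -eq 1) -and ($timeout -gt 0) -and ($timeout -le 300)
Add-Result 'Auto-lock within 5 minutes' $lockOk `
    "ScreenSaveActive=$active ScreenSaverIsSecure=$secure ScreenSaveTimeOut=$timeout s"

# Section 2: AV/EDR active and signatures fresh (7-day limit is an assumption, not from the checklist)
try {
    $mp = Get-MpComputerStatus -ErrorAction Stop
    $sigAge = (Get-Date) - $mp.AntivirusSignatureLastUpdated
    Add-Result 'AV real-time protection' ($mp.RealTimeProtectionEnabled -and $sigAge.TotalDays -lt 7) `
        "RealTime=$($mp.RealTimeProtectionEnabled), signatures $([int]$sigAge.TotalDays) days old"
} catch {
    Add-Result 'AV real-time protection' $false "Defender status unavailable (third-party EDR? verify manually)"
}

# Section 2: host firewall enabled on every profile (Domain, Private, Public)
$fw = Get-NetFirewallProfile
$fwOff = @($fw | Where-Object { "$($_.Enabled)" -ne 'True' }).Count
Add-Result 'Windows Firewall all profiles' ($fwOff -eq 0) `
    (($fw | ForEach-Object { "$($_.Name)=$($_.Enabled)" }) -join ', ')

# Section 2: patching within 30 days, judged by the most recent installed hotfix
$hot = Get-HotFix | Where-Object { $_.InstalledOn } | Sort-Object InstalledOn -Descending | Select-Object -First 1
if ($hot) {
    $patchAge = ((Get-Date) - $hot.InstalledOn).Days
    Add-Result 'Patched within 30 days' ($patchAge -le 30) `
        "Latest: $($hot.HotFixID) installed $($hot.InstalledOn.ToShortDateString()) ($patchAge days ago)"
} else {
    Add-Result 'Patched within 30 days' $false 'No hotfix install dates found; check Windows Update history'
}

# Report: one row per control, so the output can be filed as evidence for the checklist
$results | Format-Table Control, Pass, Detail -AutoSize
$failed = @($results | Where-Object { -not $_.Pass }).Count
Write-Host "$failed of $($results.Count) checks failed on $env:COMPUTERNAME"
```

The output table doubles as a dated compliance artifact for the workstation; keeping a copy per machine each quarter gives the Privacy Officer the evidence trail an IPC inquiry would ask for. The script only reads state and changes nothing, so it is safe to run on production clinical workstations between patients.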
Section 3: Access Controls
- ☐ Each staff member has their own login credentials (no shared passwords)
- ☐ Access to patient records is limited to staff who need it for their role
- ☐ Terminated employees' access is revoked within 24 hours
- ☐ Audit logs track who accessed which patient records and when
- ☐ Privileged admin accounts are separate from daily-use accounts
Section 4: Third-Party Vendors
- ☐ A list of all vendors who access patient data has been documented
- ☐ Data processing agreements (or BAAs) are in place with each vendor
- ☐ US-based cloud vendors (e.g., Microsoft 365) have appropriate data residency or BAA in place
- ☐ Vendor access is reviewed annually
- ☐ X-ray software vendor's cloud storage location confirmed
Section 5: Privacy Policies & Procedures
- ☐ Written Privacy Policy posted in reception and available on website
- ☐ Privacy Officer designated (can be the dentist or office manager)
- ☐ Staff have completed privacy training in the past 12 months
- ☐ Breach response procedure documented and staff trained
- ☐ Patient consent forms updated to reflect current data practices
Section 6: Breach Response
- ☐ Breach response plan exists and has been tested
- ☐ IPC breach notification procedure understood (mandatory for significant breaches)
- ☐ Patient notification procedure documented
- ☐ Breach log maintained
Common PHIPA Violations in Dental Offices
The most common PHIPA issues we find when auditing GTA dental practices:
- Shared workstation passwords: When staff share login credentials, there's no way to audit who accessed what record
- No backups or untested backups: A ransomware attack becomes catastrophic without confirmed working backups
- Unencrypted laptops: A stolen laptop with unencrypted patient data is an automatic reportable breach
- Unmanaged vendor access: Former software vendors still hold remote-access credentials that were never revoked
- No staff training records: Compliance cannot be demonstrated without training documentation
Get a Free PHIPA IT Assessment for Your Dental Office
Group 4 Networks provides specialized PHIPA compliance assessments for GTA dental practices. In 30 minutes, we'll identify your top compliance gaps and provide a written report — at no charge.