Overview
Dental clinics in Ontario must comply with specific privacy and security standards to protect patient information and ensure proper healthcare delivery. This page outlines the key compliance requirements with links to official sources.
1. PHIPA – Personal Health Information Protection Act, 2004
What it is: Ontario's primary provincial law governing how dental practices handle personal health information (PHI).
Key Requirements:
- Encryption of all electronic patient records
- Unique user IDs and periodic password changes for access control
- Protection software (anti-virus, anti-malware, firewalls)
- Regular security updates and patches
- Annual security awareness training for all staff (legally required)
- Written policies for data access, correction, and breach response
- Physical security measures (locked areas, access controls)
Official Source:
Personal Health Information Protection Act, 2004 – Ontario.ca
2. RCDSO – Royal College of Dental Surgeons of Ontario
What it is: The regulatory body for Ontario dentists, providing professional standards and guidelines.
Key Requirements:
- Compliance with Electronic Records Management Guidelines
- Implementation of appropriate security safeguards for electronic records
- Regular training and policies for staff
- Risk assessments and ongoing monitoring
- Proper vetting of cloud service providers (if using cloud storage)
Official Sources:
RCDSO Standards, Guidelines & Resources
Electronic Records Management Guideline
3. Mandatory Breach Reporting (Since October 2017)
What it is: Legal requirement to report certain privacy breaches to the Information and Privacy Commissioner of Ontario (IPC).
When to Report to IPC:
- Unauthorized use or disclosure by someone who knew, or ought to have known, that it was not permitted
- Stolen information (lost or stolen devices, paper records, ransomware attacks)
- Further unauthorized use after an initial breach
- Pattern of similar breaches indicating systemic issues
- Disciplinary action against a college member or non-member
- Significant breaches involving sensitive information or many individuals
- Unauthorized collection via electronic health records
What to Include:
- Circumstances of the breach
- Steps taken to contain and remediate
- Notification to affected individuals
- Nature of compromised information
Official Sources:
IPC Ontario – Report a Health Privacy Breach
IPC Breach Notification Guidelines (PDF)
Annual Reporting: By March 1 each year, dental clinics must submit to the IPC statistics on ALL privacy breaches from the previous calendar year, including breaches that did not require immediate reporting.
Essential Cybersecurity Controls for Compliance
To meet the above standards, dental clinics must implement:
- Encryption – Full disk encryption, encrypted email and backups
- Access Controls – Unique user IDs, strong passwords, multi-factor authentication
- Network Security – Firewalls, network segmentation, secure Wi-Fi
- Endpoint Protection – Anti-virus, anti-malware, regular patching
- Monitoring – 24/7 network monitoring, security event logging
- Backup & Recovery – Regular automated backups with tested recovery
- Annual Training – Mandatory security awareness training for all staff
- Documentation – Written policies, procedures, and incident logs
- Vendor Management – Security agreements with third-party providers
Key Contacts & Resources
Information and Privacy Commissioner of Ontario (IPC)
Website: www.ipc.on.ca
Report a Breach: IPC Breach Reporting Form
Royal College of Dental Surgeons of Ontario (RCDSO)
Website: www.rcdso.org
Practice Advisory Service: [email protected]
Ontario Government – PHIPA Legislation
Full Act: ontario.ca/laws/statute/04p03
Additional Compliance Resources
Last Updated: October 2025
This information is provided as a general guide. For specific compliance questions related to your dental practice, please consult with legal counsel or contact the regulatory bodies directly.