PHIPA
PHIPA (Personal Health Information Protection Act) is Ontario’s provincial health privacy law. It governs how health information custodians — including pharmacies — collect, use, disclose, and protect personal health information.
In Ontario, pharmacies are health information custodians under PHIPA. This means they are legally responsible for the personal health information they handle, including prescription records, patient identifiers, and medication histories.
What PHIPA means for pharmacy software vendors:
Any technology vendor that handles personal health information on behalf of a pharmacy is an “agent” under PHIPA and is bound by the law’s requirements. Pharmacies must ensure that:
- Vendors store and process data only within Canada (or under equivalent protections if outside Canada)
- The vendor has a written agreement covering permitted uses and security obligations
- The vendor’s subprocessors are disclosed
- Audit logs are available for regulatory review
When evaluating pharmacy automation vendors, ask specifically about Ontario PHIPA compliance if your pharmacy operates in Ontario. A vendor that cites HIPAA (the US equivalent) without mentioning PHIPA has not built compliance for Canadian requirements.
AutoRx is PHIPA-compliant by design. Patient data is stored exclusively in Canadian data centres, and all subprocessors are documented in the Trust Center.
