All posts

Compliance & privacy · July 3, 2026 · 8 min read

PHIPA-Compliant Practice Management Software: A Checklist for Ontario Therapists

What PHIPA actually requires from your practice software: data residency, safeguards, audit trails, retention, and the questions to ask any vendor before trusting them with PHI.

If you practise in Ontario, you are almost certainly the health information custodian for your clients' records under PHIPA, and your practice software vendor is your agent or electronic service provider. That means the legal duty is yours, and your software either helps you meet it or quietly undermines it. Here's the checklist that matters, in plain language.

1. Where does the data live?

PHIPA doesn't flatly prohibit data leaving Canada, but Canadian residency dramatically simplifies your obligations and your clients' trust. Ask the vendor where the database, backups, and file storage physically sit. PsychApp stores client data in Canada Central.

2. Technical safeguards (s.12 "reasonable measures")

At minimum, expect encryption in transit and at rest, per-user access controls at the database layer (not just the UI), two-factor authentication, and automatic sign-out on idle workstations. If a vendor can't say "row-level security" or explain their session policy, keep looking.

3. Audit trails

When a college or the IPC asks "who accessed this record and when," you need an answer. PsychApp keeps an append-only audit log covering note signing, record changes, file access, and billing actions, visible to you in Settings.

4. Records that behave like clinical records

  • Signed notes must lock; corrections happen through dated addenda, never silent edits.
  • Deleting a client's chart during a retention period is a compliance failure. Software should push you toward archiving (chart retained, restorable) instead of deletion.
  • Retention: CRPO and CPO expect 10 years from last contact (longer for minors); OCSWSSW at least 7.

5. The vendor relationship on paper

Ask for the vendor's privacy policy naming its subprocessors, a service agreement recognizing your custodian role, and their breach notification commitment. Then do your side: designate a privacy officer (it can be you), keep a breach response plan, and document consent.

6. Questions to email any vendor today

  • Where exactly is PHI stored and backed up?
  • Do you support MFA and idle timeout?
  • Is there an immutable audit trail I can see?
  • What happens to my data if I leave?
  • Do you use client data to train AI models? (The only good answer is no.)

PsychApp publishes its answers in its privacy policy and maintains a compliance program document mapping PHIPA and college obligations to platform behaviour. See how PsychApp handles privacy.

Frequently asked questions

Does PHIPA require my practice software to store data in Canada?

Not in absolute terms, but extra-provincial storage adds transparency and safeguard obligations. Canadian residency is the cleaner path and what most Ontario custodians prefer; PsychApp stores client data in Canada Central.

Am I the custodian, or is my software vendor?

In private practice, you are almost always the custodian; the vendor acts as your electronic service provider under your instructions. You cannot outsource the legal responsibility — only the infrastructure.

Keep reading

Ready to try PsychApp?

14-day free trial. No credit card required. Set up in an afternoon.

Start your free trial