Fax.Plus and Sign.Plus Are Now PHIPA Compliant for Ontario Healthcare

By Alohi Team, June 30, 2026

We have been helping healthcare teams move sensitive documents for years, and one question comes up constantly from our Canadian customers: "This is great, but is it PHIPA compliant?" As of today, the answer is a clear yes.

Fax.Plus and Sign.Plus are now PHIPA compliant for healthcare providers in Ontario. After a full compliance assessment of both services, we meet the requirements of Ontario's health privacy law, and we offer a dedicated PHIPA Service Provider Agreement for organizations that handle patient health information. If you run a clinic, hospital, pharmacy, or practice in Ontario and still fax patient records or collect legally binding electronic signatures, this one is for you.

What is PHIPA?

PHIPA is Ontario's health privacy law, and it stands for the Personal Health Information Protection Act. It controls how patient health information is collected, used, stored, and shared across the province, and it has been in force since 2004.

Here is the easy way to think about it. PHIPA is Ontario's version of HIPAA, the American health privacy law most people already know. Same goal, different country: keep a patient's medical information private and secure. The law is enforced by the Information and Privacy Commissioner of Ontario, an independent regulator that handles complaints and investigates breaches. Since 2024, the Commissioner can issue administrative monetary penalties of up to C$500,000 against an organization, so the rules carry real weight. If you want the American side of the story, our explainer on what HIPAA is walks through it.

Does PHIPA apply to providers like Fax.Plus and Sign.Plus?

PHIPA applies to Fax.Plus and Sign.Plus as agents, not as the parties that hold the main legal duty. That distinction is worth understanding, because it tells you exactly what you get from us and what stays on your plate.

PHIPA puts its core responsibilities on a Health Information Custodian, which is the healthcare organization itself: the doctor, the clinic, the hospital. The custodian decides what patient information to collect and who to send it to. Services like Fax.Plus and Sign.Plus act as agents, or electronic service providers. In plain terms, we provide the secure document workflow layer. You decide what to send and to whom; we make sure it travels and is stored safely. Duties like getting patient consent stay with you as the custodian. The security of the transmission and storage is on us. We built our whole assessment around that split, so there is no confusion about who covers what.

What did the PHIPA assessment cover?

The assessment reviewed every PHIPA requirement that applies to service providers in our role, and it closed with no open gaps at any risk level. The review covered the areas a healthcare organization actually cares about.

Safeguards and audit monitoring

Documents sent through Fax.Plus and documents handled through Sign.Plus are encrypted in transit (TLS 1.3) and at rest (256-bit AES with per-user keys). Access runs on unique user IDs, role-based permissions, two-factor authentication, and single sign-on. Every file transfer and access event is logged and exportable for audit. PHIPA expects more than just keeping logs; it expects active audit-trail monitoring, so we run automated daily anomaly checks rather than only reviewing logs after an incident. You can dig into the details on our security and privacy page or our breakdown of whether Fax.Plus is safe.

Breach handling

If a security incident touches a customer's data, our incident response process notifies that customer quickly with the details they need. This helps the provider meet its own PHIPA duty to notify affected patients and, where required, report to the IPC.

Service Provider Agreement

Providers handling patient health information get a PHIPA Service Provider Agreement that supplements the standard service agreement and sets out confidentiality, breach notification, and data handling terms in writing.

Retention and deletion

You control how long faxes are kept. Records can be removed individually, in bulk through the API, or fully on request, and deleted fax files are destroyed so they cannot be recovered.

Can Ontario healthcare data stay in Canada?

Yes. Ontario custodians can select a Canadian processing region for their Fax.Plus tenant under a custodian agreement, and that choice is enforced both technically, through region-pinning, and contractually. PHIPA does not actually require patient data to stay inside Ontario or Canada, but many custodians prefer it, and some build it into their own information practices. Offering a Canadian region removes that question before it becomes an objection.

How does PHIPA compliance relate to HIPAA, ISO 27001, and SOC 2?

PHIPA compliance builds directly on the certifications Fax.Plus and Sign.Plus already hold, rather than starting from zero. The services run under independently audited ISO 27001 and SOC 2 Type II programs, support HIPAA with a signed Business Associate Agreement for US healthcare customers, and store data under strong Swiss privacy law with 20+ data residency locations available.

A quick translation, since the acronyms pile up fast. ISO 27001 and SOC 2 Type II are essentially independent inspections of how a company protects data, carried out by outside auditors rather than the company itself. PHIPA compliance maps that same foundation onto Ontario's specific legal language. If you already trusted Fax.Plus or Sign.Plus on the strength of those certifications, PHIPA compliance is the next layer on the same base.

What should Ontario healthcare providers do next?

If your organization handles patient health information in Ontario and uses Fax.Plus or Sign.Plus, the next step is to request the PHIPA Service Provider Agreement so your vendor obligations are documented in writing. It is also worth having your privacy team confirm which PHIPA duties stay with you as the custodian, since some responsibilities, like patient consent and notifying individuals after a breach, cannot be handed off to a service provider.

To see how Fax.Plus fits a real healthcare workflow, visit our healthcare fax solution page or read up on HIPAA-compliant faxing.

Frequently Asked Questions

Are Fax.Plus and Sign.Plus PHIPA compliant?

Yes. Following a full compliance assessment, Fax.Plus and Sign.Plus meet PHIPA requirements for Ontario healthcare providers and offer a PHIPA Service Provider Agreement for organizations handling patient health information.

Does PHIPA require my data to stay in Canada?

No. PHIPA does not require patient data to remain in Ontario or Canada, but Fax.Plus offers a Canadian processing region for custodians who prefer or require local data handling.

Who is responsible for patient consent, Fax.Plus, Sign.Plus, or the provider?

The healthcare provider, as the custodian. Fax.Plus and Sign.Plus act as agents that help transmit, process, sign, and store documents securely; they do not collect patient consent on the provider's behalf.

Is there a PHIPA certificate or registration?

No. PHIPA does not run a central certification or registration program. Compliance means having the required policies, safeguards, and breach procedures in place and being able to demonstrate them on request.
