
PIPEDA Compliance for Dental Offices: What Your IT Provider Should Be Doing

Samy Azer, CEO
December 5, 2024

Every Canadian dental office that collects, uses, or discloses personal health information is subject to PIPEDA — the Personal Information Protection and Electronic Documents Act. Most dental offices we audit are unknowingly non-compliant in multiple areas. The enforcement risks are real: complaints, OPC investigations, and reputational damage that can follow a practice for years.

Here's what PIPEDA requires from a technology perspective, and what your IT provider should actively be doing to keep you compliant.

What Is PIPEDA and Why Does It Apply to You?

PIPEDA governs how private-sector organizations collect, use, and disclose personal information in the course of commercial activity. For a dental practice, this includes patient names, contact information, health history, payment information, X-rays, treatment records — essentially everything in your patient management system.

Ontario dental practices are also subject to PHIPA (Personal Health Information Protection Act), which has similar and in some cases stricter requirements. When in doubt, following the stricter standard is the safe approach.

A Brampton dental office we onboarded had patient X-rays stored on an unencrypted shared drive accessible to everyone in the office, including front desk staff with no clinical role. Under PIPEDA and PHIPA, this is a clear violation. It was fixed within 48 hours of discovery — but they'd been operating that way for 4 years.

The IT Compliance Checklist: What Your Provider Should Have Done

1. Encryption at Rest and in Transit

All devices storing patient data — workstations, servers, laptops — must use full-disk encryption. Windows BitLocker or equivalent must be enabled and verified. Patient data transmitted over your network or to the cloud must use TLS encryption. If your practice management software transmits data unencrypted, that's a compliance gap your IT provider should have caught and flagged.
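As an added example (not Starcomm's tooling or anything from the original article), here is a PowerShell check an IT provider could run on each Windows workstation or server to verify, rather than assume, that BitLocker protects every fixed volume. It uses the built-in BitLocker module; the report path is an assumed location.

```powershell
# Added example: verify BitLocker on every lettered fixed volume of this machine.
# Requires the built-in BitLocker module (Windows Pro/Enterprise) and an
# elevated session. Writes a per-volume compliance record to CSV and returns
# $true only when every volume passes. Report path is an assumed location.

function Test-BitLockerCompliance {
    [CmdletBinding()]
    param(
        # Assumed location; point this at wherever compliance evidence is kept.
        [string]$ReportPath = "C:\ComplianceReports\bitlocker-$env:COMPUTERNAME.csv"
    )

    $fixedDrives = Get-Volume | Where-Object { $_.DriveType -eq 'Fixed' -and "$($_.DriveLetter)" -match '^[A-Z]$' }
    $results = foreach ($drive in $fixedDrives) {
        $mount = "$($drive.DriveLetter):"
        $bl = Get-BitLockerVolume -MountPoint $mount -ErrorAction SilentlyContinue
        # A recovery password protector keeps the data recoverable if the TPM
        # or the machine itself fails; its absence is a backup risk, not just an
        # encryption gap.
        $hasRecoveryKey = [bool]($bl.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
        # Compliant only if fully encrypted AND protection is on (not suspended)
        # AND a recovery password exists.
        $compliant = $bl -and
                     $bl.VolumeStatus -eq 'FullyEncrypted' -and
                     $bl.ProtectionStatus -eq 'On' -and
                     $hasRecoveryKey
        [pscustomobject]@{
            Computer         = $env:COMPUTERNAME
            MountPoint       = $mount
            VolumeStatus     = if ($bl) { "$($bl.VolumeStatus)" } else { 'NotBitLockered' }
            ProtectionStatus = if ($bl) { "$($bl.ProtectionStatus)" } else { 'Off' }
            EncryptionMethod = if ($bl) { "$($bl.EncryptionMethod)" } else { 'None' }
            RecoveryPassword = $hasRecoveryKey
            Compliant        = [bool]$compliant
            CheckedAt        = (Get-Date).ToString('o')
        }
    }

    New-Item -ItemType Directory -Path (Split-Path $ReportPath) -Force | Out-Null
    $results | Export-Csv -Path $ReportPath -NoTypeInformation
    $results | Format-Table -AutoSize

    $nonCompliant = @($results | Where-Object { -not $_.Compliant })
    if ($nonCompliant.Count -gt 0) {
        Write-Warning "$($nonCompliant.Count) volume(s) on $env:COMPUTERNAME are not BitLocker-compliant."
        return $false
    }
    return $true
}

Test-BitLockerCompliance
```

Running this on a schedule and keeping the CSV output gives the provider dated evidence that encryption was verified, not just enabled once.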

2. Access Controls and Least Privilege

Not every staff member should have access to every patient record. Your IT configuration should limit user access based on role: clinical staff see clinical records, admin staff see what they need for billing and scheduling. Each user should have a unique login — shared passwords are a PIPEDA violation. Your IT provider should have set this up using Active Directory or equivalent role-based access control.

3. Audit Logging

You must be able to demonstrate who accessed what patient data and when. Your practice management system and network should generate audit logs that are retained for a minimum of 7 years. These logs are your proof of due diligence if a complaint is ever filed. Ask your IT provider when they last reviewed your audit log configuration — most haven't.

4. Secure, Tested Backups

Patient records must be backed up and recoverable. Your backups must be encrypted (a backup stored unencrypted is a compliance risk in itself). Recovery must be tested regularly. If your backup hasn't been restored and verified in the last 90 days, you don't actually know it works.

5. Patch Management and Endpoint Security

Unpatched systems are the most common vector for data breaches involving health information. Your IT provider should be applying Windows updates, firmware updates, and antivirus definition updates on a regular automated schedule. Every endpoint — including the front desk computers that staff use between patients — must have active, updated endpoint protection.

6. Business Associate Agreements with Vendors

Any vendor that handles patient data on your behalf — your practice management software company, your cloud backup provider, your IT provider — should have a written data processing agreement in place. Your IT provider should be able to tell you exactly which of your vendors handle PHI and confirm that agreements exist.

7. Breach Response Plan

PIPEDA requires mandatory breach reporting to the Office of the Privacy Commissioner if a breach creates a "real risk of significant harm." You need a documented breach response plan that defines who is notified, what steps are taken, and how affected patients are informed. Your IT provider should be part of this plan and able to conduct forensic analysis of a suspected breach.

Questions to Ask Your IT Provider Today

  • Is full-disk encryption enabled on every device that stores patient data?
  • Can you show me the role-based access control configuration?
  • When was our backup last tested with a full restore?
  • Are audit logs being retained for 7 years?
  • Have you reviewed our vendor agreements for data processing clauses?

If your IT provider can't answer these questions confidently, it's time to have a more serious conversation — or find a provider who specializes in healthcare IT compliance. Starcomm has been supporting dental offices in the GTA for over 25 years. PIPEDA compliance isn't a checkbox for us — it's part of every managed IT engagement we run for healthcare clients.


Samy Azer

Founder & CEO, Starcomm Technologies

Samy and his team specialize in IT compliance for dental and medical practices across the GTA. Starcomm has supported over 50 dental offices with PIPEDA-compliant IT infrastructure since 1999.

Is Your Dental Practice Truly Compliant?

Book a free PIPEDA & PHIPA IT audit. We'll give you a written report and a clear action plan — no obligation.
