If your security team works inside a hospital, clinic, or long-term care home in Ontario, PHIPA security compliance isn’t a back-office privacy matter — it’s part of the front-line job. Guards see patient names on triage boards, overhear clinical conversations, write incident reports that name patients, and monitor cameras that capture people at their most vulnerable. Under Ontario’s Personal Health Information Protection Act, 2004 (PHIPA), all of that is regulated. This guide explains, in plain terms, what PHIPA asks of a healthcare security operation, where your guards actually fit in the law, and what to confirm before you bring a provider on site. For the bigger picture of how we approach this, see our healthcare security services in Canada.

What PHIPA actually is — and which law governs your site

PHIPA is Ontario’s health-privacy law. It governs how “health information custodians” — hospitals, clinics, doctors, long-term care homes — collect, use, and disclose personal health information (PHI). Oversight sits with the Information and Privacy Commissioner of Ontario (IPC), which investigates complaints and breaches.

Which statute applies depends on where you operate. A Toronto hospital answers to PHIPA; an Alberta facility answers to the Health Information Act (HIA). A common and costly error is a security vendor applying the wrong jurisdiction’s privacy framework — a clear sign they don’t understand the environment they’re working in.

The practical takeaway: your security provider doesn’t need to be a privacy lawyer, but it does need to know which law governs your building and train its officers accordingly.

Where security guards fit: the “agent” concept

Here’s the part most facility managers miss. Under PHIPA, a security officer working on your behalf is usually treated as an agent of the custodian — meaning your hospital. When your guard handles PHI, the hospital remains legally accountable for how that information is treated.

That has three concrete consequences:

  • Your PHIPA obligations extend to the guard. Training, confidentiality, and access rules that apply to staff apply to contracted security too.
  • Access must be limited to what the role needs. A guard doesn’t need to read charts to do their job; they need to know a patient is a flight risk, not their diagnosis.
  • The contract matters. Your service agreement should require the vendor to bind its officers to PHIPA-consistent confidentiality and to notify you immediately of any privacy incident.

The everyday moments where PHI shows up in security work

PHIPA compliance for security isn’t abstract. It lives in ordinary shifts:

  • Incident reports. A report naming a patient, their room, and what happened is PHI. It must be stored securely and shared only with authorized staff.
  • CCTV and monitoring. Cameras in clinical areas capture PHI by design. Recording, retention, and who can view footage all fall under the custodian’s PHIPA responsibilities — one reason security camera systems in healthcare need to be planned with privacy in mind, not just coverage.
  • Patient watch and escorts. Sitting with a patient on constant observation means hearing and seeing PHI for an entire shift. We cover the operational side of this in patient watch operational standards.
  • Whiteboards and handovers. Guards positioned near nursing stations routinely see names and statuses. The rule is simple: observe what you must, disclose nothing you don’t have to.

The standard officers should be trained to is “minimum necessary” — collect, view, and share only the PHI the safety task genuinely requires.

Thinking about how your security coverage handles patient privacy? Book a consultation and we’ll walk through your specific sites.

What good PHIPA-aware security looks like in practice

You can’t outsource accountability, but you can choose a provider that reduces your risk instead of adding to it. In a strong operation you’ll see:

  • Documented confidentiality training for every officer before they start, refreshed on a schedule — not a one-time signature.
  • Clear incident-reporting workflows that keep PHI secure and route it only to authorized people.
  • Breach-response readiness. PHIPA requires custodians to notify affected individuals at the first reasonable opportunity when PHI is stolen, lost, or accessed without authority, and to report certain breaches to the IPC. Your vendor needs to know how to escalate to you fast, because the clock is yours.
  • Role-appropriate access. Officers who understand they are there for safety and order, not to browse information.

This is why PHIPA-aware security overlaps so heavily with the rest of the healthcare picture — from de-escalation and mental health response to workplace violence obligations under Bill 168. Privacy, safety, and conduct are the same professional standard viewed from different angles.

When you’re evaluating providers formally, the privacy questions belong in your RFP — our healthcare security RFP guide lists the ones most hospitals forget to ask.

Frequently Asked Questions

Q1. Does PHIPA apply to contracted security guards, or only hospital staff?
Ans. It applies to both. When guards act on the hospital’s behalf they’re generally “agents” under PHIPA, so the custodian’s privacy obligations extend to them and their conduct.

Q2. Which privacy law applies to my facility?
Ans. It depends on your province: Ontario facilities follow PHIPA, and Alberta facilities follow the Health Information Act. A capable provider trains its officers to the statute that governs your site.

Q3. Can a security guard legally look at a patient’s chart or diagnosis?
Ans. Only if the safety task genuinely requires it, which it rarely does. The standard is “minimum necessary” — a guard usually needs a safety flag, not a clinical record.

Q4. Is CCTV footage of patients considered personal health information?
Ans. Footage from clinical areas often captures PHI, so its recording, retention, and access are governed by the custodian’s PHIPA responsibilities. This should be planned when the camera system is designed.

Q5. Who is responsible if a guard causes a privacy breach?
Ans. As the custodian, the hospital carries the primary legal accountability, which is exactly why your contract should bind the vendor to PHIPA-consistent practices and immediate breach reporting.

Q6. What should a security incident report include without breaching
Ans. Enough to document the safety event accurately and no more, stored securely and shared only with authorized staff. Record what happened and why security acted, not unnecessary clinical detail.

Q7. Does PHIPA require guards to have specific privacy training?
Ans. PHIPA doesn’t prescribe a guard curriculum, but because guards handle PHI, the custodian is expected to ensure they’re trained in confidentiality and appropriate handling. Look for documented, refreshed training.

Q8. How quickly must a privacy breach be reported?
Ans. PHIPA requires custodians to notify affected individuals at the first reasonable opportunity and to report certain breaches to the IPC of Ontario. Your vendor’s job is to escalate to you immediately so you can meet that timeline.

Q9. We operate in Alberta, not Ontario — does any of this still apply?
Ans. The principles do, but the governing statute is Alberta’s Health Information Act rather than PHIPA. A capable provider trains officers to the framework of the province they work in.

Q10. How do I check whether a security vendor understands healthcare privacy?
Ans. Ask which statute governs your site, how they train and refresh officers on confidentiality, and how they’d handle a breach. Vague or incorrect answers about the governing law tell you what you need to know.