Privacy Law for Dental and Medical Practices in Canada
By Yong Du
Privacy obligations for Canadian dental and medical practices — which laws apply alongside PIPEDA, what patient records require, breach reporting for health information, and compliance requirements for private clinics.
What makes dental and medical practices distinct
Health information is the most sensitive category of personal information recognized under Canadian privacy law. The OPC, OIPC Alberta, and OIPC BC all treat health data as requiring heightened protection — and the consequences of a breach are correspondingly serious. A breach of patient records carries the risk of embarrassment, discrimination, insurance implications, and harm to the patient's relationship with their provider.
Dental and medical practices also operate under health legislation that runs alongside PIPEDA and provincial PIPA — creating a multi-statute compliance environment that requires careful attention to which obligation applies to which type of information.
Which laws apply
| Jurisdiction | Law | Applies to | Regulator |
|---|---|---|---|
| Alberta | Health Information Act (HIA) | Health information held by regulated health professionals (dentists, physicians, and their clinics) — patient diagnoses, treatment records, prescriptions, test results | OIPC Alberta — oipc.ab.ca |
| Alberta | Alberta PIPA | Non-health personal information (patient contact details, payment records, employee information) | OIPC Alberta — oipc.ab.ca |
| BC | BC PIPA | Patient information at private health practices (BC has no private-sector health privacy statute equivalent to Alberta's HIA) | OIPC BC — oipc.bc.ca |
| Federal | PIPEDA | Commercial activities involving personal information; interprovincial activity; provinces without substantially similar legislation | OPC — priv.gc.ca |
Important: Alberta HIA obligations for health custodians are detailed and sector-specific. This guide covers the PIPEDA and provincial PIPA layer. Dental and medical practices in Alberta should obtain legal advice specific to HIA compliance — the HIA has distinct consent, access, and breach notification requirements that differ from PIPEDA in significant ways.
What personal information dental and medical practices hold
Patient health information: Diagnoses, treatment notes, clinical records, X-rays and imaging, prescriptions, referral letters, lab results, medical history, medications, allergies, surgical history.
Patient administrative information: Full name, date of birth, address, phone number, health card number, provincial health insurance information, insurance provider and policy number.
Patient financial information: Payment records, credit card or banking details, outstanding balances, insurance claim information and explanation of benefits.
Employee information: SINs, banking details for payroll, T4s, professional licence numbers, employment records.
Common breach scenarios
Ransomware: Medical and dental practices are primary ransomware targets — patient records have high value for extortion (sensitive health information the patient may not want disclosed) and for insurance fraud. A ransomware attack on a clinic typically affects every patient in the practice management system. See Ransomware Attack: What Canadian SMEs Must Do.
EHR or cloud platform breach: A breach at an electronic health record vendor affects all practices using that platform. Your accountability for patient data held there does not transfer to the vendor. See Vendor or Third-Party Breach.
Unauthorized employee access: A receptionist, biller, or clinical staff member accessing records of patients they are not treating — sometimes motivated by curiosity about a known patient. Audit logging is essential in a practice environment where multiple staff have system access. See Unauthorized Employee Access.
Improper disposal: Patient records in recycling rather than shredded, retired computers containing patient data not securely wiped, USB drives with patient records not encrypted. See Physical Records Breach.
RROSH in a dental or medical breach
Health information is explicitly identified as a sensitive category under PIPEDA and is treated as presumptively high-risk by regulators. A breach of patient records — diagnoses, treatment history, medications — will almost always meet the RROSH threshold. The combination of health information with insurance details or payment records further elevates the risk.
Factors that push toward RROSH in this sector:
- Any patient diagnosis, treatment record, or medication information exposed
- Mental health records, substance use records, or reproductive health information — these carry heightened sensitivity and stigma risk
- Patient health card numbers exposed — enables health insurance fraud
- Combination of health information with patient identity and insurance details
The multi-statute RROSH issue: In Alberta, an HIA breach notification obligation may be triggered before or independently of the PIPEDA RROSH analysis. Do not defer the HIA assessment while completing the PIPEDA one — both assessments run concurrently.
Core compliance obligations
Privacy officer: Designate a named individual responsible for privacy compliance. In most practices this is the practice owner or clinic manager. Their contact must appear in your privacy policy.
Privacy policy: Your policy must describe what patient information you collect, why, how it is protected, how long it is kept, and how patients can access their records or make a complaint.
Retention: Patient health records have sector-specific minimum retention periods under provincial health legislation and regulatory college requirements. In Alberta, HIA requirements govern health record retention. Contact your regulatory college (Royal College of Dental Surgeons of Alberta, College of Physicians and Surgeons of Alberta, CDSBC, BCMJ) for profession-specific retention standards. Do not rely solely on the general PIPEDA retention principle for health records.
EHR vendor contracts: Every electronic health record or practice management platform must have a written agreement confirming the vendor's data handling obligations, security requirements, and what happens if the vendor is breached or goes out of business.
Safeguards: Encrypted storage for all patient records, MFA on practice management systems, role-based access so staff can only access records for patients they are actively treating, audit logging to detect unauthorized access, and secure destruction of paper records and retired hardware.
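The audit-logging and role-based-access safeguards above, and the unauthorized-employee-access scenario earlier, both assume someone actually reviews the access log for accesses that have no treating relationship behind them. The following is an added example, not code from the guide or from ClearBreach, of what that review can look like in practice: it parses a constructed practice-management access log, checks each clinical record access against a constructed appointment table (a staff member is considered to have a treating relationship if they are on the care team for an appointment within seven days of the access), flags clinical accesses by non-clinical roles, and raises a separate alert when one user accumulates several unjustified accesses within an hour, the pattern that curiosity browsing or bulk collection tends to produce. The log format, role names, appointment table, window sizes and threshold are all assumptions chosen for the example; a real deployment would take them from the practice's own system.

```python
"""Added example (not from the original guide): reviewing an EHR access log
for accesses with no treating relationship behind them.

Assumptions (all constructed for this example):
  - One log line per record access, in the form
        <ISO timestamp> user=<staff id> role=<role> patient=<patient id> action=<area>.<verb>
  - Actions whose area is "clinical" touch diagnoses, notes, imaging etc.;
    other areas (schedule, billing) are administrative and not checked here.
  - A treating relationship exists when the user is on the care team for an
    appointment within RELATIONSHIP_WINDOW of the access.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
import re

# Assumed log line shape; adapt the pattern to the real system's export format.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) "
    r"patient=(?P<patient>\S+) action=(?P<action>\S+)$"
)

CLINICAL_ROLES = {"dentist", "physician", "hygienist", "nurse"}  # assumed role names
RELATIONSHIP_WINDOW = timedelta(days=7)   # assumed: appointment within a week justifies access
BROWSING_THRESHOLD = 3                    # assumed: 3 unjustified accesses ...
BROWSING_WINDOW = timedelta(hours=1)      # ... within an hour is a browsing pattern


@dataclass(frozen=True)
class Access:
    ts: datetime
    user: str
    role: str
    patient: str
    action: str


def parse_log(lines):
    """Parse log lines into Access records. A malformed line raises rather than
    being dropped silently: a gap in the audit trail is itself worth knowing about."""
    accesses = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparseable audit log line: {line!r}")
        accesses.append(Access(datetime.fromisoformat(m["ts"]), m["user"],
                               m["role"], m["patient"], m["action"]))
    return accesses


def has_treating_relationship(user, patient, ts, appointments):
    """True if the user is on the care team for an appointment of this patient
    within RELATIONSHIP_WINDOW of the access time."""
    for when, care_team in appointments.get(patient, []):
        if user in care_team and abs(when - ts) <= RELATIONSHIP_WINDOW:
            return True
    return False


def audit(lines, appointments):
    """Return findings as (rule, user, patient_or_summary, iso_timestamp) tuples."""
    findings = []
    unjustified = {}  # user -> timestamps of recent unjustified clinical accesses
    for a in parse_log(lines):
        if not a.action.startswith("clinical."):
            continue  # administrative views are out of scope for this check
        if a.role not in CLINICAL_ROLES:
            findings.append(("non-clinical-role", a.user, a.patient, a.ts.isoformat()))
        elif not has_treating_relationship(a.user, a.patient, a.ts, appointments):
            findings.append(("no-treating-relationship", a.user, a.patient, a.ts.isoformat()))
        else:
            continue  # justified access: on the care team, appointment in window
        # Sliding window over this user's unjustified accesses.
        recent = [t for t in unjustified.get(a.user, []) if a.ts - t <= BROWSING_WINDOW]
        recent.append(a.ts)
        unjustified[a.user] = recent
        if len(recent) == BROWSING_THRESHOLD:  # fire once when the threshold is reached
            findings.append(("browsing-pattern", a.user,
                             f"{len(recent)} patients in {BROWSING_WINDOW}", a.ts.isoformat()))
    return findings


# Constructed sample data: a dental clinic's morning and afternoon.
APPOINTMENTS = {
    "P1001": [(datetime(2024, 3, 4, 9, 0), {"dr_lee", "hyg_ana"})],
    "P1042": [(datetime(2024, 3, 6, 14, 0), {"dr_lee"})],
}

SAMPLE_LOG = """\
2024-03-04T09:02:11 user=dr_lee role=dentist patient=P1001 action=clinical.view
2024-03-04T09:05:40 user=hyg_ana role=hygienist patient=P1001 action=clinical.view
2024-03-04T09:30:02 user=front_sam role=frontdesk patient=P1001 action=schedule.view
2024-03-04T12:15:09 user=front_sam role=frontdesk patient=P1042 action=clinical.view
2024-03-04T13:01:00 user=hyg_ana role=hygienist patient=P2077 action=clinical.view
2024-03-04T13:02:10 user=hyg_ana role=hygienist patient=P2078 action=clinical.view
2024-03-04T13:03:30 user=hyg_ana role=hygienist patient=P2079 action=clinical.view
""".splitlines()

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG, APPOINTMENTS):
        print(*finding)
```

On the sample data the two morning accesses by the care team pass, the front-desk user's clinical view of P1042 is flagged as a non-clinical role, and the hygienist's three afternoon views of patients with no appointment are each flagged individually and then together as a browsing pattern. The relationship check is deliberately based on the appointment schedule rather than on a static "assigned patients" list, because that is the record a practice already keeps and the one a regulator will ask to see beside the access log; on-call or emergency access that falls outside it should be handled by a documented break-glass process that the reviewer can reconcile against these findings.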
Patient notification specifics: When notifying patients of a health information breach, describe specifically what health information was involved — not generic "medical records." Patients need to know whether their diagnosis, prescription, or imaging was affected. Advise patients to monitor their provincial health insurance account for unauthorized claims if health card numbers were exposed.
Experienced a breach at your practice? ClearBreach walks dental and medical practices through their RROSH assessment across PIPEDA and provincial PIPA and generates regulator reports and patient notification letters in under 15 minutes. Start your assessment →
ClearBreach assesses your obligations under PIPEDA, Alberta PIPA, and BC PIPA. Alberta HIA obligations are a separate assessment that ClearBreach does not currently cover — Alberta health practices should obtain HIA-specific legal advice in parallel with using ClearBreach for their PIPEDA/PIPA assessment.
Related guides
- PIPEDA Breach Reporting Requirements
- Alberta PIPA Breach Notification
- BC PIPA Breach Reporting
- Ransomware Attack: What Canadian SMEs Must Do
- Vendor or Third-Party Breach: What Canadian Organizations Must Do
- Responding to Individual Access Requests Under Canadian Privacy Law
This guide covers PIPEDA, Alberta PIPA, and BC PIPA obligations for private dental and medical practices. Alberta HIA obligations for health custodians require separate legal advice and are not fully covered here. Regulatory college requirements for record-keeping and patient confidentiality are separate from privacy legislation and are not covered here. Quebec's Law 25 is not covered here.
Frequently asked questions
Does PIPEDA apply to my dental or medical practice?
Yes, but it is not the only law that applies. In Alberta, regulated health professionals — including dentists and physicians — are 'custodians' under the Health Information Act (HIA), which governs patient health information separately from PIPEDA. In BC, private health practices are subject to BC PIPA for patient information. PIPEDA may also apply to commercial activities. The result is that most dental and medical practices operate under multiple overlapping privacy regimes. This guide covers the PIPEDA and provincial PIPA layer; HIA obligations should be addressed with legal counsel familiar with Alberta health privacy.
If patient records are breached, do I have to report it?
Yes, under both health legislation (in Alberta) and PIPEDA or provincial PIPA (depending on province). In Alberta, the HIA requires custodians to notify affected individuals and the OIPC Alberta of unauthorized access to health information. PIPEDA's breach notification obligations apply in parallel for the non-health dimensions of the breach (patient contact information, payment details). In BC, BC PIPA applies to private practices for patient information and requires notification if RROSH is present. You must assess and notify under each applicable statute.
Can patients access their own health records?
Yes. Under PIPEDA and provincial privacy legislation, individuals have the right to access their personal information, including health records. In Alberta, the HIA gives patients a right of access to their own health information held by custodians. Your practice must have a process for responding to these requests within the applicable timeline (30 days under PIPEDA and BC PIPA; 30 days under HIA with possible extension). See [Responding to Individual Access Requests Under Canadian Privacy Law](/guides/responding-to-access-requests-canada/).
We use a cloud-based electronic health record system — what are our obligations?
Your accountability for patient health information does not transfer to the EHR vendor. Under PIPEDA Principle 1 and equivalent provincial provisions, you remain the accountable organization for personal information you transfer to a third party for processing. Your contract with the EHR vendor must include privacy and security obligations, confirm that the vendor will only use patient data for the purposes you specify, and address what happens if the vendor is breached. If the EHR vendor is breached and patient data is affected, your notification obligations apply regardless of whether the vendor also notifies.
This guide is educational and does not constitute legal advice. It is grounded in the text of PIPEDA, Alberta PIPA, and BC PIPA and published guidance from the OPC, OIPC Alberta, and OIPC BC. If your situation involves regulatory investigation, litigation risk, or circumstances not addressed here, engage a qualified privacy lawyer.