Navigating PHIPA and PIPEDA:
Electronic Audit Log

PHIPA Section 10.1: The Electronic Audit Log Compliance Guide

Under Ontario's Personal Health Information Protection Act (PHIPA), healthcare organizations and their IT environments face rigorous transparency mandates. Specifically, Section 10.1 establishes strict statutory guidelines regarding electronic records of Personal Health Information (PHI).

If your clinic uses any electronic means to collect, use, modify, or disclose patient data, generic logging is no longer sufficient. This guide details what your organization must do to meet these statutory definitions and how to configure common productivity platforms like Microsoft 365 and Google Workspace to support compliance.

PHIPA Law definition

Electronic audit log

10.1  (1)  Subject to any prescribed exceptions, a health information custodian that uses electronic means to collect, use, disclose, modify, retain or dispose of personal health information shall,

    (a)   maintain, or require the maintenance of, an electronic audit log described in subsection (4);

    (b)   audit and monitor the electronic audit log as often as is required by the regulations; and

    (c)   comply with any requirements that may be prescribed.

Access by Commissioner

(2)  A health information custodian referred to in subsection (1) shall provide a copy of the electronic audit log to the Commissioner, upon request. 2020, c. 5, Sched. 6, s. 3.

Same

(3)  Despite subsection 60 (13), the Commissioner may be provided with a copy of the electronic audit log even if it contains personal health information. 2020, c. 5, Sched. 6, s. 3.

Content of log

(4)  The electronic audit log must include, for every instance in which a record or part of a record of personal health information that is accessible by electronic means is viewed, handled, modified or otherwise dealt with,

    (a)   the type of information that was viewed, handled, modified or otherwise dealt with;

    (b)   the date and time on which the information was viewed, handled, modified or otherwise dealt with;

    (c)   the identity of all persons who viewed, handled, modified or otherwise dealt with the personal health information;

    (d)   the identity of the individual to whom the personal health information relates; and

    (e)   any other information that may be prescribed.

Understanding the Statutory Requirements of Section 10.1

To achieve compliance, an organization's electronic logging infrastructure must perform three core activities:

  • Log Maintenance
    You must actively maintain, or require the maintenance of, an electronic audit log.

  • Proactive Auditing
    Your organization must audit and monitor the electronic audit log as often as required by the regulations to catch unauthorized access or data anomalies early.

  • Commissioner Readiness
    Your clinic must provide a copy of the electronic audit log to the Commissioner upon request , even if the log contains personal health information.

Choosing the Right Cloud Licensing

Standard consumer or entry-level business cloud licenses do not provide the granular logging capabilities, forensic tracking, or extended retention periods required by healthcare regulations.

Microsoft

Microsoft 365 Business Premium

Google

GW Business Plus,
GW Enterprise Standard

Cloud Storage Providers

Certified Canadian providers like Sync.com or Citrix ShareFile for Healthcare

On-Premises Systems

Network Attached Storage (NAS) array or a localized Windows Server environment.

Microsoft 365 Configuration Steps

1. Enable Unified Audit Logging: Navigate to the Microsoft Purview Compliance Portal > Audit. If it is not already running, click Start recording user and admin activity.

2. Establish Audit Retention Policies: Go to Audit > Audit retention policies and create a new policy. Set the duration to a minimum of 3 Year (or your specific college's data retention mandate) for all core user workloads (Exchange, SharePoint, OneDrive, Teams).

3. Turn on Advanced Auditing Events: Ensure your global administrator executes PowerShell commands to verify that advanced mailbox auditing features (like tracking when an email containing medical notes is explicitly viewed) are actively bound to all active staff accounts.

FAQ image

Google Workspace Configuration Steps

1. Access the Log Custody Suite: Navigate to the Google Admin Console > Reporting > Audit and investigation.

2. Set Up Custom Log Retention via Vault: Ensure Google Vault is configured across your clinic domain. Create custom Retention Rules targeting Drive files, Gmail messages, and Chat histories containing patient information, locking them down against premature deletion.

4. Configure BigQuery Log Export (optional): Because Google Workspace natively caps active log viewing inside the admin interface, navigate to Account Settings > Legal and Compliance > Data Sharing and configure a continuous log export pipeline into Google BigQuery. This builds an immutable database of all user access timestamps, fulfilling the mandate to provide an unedited log copy to the IPC upon audit.

FAQ image

CONCLUSION

PHIPA Section 10.1 shifts the burden of proof cleanly onto Ontario’s independent clinics. In the event of a suspected data breach or a spot audit by the Information and Privacy Commissioner, saying "our systems are secure" is legally meaningless without an unalterable, comprehensive trail of evidence.

Generic IT settings drop the ball here, leaving clinic owners vulnerable to catastrophic regulatory fines and legal liability.

Let’s Check Your Clinic's Digital Health Pulse

Whether your clinic anchors its operations in an enterprise-configured cloud suite like Microsoft 365 or Google Workspace, relies entirely on a compliant EMR system, or utilizes a specialized on-premises environment, the logging pipeline must be clear, continuous, and audit-ready.

Partnering with a specialized managed service provider ensures your technical architecture handles the regulatory heavy lifting—allowing your practitioners to focus safely on what they do best: delivering exceptional patient care.

Accessible technology solutions, assessments, planning, and cloud computing for nonprofits across North America. We understand limited budgets and IT expertise, and offer help through grant writing, consulting and tech support.

Copyright © 2025, Heartfelt IT