Under Ontario's Personal Health Information Protection Act (PHIPA), healthcare organizations and their IT environments face rigorous transparency mandates. Specifically, Section 10.1 establishes strict statutory guidelines regarding electronic records of Personal Health Information (PHI).
If your clinic uses any electronic means to collect, use, modify, or disclose patient data, generic logging is no longer sufficient. This guide details what your organization must do to meet these statutory definitions and how to configure common productivity platforms like Microsoft 365 and Google Workspace to support compliance.

10.1 (1) Subject to any prescribed exceptions, a health information custodian that uses electronic means to collect, use, disclose, modify, retain or dispose of personal health information shall,
(a) maintain, or require the maintenance of, an electronic audit log described in subsection (4);
(b) audit and monitor the electronic audit log as often as is required by the regulations; and
(c) comply with any requirements that may be prescribed.
(2) A health information custodian referred to in subsection (1) shall provide a copy of the electronic audit log to the Commissioner, upon request. 2020, c. 5, Sched. 6, s. 3.
Same
(3) Despite subsection 60 (13), the Commissioner may be provided with a copy of the electronic audit log even if it contains personal health information. 2020, c. 5, Sched. 6, s. 3.
(4) The electronic audit log must include, for every instance in which a record or part of a record of personal health information that is accessible by electronic means is viewed, handled, modified or otherwise dealt with,
(a) the type of information that was viewed, handled, modified or otherwise dealt with;
(b) the date and time on which the information was viewed, handled, modified or otherwise dealt with;
(c) the identity of all persons who viewed, handled, modified or otherwise dealt with the personal health information;
(d) the identity of the individual to whom the personal health information relates; and
(e) any other information that may be prescribed.

Log Maintenance
You must actively maintain, or require the maintenance of, an electronic audit log.
Proactive Auditing
Your organization must audit and monitor the electronic audit log as often as required by the regulations to catch unauthorized access or data anomalies early.
Commissioner Readiness
Your clinic must provide a copy of the electronic audit log to the Commissioner upon request , even if the log contains personal health information.

Microsoft 365 Business Premium
GW Business Plus,
GW Enterprise Standard
Certified Canadian providers like Sync.com or Citrix ShareFile for Healthcare
Network Attached Storage (NAS) array or a localized Windows Server environment.
1. Enable Unified Audit Logging: Navigate to the Microsoft Purview Compliance Portal > Audit. If it is not already running, click Start recording user and admin activity.
2. Establish Audit Retention Policies: Go to Audit > Audit retention policies and create a new policy. Set the duration to a minimum of 3 Year (or your specific college's data retention mandate) for all core user workloads (Exchange, SharePoint, OneDrive, Teams).
3. Turn on Advanced Auditing Events: Ensure your global administrator executes PowerShell commands to verify that advanced mailbox auditing features (like tracking when an email containing medical notes is explicitly viewed) are actively bound to all active staff accounts.

1. Access the Log Custody Suite: Navigate to the Google Admin Console > Reporting > Audit and investigation.
2. Set Up Custom Log Retention via Vault: Ensure Google Vault is configured across your clinic domain. Create custom Retention Rules targeting Drive files, Gmail messages, and Chat histories containing patient information, locking them down against premature deletion.
4. Configure BigQuery Log Export (optional): Because Google Workspace natively caps active log viewing inside the admin interface, navigate to Account Settings > Legal and Compliance > Data Sharing and configure a continuous log export pipeline into Google BigQuery. This builds an immutable database of all user access timestamps, fulfilling the mandate to provide an unedited log copy to the IPC upon audit.



Subscribe to our weekly newsletter to receive simple, actionable advice on PHIPA, PIPEDA, and core Cybersecurity strategies specifically tailored for small healthcare businesses and clinics.

Accessible technology solutions, assessments, planning, and cloud computing for nonprofits across North America. We understand limited budgets and IT expertise, and offer help through grant writing, consulting and tech support.
Copyright © 2025, Heartfelt IT