PHIPA s.10.1 Electronic Audit Log Requirements: What Ontario Healthcare Organizations Need to Know
What Is PHIPA s.10.1 and Why Was It Introduced?
Ontario’s Personal Health Information Protection Act (PHIPA) has governed how health information custodians collect, use, and disclose personal health information since 2004. As healthcare delivery shifted to electronic systems — EMRs, hospital information systems, patient portals, cloud-based tools — a gap emerged: PHIPA imposed broad duties to protect personal health information (s.10, s.12), but contained no specific requirement to log and audit electronic access.
The Ontario legislature addressed this in 2020 by adding section 10.1 through the Strengthening Quality and Accountability for Patients Act, 2020 (S.O. 2020, c. 5, Sched. 6, s. 3). The provision codifies what the Information and Privacy Commissioner of Ontario (IPC) has recommended for years: that every interaction with an electronic record of personal health information must be systematically logged, actively monitored, and available for regulatory scrutiny [Source 2, 3].
Section 10.1 is a direct legislative response to repeated incidents of unauthorized access to patient records — commonly known as “curiosity snooping” — in Ontario’s healthcare system. IPC investigation reports have documented cases of staff accessing records of co-workers, family members, neighbours, and public figures without any legitimate purpose [Source 3, 4].
What Does s.10.1 Require Health Information Custodians to Do?
Section 10.1 imposes four distinct obligations on every health information custodian that uses electronic means to handle personal health information.
What Is the Core Obligation to Maintain an Audit Log?
Under s.10.1(1), subject to any prescribed exceptions, a health information custodian that uses electronic means to collect, use, disclose, modify, retain, or dispose of personal health information must:
- (a) Maintain, or require the maintenance of, an electronic audit log as described in subsection (4);
- (b) Audit and monitor the electronic audit log as often as is required by the regulations; and
- (c) Comply with any additional requirements that may be prescribed.
The scope is broad. It covers any electronic interaction with personal health information — not only viewing or accessing records, but also modifying, retaining, and disposing of them.
What Must an Electronic Audit Log Contain Under PHIPA?
Under s.10.1(4), the electronic audit log must capture the following for every instance in which a record (or part of a record) of personal health information accessible by electronic means is viewed, handled, modified, or otherwise dealt with:
| Required Element | Statutory Reference |
|---|---|
| The type of information that was viewed, handled, modified, or otherwise dealt with | s.10.1(4)(a) |
| The date and time the information was viewed, handled, modified, or otherwise dealt with | s.10.1(4)(b) |
| The identity of all persons who viewed, handled, modified, or otherwise dealt with the personal health information | s.10.1(4)(c) |
| The identity of the individual (i.e., the patient) to whom the personal health information relates | s.10.1(4)(d) |
| Any other information that may be prescribed by regulation | s.10.1(4)(e) |
The word “every” is critical. The Act does not contemplate sampling or selective logging. Every access event must be captured.
Can the Privacy Commissioner Access Your Audit Logs?
Yes. Under s.10.1(2), a health information custodian must provide a copy of the electronic audit log to the Information and Privacy Commissioner upon request. Subsection (3) expressly clarifies that the Commissioner may receive a copy of the log even if it contains personal health information — overriding the usual restrictions under s.60(13) of PHIPA. This is a significant expansion of the IPC’s oversight powers and underscores the seriousness the legislature attaches to audit log compliance.
How Often Must Audit Logs Be Reviewed?
The auditing and monitoring frequency is to be set by regulation under s.10.1(1)(b). While those regulations are not yet finalized, the IPC’s existing guidance — particularly Detecting and Deterring Unauthorized Access to Personal Health Information — recommends that custodians conduct regular, proactive audits rather than limiting reviews to complaint-driven or incident-driven investigations [Source 3].
How Should Healthcare Organizations Meet These Requirements?
Compliance with s.10.1 requires coordinated effort across technology, policy, and people.
What Technology Changes Are Needed?
Assess current EHR/EMR audit capabilities. Most modern electronic health record systems (e.g., Epic, Cerner/Oracle Health, MEDITECH, OSCAR) include built-in audit logging. The first step is to determine whether your systems already capture the five data elements required by s.10.1(4). Common gaps include:
- Logs that record the user who accessed a record but not the specific type of information viewed (e.g., lab results vs. medication history).
- Systems where “break-the-glass” or emergency access events are logged differently (or less completely) than routine access.
- Ancillary systems — dictation platforms, diagnostic imaging viewers, third-party integrations — that may not feed into the primary audit log.
Ensure completeness across all electronic systems. The obligation extends to every system that handles personal health information electronically, not just the primary EMR:
- Hospital information systems (HIS)
- Laboratory information systems (LIS)
- Radiology/PACS systems
- Pharmacy management systems
- Patient portals
- Scheduling and registration systems
- Data warehouses and analytics platforms
- Cloud-based and SaaS tools
Centralize or correlate logs. Where multiple systems are in use, consider deploying a centralized log management or security information and event management (SIEM) solution to aggregate, normalize, and correlate audit events across systems.
Protect log integrity. Audit logs must be tamper-resistant. Store logs in a manner that prevents modification or deletion by the users whose actions are being logged. Implement write-once storage, access controls on log repositories, and cryptographic integrity verification.
What Policies and Procedures Are Required?
Develop or update your audit and monitoring policy. This policy should address:
- The scope of systems covered by the audit log requirement.
- Roles and responsibilities for maintaining, auditing, and monitoring logs.
- The frequency of proactive audits (pending regulation, align with IPC guidance — at minimum quarterly, with more frequent audits for high-risk areas).
- Criteria for flagging suspicious access (e.g., after-hours access, access by terminated employees, access to records of VIPs, co-workers, or family members).
- Escalation and investigation procedures when anomalies are detected.
- Retention periods for audit logs (pending regulation, many organizations retain for a minimum of 10 years to align with records retention schedules and statutes of limitation).
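The flagging criteria listed above (after-hours access, access by terminated employees, access to records of co-workers or to one's own record, access to VIP records) can be expressed as screening rules that a privacy officer runs over the audit log between proactive reviews. The following is an added example, not code from the page or from IPC guidance: the staff roster, VIP list, treatment relationships, business hours and the five audit records are all constructed, and the rule set goes one step beyond the list by suppressing the VIP rule when an encounter-derived treatment relationship exists, which keeps legitimate care out of the findings.

```python
"""Rule-based screening of s.10.1 audit log records for the monitoring review.

Added example. The roster, VIP list, treatment relationships, business hours
and sample records are constructed; in practice they come from HR, the HIS
and encounter data.
"""
from datetime import datetime, time

# Constructed HR roster: employment status plus the employee's own patient id
# (if they are also a patient of the organization).
STAFF = {
    "u100": {"status": "active", "own_patient_id": "p555"},
    "u101": {"status": "terminated", "own_patient_id": None},
    "u102": {"status": "active", "own_patient_id": "p777"},
}
EMPLOYEE_PATIENT_IDS = {s["own_patient_id"] for s in STAFF.values() if s["own_patient_id"]}
VIP_PATIENTS = {"p900"}                                         # constructed flag list
TREATMENT_RELATIONSHIPS = {("u100", "p001"), ("u102", "p900")}  # constructed, from encounters
BUSINESS_HOURS = (time(7, 0), time(19, 0))                      # assumed local hours

# Constructed audit records carrying the s.10.1(4) elements; timestamps carry
# the custodian's local UTC offset so the after-hours check uses local time.
SAMPLE_LOG = [
    {"info_type": "lab_result", "timestamp": "2026-01-15T14:03:00-05:00",
     "actor_id": "u100", "patient_id": "p001", "action": "view"},
    {"info_type": "medication", "timestamp": "2026-01-15T23:40:00-05:00",
     "actor_id": "u100", "patient_id": "p777", "action": "view"},
    {"info_type": "demographics", "timestamp": "2026-01-16T10:00:00-05:00",
     "actor_id": "u101", "patient_id": "p001", "action": "view"},
    {"info_type": "notes", "timestamp": "2026-01-16T11:00:00-05:00",
     "actor_id": "u102", "patient_id": "p900", "action": "view"},
    {"info_type": "notes", "timestamp": "2026-01-16T11:05:00-05:00",
     "actor_id": "u100", "patient_id": "p555", "action": "view"},
]


def _terminated_user(rec):
    # Unknown actors are treated like terminated ones: nobody off the roster should appear.
    staff = STAFF.get(rec["actor_id"])
    return staff is None or staff["status"] != "active"


def _after_hours(rec):
    dt = datetime.fromisoformat(rec["timestamp"])
    start, end = BUSINESS_HOURS
    return dt.weekday() >= 5 or not (start <= dt.time() < end)


def _self_access(rec):
    return STAFF.get(rec["actor_id"], {}).get("own_patient_id") == rec["patient_id"]


def _co_worker_record(rec):
    return rec["patient_id"] in EMPLOYEE_PATIENT_IDS and not _self_access(rec)


def _vip_without_relationship(rec):
    return (rec["patient_id"] in VIP_PATIENTS
            and (rec["actor_id"], rec["patient_id"]) not in TREATMENT_RELATIONSHIPS)


RULES = [
    ("terminated_user", _terminated_user),
    ("after_hours", _after_hours),
    ("self_access", _self_access),
    ("co_worker_record", _co_worker_record),
    ("vip_without_relationship", _vip_without_relationship),
]


def screen(records):
    """Return (record_index, rule_name) for every record that trips a rule."""
    findings = []
    for i, rec in enumerate(records):
        for name, rule in RULES:
            if rule(rec):
                findings.append((i, name))
    return findings


def findings_by_actor(records):
    """Group findings per actor so the reviewer sees a pattern, not isolated events."""
    out = {}
    for i, name in screen(records):
        out.setdefault(records[i]["actor_id"], []).append(name)
    return out


if __name__ == "__main__":
    for i, name in screen(SAMPLE_LOG):
        r = SAMPLE_LOG[i]
        print(f"{r['timestamp']} {r['actor_id']} -> {r['patient_id']} [{r['info_type']}]: {name}")
```

Each finding is a lead for the escalation procedure, not a conclusion: the grouped view per actor is what the reviewer takes into an investigation, and the rule thresholds (business hours, VIP list, relationship source) should be documented in the audit and monitoring policy so that the screening is repeatable.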
Document your processes. The IPC will expect not only that audit logs exist, but that you can demonstrate a structured, repeatable process for reviewing them.
What Training and Staffing Is Needed?
Assign clear accountability. Designate a privacy officer or compliance lead with explicit responsibility for the audit log program. In larger organizations, this may involve a team spanning IT security, privacy, and clinical informatics.
Train staff on the “why.” Employees and agents who access personal health information should understand that their actions are logged and actively monitored. This serves as both a deterrent and a cultural signal that the organization takes privacy seriously.
Build investigative capacity. Staff responsible for reviewing audit logs need training on interpreting log data, identifying patterns indicative of unauthorized access (e.g., “curiosity browsing”), and conducting investigations that are fair and legally defensible.
How Should Organizations Prepare for Commissioner Requests?
When the IPC requests a copy of the electronic audit log under s.10.1(2), the custodian must produce it promptly. This means:
- Logs must be in an exportable, readable format.
- The process for extracting and transmitting logs to the IPC should be documented and tested in advance.
- Staff must understand that personal health information within the log may be disclosed to the Commissioner without the individual’s consent.
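The "Protect log integrity" paragraph above calls for storage that resists modification or deletion by the users being logged, with cryptographic integrity verification, and this section calls for an exportable, readable format for a Commissioner request. Both are illustrated in the following added example, which is not code from the page, the IPC or any EMR vendor: each record carries the s.10.1(4) elements and an HMAC that also covers the previous record's MAC, so editing or removing a record breaks the chain at a detectable point. The `action` field, the key handling and the CSV layout are assumptions.

```python
"""Append-only, HMAC-chained audit log holding the s.10.1(4) elements.

Added example. Field names, the extra "action" element, the key name and the
CSV layout are assumptions, not PHIPA or IPC specifications.
"""
import csv
import hashlib
import hmac
import io
import json
from dataclasses import asdict, dataclass, replace
from datetime import datetime, timezone

# Constructed demo key. In practice the key lives with a separate logging or
# KMS service so that the users whose actions are logged cannot re-sign records.
INTEGRITY_KEY = b"constructed-demo-key-not-for-production"
GENESIS = "0" * 64  # chain anchor for the first record


@dataclass(frozen=True)
class AuditEvent:
    info_type: str   # s.10.1(4)(a) type of information, e.g. "lab_result"
    timestamp: str   # s.10.1(4)(b) date and time, ISO 8601 with offset
    actor_id: str    # s.10.1(4)(c) identity of the person who dealt with it
    patient_id: str  # s.10.1(4)(d) identity of the individual it relates to
    action: str      # assumed extra element (view/modify/dispose), cf. s.10.1(4)(e)
    prev_mac: str    # MAC of the preceding record: the chain link
    mac: str         # HMAC-SHA256 over all fields above


def _mac(fields: dict) -> str:
    canon = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(INTEGRITY_KEY, canon, hashlib.sha256).hexdigest()


class AuditLog:
    def __init__(self):
        self._events: list = []

    def append(self, info_type, actor_id, patient_id, action, when=None) -> AuditEvent:
        when = when or datetime.now(timezone.utc)
        body = {
            "info_type": info_type, "timestamp": when.isoformat(),
            "actor_id": actor_id, "patient_id": patient_id, "action": action,
            "prev_mac": self._events[-1].mac if self._events else GENESIS,
        }
        ev = AuditEvent(**body, mac=_mac(body))
        self._events.append(ev)
        return ev

    def verify(self):
        """Return (ok, index): index is the first bad record, or -1 if the chain is intact."""
        prev = GENESIS
        for i, ev in enumerate(self._events):
            body = asdict(ev)
            body.pop("mac")
            if ev.prev_mac != prev or not hmac.compare_digest(_mac(body), ev.mac):
                return False, i
            prev = ev.mac
        return True, -1

    def export_csv(self) -> str:
        """Readable export of the elements plus MACs, for a s.10.1(2) request."""
        buf = io.StringIO()
        w = csv.writer(buf)
        w.writerow(["info_type", "timestamp", "actor_id", "patient_id", "action", "prev_mac", "mac"])
        for ev in self._events:
            w.writerow([ev.info_type, ev.timestamp, ev.actor_id, ev.patient_id,
                        ev.action, ev.prev_mac, ev.mac])
        return buf.getvalue()


def demo() -> dict:
    """Build a three-record log, then show that an edit and a deletion are both detected."""
    log = AuditLog()
    t0 = datetime(2026, 1, 15, 14, 3, tzinfo=timezone.utc)  # constructed times
    log.append("lab_result", "u100", "p001", "view", t0)
    log.append("medication", "u100", "p001", "modify", t0.replace(minute=10))
    log.append("notes", "u102", "p900", "view", t0.replace(hour=15))
    ok_before, _ = log.verify()

    edited = AuditLog()                      # record 1 altered in storage
    edited._events = list(log._events)
    edited._events[1] = replace(edited._events[1], patient_id="p999")

    truncated = AuditLog()                   # record 1 deleted from storage
    truncated._events = log._events[:1] + log._events[2:]

    return {
        "ok_before": ok_before,
        "edit_detected_at": edited.verify()[1],
        "delete_detected_at": truncated.verify()[1],
        "csv_lines": len(log.export_csv().splitlines()),
    }


if __name__ == "__main__":
    print(demo())
```

The chain only proves integrity to whoever holds the key, so the verification step belongs with the privacy office or a separate logging service rather than the application that writes the records, and the latest MAC should be periodically copied to write-once storage so that truncating the whole tail of the log is also detectable.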
What Is the Impact on Healthcare Organizations?
The electronic audit log requirement has operational, financial, cultural, and legal implications.
What Are the Operational Consequences?
Expanded scope of privacy compliance. Section 10.1 moves audit logging from a best practice to a statutory obligation. Organizations that have relied on ad-hoc or complaint-driven access reviews will need to build a systematic, proactive audit program.
Infrastructure investment. Organizations with fragmented or outdated IT environments may face significant effort in ensuring that every system handling personal health information generates compliant audit logs. Smaller custodians — solo-practice physicians or community pharmacies — may need to upgrade their EMR systems or engage vendors to enable compliant logging.
Ongoing resource commitment. Maintaining, monitoring, and auditing logs is not a one-time project. It requires continuous operational resources, including staff time for regular reviews and investigations.
What Is the Financial Impact?
Costs will vary by organizational size and current state of readiness. Budget considerations include:
- System upgrades or replacements to ensure compliant logging across all electronic systems.
- SIEM or log management tools for organizations with multiple systems.
- Staff time for regular audit reviews, investigations, and training.
- External expertise (consultants, legal counsel) during the initial implementation phase.
- Ongoing maintenance of log storage infrastructure, particularly given the volume of data generated in high-traffic environments like hospitals.
What Are the Legal Risks of Non-Compliance?
Commissioner oversight is now explicitly backed by statute. Under s.10.1(2), the IPC has a clear statutory right to demand a copy of the audit log at any time. The inability to produce a compliant log on demand will itself be a compliance failure, independent of whether any unauthorized access has occurred.
Evidence in proceedings. Audit logs serve as critical evidence in privacy breach investigations, complaints to the IPC, and civil proceedings under s.65 of PHIPA (damages for breach of privacy). A complete, well-maintained log can demonstrate due diligence. An incomplete or absent log raises adverse inferences.
Penalties. PHIPA’s enforcement regime includes the IPC’s order-making powers (s.61), administrative penalties (s.61.1), and criminal offences (s.72) for unauthorized access, use, or disclosure of personal health information. Under s.72, individuals face fines of up to $200,000 and organizations face fines of up to $1,000,000 [Source 1]. Robust audit logs are both a compliance tool and a defense mechanism.
How Does This Affect Organizational Culture and Patient Trust?
Privacy as an institutional value. The knowledge that all electronic access to personal health information is logged and actively monitored changes organizational culture. IPC investigation reports consistently show that unauthorized access — driven by curiosity about co-workers, family members, neighbours, or public figures — is one of the most common privacy breaches in healthcare [Source 3, 4]. Visible audit programs deter this behaviour.
Patient trust. Patients are increasingly aware of their privacy rights and expect their electronic health information to be protected. An organization’s ability to demonstrate a comprehensive audit log program supports patient confidence and public trust.
What Steps Should Healthcare Organizations Take Now?
Organizations should begin preparing regardless of when s.10.1 is proclaimed in force. The following phased approach provides a structured path.
Phase 1: Assessment (Immediate)
- Conduct a system inventory. Identify every electronic system within the organization that collects, uses, discloses, modifies, retains, or disposes of personal health information.
- Evaluate current audit logging capabilities. For each system, assess whether it captures all five data elements required by s.10.1(4) — type of information, date and time, identity of the person accessing, identity of the patient, and any additional prescribed information.
- Identify gaps. Document systems that lack compliant logging, systems where logs are not retained, and systems where log data cannot be extracted or correlated.
- Review existing policies. Determine whether current privacy and security policies address electronic audit logging, and whether audit and monitoring activities are documented and repeatable.
Phase 2: Remediation and Implementation
- Engage vendors. For systems that do not meet the s.10.1(4) requirements, contact vendors to determine whether configuration changes, upgrades, or add-on modules can close the gaps.
- Deploy log aggregation. If multiple systems are in use, implement centralized log management or SIEM tooling to aggregate and normalize audit events.
- Develop policies and procedures. Draft or update the organization’s electronic audit log policy, including scope, roles and responsibilities, audit frequency, investigation procedures, escalation protocols, and retention periods.
- Build the Commissioner response process. Establish and test a protocol for extracting and providing audit log data to the IPC upon request under s.10.1(2).
- Ensure log integrity controls. Implement technical controls to prevent unauthorized modification or deletion of audit log data.
Phase 3: Operationalize
- Train staff. Conduct targeted training for privacy officers, IT security staff, and compliance teams on audit log review and investigation methods. Conduct general awareness training for all staff who access personal health information electronically.
- Begin proactive auditing. Implement a regular audit schedule. Start with high-risk areas — emergency departments, mental health records, VIP patients, employee health records — and expand coverage over time.
- Document everything. Maintain records of audit activities, findings, investigations, and corrective actions. This documentation is essential for demonstrating compliance to the IPC.
Phase 4: Monitor and Improve
- Monitor regulatory developments. Track the proclamation of s.10.1 into force, the development of supporting regulations (audit frequency, prescribed exceptions), and IPC guidance.
- Refine the program. Use findings from proactive audits to refine access policies, improve training, and tighten controls. Treat the audit program as a continuous improvement cycle.
- Engage with peer organizations. Share lessons learned and benchmark practices through provincial health privacy networks, the Ontario Hospital Association, and other sector bodies.
Frequently Asked Questions About PHIPA s.10.1
1. What is PHIPA s.10.1 and what does it require?
PHIPA s.10.1 is a section of Ontario’s Personal Health Information Protection Act (S.O. 2004, c. 3, Sched. A) that requires every health information custodian using electronic means to collect, use, disclose, modify, retain, or dispose of personal health information to maintain an electronic audit log. The log must record, for every access event: the type of information accessed, the date and time, the identity of the person who accessed it, the identity of the patient, and any other prescribed information. Custodians must also audit and monitor the log at a frequency set by regulation.
2. Has PHIPA s.10.1 been proclaimed in force?
No. Section 10.1 was enacted through the Strengthening Quality and Accountability for Patients Act, 2020 (S.O. 2020, c. 5, Sched. 6, s. 3) but has not yet been proclaimed in force as of the current PHIPA consolidation period (January 1, 2026). However, the IPC and privacy professionals recommend that healthcare organizations begin preparing now, as the provision is expected to come into force once supporting regulations are finalized.
3. What must an electronic audit log contain under PHIPA s.10.1?
Under s.10.1(4), the electronic audit log must include five elements for every instance in which an electronic record of personal health information is viewed, handled, modified, or otherwise dealt with: (a) the type of information accessed, (b) the date and time of access, (c) the identity of all persons who accessed the information, (d) the identity of the individual (patient) to whom the information relates, and (e) any other information prescribed by regulation.
4. Can the Ontario Information and Privacy Commissioner request a copy of the audit log?
Yes. Under s.10.1(2), a health information custodian must provide a copy of the electronic audit log to the Information and Privacy Commissioner of Ontario upon request. Section 10.1(3) clarifies that the Commissioner may receive the log even if it contains personal health information, overriding the usual restrictions under s.60(13) of PHIPA.
5. Which electronic systems require audit logging under PHIPA s.10.1?
PHIPA s.10.1 applies to every electronic system used by a health information custodian to collect, use, disclose, modify, retain, or dispose of personal health information. This includes the primary EMR/EHR, hospital information systems, laboratory information systems, radiology/PACS, pharmacy systems, patient portals, scheduling systems, data warehouses, and any cloud-based or SaaS tools that handle personal health information.
6. What are the penalties for failing to comply with PHIPA audit log requirements?
PHIPA’s enforcement regime includes the IPC’s order-making powers under s.61, administrative penalties under s.61.1, and criminal offences under s.72 for unauthorized access, use, or disclosure of personal health information. Under s.72, individuals face fines of up to $200,000 and organizations face fines of up to $1,000,000. Failing to maintain a compliant audit log or to produce one on request from the Commissioner could constitute a compliance failure. Audit logs also serve as critical evidence in privacy breach investigations and civil proceedings under s.65 (damages for breach of privacy).
Sources and References
- [Source 1] Government of Ontario. Personal Health Information Protection Act, 2004, S.O. 2004, c. 3, Sched. A (current consolidation). Ontario e-Laws. https://www.ontario.ca/laws/statute/04p03
- [Source 2] Information and Privacy Commissioner of Ontario. Digital Health under PHIPA: Selected Overview (May 2021). https://www.ipc.on.ca/sites/default/files/legacy/2021/05/digital-health-under-phipa.pdf
- [Source 3] Information and Privacy Commissioner of Ontario. Detecting and Deterring Unauthorized Access to Personal Health Information. IPC Guidance Document. https://www.ipc.on.ca/
- [Source 4] Information and Privacy Commissioner of Ontario. Responding to a Health Privacy Breach: Guidelines for the Health Sector. IPC Guidance Document. https://www.ipc.on.ca/
- [Source 5] Government of Ontario. Strengthening Quality and Accountability for Patients Act, 2020, S.O. 2020, c. 5 (Bill 188). Ontario e-Laws. https://www.ontario.ca/laws/statute/S20005
- [Source 6] Government of Ontario. General Regulation, O. Reg. 329/04 under the Personal Health Information Protection Act, 2004. Ontario e-Laws. https://www.ontario.ca/laws/regulation/040329
- [Source 7] Information and Privacy Commissioner of Ontario. Annual Reports (various years). Reports documenting health privacy complaints, investigations, and enforcement actions. https://www.ipc.on.ca/
