PHIPA Compliance
AutoRx is built for pharmacies operating as health information custodians under Ontario's Personal Health Information Protection Act (PHIPA). When AutoRx processes prescriptions on your behalf, it acts as your agent under PHIPA, bound by the same obligations that apply to your pharmacy. This page summarizes how AutoRx aligns with those obligations. Your commercial agreements (a BAA and a DPA) set the binding terms; the Trust Center and Security pages document the operational controls.
AutoRx's role under PHIPA
Under PHIPA, your pharmacy is the health information custodian and remains accountable for the personal health information it holds. AutoRx is an agent acting on your instructions: it collects, uses, and discloses personal health information only as needed to enter and validate prescriptions in Kroll, and only as your agreements permit. AutoRx does not use patient data for any purpose beyond the service you have engaged it for, and never sells it or shares it for advertising.
How AutoRx aligns with PHIPA
- Canadian data residency. All personal health information is stored and processed in Canadian data centres, encrypted in transit and at rest. Nothing is routed outside Canada.
- Need-to-know access and circle of care. Access is limited to the automated pipeline and the authorized staff at your pharmacy. AutoRx staff access is restricted to support and incident response, logged, and governed by confidentiality obligations.
- Consent directives (lockbox). AutoRx reads only the records your Kroll permissions expose. Where a patient has restricted a record in your PMS, AutoRx works within that restriction.
- Accuracy. Because AutoRx reads the patient profile, drug history, and your formulary before every write, it is built to enter prescriptions accurately and route anything uncertain to a pharmacist rather than guessing.
- Audit logs. Every parse, write attempt, retry, and human correction is recorded with a timestamp and actor, available for regulatory review on request.
- Breach notification. AutoRx's incident-response process supports your PHIPA breach-notification obligations, with prompt notice to your pharmacy of any security incident affecting your data.
- Subprocessor disclosure. Every subprocessor that may touch personal health information is disclosed in the Trust Center, with Canadian residency maintained.
The agreements behind it
PHIPA expects custodians to bind their agents in writing. AutoRx provides a Business Associate Agreement (BAA) and a Data Processing Agreement (DPA) that define permitted uses, security obligations, breach handling, and subprocessor terms. Request both before any prescription data moves. See also our PIPEDA compliance summary for the federal private-sector privacy layer that applies alongside PHIPA, and the PHIPA glossary entry for a plain-language definition.
Frequently asked questions
Is AutoRx PHIPA compliant?
Yes. AutoRx is designed for Ontario's Personal Health Information Protection Act from the ground up. It acts as your agent under PHIPA, stores all personal health information in Canadian data centres, operates under a Business Associate Agreement (BAA) and a Data Processing Agreement (DPA), and logs every action for regulatory review.
Where is patient data stored under PHIPA?
All personal health information AutoRx processes is stored and processed in Canadian data centres, encrypted in transit and at rest. Data is never stored or routed outside Canada, and every subprocessor that may touch patient data is disclosed in the AutoRx Trust Center.
Does AutoRx respect a patient's lockbox or consent directive?
Yes. AutoRx reads only the records your Kroll permissions expose. Where a patient has placed a consent directive (a lockbox) on their record in your pharmacy management system, AutoRx operates within those restrictions rather than overriding them.
What happens in a privacy breach?
AutoRx's incident-response process is built to support your PHIPA breach-notification duties. Your pharmacy is notified promptly of any security incident affecting your data, with the detail needed to meet your obligations to the Information and Privacy Commissioner of Ontario and to affected individuals.
