Secure Medical Communication

PHIPA-Ready Email Communications for Ontario Healthcare Organizations

Supporting Healthcare Organizations Subject to PHIPA

Healthcare organizations across Ontario trust Cyberimpact to communicate securely with patients, members, staff, and stakeholders through a platform designed with strong security and privacy safeguards.

Cyberimpact supports organizations that are subject to Ontario's Personal Health Information Protection Act, 2004 (PHIPA) by maintaining administrative, technical, and organizational safeguards designed to protect personal health information and support privacy compliance obligations.


Built for Healthcare Privacy Across Canada

While this page focuses on PHIPA, Cyberimpact also supports healthcare organizations across Canada, including organizations subject to Alberta's Health Information Act (HIA), Saskatchewan's Health Information Protection Act (HIPA), various provincial Personal Health Information Acts (PHIA), and the Personal Information Protection and Electronic Documents Act (PIPEDA). Cyberimpact maintains safeguards designed to help healthcare organizations protect personal health information and support their privacy and security obligations under applicable Canadian privacy legislation.
 
While PHIPA compliance ultimately depends on how each organization uses and governs its own processes and data, Cyberimpact provides security controls and contractual commitments designed to support organizations handling personal health information.

Cyberimpact's Role

Cyberimpact provides email communication services to healthcare organizations and processes information on behalf of its customers in accordance with applicable agreements and customer instructions.

Healthcare organizations remain responsible for determining how personal health information is collected, used, disclosed, transmitted, and retained in accordance with PHIPA and other applicable laws and regulations.

Cyberimpact does not determine the purpose or appropriateness of the information customers choose to collect, store, or transmit through the platform.


Supporting PHIPA Requirements

Cyberimpact maintains security practices designed to support healthcare organizations in protecting personal health information in accordance with PHIPA's requirements for safeguards, confidentiality, and information security.

Our approach includes:

  • Encryption in transit and at rest
  • Role-based access controls
  • Multi-factor authentication for internal systems
  • Security monitoring and logging
  • Regular penetration testing and security assessments
  • Incident response and security management procedures
  • Vendor and infrastructure security reviews
  • Access management and least-privilege practices
  • Secure hosting infrastructure
  • Employee security awareness training
  • Formal privacy and security policies

Our security and governance practices are continuously reviewed as part of our broader commitment to protecting customer data and maintaining platform integrity.

Platform safeguards at a glance:

  • SOC 2 Type 2 attestation
  • Encryption via TLS 1.2/1.3 and AES-256
  • Multi-factor authentication (MFA)
  • Data hosted in Canada
  • Web Application Firewall (WAF)
  • DDoS protection
  • Daily encrypted backups
  • Compliance with Law 25, PIPEDA, GDPR, CASL

Our Commitment to Security and Privacy

Protecting your data is at the heart of everything we build. Explore how Cyberimpact manages information security, handles incidents, shares responsibilities with its customers, and supports compliance with Canadian privacy requirements.

Privacy and Security Program

Cyberimpact maintains a comprehensive information security program designed to support the confidentiality, integrity, and availability of customer data.

Key components of our program include:

  • Security governance and risk management
  • Secure software development practices
  • Vulnerability management
  • Incident response procedures
  • Business continuity and disaster recovery planning
  • Third-party security assessments
  • Continuous monitoring and logging
  • Employee confidentiality obligations
  • Periodic access reviews
  • Security awareness and privacy training

Privacy and Security Incident Management

Cyberimpact maintains documented procedures for identifying, investigating, managing, and responding to security and privacy incidents.

Our incident management processes include:

  • Incident detection and monitoring
  • Investigation and impact assessment
  • Containment and remediation activities
  • Internal escalation procedures
  • Post-incident review and corrective actions

Where required by contract or applicable law, customers will be notified of incidents affecting their information.

Third-Party Risk Management

Cyberimpact evaluates vendors and service providers that support the delivery of its services through security and risk assessment processes.

Where appropriate, service providers are subject to contractual, security, confidentiality, and privacy requirements designed to protect customer information and support Cyberimpact's security program.

Access to customer information is restricted to authorized personnel with a legitimate business need and governed by applicable security controls.

Shared Responsibility Model

Protecting personal health information is a shared responsibility between Cyberimpact and its customers.

Cyberimpact provides safeguards and operational controls designed to support the protection of personal health information. Customers remain responsible for:

  • Configuring and using the platform appropriately
  • Managing user access and permissions
  • Determining what information is collected, stored, or transmitted
  • Establishing internal privacy and security policies
  • Managing consent requirements where applicable
  • Ensuring compliance with applicable legal and regulatory obligations
  • Training their workforce on privacy and security requirements

Recommended Best Practices

To help protect personal health information and reduce privacy risks, Cyberimpact recommends that customers:

  • Limit the collection and use of personal health information to what is necessary
  • Avoid including unnecessary sensitive information in email content
  • Apply least-privilege access principles
  • Regularly review user access permissions
  • Establish privacy and security training programs
  • Use secure portals or controlled-access environments for highly sensitive information
  • Implement internal breach response procedures
  • Maintain appropriate retention and disposal practices for personal information

Available Security Documentation

Upon request and subject to appropriate confidentiality protections, Cyberimpact may provide additional security and compliance documentation, including:

  • SOC 2 Type II Report
  • System Security Plan (SSP)
  • Penetration Test Summary
  • Security Questionnaires
  • Additional Security and Compliance Documentation

Organizations seeking additional information may contact our team to discuss their security, privacy, and compliance requirements.

Data Residency and Canadian Operations

Cyberimpact is a Canadian company and operates its platform from infrastructure located in Canada.

Customer data is hosted in Canadian data centres, helping organizations address data residency considerations and supporting compliance with Canadian privacy requirements.

Important Notice Regarding PHIPA

PHIPA does not provide a formal certification program.

Cyberimpact does not claim certification under PHIPA. Instead, Cyberimpact maintains administrative, technical, and organizational safeguards designed to support healthcare organizations in protecting personal health information and meeting their privacy obligations.

Compliance with PHIPA ultimately depends on how each organization configures, uses, and governs its own environment, processes, and data.

Frequently Asked Questions

Is Cyberimpact PHIPA certified?

No. PHIPA does not provide a certification program. Cyberimpact maintains safeguards designed to support organizations that are subject to PHIPA requirements.

Is customer data hosted in Canada?

Yes. Customer data is hosted in Canadian data centres.

Can Cyberimpact provide security and compliance documentation?

Yes. Additional documentation, including SOC 2 Type II reports and other security materials, may be available upon request and subject to appropriate confidentiality protections.

Can healthcare organizations use Cyberimpact to communicate with patients?

Many healthcare organizations use Cyberimpact to communicate with patients, members, staff, and stakeholders. Organizations remain responsible for determining the appropriateness of the information they choose to transmit and for complying with applicable legal and regulatory requirements.

Does Cyberimpact support privacy and security reviews?

Yes. Our team regularly works with healthcare organizations to address privacy, security, procurement, and compliance questions.

Contact Us

Questions about PHIPA, healthcare use cases, privacy requirements, or security practices?

Contact our team to discuss your organization's privacy, security, and compliance requirements.


Documents we can provide

Cyberimpact provides a set of documents intended for security, compliance, and IT governance teams.

Due to their sensitive nature, some documents require the signing of a non-disclosure agreement (NDA).

To obtain a document subject to an NDA, please complete the form below.


Documents available under NDA (sensitive information)


Cyberimpact PHIPA Readiness & Security Overview
Provides an overview of the administrative, technical, and organizational safeguards implemented to support organizations subject to PHIPA and other Canadian healthcare privacy laws.


Cyberimpact’s HIPAA Security Practices
Overview of the key administrative, technical, and organizational measures implemented to support organizations subject to HIPAA requirements.


Business Associate Agreements (BAA)
Agreement governing the handling of Protected Health Information (PHI) in accordance with HIPAA requirements.


System Security Plan (SSP)
Structured description of our architecture, controls, processes, and security operating model.


GDPR Compliance Assessment
Analysis of practices related to the management of personal data and their alignment with GDPR.


Technical architecture (high-level diagram)
Overview of the service architecture, including main components, data flows, and the overall organization of the system.


HECVAT lite 2.11
Standardized security and privacy assessment questionnaire (Higher Education Community Vendor Assessment Toolkit), used by educational institutions to assess risks related to technology service providers.


VPAT 2.5 (Accessibility)
Declares the level of compliance of our platform in terms of digital accessibility.


Documents available without NDA


SOC 2 Type 2 Summary Letter
Summarizes the SOC 2 attestation without disclosing sensitive information.


Privacy Policy
Presents our practices for managing and protecting personal information.


Anti-spam Policy
Explains the mechanisms put in place to comply with Canadian anti-spam legislation.


Terms and Conditions
Describes contractual obligations, responsibilities, and limitations of service use.

Document request form


To obtain one of our official documents available under NDA, such as our full SOC 2 report, our SSP, our GDPR assessment, or our VPAT, please complete the form below.

We invite you to provide the necessary information to allow us to process your request efficiently and provide you with documents tailored to your context.

We generally respond to requests within 3 to 5 business days.*

*Cyberimpact reserves the right not to respond to a request deemed not relevant or insufficiently justified, in order to protect the confidentiality of sensitive information.

Cyberimpact — All rights reserved.