PHIPA HINP Services Agreement (Ontario)
This agreement governs the electronic services that Phiusion Labs provides to you, the Ontario health-information custodian, under the Personal Health Information Protection Act, 2004 (PHIPA) and Ontario Regulation 329/04. It is specific to Ontario; if you also practice in another province or country, the Privacy Notice for Practitioners covers your account information across all jurisdictions, and the Privacy Notice for Patients covers patient-facing terms.
You accept this agreement when you sign up as an Ontario-based health professional. A new major version of this agreement requires your acceptance before you can continue using the application; see §12 of the Privacy Notice for Practitioners for the versioning rules.
Phiusion is B2B software sold for cosmetic and general wellness purposes. Nothing in this agreement should be read to suggest that the application performs a regulated clinical function; clinical judgment remains entirely yours under your professional licence.
1. Phiusion's role: Health Information Network Provider
Phiusion Labs acts as a Health Information Network Provider ("HINP") to you under O. Reg. 329/04 s.6(2). A HINP is "a person who provides services to two or more health-information custodians where the services are provided primarily to custodians to enable the custodians to use electronic means to disclose personal health information to one another."
For clarity:
- Phiusion is not a health-information custodian. PHIPA s.3(1) defines custodian by reference to direct provision of health care or related functions; Phiusion does not provide health care. You are the custodian for the personal-health-information ("PHI") records you create inside the application.
- Phiusion is not your agent under PHIPA s.2. A HINP supplies electronic services on which you, the custodian, rely; it does not act on your behalf in the agent sense that PHIPA reserves for staff and contractors performing functions a custodian could perform itself.
- PHIPA s.6(2) and (3) apply. As a HINP, Phiusion is bound to the network-provider duties: provide a plain-language description of services and safeguards, restrict its agents' access to PHI, notify custodians of breaches, and submit to the custodian's audit. The published artefact that satisfies the s.6(3) plain-language obligation is the PHIPA Audit Summary.
This role applies only to PHI that you, as an Ontario custodian, place into the application. Phiusion's own administrative records about you (account, billing, support) sit under the Privacy Notice for Practitioners; they are not PHI.
2. Services Phiusion provides
Phiusion supplies the following electronic services to you as an Ontario custodian:
- Application hosting. Web application access from the Phiusion domain, including authentication, session management, and user-interface delivery.
- Patient-record storage. Storage of patient profiles, medical-history fields, photo sessions, clinical-evaluation sessions, and treatment selections that you enter or that the application generates on your behalf.
- Photo storage and processing. Secure object storage for patient photos, including a background-removal preprocessing step performed before storage.
- SkinXS API access. Routing of patient photos to the SkinXS analysis service for skin-feature scoring, with results returned to your workspace for your professional review and curation.
- Telemetry and reliability monitoring. Error reporting, performance counters, and feature-usage signals that allow Phiusion to keep the application running and to investigate problems you report.
- Breach detection. Monitoring for unauthorized access, abnormal query patterns, and credential compromise, plus the incident-response workflow described in the internal Breach Notification Playbook (available to regulators and to data subjects on request).
- Backups and restoration. Encrypted database and storage backups, with restoration available on your written request.
Phiusion does not make autonomous clinical decisions, does not generate prescriptions, and does not produce patient-facing output without your curation step. SkinXS suggests; you decide.
3. Safeguards
Phiusion applies technical, organizational, and administrative safeguards to PHI commensurate with the sensitivity of the data and consistent with PHIPA s.12 and IPC Ontario guidance. A current snapshot is published at the PHIPA Audit Summary; the categories are:
- Technical. TLS 1.2 or higher in transit; AES-256 at rest; row-level security in the database so that each custodian sees only its own records; mandatory multi-factor authentication on every practitioner account; signed-URL access controls on photo storage; key management with rotation; segmented production environments.
- Organizational. A named Privacy Officer at Phiusion (Jonathan Garbutt, privacy@phiusionlabs.app); a documented information-security programme; annual penetration testing; vulnerability-management with severity-keyed SLAs; mandatory privacy and security training for all personnel with production access.
- Administrative. Background checks and confidentiality undertakings for engineering and support staff; role-based access control ("RBAC") with least-privilege defaults; access logging on every read and write of PHI; quarterly access reviews; written sub-processor agreements; written vendor agreements with Universkin SAS (BAA and DPA, available to you on request).
These safeguards are described at greater length in the PHIPA Audit Summary, which is the artefact you may consult or share with the Information and Privacy Commissioner of Ontario ("IPC") to demonstrate Phiusion's compliance with O. Reg. 329/04 s.6(3).
4. Directives to Phiusion's agents
PHIPA s.6(3)(b) requires a HINP to put restrictions in place that prevent its agents from accessing PHI except where strictly necessary to deliver the services. Phiusion's standing directives to its personnel — including personnel of Universkin SAS, the French company that builds and operates the platform on our behalf — are:
- Need-to-know. No member of Phiusion or Universkin staff may access PHI except where the access is required to deliver a service listed in §2 or to respond to a written request from you.
- Role-based access. Production access is granted by role, with the smallest possible privilege envelope for each role. Privileges are reviewed quarterly and revoked on role change.
- Training. Every individual with any path to PHI completes privacy and security training at onboarding and annually thereafter. Records of completion are kept for the same period as our other consent records (see §7).
- Confidentiality. Every individual signs a confidentiality undertaking that survives termination. Breach of the undertaking is grounds for dismissal and, where applicable, civil action.
- Logging and review. Access to PHI is logged. Logs are reviewed on a defined cadence and on demand following any incident.
- No secondary use. Personnel may not use PHI for any purpose outside the services described in §2, and may not export PHI from the production environment except where doing so is required to deliver a service you have requested.
These directives apply equally to Universkin SAS staff. The BAA and DPA between Phiusion Labs and Universkin SAS make the directives contractually binding on Universkin.
5. PHI handling rules
Phiusion handles PHI strictly within the four corners of the custodian's authority:
- Collection. Phiusion collects only PHI that you, the custodian, choose to enter into the application (or that the application generates on your behalf — for example, SkinXS scores computed from photos you upload). Phiusion does not solicit PHI from any other source and does not purchase data about your patients.
- Use. PHI is used only to deliver the services in §2 and to discharge Phiusion's HINP duties under PHIPA. This includes operational uses such as error investigation, capacity planning, and security monitoring. PHI is not used for marketing, advertising, profiling, or model training without a separate written authorization grounded in patient consent (see the AI Improvement Consent and the Privacy Notice for Patients).
- Disclosure. Phiusion does not disclose PHI to third parties except to the sub-processors disclosed at Sub-Processors (each acting on documented instructions, see §6) or where legally compelled by a valid Ontario or Canadian instrument. If compelled, Phiusion will, where lawful, give you advance notice so that you may challenge the demand.
- Retention. PHI is retained for the period you set as custodian. Phiusion's default retention windows for backups and operational logs are published in the internal Retention Schedule (available to regulators and to data subjects on request); if you require shorter retention for a specific dataset, write to privacy@phiusionlabs.app.
- Destruction. When you direct destruction (account closure, a specific deletion request, or end of retention), Phiusion deletes the active record and isolates any backup copy that cannot be targeted-deleted, letting the backup age out under the schedule. A destruction confirmation is available on request.
6. Sub-processors and pass-through obligations
Phiusion uses the sub-processors listed at Sub-Processors to deliver the services. Each sub-processor is bound by a written agreement that flows down, in substance, the same restrictions Phiusion accepts under this agreement — confidentiality, security safeguards, breach notification, restrictions on secondary use, and audit cooperation.
- Material-change notification (two-tier). Routine sub-processor changes affecting PHI — adding a new sub-processor or materially changing the scope of an existing sub-processor's PHI access — are notified at least 15 days in advance by in-app banner and email to the address on your account. Emergency or risk-driven changes (vendor outage, vendor security incident, regulator order, vendor insolvency, or similar) are notified as soon as practicable (typically within 24 hours) and may take effect before notice. If you object on reasonable PHIPA grounds — during the routine notice window or after an emergency change — write to privacy@phiusionlabs.app; if the objection cannot be resolved, you may terminate this agreement under §9 without penalty.
- Platform-operator sub-processor. Universkin SAS (France) operates the application on Phiusion's behalf and is the most significant sub-processor. The BAA and DPA between Phiusion and Universkin are available on request to you, the IPC, or the Office of the Privacy Commissioner of Canada ("OPC") for federal-stream review.
- Cross-border transfers. Where PHI is transferred to a sub-processor outside Canada, the contractual flowdowns required by PIPEDA Schedule 1 Principle 4.1.3 are in place. Quebec-specific cross-border rules do not apply to Ontario custodian data.
7. Breach notification
The HINP breach chain under PHIPA s.10.1 is custodian-facing:
- HINP → custodian. If Phiusion has reason to believe that PHI under your custody has been stolen, lost, or accessed by an unauthorized person, Phiusion will notify you at the first reasonable opportunity. "First reasonable opportunity" means: as soon as Phiusion confirms the incident's scope sufficiently to inform you usefully, and in any event without undue delay. We do not wait for a full forensic report before notifying.
- Information provided. The notification will identify, to the extent then known: what data was affected, how many records, the nature and timing of the incident, the steps Phiusion has taken in response, and a contact at Phiusion for follow-up.
- Custodian → IPC and individuals. PHIPA reserves to you, the custodian, the decision whether and when to notify the IPC under PHIPA s.12(3) and affected individuals under PHIPA s.12(2). Phiusion does not notify the IPC directly except where Phiusion is contacted as a witness or evidence-holder. Phiusion will assist you in preparing your IPC notification on request.
- Playbook. The end-to-end workflow — internal triage, custodian notification, IPC support, individual notification templates, post-incident review — is documented in the internal Breach Notification Playbook (available to regulators and to data subjects on request).
Phiusion logs confirmed and suspected privacy incidents in an internal register and retains the register for the period set in the internal Retention Schedule (available to regulators and to data subjects on request).
8. Audit rights
PHIPA s.6(3)(c) gives the custodian the right to audit a HINP's compliance with the agreed safeguards.
- Published artefact. The PHIPA Audit Summary is the standing artefact: it summarizes the services Phiusion provides, the safeguards in place, the breach-notification chain, and the most recent third-party assurance evidence we hold. You may treat the audit summary as Phiusion's first-line response to an audit request and as a document you can share with the IPC.
- Custodian audits. Beyond the audit summary, you may, on reasonable notice (ordinarily 30 days), audit Phiusion's compliance with this agreement either through (i) Phiusion's responses to a written information-request, (ii) review of third-party assurance reports we hold (SOC 2 Type II, penetration-test summaries, vendor questionnaires), or (iii) on-site or virtual interviews with named Phiusion staff. Audits must be scoped to PHIPA-relevant controls, conducted during business hours, and subject to confidentiality protections.
- Cost. Phiusion absorbs the cost of a routine annual audit at the information-request and assurance-report level. Out-of-scope or repeat audits within the same year may be invoiced at our reasonable cost.
- IPC audit. Phiusion will cooperate with any IPC audit or investigation under PHIPA Part VI and will keep you informed in line with PHIPA s.10.1's notification expectations.
9. Termination and data return
You may terminate this agreement at any time by closing your account in the application or by writing to privacy@phiusionlabs.app. Phiusion may terminate on 90 days' written notice, or sooner where you materially breach this agreement and fail to cure within 30 days.
On termination:
- Return or destruction. You direct whether the PHI in your workspace is returned to you (export in a structured, machine-readable format) or destroyed. The default, absent your direction within 60 days of termination, is destruction.
- Backups. Backup copies that cannot be targeted-deleted are isolated, access-restricted, and aged out on the backup schedule published in the internal Retention Schedule (available to regulators and to data subjects on request).
- Confirmation. A written destruction or export confirmation is provided on request.
- Survival. The breach-notification, audit-cooperation, and confidentiality provisions of this agreement survive termination to the extent necessary to address pre-termination conduct.
10. Governing law and dispute resolution
This agreement is governed by the laws of the Province of Ontario and the federal laws of Canada applicable therein. The Ontario courts have non-exclusive jurisdiction over any dispute that cannot be resolved informally or through the dispute-resolution provisions of the Terms of Service §13.
Nothing in this agreement limits the IPC's statutory jurisdiction or your statutory rights under PHIPA.
11. Contact and supervisory authorities
- Phiusion Labs Privacy Officer: Jonathan Garbutt, privacy@phiusionlabs.app. Mailing address: 29 East Wilmot, Richmond Hill, Ontario, Canada.
- Universkin SAS Data Protection Officer (sub-processor leg): Maître Eric ELABD, +33 (4) 93.00.11.96, dpo@universkin.com.
If you are not satisfied with Phiusion's response, you may contact a supervisory authority:
- Information and Privacy Commissioner of Ontario (IPC) — primary. https://www.ipc.on.ca/. The IPC is the regulator for PHIPA matters and is the body to whom you, as custodian, would notify a reportable breach under PHIPA s.12(3).
- Office of the Privacy Commissioner of Canada (OPC) — federal backup. https://www.priv.gc.ca/. The OPC has jurisdiction over PIPEDA-stream matters, which may apply to Phiusion's administrative records about you (the account-level data covered by the Privacy Notice for Practitioners) even though PHI itself flows under PHIPA.
For related documents, see the Privacy Notice for Practitioners, the Privacy Notice for Patients, the PHIPA Audit Summary, the Sub-Processors page, the HIPAA Business Associate Agreement, and the Terms of Service.