
How to Set Up Online Payments That Comply With PIPEDA and PHIPA

February 28, 2026 · Maya Torres


From the team at Formisoft, the HIPAA-ready platform for patient intake, scheduling, and payments. Learn more →

Canadian practices ask me constantly: "Can we take payments online without breaking privacy laws?" The short answer is yes, but you need to get the setup right. PIPEDA (the Personal Information Protection and Electronic Documents Act) and PHIPA (Ontario's Personal Health Information Protection Act) have clear requirements about how you collect payment information alongside health data.

Here's what I've learned from helping hundreds of Canadian practices set up compliant online payments.

Why PIPEDA and PHIPA Matter Together for Online Payments

Most practices think about privacy compliance for health information, then treat payment collection as a separate thing. That's the mistake. When you collect a credit card payment for a dental cleaning, PIPEDA governs the payment data. When that payment links to a patient account with health records, PHIPA kicks in for Ontario practices. Both laws require you to protect the information, explain what you're doing with it, and get proper consent.

PIPEDA applies to private-sector organizations in Canada that collect personal information in the course of commercial activity. Alberta, British Columbia and Quebec have their own substantially similar private-sector laws, which apply instead of PIPEDA for activity within those provinces. PHIPA applies specifically to health information custodians in Ontario. If you're an Ontario practice collecting payments, you need to comply with both.

The principles overlap significantly. Both require consent, security safeguards, transparency about collection purposes, and limited retention. The practical challenge is making sure your payment system meets both sets of requirements.

What PIPEDA Actually Requires for Payment Collection

PIPEDA's ten fair information principles all apply to payment data. The ones that matter most for online payment setup:

Consent: You need meaningful consent before collecting payment information. That means telling patients why you're collecting card details, what you'll charge, and when. "We collect credit card information to process copayments and outstanding balances" is better than "Payment information required."

Limiting Collection: Only collect what you need. You don't need a patient's SIN to process a payment. You probably don't need their full address if you already have it on file. Every extra field is another data point to protect.

Safeguards: PIPEDA requires security appropriate to the sensitivity of the information. Credit card data is highly sensitive. That means encryption in transit (TLS 1.2 minimum, with TLS 1.0 and 1.1 disabled), encrypted storage, and access controls. You can't store full card numbers in plain text. Period. In practice the cleanest way to meet this is to never hold the card number at all and keep only the token your payment processor returns.

Retention Limits: You can't keep payment information forever. PIPEDA requires you to delete or anonymize data once the purpose is fulfilled. If you kept a card on file to process a one-time copay, you shouldn't still have it two years later. I've seen practices run into trouble by keeping every credit card ever entered "just in case." That violates retention limits and increases your breach risk.

PHIPA Requirements for Ontario Practices

If you're in Ontario, PHIPA adds specific rules about health information. Payment records often contain health information when they link to diagnosis codes, treatment descriptions, or appointment notes.

PHIPA requires:

Express Consent: For collecting, using, or disclosing health information beyond direct care purposes. PHIPA does let a custodian use personal health information without consent for the purpose of obtaining payment for the care it provided, but keeping a card on file, charging future balances, and linking charges to the health record go beyond that narrow purpose, so spell them out. Your intake workflow should explain that payment processing includes linking charges to health records.

Circle of Care Limits: Only people who need payment information for their job should access it. Your receptionist needs to see payment status. Your massage therapist probably doesn't.

Breach Notification: If health information is stolen, lost, or used or disclosed without authority, PHIPA requires notifying the affected individuals at the first reasonable opportunity, and notifying the Information and Privacy Commissioner of Ontario in the circumstances set out in the regulation. The "real risk of significant harm" threshold comes from PIPEDA's separate breach rules, which govern notice to the individual and the federal Privacy Commissioner for the payment data. Credit card numbers plus patient names meet that standard.

Patient Access Rights: Patients can request their payment history. You need systems to produce that record within 30 days.

I worked with a Toronto physiotherapy clinic that kept payment notes in the same field as clinical observations. That made circle-of-care access control impossible. We separated payment records into a distinct module with role-based access.

Setting Up Compliant Online Payment Collection

Here's the practical setup that actually works for Canadian practices:

Use PCI-DSS Compliant Payment Processors: Don't build your own payment system. Use a processor certified to PCI-DSS standards (the Payment Card Industry Data Security Standard). Stripe, Square, and similar services handle card data tokenization so you never store full card numbers. Using a hosted payment page or tokenizing form reduces your own PCI obligations to the simplest self-assessment questionnaire; it does not remove them, so you still have to confirm the card data never touches your own servers or forms.

Separate Payment Data from Clinical Records: Your EHR should link to payment records, not embed them. That separation makes access controls cleaner and reduces your compliance scope.

Configure Consent at Collection Time: When a patient enters payment information, show them exactly what they're consenting to. "I authorize [Practice Name] to charge this card for copayments, outstanding balances, and services rendered. I understand this payment information will be securely stored and used only for billing purposes."

Enable Transaction Receipts: PIPEDA requires transparency. Patients need records of what you charged and when. Automated email receipts solve this. Formisoft sends receipts immediately after processing, which also cuts down on "I don't remember being charged" calls.

Set Retention Policies: Decide how long you'll keep payment records and stick to it. Seven years is common for accounting purposes, but check with your accountant. After that period, delete or anonymize the data.

Implement Role-Based Access: Not everyone needs payment access. Receptionists processing charges, yes. Clinicians reviewing medical history, no. Configure permissions accordingly.

Common Setup Mistakes That Create Compliance Gaps

I see these mistakes repeatedly:

Storing CVV codes: Never. PCI-DSS prohibits storing card verification values after authorization. Some practices kept CVVs "to make future charges easier." That's a violation and increases fraud risk.

Combining payment forms with health history: A single form asking for credit card details, current medications, and surgical history creates a consent nightmare. Separate forms for patient intake and payment collection work better.

No audit trails: PIPEDA's accountability and safeguards principles expect you to know who accessed payment data and when. If you can't produce an access log, you can't demonstrate compliance. Enable logging for all payment transactions and access events, including denied attempts.

Unclear card-removal processes: Patients can withdraw consent to having a card kept on file, and PIPEDA limits how long you may retain it anyway. What happens if someone wants their card removed after you've charged it? You need a documented process that removes the stored token while keeping the transaction record your accounting obligations require.

Missing breach response plans: Hope you never need it, but PHIPA requires notifying affected individuals at the first reasonable opportunity and, in the prescribed circumstances, the IPC of Ontario if health information gets exposed. Have a written plan before the breach happens.

Real Configuration Example

Here's how a Calgary family practice set up compliant payment collection using Formisoft:

They configured online booking with upfront copay collection. New patients see three screens: demographic information first, then insurance verification, then payment details.

The payment screen includes a consent statement: "I authorize [Practice Name] to charge this card for my copayment of $25.00 and any future balances arising from today's visit. This payment information will be stored securely and deleted after seven years per our retention policy."

After the appointment, patients receive an automated receipt via email showing the charge, date, service description (generic: "office visit," not specific diagnosis), and the last four digits of the card charged.

The practice set role-based access so front desk staff see payment status but therapists don't. After seven years, an automated workflow flags payment records for deletion unless there's an active dispute or audit hold.

This setup has passed two compliance audits without findings.
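The setup steps, the common mistakes, and the Calgary workflow above all come down to a handful of rules a payment module has to enforce. The following is an added example, not Formisoft's code or that of any processor: a minimal in-memory payment store that keeps only a processor token and the last four digits, refuses to persist anything that looks like a full card number (Luhn-checked), limits access by role, logs every access attempt including denials, and runs a retention sweep that deletes records past the retention period unless a dispute or audit hold is set. The role names, the token format, the sample charges and the seven-year period are all assumptions chosen for illustration.

```python
# Added example (not Formisoft's or any vendor's code): a minimal payment-record
# store encoding the rules from the article. Role names, token format and the
# 7-year period are assumptions for illustration.
from __future__ import annotations

import re
from dataclasses import dataclass, field
from datetime import date

RETENTION_YEARS = 7  # assumed accounting retention; confirm with your accountant

# Role-based access: only billing roles may touch payment data (assumed roles).
ROLE_PERMISSIONS = {
    "front_desk": {"read_payment", "write_payment"},
    "billing": {"read_payment", "write_payment", "run_retention"},
    "clinician": set(),  # sees the chart, never card data
}

_DIGIT_RUN = re.compile(r"\d(?:[ -]?\d){12,18}")  # 13-19 digits, optional separators


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def looks_like_pan(text: str) -> bool:
    """True if a Luhn-valid 13-19 digit run appears, i.e. a full card number leaked in."""
    return any(luhn_ok(re.sub(r"[ -]", "", m.group())) for m in _DIGIT_RUN.finditer(text))


def years_before(d: date, n: int) -> date:
    try:
        return d.replace(year=d.year - n)
    except ValueError:  # Feb 29 with no leap day n years earlier
        return d.replace(year=d.year - n, day=28)


@dataclass
class PaymentRecord:
    patient_id: str
    processor_token: str  # opaque token from the PCI-compliant processor
    last4: str
    amount_cents: int
    description: str  # generic ("office visit"), never a diagnosis
    charged_on: date
    hold: bool = False  # active dispute or audit hold blocks deletion


@dataclass
class PaymentStore:
    records: list[PaymentRecord] = field(default_factory=list)
    audit_log: list[tuple[date, str, str, str]] = field(default_factory=list)

    def _authorize(self, user: str, role: str, perm: str, patient_id: str, when: date) -> None:
        allowed = perm in ROLE_PERMISSIONS.get(role, set())
        # Every attempt, allowed or denied, lands in the audit log.
        self.audit_log.append((when, user, f"{perm}:{'ok' if allowed else 'denied'}", patient_id))
        if not allowed:
            raise PermissionError(f"role {role!r} may not {perm}")

    def record_charge(self, user: str, role: str, when: date, *, patient_id: str,
                      processor_token: str, last4: str, amount_cents: int,
                      description: str) -> PaymentRecord:
        self._authorize(user, role, "write_payment", patient_id, when)
        # Persist the token and last four only; reject anything carrying a full PAN.
        if looks_like_pan(processor_token) or looks_like_pan(description):
            raise ValueError("full card number detected; store the processor token only")
        if not re.fullmatch(r"\d{4}", last4):
            raise ValueError("last4 must be exactly four digits")
        rec = PaymentRecord(patient_id, processor_token, last4, amount_cents, description, when)
        self.records.append(rec)
        return rec

    def payment_history(self, user: str, role: str, when: date, patient_id: str) -> list[PaymentRecord]:
        """What a patient access request should be able to produce."""
        self._authorize(user, role, "read_payment", patient_id, when)
        return [r for r in self.records if r.patient_id == patient_id]

    @staticmethod
    def receipt(rec: PaymentRecord) -> dict[str, str]:
        """Receipt contents: charge, date, generic description, last four digits."""
        return {"date": rec.charged_on.isoformat(), "amount": f"${rec.amount_cents / 100:.2f}",
                "description": rec.description, "card": f"**** {rec.last4}"}

    def retention_sweep(self, user: str, role: str, when: date) -> tuple[int, int]:
        """Delete records past retention; return (deleted, past-retention-but-held)."""
        self._authorize(user, role, "run_retention", "*", when)
        cutoff = years_before(when, RETENTION_YEARS)
        stale = [r for r in self.records if r.charged_on <= cutoff]
        held = sum(1 for r in stale if r.hold)
        self.records = [r for r in self.records if r.charged_on > cutoff or r.hold]
        return len(stale) - held, held


def demo() -> dict[str, object]:
    """Constructed sample data (assumed): three charges, one leak attempt, one sweep."""
    store, today = PaymentStore(), date(2026, 2, 28)
    charge = dict(patient_id="p1", last4="4242", amount_cents=2500, description="office visit")
    store.record_charge("rina", "front_desk", date(2019, 1, 10), processor_token="tok_assumed_a1", **charge)
    disputed = store.record_charge("rina", "front_desk", date(2018, 6, 1), processor_token="tok_assumed_b2", **charge)
    disputed.hold = True
    store.record_charge("rina", "front_desk", date(2024, 3, 3), patient_id="p2", processor_token="tok_assumed_c3",
                        last4="1881", amount_cents=2500, description="office visit")
    result: dict[str, object] = {"pan_rejected": 0, "clinician_denied": 0}
    try:  # a PAN typed into a free-text field must never be stored
        store.record_charge("rina", "front_desk", today, patient_id="p2", processor_token="tok_assumed_d4",
                            last4="1111", amount_cents=100, description="card 4111 1111 1111 1111 declined")
    except ValueError:
        result["pan_rejected"] = 1
    try:  # clinicians see the chart, not payment history
        store.payment_history("dr_lee", "clinician", today, "p1")
    except PermissionError:
        result["clinician_denied"] = 1
    result["deleted"], result["held"] = store.retention_sweep("sam", "billing", today)
    result["remaining"] = len(store.records)
    result["receipt_card"] = store.receipt(store.records[-1])["card"]
    result["audit_entries"] = len(store.audit_log)
    return result
```

The sweep deletes the 2019 charge, keeps the 2018 charge because of its dispute hold, and leaves the 2024 charge untouched; the audit log ends up with six entries because the rejected PAN write and the denied clinician read are recorded alongside the successful operations.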

Your Action Plan for Compliant Payment Collection

Start here:

Audit your current payment process. Where do you collect card information? Who can access it? How long do you keep it? Write down what you find.

Choose a PCI-compliant processor. Don't compromise on this. The cost difference between compliant and non-compliant processors is negligible compared to breach consequences.

Draft clear consent language. Test it with actual patients. If they're confused about what they're agreeing to, your consent isn't valid.

Configure role-based access. Start restrictive and open up as needed, not the other way around.

Document your retention policy. Set calendar reminders to actually execute deletion. Policies don't matter if you ignore them.

Set up breach response procedures. Include contact information for the IPC of Ontario (if you're in Ontario), your lawyer, and your cyber insurance provider.

Canadian practices handle compliant payment collection every day. The regulations are clear, the tools exist, and patients expect the convenience. Get your setup right once, then focus on delivering care while your payment workflow handles the rest.
