Version history for the PrivacyIQ PHIPA & Cybersecurity Compliance Assessment.
v2.0, April 2026 (Current)
New
Cybersecurity assessment module — 12 control domains, ~80 controls, anchored to CCCS Baseline Cyber Security Controls v1.2 and CAN/DGSI 104:2021/Rev 1:2024
Practice model taxonomy — FHT, FHG, FHO, FHN, CCM, NPLC, AHAC, Solo Family Practice, Walk-in Clinic — conditional Section 14b supplement per model
Dual-axis scoring — Separate PHIPA score (Sections 1–14) and Cyber score (Sections 15–26) plus combined PrivacyIQ score (60% PHIPA / 40% Cyber)
Stop-and-resume flow — Partial PHIPA-only results available after Section 14 with option to continue to cybersecurity assessment
Educational layer — Every cyber control includes plain-English name, technical name, and why-it-matters framing
OCAP® framework — Aboriginal Health Access Centres surfaced with parallel data sovereignty governance (Ownership, Control, Access, Possession)
Terms of Use page — Full Extended Disclaimer / Terms of Use (10 sections)
4th consent checkbox — PHI prohibition checkbox added to consent gate
PHI warning banner — Prominent warning above every section notes textarea
Mid-assessment accuracy reminder — Inline nudge at Section 7 per legal review Risk Note 2 mitigation
Updated
PHIPA s.10.1 (audit log) framing — Corrected to reflect not-yet-proclaimed status; audit logging anchored in s.12(1) reasonable safeguards
PHIPA s.54.1 (consumer ESPs) framing — Corrected to reflect not-yet-proclaimed status; ESP authority anchored in s.10(4) and s.17
Radiologist retention — Updated from repealed IHFA / O. Reg. 57/92 to current ICHSCA / O. Reg. 215/23 (10/5/10-year structure)
Fertility Clinic AHRA citation — Corrected from SOR/2019-191 to SOR/2019-194 (Administration and Enforcement Regulations)
Hospital for Sick Children v. Ontario (IPC), 2025 ONSC 5208 — Integrated — ransomware encryption alone constitutes "use" and "loss" of PHI
PHIPA Decision 255 (Simcoe Muskoka, 2024) — Integrated — even one-hour email compromise constitutes unauthorized disclosure
IPC AI Scribe Guidance (January 28, 2026) — Integrated — AI vendor assessment requirements and consent obligations
CCCS BC numbering — All BC sub-control numbers corrected during framework review
ITSM.10.089 removed — Incorrect document number removed from all cyber controls; replaced with correct CCCS BCS Controls v1.2 reference
Process
Three-phase legal research production (specialty providers, primary care models, cybersecurity)
Multi-stage legal, regulatory, and technical verification
All CCCS corrections applied during ingestion (not as a separate pass)
SKU validation report produced for BB review against FW: DITLO Master
v1.0, April 2026
Initial release. 13 PHIPA assessment sections, 112 questions covering PHIPA governance, safeguards, retention, access, consent, reporting, and breach readiness. Severity-weighted scoring (CRITICAL / HIGH / STANDARD). Three downloadable HTML documents: Executive Summary, Compliance Playbook, and Remediation Roadmap. Three-checkbox consent gate with reviewed disclaimer language. 14 Ontario healthcare profession types with profession-specific Section 14 supplements.