Effective January 1, 2024, the Information and Privacy Commissioner of Ontario (IPC) gained the power to impose administrative monetary penalties (AMPs) on organizations and individuals that contravene PHIPA or its regulations.1 An AMP may be issued to encourage compliance with PHIPA, or to prevent a person from, directly or indirectly, deriving an economic benefit from contravening PHIPA.

The IPC may impose an AMP of up to $50,000 on an individual and up to $500,000 on an organization. Where the person derived an economic benefit from the contravention that exceeds the applicable maximum, the IPC may instead order payment of an amount equal to that benefit.

In its Administrative Monetary Penalties: Guidance for the Health Care Sector, the IPC provided a non-exhaustive list of examples of contraventions of PHIPA for which an AMP could be an appropriate enforcement option:

  • Serious snooping into patient records.
  • Contraventions for economic gain, such as where personal health information is improperly used and disclosed without authority for the purpose of selling products or services related to that information to individuals.
  • Disregard for individuals' right of access, such as where a health information custodian (HIC) has persistently failed to comply with PHIPA's access request requirements, or has unlawfully destroyed or abandoned health records.

The IPC would not typically consider using an AMP in cases of unintentional errors or one-off mistakes, such as a misdirected fax or email, provided there is evidence that the HIC took timely and reasonable corrective measures in response. The IPC also noted that a HIC that is the victim of a cyberattack that could not reasonably have been foreseen or avoided would likely not face an AMP, provided that the HIC fully cooperated in containing the breach, notified affected individuals where required, and took the additional security measures needed to mitigate the risk of a similar attack in future.

The IPC is required to consider the following criteria when determining an appropriate amount at which to set an AMP:

  1. The extent to which the contraventions deviate from the requirements of PHIPA or its regulations.
  2. The extent to which the person could have taken steps to prevent the contraventions.
  3. The extent of the harm or potential harm to others resulting from the contraventions.
  4. The extent to which the person tried to mitigate any harm or potential harm or took any other remedial action.
  5. The number of individuals, health information custodians and other persons affected by the contraventions.
  6. Whether the person notified the Commissioner and any individuals whose personal health information was affected by the contraventions.
  7. The extent to which the person derived or reasonably might have expected to derive, directly or indirectly, any economic benefit from the contraventions.
  8. Whether the person has previously contravened the Act or its regulations.

The IPC is also able to consider any other relevant criteria in determining the amount of an AMP.

If you find yourself in a position where you have contravened a provision of PHIPA, Alysia Christiaen, privacy lawyer and Lerners Chief Privacy Officer, is available to assist with your response to and remedy of that contravention. Having counsel assist in this process can reduce the risk of an AMP being ordered by the IPC.

Footnote

1. See s 61.1 of PHIPA and O Reg 329/04, s 35.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.