Canada: Update On Ontario's PHIPA: Administrative Monetary Penalties Now In Force

Effective January 1, 2024, the Information and Privacy Commissioner of Ontario (IPC) can now issue administrative monetary penalties (AMPs) for violations of Ontario's Personal Health Information Protection Act, 2004 (PHIPA). PHIPA governs how health information custodians in Ontario, such as health care practitioners and institutions, may collect, use and disclose personal health information. It is now the only privacy legislation applicable in Ontario with this kind of enhanced enforcement power.

Pursuant to an amendment to the O. Reg. 329/04, the general regulation under PHIPA, the maximum amount of an AMP under PHIPA is C$50,000 for a natural person and C$500,000 for other legal entities, including medical professional corporations and operators of groups of health care practitioners. However, the IPC may increase the amount of an AMP by an amount equal to the economic benefit the person acquires as a result of the contravention.

In determining the amount of an AMP, the IPC must consider the following criteria, in addition to any other criteria the IPC considers relevant:

• The extent to which the contravention deviates from the requirements of PHIPA or its regulations.
• The extent to which the person could have taken steps to prevent the contravention.
• The extent of the harm or potential harm to others resulting from the contraventions.
• The extent to which the person tried to mitigate any harm or potential harm or took any other remedial action.
• The number of individuals, health information custodians and other persons affected by the contravention.
• Whether the person notified the IPC and any individuals whose personal health information was affected by the contravention.
• The extent to which the person derived or reasonably might have expected to derive, directly or indirectly, any economic benefit from the contravention.
• Whether the person has previously contravened PHIPA or its regulations.

The IPC has published guidance on these new powers stating that it will not use AMPs as the default response to violations of PHIPA. AMPs will generally only be used as an enforcement option for more severe violations of PHIPA, not in cases involving unintentional errors or one-off mistakes.

Examples in the IPC's guidance of when AMPs may be appropriate include serious snooping on patient records, contraventions for economic gain (such as selling or designing products based on disclosure of personal health information without legal authority), or disregarding an individual's right to access their personal health information.

Existing, but rarely invoked, offence provisions under PHIPA provide for fines up to C$1-million for non-compliance with the legislation but require referral to the Attorney General of Ontario for prosecution. These new powers allow the IPC to issue AMPs directly after conducting a review of a possible contravention, and therefore represent a material change of the enforcement risk for persons subject to PHIPA. Health information custodians in Ontario should review their information practices to ensure compliance with the requirements of PHIPA and its regulations.

For permission to reprint articles, please contact the Blakes Marketing Department.

© 2020 Blake, Cassels & Graydon LLP.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.