Effective Jan. 1, 2024, the Information and Privacy Commissioner of Ontario (IPC) has discretion to issue administrative monetary penalties (AMPs) for contraventions of the Personal Health Information Protection Act, 2004 (PHIPA) or its regulations. PHIPA governs how health information custodians, such as health care practitioners and institutions, may collect, use and disclose personal health information.
The IPC can order a maximum AMP of C$50,000 for a natural person and C$500,000 for organizations, as set out in O. Reg. 329/04. Importantly, where there is an economic gain, the IPC may issue an AMP above the maximum amounts in proportion to the economic benefit derived from the contravention.
The IPC has published guidance on its new enforcement powers, stating that AMPs are one tool in the “broader regulatory toolkit for encouraging compliance with PHIPA in a manner that is flexible, balanced, and progressive”. Accordingly, AMPs will not be the default response to contraventions of PHIPA, but rather reserved for more severe violations. The guidance provides examples of cases where AMPs may be appropriate, such as serious snooping on patient records, contraventions for economic gain (such as selling products or services based on improper use and disclosure of personal health information), or persistent disregard for an individual’s right to access their personal health information. AMPs will typically not be imposed in cases involving unintentional errors or one-off mistakes, provided that prompt and reasonable corrective action is taken upon discovery of the error.
In determining the amount of an AMP, the IPC must consider the following criteria, in addition to any other criteria it considers relevant:
- The extent to which the contraventions deviate from the requirements of PHIPA or its regulations.
- The extent to which the person could have taken steps to prevent the contraventions.
- The extent of the harm or potential harm to others resulting from the contraventions.
- The extent to which the person tried to mitigate any harm or potential harm or took any other remedial action.
- The number of individuals, health information custodians and other persons affected by the contravention.
- Whether the person notified the IPC and any individuals whose personal health information was affected by the contravention.
- The extent to which the person derived or reasonably might have expected to derive, directly or indirectly, any economic benefit from the contravention.
- Whether the person has previously contravened PHIPA or its regulations.
For the most severe PHIPA contraventions, the IPC may still refer the case to the Attorney General for prosecution, which can result in even higher fines of up to $200,000 for individuals and $1,000,000 for organizations. However, to date there have been very few prosecutions under PHIPA, and very few convictions.
PHIPA now provides the IPC with greater enforcement powers by allowing it to issue AMPs directly. Unlike criminal or quasi-criminal fines, administrative penalties do not require prosecution by the Crown and a finding of guilt before the court. Ontario health information custodians should review their privacy practices to ensure statutory compliance.