The Information and Privacy Commissioner of Ontario (IPC) issued Decision 298 marking the first use of administrative monetary penalties (AMPs) under PHIPA since their introduction in January 2024.
Background
A physician misused his access to an electronic health record system shared by several hospitals to identify and contact parents of newborn males to offer circumcision services at his private clinic.
Over a period of three weeks, the physician conducted 146 targeted searches in the electronic health record system for newborn males. At least 91 of these individuals were solicited for circumcision services by phone or text message. Two parents filed complaints, which were quickly relayed to the hospital where the physician worked and held privileges. An investigation was launched, the privacy breach was contained, and the physician’s hospital privileges were immediately suspended.
The IPC's decision
The IPC found that the hospital took reasonable steps to protect personal health information by implementing several key measures, including comprehensive privacy policies and procedures that were reviewed annually, and annual privacy training and confidentiality agreements for professional or credentialed staff.
"Demonstrable accountability"
The IPC explained that, when it questions a custodian’s compliance with the requirement to have information practices that comply with the requirements of PHIPA, the custodian is expected to provide information about its policies, practices and procedures and show that it has, in fact, complied with them. The IPC referred to this as “demonstrable accountability” and defined it as “a repeatable and demonstrable system of data governance whereby organizations can show regulators more concretely, backed by evidence, how they meet their legal requirements in practice.”
Hospital professional staff by-laws
The IPC recommended that hospitals update their professional staff by-laws to include more direct and explicit references to privacy obligations and the requirement that professional staff comply with the hospital’s privacy policies. The IPC also recommended that hospitals ensure that professional staff are provided with copies of their privacy policies before they submit an application for appointment and each year before they complete any reappointment application.
Imposition of administrative monetary penalties
Importantly, the IPC used its new power to impose administrative monetary penalties (AMPs) for the first time in Decision 298. PHIPA allows AMPs of up to $50,000 per individual and $500,000 per custodian. Decision 298 applies the Guidance for the Health Care Sector on AMPs (the Guidance) which the IPC published in January 2024 when this new power came into force. The Guidance establishes that AMPs are a key part of a progressive enforcement model. AMPs are reserved for more serious cases and have two main purposes: to encourage compliance with PHIPA and to prevent custodians from deriving an economic benefit from a contravention.
In line with the Guidance, the IPC imposed AMPs of $5,000 and $7,500 on the physician and his private clinic, respectively. The IPC held that these amounts were reasonable because the physician’s actions were a serious deviation from his obligations, were undertaken for economic gain and caused harm to patients who were in a vulnerable state. The IPC considered mitigating factors, including that the physician stopped the misconduct when asked to do so and that he had no prior privacy offences.
Key takeaways for health information custodians
AMPs: In imposing the first AMPs since the new power came into force, the IPC followed the Guidance it published on situations where AMPs will be considered appropriate.
Demonstrable accountability: The IPC expects that, when providing information to the IPC or answering questions about its information practices, the custodian will provide clear evidence about its practices and how they are complied with. This includes maintaining detailed records of staff and physician training and clearly documenting that staff and physicians acknowledge their privacy obligations and review the custodian’s privacy policies.
Professional staff by-laws: Hospitals may wish to consider how to address the IPC’s recommendation that hospitals update their professional staff by-laws to include explicit references to professional staff privacy obligations and to the requirement that professional staff comply with the hospital’s privacy policies.
For more information on the potential impact of this decision, or about how health information custodians can improve their privacy management programs more generally, please reach out to any of the key contacts listed below.