Administrative monetary penalties now in effect under PHIPA

Effective Jan. 1, 2024, the Information and Privacy Commissioner of Ontario (IPC) has discretion to issue administrative monetary penalties (AMPs) for contraventions of the Personal Health Information Protection Act, 2004 (PHIPA) or its regulations. PHIPA governs how health information custodians such as health care practitioners and institutions, may collect, use and disclose personal health information.

The IPC can order a maximum AMP of C$50,000 for a natural person and C$500,000 for organizations, as outlined in the O. Reg. 329/04. Importantly, where there is an economic gain, the IPC may issue an AMP above the maximum amounts in proportion to the economic benefit derived from the contravention.

The IPC has published guidance on its new enforcement powers, stating that AMPs are one tool in the “broader regulatory toolkit for encouraging compliance with PHIPA in a manner that is flexible, balanced, and progressive”. Accordingly, AMPs will not be the default response to contraventions of PHIPA, but rather reserved for more severe violations. The guidance provides examples of cases where AMPs may be appropriate, such as serious snooping on patient records, contraventions for economic gain (such as selling products or services based on improper use and disclosure of personal health information), or persistent disregard for an individual’s right to access their personal health information. AMPs will typically not be imposed in cases involving unintentional errors or one-off mistakes, provided that prompt and reasonable corrective action is taken upon discovery of the error.

Read our article on this topic available on BLG’s website.

This content has been updated on February 7, 2024 at 15 h 36 min.